eEye Research - http://research.eeye.com Adobe Download Manager AOM Stack Buffer Overflow Vulnerability Release Date: December 5, 2006 Date Reported: November 10, 2006 Severity: High (Code Execution) Systems Affected: Adobe Download Manager 2.1.x and earlier Overview: eEye Digital Security has discovered a stack buffer overflow in Adobe Download Manager, a utility typically installed for the purpose of downloading Adobe software such as Adobe (Acrobat) Reader. By opening a malicious AOM file, a user's system may be compromised by arbitrary code within the file, which executes with the privileges of that user. A web-based attack conducted through Internet Explorer may succeed without the use of ActiveX or scripting, and without any additional user interaction other than viewing a web page, if the web server indicates a Content-Type of "application/aom" when serving up the malicious AOM file. In such a case, an ".aom" file extension is not required. Technical Details: AdobeDownloadManager.exe is responsible for extracting download instructions from AOM files, which are essentially XML with an appended CRC32 in decimal, and committing the instructions to the file "%APPDATA%\dm.ini" for later processing. For instance, opening the following AOM file: WelcomeToMyHumbleAdobe 3871966612 Will generate the following lines in "dm.ini": [STARTUP] Status=IncompleteDownload [WelcomeToMyHumbleAdobe] StoreID=0 TransactionID=0 When launched, whether or not it is supplied with an AOM file, AdobeDownloadManager.exe reads the entries from "dm.ini" and handles each described download according to its properties. It begins by reading a list of section names into a 400h-byte buffer using GetPrivateProfileStringA, then copies each section name into a 108h-byte stack buffer using strncpy with a length limit equal to the length of the section name string. The result is a relatively straightforward stack buffer overflow, with the only complication being the character restrictions. It should be possible to uninstall Adobe Download Manager, or at least unassociate the AOM file extension and "application/aom" Content-Type in the registry, to defend against this vulnerability. Hopefully users who have been forced to install Adobe Download Manager realized its superfluousness and have already uninstalled it. Protection: Retina - Network Security Scanner has been updated to identify this vulnerability. Blink - Unified Client Security has proactively protected from this vulnerability since its discovery. Vendor Status: Adobe has released a patch for this vulnerability which is available at http://www.adobe.com/products/acrobat/acrrmanager.html. The vendor bulletin is available at: http://www.adobe.com/support/security/bulletins/apsb06-19.html. Credit: Derek Soeder Related Links: Retina - Network Security Scanner - Free Trial: http://www.eeye.com/html/products/retina/download/index.html Blink - Unified Client Security Personal - Free For Home Use: http://www.eeye.com/html/products/blink/personal/download/index.html Blink - Unified Client Security Professional - Free Trial: http://www.eeye.com/html/products/blink/download/index.html Greetings: Spooky action at a distance. Whoever else found that kernel race condition. Runner-up: Automatically Downloads Malware. (Thanks Daniel!) Copyright (c) 1998-2006 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.