iDefense Security Advisory 11.04.08 http://labs.idefense.com/intelligence/vulnerabilities/ Nov 04, 2008 I. BACKGROUND The getPlus Download Manager is a software management tool. It is used to download, install, and update other software through the browser. The getPlus Download Manager consists of an ActiveX control that is used to prompt users to install other vendor's software. Adobe uses this control for web based installations of Adobe Reader. If a client installed Adobe Reader through the Adobe website, they will have the control on their system. For more information see the vendor's site at the following URL. http://www.adobe.com/support/security/bulletins/apsb08-19.html II. DESCRIPTION Remote exploitation of a stack based buffer overflow vulnerability in NOS Microsystems Ltd.'s getPlus Download Manager, potentially used by multiple vendors, could allow an attacker to execute arbitrary code with the privileges of the current user. III. ANALYSIS Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user viewing the web page. Exploitation requires that attackers social engineer victims into viewing a malicious web page. After the user visits the malicious web page, no further user interaction is needed if the user already has the control installed. If the user visiting the web page does not already have the getPlus control installed, they will be prompted to install it. This control could potentially be used by a number of different software vendors. The exploitability of this vulnerability is likely to be dependent on the way that the given vendor uses the control. In the case of Adobe Reader, the installation file that triggers the vulnerability needs to be located on a site ending in adobe.com. Normally, such a condition would make exploitation significantly more difficult. However, in this case, by using the http://bugs.adobe.com site, an attacker can place arbitrary text files onto the site. These files are supposed to contain information relevant to bug reports, but this functionality could be abused by an attacker for the purpose of exploitation. IV. DETECTION iDefense has confirmed the existence of this vulnerability in getPlus gp.ocx version 1.2.2.50, which is used in web based installations of Adobe Reader 8.1. Previous versions may also be affected. In order to determine if this version of the control is installed, the Registry Editor can be used to attempt to browse to the registry key: HKEY_CLASSES_ROOT\CLSID\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} If that key exists, then the control is installed. V. WORKAROUND Setting the kill bit for this control will mitigate the threat of web based attacks which could be conducted through Internet Explorer. The CLSID for the vulnerable control is CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7 VI. VENDOR RESPONSE Adobe reports that the input validation issue in the Download Manager used by Adobe Reader has been resolved. Adobe has released an update which addresses this issue. For more information, consult their advisory at the following URL. http://www.adobe.com/support/security/bulletins/apsb08-19.html VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-4817 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 02/05/2008 Initial Vendor Notification 02/06/2008 Initial Vendor Reply 10/31/2008 Additional Vendor Feedback 11/04/2008 Coordinated Public Disclosure IX. CREDIT This vulnerability was reported to iDefense by Peter Vreugdenhil. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2008 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.