lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 4 Apr 2003 06:59:12 -0000
From: Vladimir Katalov <vkatalov@...omsoft.com>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerability (critical): Digital signature for Adobe
    Acrobat/Reader plug-in can be forged


In-Reply-To: <200303261835.h2QIZD6g027059@....harkless.org>

Dan Harkless <bugtraq@...kless.org> writes:
>For those of us not familiar with Acrobat plugins, is there some facility
>for the program retrieving/installing plugins automatically, or, to 
exploit
>this would you need to entice a user to manually place your .api file in
>their "plug_ins" directory (or run an installer program that would do so, 
in
>which case you could run arbitrary code anyway in the installer)?

In any case, user should install plugin (i.e. put it into an appropriate
folder) manually. However, there are several ways to force user to so
so ;) For example, an author can make a plug-in which will look perfectly
valid -- i.e. doing something useful. Or that could be a security plug-in
required to read e-books in PDF format (offered for free). Malicious code,
however, can be activated at particular date, or when opening particular
PDF file etc.

But the main problem of this vulnerability, actually, falls into a
different category. It completely compromises the whole Acrobat security
model. For example, somebody can write a plug-in which allowing to save
an unprotected copy of *any* DRM-enabled PDF document (doesn't matter
what kind of security is being used -- FileOpen, WebBuy etc),
circumventing the protection completely. Such plug-in would never be
signed by Adobe (to be loaded into Acrobat, especially in "certified"
mode), but using the vulnerabilities we have described, fake signature
can be made -- so it will look like signed by Adobe.

-- 
Sincerely yours,
  Vladimir

Vladimir Katalov
Managing Director
ElcomSoft Co.Ltd.
Member of Association of Shareware Professionals (ASP)
Member of Russian Cryptology Association
mailto:vkatalov@...omsoft.com
http://www.elcomsoft.com/adc.html (Advanced Disk Catalog)
http://www.elcomsoft.com/art.html (Advanced Registry Tracer)
http://www.elcomsoft.com/prs.html (Password Recovery Software)

Powered by blists - more mailing lists