lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: team at sec-labs.hack.pl (sec-labs team) Subject: [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code sec-labs team proudly presents: Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier by mcbethh 29/06/2003 I. BACKGROUND quote from documentation: 'The Acrobat Reader allows anyone to view, navigate, and print documents in the Adobe Portable Document Format (PDF).' However there is Acrobat Reader 6.0 for windows nad MacOS, version 5.0.7 is last for unix. II. DESCRIPTION There is buffer overflow vulnerability in WWWLaunchNetscape function. It copies link address to 256 bytes (in 5.0.5 version) buffer until '\0' is found. If link is longer than 256 bytes return address is overwritten. Notice that user have to execute (click on it) our link to exploit this vulnerability. User also have to have netscape browser in preferences, but it is default setting. III. IMPACT If somebody click on a link from .pdf file specialy prepared by attacker, malicious code can be executed with his privileges. IV. PROOF OF CONCEPT Proof of concept exploit is attached. It doesn't contain shellcode nor valid return address. It just shows that return address can be overwriten with any value. Use gdb to see it, because acroread will not crash. -- sec-labs team [http://sec-labs.hack.pl] -------------- next part -------------- A non-text attachment was scrubbed... Name: seclabs-poc-adobe-acrobat-reader-29-06-2003.tar.bz2 Type: application/octet-stream Size: 741 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030701/75e86303/seclabs-poc-adobe-acrobat-reader-29-06-2003.tar.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030701/75e86303/attachment.bin
Powered by blists - more mailing lists