| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Mar 2009 12:22:15 +0530
From: iViZ Security Advisories <advisories@...zsecurity.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [IVIZ-09-001] Adobe Acrobat Reader Memory
Corruption Vulnerability
------------------------------------------------------------------------------------------
[ iViZ Security Advisory 09-001 25/03/2009 ]
------------------------------------------------------------------------------------------
iViZ Techno Solutions Pvt. Ltd.
http://www.ivizsecurity.com
------------------------------------------------------------------------------------------
* Title: Adobe Acrobat Reader Memory Corruption Vulnerability
* Date: 25/03/2009
* Software: Adobe Acrobat Reader 9.0.0, 8.1.3
--[ Synopsis:
Adobe acrobat reader crashes while processing a malformed PDF file.
--[ Affected Software:
* Adobe Acrobat Reader 9.0.0
* Adobe Acrobat Reader 8.1.3 and before
* Other versions may also be affected
(The vulnerability affects both Windows and Linux version of Acrobat Reader)
--[ Technical description:
Adobe acrobat reader initializes large memory based on specific values read
from the PDF file itself. Mostly this results in access violation but code
execution may be possible due to heap corruption.
The technical details tested on Acrobat Reader 9.0.0 are as follows:
There are two cases for the application to crash. In case A, the
function @0177C1AB
returns a large value which is copied in ESI register. In case B,
the function @0177CAAB
returns a large value in EAX register. The values returned by this
call instruction
are not predictable with the offset at 0x2024.
0177C1AB E8 700D0100 CALL AcroRd_1.0178CF20
0177C1B0 8BD6 MOV EDX,ESI ; Case A: ESI is large
0177C1B2 03F0 ADD ESI,EAX ; Case B: EAX is large
0177C1B4 3BD6 CMP EDX,ESI
0177C1B6 73 2B JNB SHORT AcroRd_1.0177C1E3
0177C1B8 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20]
0177C1BC 8D3C50 LEA EDI,DWORD PTR DS:[EAX+EDX*2]
0177C1BF 8B4424 1C MOV EAX,DWORD PTR SS:[ESP+1C] ; EAX
holds the value to be initialized
0177C1C3 8BCE MOV ECX,ESI ; ECX
holds the count; copied from ESI
0177C1C5 2BCA SUB ECX,EDX
0177C1C7 8B5C24 30 MOV EBX,DWORD PTR SS:[ESP+30]
0177C1CB 66:8BD0 MOV DX,AX
0177C1CE C1E2 10 SHL EDX,10
0177C1D1 66:8BD0 MOV DX,AX
0177C1D4 D1E9 SHR ECX,1
0177C1D6 8BC2 MOV EAX,EDX
0177C1D8 F3:AB REP STOS DWORD PTR ES:[EDI] ; EDI
points to the target memory and
; results
in access violation for larger
; ECX values
A vulnerability like this can possibly be exploited through techniques like
heap spray, particularly since Adobe Acrobat Reader supports embedded
javascripts, however this possibility is currently unverified.
--[ Impact:
* Application crash in most cases.
* Code execution possibility is unverified.
--[ Vendor response:
http://www.adobe.com/support/security/bulletins/apsb09-04.html
--[ Credits:
This vulnerability was discovered by Security Researcher
Jonathan Brossard from iViZ Security Research Team.
--[ Disclosure timeline:
* 25/03/2009: Public Disclosure
* 28/02/2009: Vendor acknowledged receipt of submitted vulnerability details
* 26/02/2009: Vendor replied providing PGP keys
* 25/02/2009: Contacted vendor asking for PGP keys
--[ Reference:
http://www.ivizsecurity.com/security-advisory.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists