Message-ID: <3F099B34.70408@snosoft.com>
Date: Mon, 07 Jul 2003 16:09:24 +0000
From: KF <dotslash@...soft.com>
To: bugtraq <bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.netsys.com, team@...-labs.hack.pl
Subject: Re: [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code


I could not reproduce this with the following files on linux:

gentoo adobe-PoC # md5sum /usr/local/Acrobat5/bin/acroread
a4908088a3dfe2d7a72f0792ca8534e0  /usr/local/Acrobat5/bin/acroread
gentoo adobe-PoC # md5sum linux-507.tar.gz
25f0ab387ebed3bf63ca24962ffcf9fa  linux-507.tar.gz

nor with

gentoo adobe-PoC # md5sum /usr/local/Acrobat5/bin/acroread
a3c3d54042e91d152bb82649038159cf  /usr/local/Acrobat5/bin/acroread
gentoo adobe-PoC # md5sum linux-505.tar.gz
5c1cef0b5b1eb75ed01fefb3d6a88ce0  linux-505.tar.gz

I was instead told "A browser has not been specified. Do you want to
configure Weblink Preferences?"  I set the browser to mozilla and had
no luck with the overflow... just a mozilla mail with a HUGE mail to: line.

Am I missing something?

-KF

sec-labs team wrote:

>     sec-labs team proudly presents:
>     
>     Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier
>     by mcbethh
>     29/06/2003
>     
>   I. BACKGROUND
>     
>     quote from documentation: 
>     'The Acrobat Reader allows anyone to view, navigate, and print documents 
>     in the Adobe Portable Document Format (PDF).'
>     
>     However, there is Acrobat Reader 6.0 for Windows and MacOS; version 5.0.7
>     is the last for Unix.
>     
>   II. DESCRIPTION
>     
>     There is a buffer overflow vulnerability in the WWWLaunchNetscape function. It
>     copies the link address into a 256-byte buffer (in version 5.0.5) until '\0' is
>     found. If the link is longer than 256 bytes, the return address is overwritten.
>     Notice that the user has to execute (click on) our link to exploit this
>     vulnerability. The user also has to have the Netscape browser set in preferences,
>     but this is the default setting.
>     
>   III. IMPACT
>     
>     If somebody clicks on a link from a .pdf file specially prepared by an attacker,
>     malicious code can be executed with his privileges.
>     
>   IV. PROOF OF CONCEPT
>     
>     The proof of concept exploit is attached. It doesn't contain shellcode or a
>     valid return address. It just shows that the return address can be overwritten
>     with any value. Use gdb to see it, because acroread will not crash.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
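The quoted advisory (section II) describes the bug as an unbounded copy of the link address into a 256-byte buffer that runs until '\0' and so overwrites the saved return address once the link exceeds 256 bytes. The following C program is an added illustration of that pattern and of the bounded replacement; it is not the sec-labs PoC, not Adobe's code, and not part of this thread. It assumes the 256-byte size the post gives for 5.0.5 and stands an 8-byte slot directly after the buffer in for the return address; the real acroread frame layout is not known from the post. The copy is modelled on a flat array so the run itself stays defined behaviour while still showing how many return-address bytes each link length would clobber.

```c
#include <stdio.h>
#include <string.h>

/*
 * Assumptions (not from the advisory): 256 is the buffer size the post
 * cites for Acrobat Reader 5.0.5; the 8-byte slot right after it stands
 * in for the saved return address. Real frame layouts vary.
 */
#define WEBLINK_BUF 256
#define RET_SLOT    8

struct frame_model {
    unsigned char bytes[WEBLINK_BUF + RET_SLOT];
};

/* Vulnerable pattern from the advisory: copy the link until '\0' with no
 * bound. Modelled on a flat array so the copy stops at the end of the
 * model frame rather than the real stack. Returns how many bytes landed
 * in the return-address slot. */
size_t unbounded_copy(struct frame_model *f, const char *link)
{
    size_t n = strlen(link) + 1;              /* the terminator is copied too */
    size_t cap = sizeof f->bytes;
    size_t written = n < cap ? n : cap;

    memset(f->bytes, 0, cap);
    memcpy(f->bytes, link, written);
    return written > WEBLINK_BUF ? written - WEBLINK_BUF : 0;
}

/* Hardened replacement: measure first, reject anything that would not fit
 * together with its terminator, then copy with an explicit bound.
 * Returns 0 on success, -1 for an over-long link (dst untouched). */
int bounded_copy(char *dst, size_t dstlen, const char *link)
{
    size_t n = strlen(link);
    if (dstlen == 0 || n >= dstlen)
        return -1;
    memcpy(dst, link, n + 1);
    return 0;
}

/* Constructed input: "http://" followed by 'A' filler, total_len
 * characters before the terminator. Mirrors the PoC's overlong link
 * without shellcode or a return address. */
static char link_buf[1024];
const char *make_link(size_t total_len)
{
    static const char prefix[] = "http://";
    size_t plen = sizeof prefix - 1;
    if (total_len >= sizeof link_buf) total_len = sizeof link_buf - 1;
    if (total_len < plen) total_len = plen;
    memcpy(link_buf, prefix, plen);
    memset(link_buf + plen, 'A', total_len - plen);
    link_buf[total_len] = '\0';
    return link_buf;
}

/* Bytes of the return-address slot clobbered by a link of this length. */
size_t ret_bytes_clobbered(size_t link_len)
{
    struct frame_model f;
    return unbounded_copy(&f, make_link(link_len));
}

/* 1 if the hardened copy accepts a link of this length, 0 if it rejects it. */
int hardened_accepts(size_t link_len)
{
    char dst[WEBLINK_BUF];
    return bounded_copy(dst, sizeof dst, make_link(link_len)) == 0;
}

int main(void)
{
    size_t lens[] = { 100, 255, 256, 300 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("link length %3zu: unbounded copy clobbers %zu return-slot byte(s), "
               "hardened copy %s\n",
               lens[i], ret_bytes_clobbered(lens[i]),
               hardened_accepts(lens[i]) ? "accepts" : "rejects");
    }
    return 0;
}
```

A 255-character link fills the buffer exactly (256 bytes with the terminator) and is harmless; at 256 characters the terminator alone spills into the return slot, and from around 264 characters the whole slot is attacker-controlled, which is the condition the advisory says gdb shows without a crash. The bounded version rejects everything from 256 characters up, which is the check the original function lacked.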

