lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <217445447.20020715131331@elcomsoft.com>
From: vkatalov at elcomsoft.com (Vladimir Katalov)
Subject: Vulnerability found: The Adobe eBook Library

  Adobe Systems Incorporated (http://www.adobe.com) recently opened
  a special web site to demonstrate the new library features of
  Adobe Content Server 3.0 (http://www.adobe.com/products/contentserver).
  According to Adobe description, "The Adobe eBook Library uses Adobe
  Content Server as a secure repository for the eBooks". The library
  is located at:

  http://librarydemo.adobe.com/library/

  There are a few books available -- 5 copies of each. The customer
  can borrow any book for a fixed period of time (one or three days);
  when one customer gets a book, the counter ("number of books
  available") is decreased, and when it reaches zero, this book
  becomes not available until at least one other customer will return
  it to the library, or loan period will expire. However, there are three
  bugs/vulnerabilities there:

  1. It is possible to get all available copies of any book --
     Adobe Acrobat eBook Reader doesn't check if you have borrowed the
     given book already. 

  2. The loan period (one or three days) is not verified. It is implemented
     in the script using the following

     <FORM id=form2 name="form2" ACTION="download.asp" METHOD="POST">
       <INPUT type=hidden value=133 name=bookid> 
       <INPUT type=radio CHECKED value=1440 name=loanMin> Borrow for 1 day<BR>
       <INPUT type=radio value=4320 name=loanMin> Borrow for 3 days<BR>
       ...

     The value of loanMin is the loan period in minutes (1440 for one
     day, and 4320 for three days). It is possible to save the form to
     the local disk, change one of the values to the one you need (i.e.
     525600 for one year), load the updated form into the browser, and
     by pressing the "Add to  bookbag" button borrow this book for the
     selected ("fake") period.

     Note: it is also needed to change (in the local copy of the form)
     "download.asp" to the following:
     
     http://librarydemo.adobe.com/library/download.asp

     Otherwise, the local form will not work.

  3. When the book counter reaches zero, the user can see a note near the
     book description: 

     There are currently none available.
     Please check back later. 

     However, the "Add to  bookbag" button is still available and working
     just fine, i.e. it is still possible to get another copy (copies) of
     the book. And the "Number of Books" counter (on the library page)
     becomes negative.


  By combining bugs [1] and [2], it is very easy to implement something
  like "Denial-of-service" attack for the library: just get all copies of
  all books from the library (for very large period of time -- e.g. a few
  years). So no books will be available to anybody else.

  Besides, there is ability to borrow the books for unlimited time.
  

-- 
Sincerely yours,
  Vladimir

Vladimir Katalov
Managing Director
ElcomSoft Co.Ltd.
Member of Association of Shareware Professionals (ASP)
Member of Russian Cryptology Association
mailto:vkatalov@...omsoft.com
http://www.elcomsoft.com/adc.html (Advanced Disk Catalog)
http://www.elcomsoft.com/art.html (Advanced Registry Tracer)
http://www.elcomsoft.com/prs.html (Password Recovery Software)


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ