lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030701151011.263a607a.team@sec-labs.hack.pl>
From: team at sec-labs.hack.pl (sec-labs team)
Subject: [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow
 Vulnerability + PoC code



     sec-labs team proudly presents:
     
     Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier
     by mcbethh
     29/06/2003
     
   I. BACKGROUND
     
     quote from documentation: 
     'The Acrobat Reader allows anyone to view, navigate, and print documents 
     in the Adobe Portable Document Format (PDF).'
     
     However there is Acrobat Reader 6.0 for windows nad MacOS, version 5.0.7
     is last for unix.
     
   II. DESCRIPTION
     
     There is buffer overflow vulnerability in WWWLaunchNetscape function. It
     copies link address to 256 bytes (in 5.0.5 version) buffer until '\0' is
     found. If link is longer than 256 bytes return address is overwritten. 
     Notice that user have to execute (click on it) our link to exploit this 
     vulnerability. User also have to have netscape browser in preferences, 
     but it is default setting. 
     
   III. IMPACT
     
     If somebody click on a link from .pdf file specialy prepared by attacker,
     malicious code can be executed with his privileges.
     
   IV. PROOF OF CONCEPT
     
     Proof of concept exploit is attached. It doesn't contain shellcode nor
     valid return address. It just shows that return address can be overwriten
     with any value. Use gdb to see it, because acroread will not crash. 
     
     

-- 
sec-labs team [http://sec-labs.hack.pl]


-------------- next part --------------
A non-text attachment was scrubbed...
Name: seclabs-poc-adobe-acrobat-reader-29-06-2003.tar.bz2
Type: application/octet-stream
Size: 741 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030701/75e86303/seclabs-poc-adobe-acrobat-reader-29-06-2003.tar.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030701/75e86303/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ