[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4B4D6CA3.3000907@idefense.com>
Date: Wed, 13 Jan 2010 01:48:03 -0500
From: iDefense Labs <labs-no-reply@...fense.com>
To: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
full-disclosure@...ts.grok.org.uk
Subject: iDefense Security Advisory 01.12.10: Adobe Reader
and Acrobat JpxDecode Memory Corruption Vulnerability
iDefense Security Advisory 01.12.10
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 12, 2010
I. BACKGROUND
Adobe Reader and Acrobat are Portable Document Format (PDF) reader and
processors. For more information, please visit following pages:
http://www.adobe.com/products/reader/
http://www.adobe.com/products/acrobat/
II. DESCRIPTION
Remote exploitation of a memory corruption vulnerability in multiple
versions of Adobe Systems Inc.'s Reader and Acrobat PDF reader and
processor could allow an attacker to execute arbitrary code with the
privileges of the current user.
The vulnerability occurs when processing the Jp2c stream of a JpxDecode
encoded data stream within a PDF file. During the processing of a
JPC_MS_RGN marker, an integer sign extension may cause a bounds check
to be bypassed. This results in an exploitable memory corruption
vulnerability.
III. ANALYSIS
Exploitation of this vulnerability allows an attacker to execute
arbitrary code with the privileges of the user opening the file. The
attacker will have to create a malicious PDF file and convince the
victim to open it. This can be accomplished by embedding the PDF file
into an IFrame inside of a Web page, which will result in automatic
exploitation once the page is viewed. The file could also be e-mailed
as an attachment or placed on a file share. In these cases, a user
would have to manually open the file to trigger exploitation. If
preview is enabled in Windows Explorer, Acrobat will try to generate a
preview for PDF files when a folder containing PDF files is accessed,
thus triggering the exploitation.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in latest
version of Adobe Reader, at the time of testing, version 9.1.0.
Previous versions may also be affected.
Adobe has stated that all 9.2 and below versions, as well as all 8.1.7
and below versions are vulnerable.
V. WORKAROUND
None of the following workarounds will prevent exploitation, but they
can reduce potential attack vectors and make exploitation more
difficult.
Prevent PDF documents from being opened automatically by the Web browser
Disable JavaScript
Disable PDFShell extension by removing or renaming the Acrord32info.exe file
VI. VENDOR RESPONSE
Adobe has released a patch which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.
http://www.adobe.com/support/security/bulletins/apsb10-02.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2009-3955 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
08/06/2009 Initial Contact
08/06/2009 Initial Response
09/16/2009 Vendor requested POC. iDefense sent POC.
09/17/2009 Vendor response.
01/12/2010 Coordinated public disclosure.
IX. CREDIT
This vulnerability was reported to iDefense by Code Audit Labs
http://www.vulnhunt.com.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2010 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@...fense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists