[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTintzWamjbqqxTpMkk0y12SyanVdCQ+nBbCXRoP4@mail.gmail.com>
Date: Wed, 6 Oct 2010 22:05:35 -0700
From: Chris Evans <scarybeasts@...il.com>
To: ZDI Disclosures <zdi-disclosures@...pingpoint.com>
Cc: "Full Disclosure \(full-disclosure@...ts.grok.org.uk\)"
<full-disclosure@...ts.grok.org.uk>
Subject: Re: ZDI-10-191: Adobe Reader ICC Parsing Remote
Code Execution Vulnerability
On Wed, Oct 6, 2010 at 11:28 AM, ZDI Disclosures <
zdi-disclosures@...pingpoint.com> wrote:
> ZDI-10-191: Adobe Reader ICC Parsing Remote Code Execution Vulnerability
> http://www.zerodayinitiative.com/advisories/ZDI-10-191
> October 6, 2010
>
> -- CVE ID:
> CVE-2010-3621
>
> -- CVSS:
> 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
>
> -- Affected Vendors:
> Adobe
>
> -- Affected Products:
> Adobe Reader
>
> -- Vulnerability Details:
> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable installations of Adobe Reader. User interaction is required
> in that a target must be coerced into opening a file or visiting a web
> page.
>
> The specific flaw exists within the ACE.dll module responsible for
> parsing ICC streams. When processing an ICC stream, the process performs
> math on two DWORD values from the input file. If these values wrap over
> the maximum integer value of 0xFFFFFFFF a mis-allocation can occur.
> Later, the process uses one of the original DWORD values as a size to a
> copy function. This can be abused by an attacker to overflow a stack
> buffer and subsequently execute code under the context of the user
> running the process.
>
Well, awesome. This sounds near-identical to some issues that the Sun JRE
had a few years back[1]. I wonder if the code shares a common lineage? :)
Cheers
Chris
[1] - http://scary.beasts.org/security/CESA-2006-004.html
http://scary.beasts.org/misc/jdk/badicc.jpg
(And additional integer problems not released at the time)
http://scary.beasts.org/misc/jdk/badicc2.jpg
http://scary.beasts.org/misc/jdk/badicc3.jpg
http://scary.beasts.org/misc/jdk/badicc4.jpg
http://scary.beasts.org/security/CESA-2007-005.html
In addition, there have been plenty of bugs against lcms[2] and Apple's ICC
profile parser.
So it seems like ICC profile parsing is hard ;-)
[2] - http://scary.beasts.org/security/CESA-2009-003.html
> -- Vendor Response:
> Adobe has issued an update to correct this vulnerability. More
> details can be found at:
>
> http://www.adobe.com/support/security/bulletins/apsb10-21.html
>
> -- Disclosure Timeline:
> 2010-06-23 - Vulnerability reported to vendor
> 2010-10-06 - Coordinated public release of advisory
>
> -- Credit:
> This vulnerability was discovered by:
> * Sebastian Apelt (www.siberas.de)
>
> -- About the Zero Day Initiative (ZDI):
> Established by TippingPoint, The Zero Day Initiative (ZDI) represents
> a best-of-breed model for rewarding security researchers for responsibly
> disclosing discovered vulnerabilities.
>
> Researchers interested in getting paid for their security research
> through the ZDI can find more information and sign-up at:
>
> http://www.zerodayinitiative.com
>
> The ZDI is unique in how the acquired vulnerability information is
> used. TippingPoint does not re-sell the vulnerability details or any
> exploit code. Instead, upon notifying the affected product vendor,
> TippingPoint provides its customers with zero day protection through
> its intrusion prevention technology. Explicit details regarding the
> specifics of the vulnerability are not exposed to any parties until
> an official vendor patch is publicly available. Furthermore, with the
> altruistic aim of helping to secure a broader user base, TippingPoint
> provides this vulnerability information confidentially to security
> vendors (including competitors) who have a vulnerability protection or
> mitigation product.
>
> Our vulnerability disclosure policy is available online at:
>
> http://www.zerodayinitiative.com/advisories/disclosure_policy/
>
> Follow the ZDI on Twitter:
>
> http://twitter.com/thezdi
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists