lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <AANLkTikKd7J6azv6PZTmtw6qqq3bxa_8Qys_KaGoRUNE@mail.gmail.com> Date: Thu, 7 Oct 2010 10:41:56 -0300 From: "Marcio B. Jr." <marcio.barbado@...il.com> To: Chris Evans <scarybeasts@...il.com> Cc: ZDI Disclosures <zdi-disclosures@...pingpoint.com>, "Full Disclosure \(full-disclosure@...ts.grok.org.uk\)" <full-disclosure@...ts.grok.org.uk> Subject: Re: ZDI-10-191: Adobe Reader ICC Parsing Remote Code Execution Vulnerability > Well, awesome. This sounds near-identical to some issues that the Sun JRE > had a few years back[1]. I wonder if the code shares a common lineage? :) Yes, Chris, though unnecessary (the lineage), it makes sense, really. And this is due to Adobe and Sun, partnering in the ICC's foundation. Regards, On Thu, Oct 7, 2010 at 2:05 AM, Chris Evans <scarybeasts@...il.com> wrote: > On Wed, Oct 6, 2010 at 11:28 AM, ZDI Disclosures > <zdi-disclosures@...pingpoint.com> wrote: >> >> ZDI-10-191: Adobe Reader ICC Parsing Remote Code Execution Vulnerability >> http://www.zerodayinitiative.com/advisories/ZDI-10-191 >> October 6, 2010 >> >> -- CVE ID: >> CVE-2010-3621 >> >> -- CVSS: >> 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) >> >> -- Affected Vendors: >> Adobe >> >> -- Affected Products: >> Adobe Reader >> >> -- Vulnerability Details: >> This vulnerability allows remote attackers to execute arbitrary code on >> vulnerable installations of Adobe Reader. User interaction is required >> in that a target must be coerced into opening a file or visiting a web >> page. >> >> The specific flaw exists within the ACE.dll module responsible for >> parsing ICC streams. When processing an ICC stream, the process performs >> math on two DWORD values from the input file. If these values wrap over >> the maximum integer value of 0xFFFFFFFF a mis-allocation can occur. >> Later, the process uses one of the original DWORD values as a size to a >> copy function. This can be abused by an attacker to overflow a stack >> buffer and subsequently execute code under the context of the user >> running the process. > > Well, awesome. This sounds near-identical to some issues that the Sun JRE > had a few years back[1]. I wonder if the code shares a common lineage? :) > > Cheers > Chris > [1] - http://scary.beasts.org/security/CESA-2006-004.html > http://scary.beasts.org/misc/jdk/badicc.jpg > (And additional integer problems not released at the time) > http://scary.beasts.org/misc/jdk/badicc2.jpg > http://scary.beasts.org/misc/jdk/badicc3.jpg > http://scary.beasts.org/misc/jdk/badicc4.jpg > http://scary.beasts.org/security/CESA-2007-005.html > In addition, there have been plenty of bugs against lcms[2] and Apple's ICC > profile parser. > So it seems like ICC profile parsing is hard ;-) > [2] - http://scary.beasts.org/security/CESA-2009-003.html >> >> -- Vendor Response: >> Adobe has issued an update to correct this vulnerability. More >> details can be found at: >> >> http://www.adobe.com/support/security/bulletins/apsb10-21.html >> >> -- Disclosure Timeline: >> 2010-06-23 - Vulnerability reported to vendor >> 2010-10-06 - Coordinated public release of advisory >> >> -- Credit: >> This vulnerability was discovered by: >> * Sebastian Apelt (www.siberas.de) >> >> -- About the Zero Day Initiative (ZDI): >> Established by TippingPoint, The Zero Day Initiative (ZDI) represents >> a best-of-breed model for rewarding security researchers for responsibly >> disclosing discovered vulnerabilities. >> >> Researchers interested in getting paid for their security research >> through the ZDI can find more information and sign-up at: >> >> http://www.zerodayinitiative.com >> >> The ZDI is unique in how the acquired vulnerability information is >> used. TippingPoint does not re-sell the vulnerability details or any >> exploit code. Instead, upon notifying the affected product vendor, >> TippingPoint provides its customers with zero day protection through >> its intrusion prevention technology. Explicit details regarding the >> specifics of the vulnerability are not exposed to any parties until >> an official vendor patch is publicly available. Furthermore, with the >> altruistic aim of helping to secure a broader user base, TippingPoint >> provides this vulnerability information confidentially to security >> vendors (including competitors) who have a vulnerability protection or >> mitigation product. >> >> Our vulnerability disclosure policy is available online at: >> >> http://www.zerodayinitiative.com/advisories/disclosure_policy/ >> >> Follow the ZDI on Twitter: >> >> http://twitter.com/thezdi >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > Marcio Barbado, Jr. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists