exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

sps39.acrobat.txt

sps39.acrobat.txt
Posted Jul 27, 2000
Authored by Unyun, shadowpenguin | Site shadowpenguin.backsection.net

Shadowpenguin Security Advisory #39 - Adobe Acrobat Series PDF File buffer overflow. Many versions of Acrobat for Windows95/98/NT/2000 overflows when reading the PDF file which has long Registry or Ordering. The EIP can be controled and arbitrary code can be executed on the machine which views the PDF file. Patches available here.

tags | overflow, arbitrary, registry
SHA-256 | 517e6a13e53bcce4434518e0ff0fb9a5d889fe202d03af6d287ea2a02993baaf

sps39.acrobat.txt

Change Mirror Download
SPS Advisory #39
Adobe Acrobat Series PDF File Buffer Overflow

UNYUN <shadowpenguin@backsection.net>
Shadow Penguin Security (http://shadowpenguin.backsection.net)
-------------------------------------------------------------

[Date]

July 26, 2000

[vulnerable]

Acrobat Reader 3.0J for Windows95/98/NT/2000
Acrobat Reader 4.0J for Windows95/98/NT/2000
Acrobat Reader 4.05J for Windows95/98/NT/2000
Acrobat 3.0J for Windows95/98/NT/2000
Acrobat 4.0J for Windows95/98/NT/2000
Acrobat 4.05J for Windows95/98/NT/2000
Adobe Acrobat Business Tools for Windows95/98/NT/2000
Adobe Acrobat FillIn for Windows95/98/NT/2000

[not vulnerable]

Adobe Acrobat/reader/FillIn/BuinessTools 4.05c

[Overview]

We found the exploitable buffer overflow problem in Acrobat series for
windows. Acrobat overflows when reading the PDF file which has long
Registry or Ordering. They are one of the font CDI system information,
you can see them in the PDF file which is generated by Acrobat. This
buffer overflow overwrites the local buffer, EIP can be controled and
can execute prepared code written in the font CDI system information.
This overflow contains the possibility of the virus and trojans
infection, sytsem destruction, intrusion, and so on.

[Detailed information]

The problem in the handling of /Registry and /Ordering string. We can
control EIP by handling of /Ordering, we describe about this problem on
the handling of /Ordering.

Generally, the country name is written in /Ordering. Following string is
generated by Japanese Acrobat.

/Ordering(Japanese1)

If the long country name is specified as follows,

/Ordering(DDDDDD... long 'D')

you will see the following GPF dialog box (it is the case in Acrobat
3.0J)

------------------------------------------------
ACROEX32 Page fault
Module : ACROEX32.EXE, Address : 0167:004e00f2
Registers:
EAX=88888888 CS=0167 EIP=004e00f2 EFLGS=00010a86
EBX=00e38788 SS=016f ESP=007ee3b4 EBP=007ee518
ECX=007ee4b0 DS=016f ESI=00fe393b FS=0edf
EDX=00000006 ES=016f EDI=007ee3c4 GS=0000
Bytes at CS:EIP:
c6 44 05 98 00 e8 54 17 05 00 66 89 85 14 ff ff
------------------------------------------------

The page fault has been occurred by the following code.
(You can see them in GPF dialog box)

c6 44 05 98 00

This is "mov byte ptr [ebp+eax-68h],0".
EAX is 0x88888888, this value is the total of two values which are
stored in the specific offset in the buffer. They are stored in offset
83,91, EAX is set to 0xffffffff if 0x80808080 and 0x7f7f7f7f are stored
in each address. The memory area of ebp-1-68h is writable, The page
fault has not been occurred and the instructions are executed until RET
if EAX is -1. RET is stored in offset 102.

In Acrobat 4.0/4.05, EAX is able to set by the values which are in the
offset 66,78, EIP is able to set by the value which is stored in offset
74(We could code an exploit which explotis 3.0 and 4.0/4.05 both).

NULL, '(',')' are not be able to use. They are termination character for
/Ordering and /Resitry.

[Fix]

The patches for this problem has already been released
on 26 July at adobe site.

http://www.adobe.com/misc/pdfsecurity.html

[Caution]

We will change this information without any notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatever arising out of or in
connection with the use or spread of this information. Any use of this
information is only for personal experiment.

[Comments ?]

If you have something comments, please send to following address..
UNYUN <shadowpenguin@backsection.net>
http://shadowpenguin.backsection.net

-----
UNYUN
% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
shadowpenguin@backsection.net (webmaster)
% eEye Digital Security Team [ http://www.eEye.com ]
unyun@eEye.com

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close