106408 2003-07-01 23:56 /43 lines/ sec-labs team <team@sec-labs.hack.pl>
Imported: 2003-07-01 23:56 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5381>
Subject: [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code
------------------------------------------------------------

sec-labs team proudly presents:

Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier
by mcbethh
29/06/2003

I. BACKGROUND

Quote from the documentation: 'The Acrobat Reader allows anyone to view, navigate, and print documents in the Adobe Portable Document Format (PDF).'

Although Acrobat Reader 6.0 exists for Windows and MacOS, version 5.0.7 is the latest version for Unix.

II. DESCRIPTION

There is a buffer overflow vulnerability in the WWWLaunchNetscape function. It copies the link address into a 256-byte buffer (in version 5.0.5) until a '\0' is found. If the link is longer than 256 bytes, the return address is overwritten. Note that the user has to execute (click on) our link to exploit this vulnerability. The user also has to have the Netscape browser set in preferences, but that is the default setting.

III. IMPACT

If somebody clicks on a link in a .pdf file specially prepared by an attacker, malicious code can be executed with that user's privileges.

IV. PROOF OF CONCEPT

A proof of concept exploit is attached. It does not contain shellcode or a valid return address. It just shows that the return address can be overwritten with any value. Use gdb to see it, because acroread will not crash.
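The copy-until-'\0' pattern described in section II, next to a bounded version that refuses oversized links, as an added example: this is not the sec-labs PoC and not Acrobat's code, the function names and the 'A'-filled test links are constructed, and only the 256-byte buffer size comes from the advisory.

```c
#include <stdio.h>
#include <string.h>
/* 256 comes from the advisory (5.0.5 build); the functions below are a
 * hypothetical reconstruction of the pattern, not Acrobat's code. */
#define LINK_BUF_SIZE 256

/* Vulnerable pattern: copy until '\0' with no bound on the destination, so a
 * link of LINK_BUF_SIZE bytes or more runs past buf[] into the stack frame
 * above it (where the saved return address lives). */
static int launch_netscape_unsafe(const char *link)
{
    char buf[LINK_BUF_SIZE];
    size_t i = 0;
    while (link[i] != '\0') {   /* no comparison against sizeof buf */
        buf[i] = link[i];
        i++;
    }
    buf[i] = '\0';
    return (int)i;              /* buf would be handed to the browser here */
}
/* Hardened form: the copy is bounded by the destination, and a link that does
 * not fit (terminator included) is rejected rather than silently truncated,
 * since a truncated URL names a different resource. Returns -1 on reject. */
static int launch_netscape_safe(const char *link, char *out, size_t out_size)
{
    size_t len = 0;
    while (len < out_size && link[len] != '\0')
        len++;
    if (len == out_size)        /* no room left for the '\0' */
        return -1;
    memcpy(out, link, len + 1);
    return (int)len;
}

/* Feeds a constructed link of link_len 'A' bytes to the hardened copy. */
static int try_link_of_length(size_t link_len)
{
    char link[1024], out[LINK_BUF_SIZE];
    if (link_len >= sizeof link)
        return -2;
    memset(link, 'A', link_len);
    link[link_len] = '\0';
    return launch_netscape_safe(link, out, sizeof out);
}

int main(void)
{
    printf("unsafe copy, short link: %d\n", launch_netscape_unsafe("http://example.com/"));
    printf("255 bytes: %d, 256 bytes: %d, 400 bytes: %d\n",
           try_link_of_length(255), try_link_of_length(256), try_link_of_length(400));
    return 0;
}
```

The 255/256 boundary is the one that matters: 255 bytes plus the terminator fills the buffer exactly, while 256 is the first length the unsafe copy would push past it.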
--
sec-labs team [http://sec-labs.hack.pl]

Attachment (application/octet-stream): "seclabs-poc-adobe-acrobat-reader-29-06-2003.tar.bz2"
Attachment (application/pgp-signature): GnuPG v1.2.0 (GNU/Linux) signature