Adobe Acrobat Reader up to 9.1.1 ONLY Linux integer overflow to heap overflow.
Oct 27 2009 09:11AM
adam hispasec com
Vulnerability as in the subject (connected with vulns in xpdf). More details available here:
======
For the last few weeks I was talking (mailing) with Derek (xpdf developer,
btw. really nice guy) about some vulnerabilities in his product. On the 14th of
October he published a patch for the bugs (not only my vulnerabilities), so I decided
to release an advisory.
The original advisory you can find here. I want to write about these
vulnerabilities on the blog for several reasons:
1) This is an interesting bug in the draw image function
2) This vulnerability exists NOT only in the xpdf application
3) Adobe Acrobat Reader is vulnerable to this attack too (but ONLY the Linux
version !!!)
4) Adobe Acrobat Reader didn't know about this bug, but its last
release fixes this vulnerability.
The first reason you can analyse in the advisory, but what about the others? Vulnerable
are:
*) xpdf
*) libpoppler (so it implies a vulnerability in, for example, the evince software,
the default PDF reader in Fedora Linux; I made a PoC for this
software).
*) Adobe Acrobat Reader ONLY for Linux (versions up to 9.1.1; 9.1.2
and 9.1.3 aren't vuln)
*) Maybe others?
Ok, let's analyse the Adobe Acrobat vuln in version 9.1.1:
# gdb --pid=<smth>
...
...
(gdb) c
Continuing.
Missing separate debuginfo for /opt/A911/Adobe/Reader9/Reader/intellinux/plug_ins/EFS.api
Program received signal SIGSEGV, Segmentation fault.
0x01499e6d in memmove () from /lib/libc.so.6
Missing separate debuginfos, use: debuginfo-install GConf2-2.26.2-1.fc11.i586 ORBit2-2.14.17-1.fc11.i586 gamin-0.1.10-4.fc11.i586 gvfs-1.2.3-12.fc11.i586 libidn-1.9-4.i586 nss-mdns-0.10-7.fc11.i586
(gdb) bt
#0 0x01499e6d in memmove () from /lib/libc.so.6
#1 0x08a95bdf in ?? ()
#2 0x28371a0a in ?? ()
#3 0x0d2e66aa in ?? ()
#4 0x8e15b1fe in ?? ()
#5 0x8e15b1fe in ?? ()
#6 0xbffb5f7c in ?? ()
#7 0x089e2189 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) x/i $eip
0x1499e6d <memmove+77>: rep movsl %ds:(%esi),%es:(%edi)
(gdb) i r esi edi ds es ecx
esi 0x27b72ffe 666316798
edi 0x42bfe35e 1119871838
ds 0x7b 123
es 0x7b 123
ecx 0x6a23256 111293014
(gdb)
So we have hard evidence that this is probably an integer overflow vuln which
causes a heap overflow vulnerability :)
PoC for Adobe Acrobat Reader in versions =< 9.1.1: private...
yet :)
======
(Taken from my blog: http://blog.pi3.com.pl/?p=19)
Best regards,
Adam Zabrocki
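Added example (mine, not the poster's, xpdf's, poppler's or Adobe's code): a hypothetical image-buffer size computation of the kind an image drawing routine performs, showing how a 32-bit width * height * components product wraps to a small allocation so that the later copy of the full image data (compare the huge ecx count in the rep movsl above) runs past the heap buffer, next to a checked version that rejects such dimensions. All names and dimensions are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical pattern, not any real renderer's code: a pixel buffer is
 * sized from width * height * ncomps.  Done in 32-bit arithmetic the
 * product wraps, the allocation becomes tiny, and the following copy
 * of the real image data overflows the heap chunk. */

/* Unchecked 32-bit product: returns the wrapped size. */
uint32_t naive_image_bytes(uint32_t width, uint32_t height, uint32_t ncomps)
{
    return width * height * ncomps;   /* silently wraps modulo 2^32 */
}

/* Checked variant: 1 and *out set on success, 0 when the size would wrap. */
int checked_image_bytes(uint32_t width, uint32_t height, uint32_t ncomps,
                        uint32_t *out)
{
    if (width == 0 || height == 0 || ncomps == 0)
        return 0;
    uint64_t n = (uint64_t)width * height;   /* widen before multiplying */
    if (n > UINT32_MAX)
        return 0;
    n *= ncomps;
    if (n > UINT32_MAX)
        return 0;
    *out = (uint32_t)n;
    return 1;
}

/* Allocate the buffer only when the size is provably sane; NULL otherwise. */
unsigned char *alloc_image(uint32_t width, uint32_t height, uint32_t ncomps)
{
    uint32_t bytes;
    if (!checked_image_bytes(width, height, ncomps, &bytes))
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed dimensions: 0x10001 * 0x10000 needs 33 bits and wraps
     * to 0x10000, so the naive path would allocate only 64 KiB. */
    printf("naive size:   %u\n", naive_image_bytes(0x10001, 0x10000, 1));
    unsigned char *b = alloc_image(0x10001, 0x10000, 1);
    printf("checked path: %s\n", b ? "allocated" : "rejected");
    free(b);
    return 0;
}
```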
Copyright 2009, SecurityFocus