BugTraq
Back to list
|
Post reply
Re: Vulnerability (critical): Digital signature for Adobe Acrobat/Reader plug-in can be forged
Apr 04 2003 06:59AM
Vladimir Katalov (vkatalov elcomsoft com)
In-Reply-To: <200303261835.h2QIZD6g027059 (at) www.harkless (dot) org [email concealed]>
Dan Harkless <bugtraq (at) harkless (dot) org [email concealed]> writes:
>For those of us not familiar with Acrobat plugins, is there some facility
>for the program retrieving/installing plugins automatically, or, to
exploit
>this would you need to entice a user to manually place your .api file in
>their "plug_ins" directory (or run an installer program that would do so,
in
>which case you could run arbitrary code anyway in the installer)?
In any case, user should install plugin (i.e. put it into an appropriate
folder) manually. However, there are several ways to force user to so
so ;) For example, an author can make a plug-in which will look perfectly
valid -- i.e. doing something useful. Or that could be a security plug-in
required to read e-books in PDF format (offered for free). Malicious code,
however, can be activated at particular date, or when opening particular
PDF file etc.
But the main problem of this vulnerability, actually, falls into a
different category. It completely compromises the whole Acrobat security
model. For example, somebody can write a plug-in which allowing to save
an unprotected copy of *any* DRM-enabled PDF document (doesn't matter
what kind of security is being used -- FileOpen, WebBuy etc),
circumventing the protection completely. Such plug-in would never be
signed by Adobe (to be loaded into Acrobat, especially in "certified"
mode), but using the vulnerabilities we have described, fake signature
can be made -- so it will look like signed by Adobe.
--
Sincerely yours,
Vladimir
Vladimir Katalov
Managing Director
ElcomSoft Co.Ltd.
Member of Association of Shareware Professionals (ASP)
Member of Russian Cryptology Association
mailto:vkatalov (at) elcomsoft (dot) com [email concealed]
http://www.elcomsoft.com/adc.html (Advanced Disk Catalog)
http://www.elcomsoft.com/art.html (Advanced Registry Tracer)
http://www.elcomsoft.com/prs.html (Password Recovery Software)
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Dan Harkless <bugtraq (at) harkless (dot) org [email concealed]> writes:
>For those of us not familiar with Acrobat plugins, is there some facility
>for the program retrieving/installing plugins automatically, or, to
exploit
>this would you need to entice a user to manually place your .api file in
>their "plug_ins" directory (or run an installer program that would do so,
in
>which case you could run arbitrary code anyway in the installer)?
In any case, user should install plugin (i.e. put it into an appropriate
folder) manually. However, there are several ways to force user to so
so ;) For example, an author can make a plug-in which will look perfectly
valid -- i.e. doing something useful. Or that could be a security plug-in
required to read e-books in PDF format (offered for free). Malicious code,
however, can be activated at particular date, or when opening particular
PDF file etc.
But the main problem of this vulnerability, actually, falls into a
different category. It completely compromises the whole Acrobat security
model. For example, somebody can write a plug-in which allowing to save
an unprotected copy of *any* DRM-enabled PDF document (doesn't matter
what kind of security is being used -- FileOpen, WebBuy etc),
circumventing the protection completely. Such plug-in would never be
signed by Adobe (to be loaded into Acrobat, especially in "certified"
mode), but using the vulnerabilities we have described, fake signature
can be made -- so it will look like signed by Adobe.
--
Sincerely yours,
Vladimir
Vladimir Katalov
Managing Director
ElcomSoft Co.Ltd.
Member of Association of Shareware Professionals (ASP)
Member of Russian Cryptology Association
mailto:vkatalov (at) elcomsoft (dot) com [email concealed]
http://www.elcomsoft.com/adc.html (Advanced Disk Catalog)
http://www.elcomsoft.com/art.html (Advanced Registry Tracer)
http://www.elcomsoft.com/prs.html (Password Recovery Software)
[ reply ]