Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier
by mcbethh
29/06/2003
I. BACKGROUND
quote from documentation:
'The Acrobat Reader allows anyone to view, navigate, and print documents
in the Adobe Portable Document Format (PDF).'
However there is Acrobat Reader 6.0 for windows nad MacOS, version 5.0.7
is last for unix.
II. DESCRIPTION
There is buffer overflow vulnerability in WWWLaunchNetscape function. It
copies link address to 256 bytes (in 5.0.5 version) buffer until '\0' is
found. If link is longer than 256 bytes return address is overwritten.
Notice that user have to execute (click on it) our link to exploit this
vulnerability. User also have to have netscape browser in preferences,
but it is default setting.
III. IMPACT
If somebody click on a link from .pdf file specialy prepared by attacker,
malicious code can be executed with his privileges.
IV. PROOF OF CONCEPT
Proof of concept exploit is attached. It doesn't contain shellcode nor
valid return address. It just shows that return address can be overwriten
with any value. Use gdb to see it, because acroread will not crash.
sec-labs team proudly presents:
Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier
by mcbethh
29/06/2003
I. BACKGROUND
quote from documentation:
'The Acrobat Reader allows anyone to view, navigate, and print documents
in the Adobe Portable Document Format (PDF).'
However there is Acrobat Reader 6.0 for windows nad MacOS, version 5.0.7
is last for unix.
II. DESCRIPTION
There is buffer overflow vulnerability in WWWLaunchNetscape function. It
copies link address to 256 bytes (in 5.0.5 version) buffer until '\0' is
found. If link is longer than 256 bytes return address is overwritten.
Notice that user have to execute (click on it) our link to exploit this
vulnerability. User also have to have netscape browser in preferences,
but it is default setting.
III. IMPACT
If somebody click on a link from .pdf file specialy prepared by attacker,
malicious code can be executed with his privileges.
IV. PROOF OF CONCEPT
Proof of concept exploit is attached. It doesn't contain shellcode nor
valid return address. It just shows that return address can be overwriten
with any value. Use gdb to see it, because acroread will not crash.
--
sec-labs team [http://sec-labs.hack.pl]
[ reply ]