Title: Adobe Acrobat Series PDF File Buffer Overflow
Released by: Shadow Penguin Security
Date: 26th July 2000
SPS Advisory #39

Adobe Acrobat Series PDF File Buffer Overflow

UNYUN
Shadow Penguin Security (http://shadowpenguin.backsection.net)

-------------------------------------------------------------



[Date]

July 26, 2000



[vulnerable]

Acrobat Reader 3.0J for Windows95/98/NT/2000
Acrobat Reader 4.0J for Windows95/98/NT/2000
Acrobat Reader 4.05J for Windows95/98/NT/2000
Acrobat 3.0J for Windows95/98/NT/2000
Acrobat 4.0J for Windows95/98/NT/2000
Acrobat 4.05J for Windows95/98/NT/2000
Adobe Acrobat Business Tools for Windows95/98/NT/2000
Adobe Acrobat FillIn for Windows95/98/NT/2000

[not vulnerable]

Adobe Acrobat/Reader/FillIn/Business Tools 4.05c



[Overview]

We found an exploitable buffer overflow in the Acrobat series for
Windows. Acrobat overflows when reading a PDF file that contains a long
/Registry or /Ordering string. These strings are part of the font's CID
system information, and you can see them in any PDF file generated by
Acrobat. The overflow overwrites a local buffer, so EIP can be
controlled and prepared code written into the font's CID system
information can be executed. This overflow opens the possibility of
virus and trojan infection, system destruction, intrusion, and so on.



[Detailed information]

The problem is in the handling of the /Registry and /Ordering strings.
Since EIP can be controlled through the handling of /Ordering, we
describe the problem in terms of /Ordering.

Generally, the country name is written in /Ordering. The following
string is generated by Japanese Acrobat:

/Ordering(Japanese1)

If a long country name is specified as follows,

/Ordering(DDDDDD... long 'D')

you will see the following GPF dialog box (this is the case for Acrobat
3.0J):

------------------------------------------------
ACROEX32 Page fault
Module : ACROEX32.EXE, Address : 0167:004e00f2
Registers:
EAX=88888888 CS=0167 EIP=004e00f2 EFLGS=00010a86
EBX=00e38788 SS=016f ESP=007ee3b4 EBP=007ee518
ECX=007ee4b0 DS=016f ESI=00fe393b FS=0edf
EDX=00000006 ES=016f EDI=007ee3c4 GS=0000
Bytes at CS:EIP:
c6 44 05 98 00 e8 54 17 05 00 66 89 85 14 ff ff
------------------------------------------------



The page fault is caused by the following code (you can see it in the
GPF dialog box):

c6 44 05 98 00

This is "mov byte ptr [ebp+eax-68h],0". EAX is 0x88888888; this value is
the sum of two values stored at specific offsets in the buffer, offsets
83 and 91. If 0x80808080 and 0x7f7f7f7f are stored at those two
positions, EAX becomes 0xffffffff. The memory at ebp-1-68h is writable,
so when EAX is -1 no page fault occurs and the instructions are executed
until the RET, whose return address is stored at offset 102.

In Acrobat 4.0/4.05, EAX is set by the values at offsets 66 and 78, and
EIP is set by the value stored at offset 74 (we could write an exploit
which exploits 3.0 and 4.0/4.05 both).

NULL, '(' and ')' cannot be used, because they are the termination
characters for /Ordering and /Registry.
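As an added, defender-side example that is not part of the original advisory: a small Python scanner that locates /Registry and /Ordering literal strings in a PDF byte stream, measures them according to the PDF literal-string rules (balanced parentheses and backslash escapes, so a naive split on ')' does not mis-measure the value), and flags values far longer than any real CID registry or ordering name. The sample PDF fragments and the 32-byte threshold are constructed for illustration; the threshold is an assumption, not a value from the advisory.

```python
import re

# Constructed sample PDF fragments (not taken from the advisory). The
# 200-byte /Ordering value stands in for the "long 'D'" string it describes.
BENIGN_PDF = (
    b"%PDF-1.3\n"
    b"1 0 obj\n<< /Type /Font /Subtype /CIDFontType0 /BaseFont /HeiseiMin-W3\n"
    b"   /CIDSystemInfo << /Registry (Adobe) /Ordering (Japan1) /Supplement 2 >> >>\n"
    b"endobj\n"
)
SUSPICIOUS_PDF = (
    b"%PDF-1.3\n"
    b"1 0 obj\n<< /CIDSystemInfo << /Registry (Adobe) /Ordering ("
    + b"D" * 200
    + b") /Supplement 0 >> >>\nendobj\n"
)

# Assumption: genuine values are short names such as "Adobe" or "Japan1",
# so anything beyond this length is worth a closer look.
MAX_SANE_LEN = 32

# Matches the dictionary key followed by the opening '(' of a literal string.
KEY_RE = re.compile(rb"/(Registry|Ordering)\s*\(")


def read_literal_string(data, start):
    """Return (raw_bytes, end_index) for the PDF literal string whose body
    begins at data[start], i.e. just past the opening '('.

    PDF literal strings may contain balanced unescaped parentheses and
    backslash escapes. The raw bytes between the outer parentheses are
    returned (escapes are kept verbatim), because the advisory says '('
    and ')' are the terminators the reader honours, which suggests it
    copies the raw bytes. Returns (None, start) if the string never closes.
    """
    depth = 1
    i = start
    out = bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            out += data[i:i + 2]   # escape plus escaped byte, kept as-is
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
        out += c
        i += 1
    return None, start


def scan_cid_system_info(data, max_len=MAX_SANE_LEN):
    """Find every /Registry and /Ordering literal string in data and report
    those longer than max_len. Returns a list of (key, length, offset)
    tuples; an unterminated string is reported with length -1, since a
    value that never closes is also not what a legitimate font carries."""
    findings = []
    for m in KEY_RE.finditer(data):
        key = m.group(1).decode()
        value, _end = read_literal_string(data, m.end())
        if value is None:
            findings.append((key, -1, m.start()))
            continue
        if len(value) > max_len:
            findings.append((key, len(value), m.start()))
    return findings


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        hits = scan_cid_system_info(blob)
        print(f"{name}: {len(hits)} finding(s)")
        for key, length, offset in hits:
            print(f"  /{key} at byte {offset}: length {length}")
```

The scanner reports raw length rather than decoded length; if a reader is known to decode escapes before copying, measure the decoded form instead. It also does not inflate compressed object streams, so a PDF that hides its font dictionaries inside a FlateDecode stream would need the stream decompressed first.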



[Fix]

The patch for this problem was released on 26 July at the Adobe site:

http://www.adobe.com/misc/pdfsecurity.html



[Caution]

We will change this information without any notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatever arising out of or in
connection with the use or spread of this information. Any use of this
information is only for personal experiment.



[Comments ?]

If you have any comments, please send them to the following address.

UNYUN
http://shadowpenguin.backsection.net

-----
UNYUN
% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
   shadowpenguin@backsection.net (webmaster)
% eEye Digital Security Team [ http://www.eEye.com ]
   unyun@eEye.com







