[Infowarrior] - Critical vulnerability in Adobe Reader
Richard Forno
rforno at infowarrior.org
Thu Nov 6 00:48:09 UTC 2008

Critical vulnerability in Adobe Reader
Posted on 04 November 2008.
http://www.net-security.org/secworld.php?id=6715

Core Security Technologies issued an advisory disclosing a
vulnerability that could affect millions of individuals and businesses
using Adobe’s Reader PDF file viewing software. Engineers from
CoreLabs determined that Adobe Reader could be exploited to gain
access to vulnerable systems via the use of a specially crafted PDF
file with malicious JavaScript content. Upon making the discovery,
CoreLabs immediately alerted Adobe to the vulnerability and the two
companies have since coordinated efforts to ensure that a patch could
be created and made available to protect users of the program.

Successful exploitation of the vulnerability requires that users open
a maliciously crafted PDF file, thereby allowing attackers to gain
access to vulnerable systems and assume the privileges of the user
running Acrobat Reader. Adobe Reader version 9, which was released in
June 2008, is not vulnerable to the reported problem.

Adobe has issued a security update that addresses the vulnerable
version 8.1.2 of Reader. Alternatively, users of affected versions of
the program can also work around the problem and reduce their exposure
by disabling JavaScript functionality in the software's Edit |
Preferences menu.

Vulnerability details
While investigating the feasibility of exploiting a vulnerability
previously disclosed in Foxit Reader (CVE-2008-1104), a CoreLabs
researcher found that Adobe Reader was affected by the same bug.
After an initial examination of the involved implementation bug, it
was believed that although the problem was present, it was apparently
not exploitable in Adobe Reader due to the use of two structured
exception handlers in the program. The primary difference between the
Adobe and Foxit applications is the manner in which they perform
security checks, and at first glance, it seemed as if the bug was not
exploitable in Reader, since there was no way to control the program’s
first exception handler.

However, upon further examination of the code, CoreLabs found that
another overflow occurs before the call to the involved code is made
in relation to the previously known vulnerability. This new problem
was identified in the way vulnerable versions of Adobe Reader
implement the JavaScript util.printf() function. The function first
converts the argument it receives to a String, using only the first 16
digits of the argument and padding the rest with a fixed value of
“0” (0x30). By passing an overly long and properly formatted command
to the function, it is possible to overwrite the program’s memory and
control its execution flow.

A specifically crafted PDF file that embeds JavaScript code to
manipulate the program's memory allocation pattern and trigger the
vulnerability can allow an attacker to execute arbitrary code with the
privileges of the user running the Adobe Reader application.

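The advisory describes the trigger as JavaScript embedded in a PDF that hands util.printf() an overly long, well-formed format string. A defender who cannot yet deploy the Adobe update may want to triage incoming PDFs for exactly that pattern. The scanner below is an added example written for this post; it is not code from Core Security, Adobe or net-security.org. It pulls /JS values (literal or hex strings) out of the raw file, looks for util.printf calls, and flags any format specifier whose width or precision exceeds a constructed threshold (WIDTH_LIMIT, an assumed value, not a number from the advisory). The sample PDFs are constructed inline for testing. It does not decode compressed object streams or follow indirect /JS references, so it is a first-pass heuristic, not a complete parser.

```python
"""Heuristic triage of PDF-embedded JavaScript for oversized util.printf
format widths (added defensive example, not part of the original advisory)."""
import re

# A JavaScript action dictionary carries /S /JavaScript and a /JS value.
JS_ACTION_RE = re.compile(rb"/S\s*/JavaScript")
# /JS followed by a literal string (...) with backslash escapes, or a hex string <...>.
JS_VALUE_RE = re.compile(
    rb"/JS\s*(?:\((?P<lit>(?:[^()\\]|\\.)*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)",
    re.DOTALL,
)
# util.printf("fmt", ...) or util.printf('fmt', ...); captures the format string.
PRINTF_RE = re.compile(rb"util\.printf\s*\(\s*(?:\"([^\"]*)\"|'([^']*)')")
# printf-style specifier: %[flags][width][.precision]conversion
SPEC_RE = re.compile(rb"%[-+ #0]*(\d*)(?:\.(\d+))?[a-zA-Z]")

WIDTH_LIMIT = 256  # constructed heuristic: legitimate forms rarely need more

_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape(lit: bytes) -> bytes:
    """Resolve the PDF literal-string escapes that matter for JavaScript text."""
    return re.sub(rb"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), lit,
                  flags=re.DOTALL)


def extract_javascript(pdf: bytes) -> list[bytes]:
    """Return every inline /JS value in the raw file (no stream or filter decoding)."""
    scripts = []
    for m in JS_VALUE_RE.finditer(pdf):
        if m.group("lit") is not None:
            scripts.append(_unescape(m.group("lit")))
        else:
            hexdigits = re.sub(rb"\s", b"", m.group("hex"))
            if len(hexdigits) % 2:
                hexdigits += b"0"  # PDF pads an odd trailing hex digit with 0
            scripts.append(bytes.fromhex(hexdigits.decode("ascii")))
    return scripts


def scan_pdf(pdf: bytes, width_limit: int = WIDTH_LIMIT) -> dict:
    """Summarise JavaScript presence and flag util.printf specifiers over the limit."""
    scripts = extract_javascript(pdf)
    findings = []
    for js in scripts:
        for pm in PRINTF_RE.finditer(js):
            fmt = pm.group(1) if pm.group(1) is not None else pm.group(2)
            for sm in SPEC_RE.finditer(fmt):
                width = int(sm.group(1)) if sm.group(1) else 0
                precision = int(sm.group(2)) if sm.group(2) else 0
                if max(width, precision) > width_limit:
                    findings.append({"format": fmt.decode("latin-1"),
                                     "width": width, "precision": precision})
    return {
        "has_javascript": bool(scripts) or JS_ACTION_RE.search(pdf) is not None,
        "printf_calls": sum(len(PRINTF_RE.findall(js)) for js in scripts),
        "suspicious": findings,
    }


# Constructed sample files: a benign use of util.printf and an oversized width.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.alert\\(util.printf\\(\"%.2f\", 3.14159\\)\\)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS <"
    + 'util.printf("%9000f", 1)'.encode().hex().encode() + b"> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(name, scan_pdf(sample))
```

Any file with has_javascript set deserves a second look regardless of the printf result, since the advisory's workaround is to disable JavaScript entirely; the width check only narrows the queue to files that match this specific bug's shape.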
The vulnerability was discovered by Damián Frizza, a CoreLabs
researcher and software engineer with the CORE IMPACT Exploit Writers
Team. The previously disclosed vulnerability (CVE-2008-1104) mentioned
in this report was discovered in Foxit Reader by Dyon Balding from
Secunia Research and disclosed on May 20th, 2008.