Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21532
HistoryMar 26, 2009 - 12:00 a.m.

[Full-disclosure] [IVIZ-09-001] Adobe Acrobat Reader Memory Corruption Vulnerability

2009-03-2600:00:00
vulners.com
12

[ iViZ Security Advisory 09-001 25/03/2009 ]

iViZ Techno Solutions Pvt. Ltd.
http://www.ivizsecurity.com

  • Title: Adobe Acrobat Reader Memory Corruption Vulnerability
  • Date: 25/03/2009
  • Software: Adobe Acrobat Reader 9.0.0, 8.1.3

–[ Synopsis:

Adobe acrobat reader crashes while processing a malformed PDF file.

–[ Affected Software:

  • Adobe Acrobat Reader 9.0.0
  • Adobe Acrobat Reader 8.1.3 and before
  • Other versions may also be affected
    (The vulnerability affects both Windows and Linux version of Acrobat Reader)

–[ Technical description:

Adobe acrobat reader initializes large memory based on specific values read
from the PDF file itself. Mostly this results in access violation but code
execution may be possible due to heap corruption.

The technical details tested on Acrobat Reader 9.0.0 are as follows:

There are two cases for the application to crash. In case A, the

function @0177C1AB
returns a large value which is copied in ESI register. In case B,
the function @0177CAAB
returns a large value in EAX register. The values returned by this
call instruction
are not predictable with the offset at 0x2024.

0177C1AB    E8 700D0100     CALL AcroRd_1.0178CF20
0177C1B0    8BD6            MOV EDX,ESI           ; Case A: ESI is large
0177C1B2    03F0            ADD ESI,EAX           ; Case B: EAX is large
0177C1B4    3BD6            CMP EDX,ESI
0177C1B6    73 2B           JNB SHORT AcroRd_1.0177C1E3
0177C1B8    8B4424 20       MOV EAX,DWORD PTR SS:[ESP+20]
0177C1BC    8D3C50          LEA EDI,DWORD PTR DS:[EAX+EDX*2]
0177C1BF    8B4424 1C       MOV EAX,DWORD PTR SS:[ESP+1C]  ; EAX

holds the value to be initialized
0177C1C3 8BCE MOV ECX,ESI ; ECX
holds the count; copied from ESI
0177C1C5 2BCA SUB ECX,EDX
0177C1C7 8B5C24 30 MOV EBX,DWORD PTR SS:[ESP+30]
0177C1CB 66:8BD0 MOV DX,AX
0177C1CE C1E2 10 SHL EDX,10
0177C1D1 66:8BD0 MOV DX,AX
0177C1D4 D1E9 SHR ECX,1
0177C1D6 8BC2 MOV EAX,EDX
0177C1D8 F3:AB REP STOS DWORD PTR ES:[EDI] ; EDI
points to the target memory and
; results
in access violation for larger
; ECX values

A vulnerability like this can possibly be exploited through techniques like
heap spray, particularly since Adobe Acrobat Reader supports embedded
javascripts, however this possibility is currently unverified.

–[ Impact:

* Application crash in most cases.
* Code execution possibility is unverified.

–[ Vendor response:

http://www.adobe.com/support/security/bulletins/apsb09-04.html

–[ Credits:

This vulnerability was discovered by Security Researcher
Jonathan Brossard from iViZ Security Research Team.

–[ Disclosure timeline:

  • 25/03/2009: Public Disclosure
  • 28/02/2009: Vendor acknowledged receipt of submitted vulnerability details
  • 26/02/2009: Vendor replied providing PGP keys
  • 25/02/2009: Contacted vendor asking for PGP keys

–[ Reference:

http://www.ivizsecurity.com/security-advisory.html

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/