[Full-Disclosure] Re: [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code

From: KF (dotslashat_private)
Date: Mon Jul 07 2003 - 09:09:24 PDT


    I could not reproduce this with the following files on linux:
    
    gentoo adobe-PoC # md5sum /usr/local/Acrobat5/bin/acroread
    a4908088a3dfe2d7a72f0792ca8534e0  /usr/local/Acrobat5/bin/acroread
    gentoo adobe-PoC # md5sum linux-507.tar.gz
    25f0ab387ebed3bf63ca24962ffcf9fa  linux-507.tar.gz
    
    nor with
    
    gentoo adobe-PoC # md5sum /usr/local/Acrobat5/bin/acroread
    a3c3d54042e91d152bb82649038159cf  /usr/local/Acrobat5/bin/acroread
    gentoo adobe-PoC # md5sum linux-505.tar.gz
    5c1cef0b5b1eb75ed01fefb3d6a88ce0  linux-505.tar.gz
    
    I was instead told "A browser has not been specified. Do you want to
    configure Weblink Preferences?"  I set the browser to mozilla and had
    no luck with the overflow... just a mozilla mail with a HUGE mail to: line.
    
    Am I missing something?
    
    -KF
    
    sec-labs team wrote:
    
    >     sec-labs team proudly presents:
    >     
    >     Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier
    >     by mcbethh
    >     29/06/2003
    >     
    >   I. BACKGROUND
    >     
    >     quote from documentation: 
    >     'The Acrobat Reader allows anyone to view, navigate, and print documents 
    >     in the Adobe Portable Document Format (PDF).'
    >     
    >     However, there is Acrobat Reader 6.0 for Windows and MacOS; version 5.0.7
    >     is the last for Unix.
    >     
    >   II. DESCRIPTION
    >     
    >     There is a buffer overflow vulnerability in the WWWLaunchNetscape function. It
    >     copies the link address to a 256-byte (in version 5.0.5) buffer until '\0' is
    >     found. If the link is longer than 256 bytes, the return address is overwritten.
    >     Notice that the user has to execute (click on) our link to exploit this
    >     vulnerability. The user also has to have the Netscape browser in preferences,
    >     but it is the default setting.
    >     
    >   III. IMPACT
    >     
    >     If somebody clicks on a link from a .pdf file specially prepared by an attacker,
    >     malicious code can be executed with his privileges.
    >     
    >   IV. PROOF OF CONCEPT
    >     
    >     A proof of concept exploit is attached. It doesn't contain shellcode nor a
    >     valid return address. It just shows that the return address can be overwritten
    >     with any value. Use gdb to see it, because acroread will not crash.
    >     
    
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
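    The copy-until-NUL pattern the advisory describes, shown beside a bounded form. This is an added, hypothetical reconstruction for illustration, not Adobe's code and not the sec-labs PoC; the function names, the 256-byte size (taken from the advisory's description of 5.0.5) and the check_link_length helper are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define LINK_BUF 256   /* buffer size the advisory reports for version 5.0.5 */

/* Hypothetical reconstruction of the flawed pattern: the link is copied into
 * a fixed-size stack buffer until '\0' with no length check. Only call this
 * with input shorter than LINK_BUF; anything longer corrupts the stack, which
 * is the defect the advisory describes. */
void launch_link_unsafe(const char *link)
{
    char buf[LINK_BUF];
    strcpy(buf, link);                 /* unbounded copy: the bug */
    printf("launching (unsafe): %zu bytes\n", strlen(buf));
}

/* Hardened form: reject links that do not fit (leaving room for the
 * terminator), copy with an explicit bound, and always terminate.
 * Returns 0 when the link is accepted and -1 when it is rejected. */
int launch_link_safe(const char *link)
{
    char buf[LINK_BUF];
    size_t n = strlen(link);
    if (n >= sizeof buf)
        return -1;                     /* would overflow: refuse to launch */
    memcpy(buf, link, n + 1);          /* n + 1 copies the '\0' too */
    printf("launching (safe): %zu bytes\n", strlen(buf));
    return 0;
}

/* Helper for the worked example: builds a constructed link of the given
 * length ('A' repeated) and runs it through the hardened launcher. */
int check_link_length(size_t len)
{
    char link[1024];
    if (len >= sizeof link)
        return -1;
    memset(link, 'A', len);
    link[len] = '\0';
    return launch_link_safe(link);
}

int main(void)
{
    launch_link_unsafe("http://example.com/");         /* short input only */
    printf("255 bytes: %d\n", check_link_length(255)); /* 0: fits */
    printf("256 bytes: %d\n", check_link_length(256)); /* -1: no room for '\0' */
    printf("300 bytes: %d\n", check_link_length(300)); /* -1: rejected */
    return 0;
}
```

    The boundary case (exactly 256 bytes) is rejected because the terminator needs the last byte; the unsafe version would already have written one byte past the buffer there.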
    