I could not reproduce this with the following files on linux:

gentoo adobe-PoC # md5sum /usr/local/Acrobat5/bin/acroread
a4908088a3dfe2d7a72f0792ca8534e0 /usr/local/Acrobat5/bin/acroread
gentoo adobe-PoC # md5sum linux-507.tar.gz
25f0ab387ebed3bf63ca24962ffcf9fa linux-507.tar.gz

nor with

gentoo adobe-PoC # md5sum /usr/local/Acrobat5/bin/acroread
a3c3d54042e91d152bb82649038159cf /usr/local/Acrobat5/bin/acroread
gentoo adobe-PoC # md5sum linux-505.tar.gz
5c1cef0b5b1eb75ed01fefb3d6a88ce0 linux-505.tar.gz

I was instead told "A browser has not been specified. Do you want to configure Weblink Prefrences?" I set the browser to mozilla and had no luck with the overflow... just a mozilla mail with a HUGE mail to: line.

Am I missing something?
-KF

sec-labs team wrote:
> sec-labs team proudly presents:
>
> Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier
> by mcbethh
> 29/06/2003
>
> I. BACKGROUND
>
> quote from documentation:
> 'The Acrobat Reader allows anyone to view, navigate, and print documents
> in the Adobe Portable Document Format (PDF).'
>
> However there is Acrobat Reader 6.0 for windows and MacOS, version 5.0.7
> is last for unix.
>
> II. DESCRIPTION
>
> There is buffer overflow vulnerability in WWWLaunchNetscape function. It
> copies link address to 256 bytes (in 5.0.5 version) buffer until '\0' is
> found. If link is longer than 256 bytes return address is overwritten.
> Notice that user has to execute (click on it) our link to exploit this
> vulnerability. User also has to have netscape browser in preferences,
> but it is default setting.
>
> III. IMPACT
>
> If somebody clicks on a link from .pdf file specially prepared by attacker,
> malicious code can be executed with his privileges.
>
> IV. PROOF OF CONCEPT
>
> Proof of concept exploit is attached. It doesn't contain shellcode nor
> valid return address. It just shows that return address can be overwritten
> with any value. Use gdb to see it, because acroread will not crash.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Mon Jul 07 2003 - 15:16:53 PDT
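
A defender-side check for the condition the quoted advisory describes, added here as an example and not part of either message or of any sec-labs or Adobe code: it decodes each `/URI` link target in a PDF's uncompressed objects and reports those that would not fit, with their terminating NUL, in the 256-byte buffer the advisory mentions. The function names, the `BUF_SIZE` constant and the sample bytes are assumptions made for this illustration.

```python
import re
BUF_SIZE = 256  # buffer size the advisory gives for 5.0.5
ESC = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}
URI_KEY = re.compile(rb"/URI\s*(\(|<(?!<))")  # string value, not a << dict >>

def read_literal(data, pos):
    """Decode the PDF literal string whose '(' is at data[pos]."""
    out, depth, i = bytearray(), 1, pos + 1
    while i < len(data):
        c = data[i]
        if c == 0x5C:  # backslash: octal, named escape, or line continuation
            octal = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
            if octal:
                out.append(int(octal.group(), 8) & 0xFF)
                i += 1 + len(octal.group())
                continue
            nxt = data[i + 1:i + 2]
            if nxt not in (b"\n", b"\r", b""):
                out.append(ESC.get(nxt[0], nxt[0]))
            i += 3 if data[i + 1:i + 3] == b"\r\n" else 2
            continue
        depth += (c == 0x28) - (c == 0x29)  # track nested parentheses
        if depth == 0:
            break
        out.append(c)
        i += 1
    return bytes(out)

def read_hex(data, pos):
    """Decode the PDF hex string whose '<' is at data[pos]."""
    end = data.find(b">", pos)
    body = data[pos + 1:end if end != -1 else len(data)]
    digits = re.sub(rb"[^0-9A-Fa-f]", b"", body)
    return bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode())

def oversized_uris(pdf_bytes, limit=BUF_SIZE):
    """Return (offset, length) of each /URI value of `limit` bytes or more."""
    hits = []
    for m in URI_KEY.finditer(pdf_bytes):
        reader = read_literal if m.group(1) == b"(" else read_hex
        value = reader(pdf_bytes, m.start(1))
        if len(value) >= limit:  # value plus its NUL exceeds the buffer
            hits.append((m.start(), len(value)))
    return hits

# Constructed sample: two link actions, the second with an over-long target.
SAMPLE = (b"1 0 obj << /S /URI /URI (http://example.com/a\\(b\\)) >> endobj\n"
          b"2 0 obj << /S /URI /URI (mailto:" + b"A" * 300 + b") >> endobj\n")
print(oversized_uris(SAMPLE))
```

Link actions stored inside compressed streams are not visible to this byte-level scan; such a file has to be decompressed first.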