Re: [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code

From: sec-labs team (team@sec-labs.hack.pl)
Date: Wed Jul 09 2003 - 04:15:37 PDT


    We can easily reproduce this bug on version 5.0.7 and 5.0.5 on Slackware
    Linux and Phoenix and Mozilla browsers. You can choose a Netscape- or
    NCSA-compatible browser in Adobe preferences, and WWWLaunchNetscape and
    WWWLaunchNCSA functions.
    
    You should not have a problem with this bug. It is quite simple to
    reproduce. Just create a .pdf file with a long link, execute adobe, open
    this file, then attach to it using gdb, put a breakpoint on
    WWWLaunchNetscape and click on the link. There is a loop in this function
    that does something like this:
    
        while(*src != '\0')
            *dst++ = *src++;
    
    As you can see there is no bounds checking.
    
    best regards
    
    -- 
    sec-labs team [http://sec-labs.hack.pl]
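
Added example, not part of the original message and not Adobe's code: a bounded form of the copy loop quoted above, which rejects a link that does not fit instead of writing past the destination. `URL_BUF_SIZE`, `copy_url_checked` and `long_link_is_rejected` are hypothetical names, and the buffer size is an assumption because the post does not state it.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF_SIZE 256  /* assumed size; the post does not give the real one */

/* Bounded form of the loop: 0 on success, -1 if src plus its NUL exceeds
 * dst_size. An over-long URL is rejected, not truncated into another URL. */
int copy_url_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';                 /* dst is an empty string on every failure */
    if (src == NULL)
        return -1;
    while (src[n] != '\0') {
        if (++n >= dst_size)       /* n bytes plus the NUL would not fit */
            return -1;
    }
    memcpy(dst, src, n + 1);       /* length already checked against dst_size */
    return 0;
}

/* Constructed input: a 4095-byte link. Returns 1 if it is rejected and the
 * guard bytes placed directly after the buffer are untouched. */
int long_link_is_rejected(void)
{
    struct { char buf[URL_BUF_SIZE]; unsigned char guard[16]; } s;
    char link[4096];
    size_t i;
    memset(s.guard, 0xA5, sizeof s.guard);
    memset(link, 'A', sizeof link - 1);
    memcpy(link, "http://", 7);
    link[sizeof link - 1] = '\0';
    if (copy_url_checked(s.buf, sizeof s.buf, link) != -1)
        return 0;
    for (i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0xA5)
            return 0;
    return s.buf[0] == '\0';
}

int main(void)
{
    printf("long link rejected: %d\n", long_link_is_rejected());
    return 0;
}
```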
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 09 2003 - 10:52:02 PDT