------------------------------------------------------------------------------------------
[ iViZ Security Advisory 09-001                            25/03/2009 ]
------------------------------------------------------------------------------------------
iViZ Techno Solutions Pvt. Ltd.
                                            http://www.ivizsecurity.com
------------------------------------------------------------------------------------------

* Title:     Adobe Acrobat Reader Memory Corruption Vulnerability
* Date:      25/03/2009
* Software:  Adobe Acrobat Reader 9.0.0, 8.1.3

--[ Synopsis:

    Adobe acrobat reader crashes while processing a malformed PDF file.

--[ Affected Software:

  * Adobe Acrobat Reader 9.0.0
  * Adobe Acrobat Reader 8.1.3 and before
  * Other versions may also be affected
    (The vulnerability affects both Windows and Linux version of Acrobat Reader)

--[ Technical description:

    Adobe acrobat reader initializes large memory based on specific values read
    from the PDF file itself. Mostly this results in access violation but code
    execution may be possible due to heap corruption.

    The technical details tested on Acrobat Reader 9.0.0 are as follows:

    There are two cases for the application to crash. In case A, the
function @0177C1AB
    returns a large value which is copied in ESI register. In case B,
the function @0177CAAB
    returns a large value in EAX register. The values returned by this
call instruction
    are not predictable with the offset at 0x2024.

    0177C1AB    E8 700D0100     CALL AcroRd_1.0178CF20
    0177C1B0    8BD6            MOV EDX,ESI           ; Case A: ESI is large
    0177C1B2    03F0            ADD ESI,EAX           ; Case B: EAX is large
    0177C1B4    3BD6            CMP EDX,ESI
    0177C1B6    73 2B           JNB SHORT AcroRd_1.0177C1E3
    0177C1B8    8B4424 20       MOV EAX,DWORD PTR SS:[ESP+20]
    0177C1BC    8D3C50          LEA EDI,DWORD PTR DS:[EAX+EDX*2]
    0177C1BF    8B4424 1C       MOV EAX,DWORD PTR SS:[ESP+1C]  ; EAX
holds the value to be initialized
    0177C1C3    8BCE            MOV ECX,ESI                    ; ECX
holds the count; copied from ESI
    0177C1C5    2BCA            SUB ECX,EDX
    0177C1C7    8B5C24 30       MOV EBX,DWORD PTR SS:[ESP+30]
    0177C1CB    66:8BD0         MOV DX,AX
    0177C1CE    C1E2 10         SHL EDX,10
    0177C1D1    66:8BD0         MOV DX,AX
    0177C1D4    D1E9            SHR ECX,1
    0177C1D6    8BC2            MOV EAX,EDX
    0177C1D8    F3:AB           REP STOS DWORD PTR ES:[EDI] ; EDI
points to the target memory and
                                                            ; results
in access violation for larger
                                                            ; ECX values

    A vulnerability like this can possibly be exploited through techniques like
    heap spray, particularly since Adobe Acrobat Reader supports embedded
    javascripts, however this possibility is currently unverified.

--[ Impact:

    * Application crash in most cases.
    * Code execution possibility is unverified.

--[ Vendor response:

   http://www.adobe.com/support/security/bulletins/apsb09-04.html

--[ Credits:

    This vulnerability was discovered by Security Researcher
    Jonathan Brossard from iViZ Security Research Team.

--[ Disclosure timeline:

   * 25/03/2009: Public Disclosure
   * 28/02/2009: Vendor acknowledged receipt of submitted vulnerability details
   * 26/02/2009: Vendor replied providing PGP keys
   * 25/02/2009: Contacted vendor asking for PGP keys

--[ Reference:

    http://www.ivizsecurity.com/security-advisory.html