------------------------------------------------------------------------------------------ [ iViZ Security Advisory 09-001 25/03/2009 ] ------------------------------------------------------------------------------------------ iViZ Techno Solutions Pvt. Ltd. http://www.ivizsecurity.com ------------------------------------------------------------------------------------------ * Title: Adobe Acrobat Reader Memory Corruption Vulnerability * Date: 25/03/2009 * Software: Adobe Acrobat Reader 9.0.0, 8.1.3 --[ Synopsis: Adobe acrobat reader crashes while processing a malformed PDF file. --[ Affected Software: * Adobe Acrobat Reader 9.0.0 * Adobe Acrobat Reader 8.1.3 and before * Other versions may also be affected (The vulnerability affects both Windows and Linux version of Acrobat Reader) --[ Technical description: Adobe acrobat reader initializes large memory based on specific values read from the PDF file itself. Mostly this results in access violation but code execution may be possible due to heap corruption. The technical details tested on Acrobat Reader 9.0.0 are as follows: There are two cases for the application to crash. In case A, the function @0177C1AB returns a large value which is copied in ESI register. In case B, the function @0177CAAB returns a large value in EAX register. The values returned by this call instruction are not predictable with the offset at 0x2024. 0177C1AB E8 700D0100 CALL AcroRd_1.0178CF20 0177C1B0 8BD6 MOV EDX,ESI ; Case A: ESI is large 0177C1B2 03F0 ADD ESI,EAX ; Case B: EAX is large 0177C1B4 3BD6 CMP EDX,ESI 0177C1B6 73 2B JNB SHORT AcroRd_1.0177C1E3 0177C1B8 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20] 0177C1BC 8D3C50 LEA EDI,DWORD PTR DS:[EAX+EDX*2] 0177C1BF 8B4424 1C MOV EAX,DWORD PTR SS:[ESP+1C] ; EAX holds the value to be initialized 0177C1C3 8BCE MOV ECX,ESI ; ECX holds the count; copied from ESI 0177C1C5 2BCA SUB ECX,EDX 0177C1C7 8B5C24 30 MOV EBX,DWORD PTR SS:[ESP+30] 0177C1CB 66:8BD0 MOV DX,AX 0177C1CE C1E2 10 SHL EDX,10 0177C1D1 66:8BD0 MOV DX,AX 0177C1D4 D1E9 SHR ECX,1 0177C1D6 8BC2 MOV EAX,EDX 0177C1D8 F3:AB REP STOS DWORD PTR ES:[EDI] ; EDI points to the target memory and ; results in access violation for larger ; ECX values A vulnerability like this can possibly be exploited through techniques like heap spray, particularly since Adobe Acrobat Reader supports embedded javascripts, however this possibility is currently unverified. --[ Impact: * Application crash in most cases. * Code execution possibility is unverified. --[ Vendor response: http://www.adobe.com/support/security/bulletins/apsb09-04.html --[ Credits: This vulnerability was discovered by Security Researcher Jonathan Brossard from iViZ Security Research Team. --[ Disclosure timeline: * 25/03/2009: Public Disclosure * 28/02/2009: Vendor acknowledged receipt of submitted vulnerability details * 26/02/2009: Vendor replied providing PGP keys * 25/02/2009: Contacted vendor asking for PGP keys --[ Reference: http://www.ivizsecurity.com/security-advisory.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/