Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Vulnerability (critical): Digital signature for Adobe Acrobat/Reader plug-in can be forged

From: Vladimir Katalov <vkatalov () elcomsoft com>
Date: 4 Apr 2003 06:59:12 -0000
In-Reply-To: <200303261835.h2QIZD6g027059 () www harkless org>

Dan Harkless <bugtraq () harkless org> writes:

For those of us not familiar with Acrobat plugins, is there some facility
for the program retrieving/installing plugins automatically, or, to 

exploit

this would you need to entice a user to manually place your .api file in
their "plug_ins" directory (or run an installer program that would do so, 

in

which case you could run arbitrary code anyway in the installer)?


In any case, user should install plugin (i.e. put it into an appropriate
folder) manually. However, there are several ways to force user to so
so ;) For example, an author can make a plug-in which will look perfectly
valid -- i.e. doing something useful. Or that could be a security plug-in
required to read e-books in PDF format (offered for free). Malicious code,
however, can be activated at particular date, or when opening particular
PDF file etc.

But the main problem of this vulnerability, actually, falls into a
different category. It completely compromises the whole Acrobat security
model. For example, somebody can write a plug-in which allowing to save
an unprotected copy of *any* DRM-enabled PDF document (doesn't matter
what kind of security is being used -- FileOpen, WebBuy etc),
circumventing the protection completely. Such plug-in would never be
signed by Adobe (to be loaded into Acrobat, especially in "certified"
mode), but using the vulnerabilities we have described, fake signature
can be made -- so it will look like signed by Adobe.

-- 
Sincerely yours,
  Vladimir

Vladimir Katalov
Managing Director
ElcomSoft Co.Ltd.
Member of Association of Shareware Professionals (ASP)
Member of Russian Cryptology Association
mailto:vkatalov () elcomsoft com
http://www.elcomsoft.com/adc.html (Advanced Disk Catalog)
http://www.elcomsoft.com/art.html (Advanced Registry Tracer)
http://www.elcomsoft.com/prs.html (Password Recovery Software)
Previous By Date Next
Previous By Thread Next

Current thread: