Dailydave mailing list archives

Adobe Acrobat XFDF Vulnerability


From: Nate McFeters <nate.mcfeters () gmail com>
Date: Sat, 19 Feb 2005 14:57:15 -0500

I'm sure some of you have experience trying to trace through a program's
execution with a debugger looking for overflow conditions... I've been
trying to find this vulnerability as an exercise and have come to a
standstill.  I actually was put on to this during a job interview I
had; they wanted me to use Ollydbg to find which function the overflow
occurs in.  I was unable to do so in the interview, but they were more
interested in seeing how I used olly anyhow.  Anyways, I decided I
would still go through and try to find the exploit for my own knowledge,
but I can't seem to reproduce it.

Anyhow, the vulnerability exists when Acrobat Reader 5.1 parses xfdf
files (xfdf files are basically an xml representation used to comment
PDF files) and exists in an sprintf function call that occurs in
preparation for a call to OutputDebugMessage.

My strategy for finding this first off was to get the specs for what's
in an XFDF file (http://partners.adobe.com/public/developer/en/xml/xfdf_2.0_draft.pdf),
then create a sample xfdf file and go through and individually attempt to
cause an overflow by stuffing elements and attributes full of A's.
The idea was that when you looked at this in ollydbg, you would get a
bunch of 41's to show up in the EIP register.  It didn't happen.

The next idea was to look for all instances of the sprintf family of
functions and all instances of the OutputDebugString function and then
find the ones that were close to each other (with the sprintf
preceding) and set breakpoints on them to observe what was happening
to all of the A's I was stuffing in there.  No dice.

Anyone else got any ideas?  I'm starting to think that I have
downloaded a patched version from Adobe.  It is a 5.1 version, but I'm
thinking maybe they put a patch on it to fix it.  Totally stuck here,
any suggestions would be appreciated.

Nate
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
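The bug class the post describes, a fixed-size buffer filled by sprintf() from an attacker-controlled XFDF attribute before the result is handed to OutputDebugString(), is easy to reconstruct in isolation. The block below is an added illustration written for this archive page; it is not Acrobat's code and nothing in it is taken from the Reader binary. The function names (log_field_unsafe, log_field_safe, field_fits), the buffer size DEBUG_MSG_MAX, the "XFDF field: %s" format string and the debug_sink stand-in for OutputDebugString() are all assumptions. It shows the unbounded pattern next to the hardened one, where snprintf()'s return value tells the caller whether the message was truncated, and a pre-check that a reviewer or fuzzer harness can use to decide whether a given attribute value would have fit.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the pattern described on the list, not
 * Acrobat's code: a fixed-size buffer, an sprintf() whose %s argument comes
 * from an XFDF attribute, and a debug-output call afterwards.  The Win32
 * OutputDebugString() is replaced by a no-op sink so this builds anywhere. */

#define DEBUG_MSG_MAX 64          /* assumed buffer size */

static void debug_sink(const char *msg) { (void)msg; }

/* Vulnerable pattern: sprintf() has no idea how large 'msg' is.  A
 * 'field_name' longer than the buffer writes past the end of the stack
 * frame.  Deliberately never called with oversized input in this file. */
void log_field_unsafe(const char *field_name)
{
    char msg[DEBUG_MSG_MAX];
    sprintf(msg, "XFDF field: %s", field_name);   /* unbounded write */
    debug_sink(msg);
}

/* Hardened pattern: snprintf() bounds the write to out_len bytes and returns
 * the length it *wanted* to write.  Comparing that with out_len detects
 * truncation.  Returns true if the whole message fit, false otherwise. */
bool log_field_safe(const char *field_name, char *out, size_t out_len)
{
    int needed = snprintf(out, out_len, "XFDF field: %s", field_name);
    if (needed < 0) {                 /* encoding error: emit nothing */
        out[0] = '\0';
        return false;
    }
    debug_sink(out);                  /* always NUL-terminated here */
    return (size_t)needed < out_len;
}

/* Pre-check used by a review or test harness: would this attribute value
 * fit in a buffer of buf_len bytes once the fixed prefix and the
 * terminating NUL are counted? */
bool field_fits(const char *field_name, size_t buf_len)
{
    size_t fixed = strlen("XFDF field: ");
    return fixed + strlen(field_name) < buf_len;   /* '<' leaves room for NUL */
}

int main(void)
{
    char buf[DEBUG_MSG_MAX];
    char long_name[200];                           /* constructed input: 199 A's */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    printf("short value fits: %d\n", log_field_safe("name", buf, sizeof buf));
    printf("long value fits: %d (buffer now holds %zu chars)\n",
           log_field_safe(long_name, buf, sizeof buf), strlen(buf));
    printf("pre-check long value: %d\n", field_fits(long_name, sizeof buf));
    return 0;
}
```

The point for a reviewer hunting this class of bug is the second function's return value: a bounded write alone stops the memory corruption, but silently truncating a debug line hides the fact that input exceeded the design limit, so the caller should still see the truncation flag.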