Full Disclosure mailing list archives
Re: [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code
From: KF <dotslash () snosoft com>
Date: Mon, 07 Jul 2003 16:09:24 +0000
I could not reproduce this with the following files on linux:

gentoo adobe-PoC # md5sum /usr/local/Acrobat5/bin/acroread
a4908088a3dfe2d7a72f0792ca8534e0 /usr/local/Acrobat5/bin/acroread
gentoo adobe-PoC # md5sum linux-507.tar.gz
25f0ab387ebed3bf63ca24962ffcf9fa linux-507.tar.gz

nor with

gentoo adobe-PoC # md5sum /usr/local/Acrobat5/bin/acroread
a3c3d54042e91d152bb82649038159cf /usr/local/Acrobat5/bin/acroread
gentoo adobe-PoC # md5sum linux-505.tar.gz
5c1cef0b5b1eb75ed01fefb3d6a88ce0 linux-505.tar.gz

I was instead told "A browser has not been specified. Do you want to configure Weblink Prefrences?"

I set the browser to mozilla and had no luck with the overflow... just a mozilla mail with a HUGE mail to: line. Am I missing something?

-KF

sec-labs team wrote:
sec-labs team proudly presents:

Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier
by mcbethh 29/06/2003

I. BACKGROUND

Quote from documentation: 'The Acrobat Reader allows anyone to view, navigate, and print documents in the Adobe Portable Document Format (PDF).' However, there is Acrobat Reader 6.0 for Windows and MacOS; version 5.0.7 is the last for unix.

II. DESCRIPTION

There is a buffer overflow vulnerability in the WWWLaunchNetscape function. It copies the link address to a 256-byte (in the 5.0.5 version) buffer until '\0' is found. If the link is longer than 256 bytes, the return address is overwritten. Notice that the user has to execute (click on) our link to exploit this vulnerability. The user also has to have the netscape browser in preferences, but it is the default setting.

III. IMPACT

If somebody clicks on a link from a .pdf file specially prepared by an attacker, malicious code can be executed with his privileges.

IV. PROOF OF CONCEPT

Proof of concept exploit is attached. It doesn't contain shellcode nor a valid return address. It just shows that the return address can be overwritten with any value. Use gdb to see it, because acroread will not crash.
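An added illustration of the defect pattern the advisory describes (a link address copied into a fixed 256-byte buffer until '\0' with no length check) beside the bounded form that rejects over-long links. This is constructed example code, not Adobe's code and not the advisory's attached PoC; the buffer size LINK_BUF and the function names are assumptions, and the unchecked copy is only modelled, never performed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, taken from the advisory's description (256 bytes). */
#define LINK_BUF 256

/* Model of the unchecked copy: how many bytes the strcpy-style loop would
 * write past the end of a LINK_BUF buffer (0 means the link fits). */
size_t unchecked_overrun(const char *link) {
    size_t need = strlen(link) + 1;          /* bytes written, incl. '\0' */
    return need > LINK_BUF ? need - LINK_BUF : 0;
}

/* Hardened form: check the length against the destination first, then
 * copy with an explicit bound.  Returns 0 on success, -1 if rejected. */
int launch_link_safe(char *dst, size_t dstsz, const char *link) {
    size_t n = strlen(link);
    if (n >= dstsz)                          /* leave room for '\0' */
        return -1;
    memcpy(dst, link, n + 1);
    return 0;
}

/* Build a constructed "mailto:" link padded with 'A' to exactly len bytes. */
static void make_link(char *out, size_t len) {
    const char *prefix = "mailto:";
    size_t p = strlen(prefix);
    if (len < p) len = p;
    memcpy(out, prefix, p);
    memset(out + p, 'A', len - p);
    out[len] = '\0';
}

/* Overrun the unchecked copy would produce for a link of len bytes. */
size_t overrun_for_length(size_t len) {
    char link[1024];
    if (len >= sizeof link) len = sizeof link - 1;
    make_link(link, len);
    return unchecked_overrun(link);
}

/* Result of the bounded copy for a link of len bytes (0 ok, -1 rejected). */
int safe_result_for_length(size_t len) {
    char link[1024], buf[LINK_BUF];
    if (len >= sizeof link) len = sizeof link - 1;
    make_link(link, len);
    return launch_link_safe(buf, sizeof buf, link);
}

int main(void) {
    size_t lens[] = { 40, 255, 256, 300 };
    for (size_t i = 0; i < 4; i++)
        printf("len=%zu overrun=%zu bounded=%d\n", lens[i],
               overrun_for_length(lens[i]), safe_result_for_length(lens[i]));
    return 0;
}
```

Note the boundary: a 255-byte link fits (the '\0' lands in byte 256), while a 256-byte link already writes one byte past the buffer, which is exactly what the length check in launch_link_safe refuses.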
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code sec-labs team (Jul 01)
- <Possible follow-ups>
- Re: [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code KF (Jul 07)
- Re: Re: [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code Paul Szabo (Jul 07)