Full Disclosure mailing list archives

Re: [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow Vulnerability + PoC code


From: KF <dotslash () snosoft com>
Date: Mon, 07 Jul 2003 16:09:24 +0000

I could not reproduce this with the following files on linux:

gentoo adobe-PoC # md5sum /usr/local/Acrobat5/bin/acroread
a4908088a3dfe2d7a72f0792ca8534e0  /usr/local/Acrobat5/bin/acroread
gentoo adobe-PoC # md5sum linux-507.tar.gz
25f0ab387ebed3bf63ca24962ffcf9fa  linux-507.tar.gz

nor with

gentoo adobe-PoC # md5sum /usr/local/Acrobat5/bin/acroread
a3c3d54042e91d152bb82649038159cf  /usr/local/Acrobat5/bin/acroread
gentoo adobe-PoC # md5sum linux-505.tar.gz
5c1cef0b5b1eb75ed01fefb3d6a88ce0  linux-505.tar.gz

I was instead told "A browser has not been specified. Do you want to
configure Weblink Preferences?"  I set the browser to mozilla and had
no luck with the overflow... just a mozilla mail with a HUGE mail to: line.

Am I missing something?

-KF

sec-labs team wrote:

    sec-labs team proudly presents:
    Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier
    by mcbethh
    29/06/2003

    I. BACKGROUND

    Quote from documentation: 'The Acrobat Reader allows anyone to view,
    navigate, and print documents in the Adobe Portable Document Format
    (PDF).' However, there is Acrobat Reader 6.0 for Windows and MacOS;
    version 5.0.7 is the last for Unix.

    II. DESCRIPTION

    There is a buffer overflow vulnerability in the WWWLaunchNetscape
    function. It copies the link address into a 256-byte (in version 5.0.5)
    buffer until '\0' is found. If the link is longer than 256 bytes, the
    return address is overwritten. Notice that the user has to execute (click
    on) our link to exploit this vulnerability. The user also has to have the
    Netscape browser set in preferences, but that is the default setting.

    III. IMPACT

    If somebody clicks on a link from a .pdf file specially prepared by an
    attacker, malicious code can be executed with his privileges.

    IV. PROOF OF CONCEPT

    A proof of concept exploit is attached. It doesn't contain shellcode nor
    a valid return address. It just shows that the return address can be
    overwritten with any value. Use gdb to see it, because acroread will not
    crash.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
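The following is an added illustration of the bug class the quoted advisory describes (an unbounded copy of a link address into a 256-byte stack buffer, terminated only by '\0'), written for this page; it is not the sec-labs PoC, which was an attachment and is not reproduced here, nor Adobe's code. The frame layout (the link buffer immediately followed by an 8-byte saved-return-address slot), the function names, and the sentinel value are assumptions made for the demonstration; the real stack frame of acroread 5.0.x may differ. The simulated frame is one allocation so that the overrun stays inside it and the program is deterministic rather than crashing.

```c
/* Added example: models the WWWLaunchNetscape overflow from the advisory.
 * Not Adobe's code and not the sec-labs PoC; layout and names are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINK_BUF_SIZE 256   /* buffer size the advisory states for 5.0.5 */
#define RET_SLOT_SIZE 8     /* assumed: one saved return address follows the buffer */

/* Simulated stack frame (assumption): the link buffer sits directly below
 * the saved return address, so overrunning the buffer clobbers it. */
struct fake_frame {
    char link_buf[LINK_BUF_SIZE];
    unsigned char saved_ret[RET_SLOT_SIZE];
};

/* Sentinel standing in for the real saved return address. */
static const unsigned char ret_sentinel[RET_SLOT_SIZE] =
    { 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef };

/* Vulnerable copy in the style the advisory describes: characters are copied
 * until '\0' with no comparison against LINK_BUF_SIZE. The copy goes through a
 * char pointer into the whole frame, so a link of 256 or more characters spills
 * into saved_ret. The only guard is the frame size, to keep the demo inside the
 * allocation; the real function has no guard at all. */
static void launch_netscape_vulnerable(struct fake_frame *f, const char *link)
{
    char *dst = (char *)f;          /* same address as f->link_buf */
    size_t i = 0;
    while (link[i] != '\0' && i < sizeof *f) {
        dst[i] = link[i];
        i++;
    }
    if (i < sizeof *f)
        dst[i] = '\0';              /* the terminator itself can be the overflowing byte */
}

/* Hardened form: the length is checked first and over-long links are rejected
 * rather than silently truncated. Returns 0 on success, -1 if the link does not fit. */
int launch_netscape_safe(char *dst, size_t dstsz, const char *link)
{
    size_t n = strlen(link);
    if (n >= dstsz)
        return -1;
    memcpy(dst, link, n + 1);
    return 0;
}

/* Builds a constructed test link of `len` 'A' characters, like a PoC would. */
static char *make_long_link(size_t len)
{
    char *link = malloc(len + 1);
    if (link == NULL)
        return NULL;
    memset(link, 'A', len);
    link[len] = '\0';
    return link;
}

/* Returns 1 if a link of `len` characters clobbers the simulated return address
 * in the vulnerable copy, 0 if it does not, -1 on allocation failure. */
int link_of_length_overwrites_return(size_t len)
{
    struct fake_frame f;
    char *link = make_long_link(len);
    if (link == NULL)
        return -1;
    memset(&f, 0, sizeof f);
    memcpy(f.saved_ret, ret_sentinel, RET_SLOT_SIZE);
    launch_netscape_vulnerable(&f, link);
    free(link);
    return memcmp(f.saved_ret, ret_sentinel, RET_SLOT_SIZE) != 0;
}

/* Returns 1 if the hardened copy accepts a link of `len` characters into a
 * LINK_BUF_SIZE buffer, 0 if it rejects it, -1 on allocation failure. */
int safe_accepts_length(size_t len)
{
    char buf[LINK_BUF_SIZE];
    char *link = make_long_link(len);
    int rc;
    if (link == NULL)
        return -1;
    rc = launch_netscape_safe(buf, sizeof buf, link);
    free(link);
    return rc == 0;
}

int main(void)
{
    size_t lens[] = { 200, 255, 256, 300 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("link length %3zu: vulnerable copy clobbers return slot = %d, "
               "hardened copy accepts = %d\n",
               lens[i], link_of_length_overwrites_return(lens[i]),
               safe_accepts_length(lens[i]));
    }
    return 0;
}
```

Note that a 256-character link already reaches the slot: the 256 characters fill the buffer exactly and the trailing '\0' lands one byte past it, which is why the advisory's "longer than 256 bytes" condition is really "256 or more". The hardened version refuses exactly those links (length >= 256) instead of truncating, so a malicious link never gets a partial copy either.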

