Re: Vulnerability found: The Adobe eBook Library

[c c <cesarc56 () yahoo com>]

The library is also affected by sql inyection, css,
etc.
The web application must be review and fixed.

Cesar.

--- Vladimir Katalov <info () elcomsoft com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: MD5
>
>
> Find attached the detailed information about the
> bugs/vulnerabilities
> we have found in The Adobe eBook Library.
>
> - --
> Sincerely yours,
>   Vladimir
>
> Vladimir Katalov
> Managing Director
> ElcomSoft Co.Ltd.
> Member of Russian Cryptology Association
> mailto:info () elcomsoft com
> http://www.elcomsoft.com (Corporate site)
> http://www.crackpassword.com (Password Recovery
> Software)
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6
iQEVAwUAPS7D14avf/iY3ldlAQFtbQf/TAvucVkcbkK63KOg/bVUXRzg8I106UaT
>
kROzh9GoqJPxh9Gp5xFJASg5cGPrHaNeDq6kMksHBL4EBpsUtjheCaZGBk0w66GK
>
+Kj6A0X1QW28/vTo9GKcBlLB3TGkVQrrCod7ofluIJHe9Jcd+ca85s9BfiEm02B+
>
MplH5hkQGrE2G4M+UPRATpzXAgvyu1eW+IA5l3aNmDOQNrXsAZchR8mZm7KY3E2H
>
sjTS9rnDkH8CdjV04WB8C7D7d/yoWVdL/MG0ghRekw1TUeyFjtFEKv62EsU6zBMV
>
+1gNk56LXEWMJHKsMU81kPRrmCQNwtL7zM+ApHIu6sXqMQ+fsJEc4Q==
> =iwne
> -----END PGP SIGNATURE-----> CONTACT INFORMATION
===============================================================================
>  Name                 : Vladimir Katalov
>  E-mail                       : info () elcomsoft com
>  Phone / fax          : +7 095 216-7937
>                           +1 866 448-2703 (fax; US,
> toll-free)
>  Affiliation and address: 2-171 generala Antonova
> st.
>                           Moscow 117279
>                           Russia
>
>
> TECHNICAL INFO
===============================================================================
> Description
> -----------
>
>   Adobe Systems Incorporated (http://www.adobe.com)
> recently opened
>   a special web site to demonstrate the new library
> features of
>   Adobe Content Server 3.0
> (http://www.adobe.com/products/contentserver).
>   According to Adobe description, "The Adobe eBook
> Library uses Adobe
>   Content Server as a secure repository for the
> eBooks". The library
>   is located at:
>
>   http://librarydemo.adobe.com/library/
>
>   There are a few books available -- 5 copies of
> each. The customer
>   can borrow any book for a fixed period of time
> (one or three days);
>   when one customer gets a book, the counter
> ("number of books
>   available") is decreased, and when it reaches
> zero, this book
>   becomes not available until at least one other
> customer will return
>   it to the library, or loan period will expire.
> However, there are three
>   bugs/vulnerabilities there:
>
>   1. It is possible to get all available copies of
> any book --
>      Adobe Acrobat eBook Reader doesn't check if you
> have borrowed the
>      given book already. 
>
>   2. The loan period (one or three days) is not
> verified. It is implemented
>      in the script using the following
>
>      <FORM id=form2 name="form2"
ACTION="http://librarydemo.adobe.com/library/download.asp";
> METHOD="POST">
>        <INPUT type=hidden value=133 name=bookid> 
>        <INPUT type=radio CHECKED value=1440
> name=loanMin> Borrow for 1 day<BR>
>        <INPUT type=radio value=4320 name=loanMin>
> Borrow for 3 days<BR>
>        ...
>
>      The value of loanMin is the loan period in
> minutes (1440 for one
>      day, and 4320 for three days). It is possible
> to save the form to
>      the local disk, change one of the values to the
> one you need (i.e.
>      525600 for one year), load the updated form
> into the browser, and
>      by pressing the "Add to  bookbag" button borrow
> this book for the
>      selected ("fake") period. 
>
>   3. When the book counter reaches zero, the user
> can see a note near the
>      book description: 
>
>      There are currently none available.
>      Please check back later. 
>
>      However, the "Add to  bookbag" button is still
> available and working
>      just fine, i.e. it is still possible to get
> another copy (copies) of
>      the book. And the "Number of Books" counter (on
> the library page)
>      becomes negative.
>
> The impact
> ----------
>
>   By combining bugs [1] and [2], it is very easy to
> implement something
>   like "Denial-of-service" attack for the library:
> just get all copies of
>   all books from the library (for very large period
> of time -- e.g. a few
>   years). So no books will be available to anybody
> else.
>
>   Besides, there is ability to borrow the books for
> unlimited time.
>
> Possible workaround/fixes
> -------------------------
>
>   The script should verify 'loanMin' input value,
> and should
>   not allow to borrow the book if it does not match
> pre-defined
>   values, or if number of books available is already
> zero.
>
>
> OTHER INFORMATION
===========================================================================
>   Some time ago we have found much more serious
> problem with another
>   Adobe software and reported it to the vendor;
> however, there was no
>   response at all, and so we decided not to waste
> our time reporting
>   this one (about the library) to Adobe.


__________________________________________________
Do You Yahoo!?
Sign up for SBC Yahoo! Dial - First Month Free
http://sbc.yahoo.com