sec-labs team proudly presents:

Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier

by mcbethh
29/06/2003

I. BACKGROUND

Quote from the documentation: 'The Acrobat Reader allows anyone to view, navigate, and print documents in the Adobe Portable Document Format (PDF).'

However, there is an Acrobat Reader 6.0 for Windows and MacOS; version 5.0.7 is the last version for Unix.

II. DESCRIPTION

There is a buffer overflow vulnerability in the WWWLaunchNetscape function. It copies the link address into a 256-byte buffer (in version 5.0.5) until a '\0' is found. If the link is longer than 256 bytes, the return address is overwritten.

Notice that the user has to execute (click on) the link to trigger this vulnerability. The user also has to have the Netscape browser set in the preferences, but that is the default setting.

III. IMPACT

If somebody clicks on a link in a .pdf file specially prepared by an attacker, malicious code can be executed with that user's privileges.

IV. PROOF OF CONCEPT

A proof-of-concept exploit is attached. It contains neither shellcode nor a valid return address; it just shows that the return address can be overwritten with an arbitrary value. Use gdb to see it, because acroread will not crash.
--
sec-labs team [http://sec-labs.hack.pl]

[Attachment: seclabs-poc-adobe-acrobat-reader-29-06-2003.tar.bz2 (application/octet-stream, base64-encoded proof-of-concept archive)]
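Added example (not part of the advisory and not Adobe's code): the defect in section II is a copy loop that stops only at '\0' and never checks the destination size, so a link longer than the 256-byte buffer overruns the stack frame. The bounded counterpart below keeps the same loop shape but refuses any link that does not fit together with its terminator, which is the check a fix needs. The buffer size comes from the advisory; the function names copy_link_bounded, launch_netscape_checked and make_link are hypothetical, and the link inputs are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Destination size the advisory reports for Acrobat Reader 5.0.5. */
#define LINK_BUF_SIZE 256

/* Hardened counterpart of the copy loop described in the advisory
 * (hypothetical function, not Adobe's code). Copies link into dst,
 * stopping at NUL, but fails closed if the link would not fit along
 * with its terminator. Returns the number of bytes copied, or -1 if
 * the link is too long or an argument is invalid. */
int copy_link_bounded(char *dst, size_t dst_size, const char *link) {
    size_t i;
    if (dst == NULL || link == NULL || dst_size == 0)
        return -1;
    for (i = 0; link[i] != '\0'; i++) {
        /* The original loop would keep writing here; we stop instead. */
        if (i + 1 >= dst_size) {        /* no room for this byte plus NUL */
            dst[0] = '\0';
            return -1;
        }
        dst[i] = link[i];
    }
    dst[i] = '\0';
    return (int)i;
}

/* Launcher wrapper with a fixed 256-byte buffer, as the advisory
 * describes, but guarded by the bounded copy. Returns the copied
 * length on success, -1 when an oversize link is rejected. */
int launch_netscape_checked(const char *link) {
    char buf[LINK_BUF_SIZE];
    int n = copy_link_bounded(buf, sizeof buf, link);
    if (n < 0)
        return -1;                      /* reject instead of smashing the stack */
    /* A real launcher would hand buf to the browser at this point. */
    return n;
}

/* Constructed test helper: writes an "http://" link padded with 'A'
 * to exactly len bytes into out (out must hold len + 1 bytes). */
void make_link(char *out, size_t len) {
    const char prefix[] = "http://";
    size_t i;
    for (i = 0; i < len; i++)
        out[i] = (i < sizeof prefix - 1) ? prefix[i] : 'A';
    out[len] = '\0';
}

int main(void) {
    char link[512];
    make_link(link, 255);
    printf("255-byte link: %d\n", launch_netscape_checked(link)); /* fits */
    make_link(link, 300);
    printf("300-byte link: %d\n", launch_netscape_checked(link)); /* rejected */
    return 0;
}
```

The boundary case is a 256-byte link: it has exactly as many characters as the buffer, but the terminator would land one byte past the end, so the check rejects it; a 255-byte link is the longest accepted.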