Thursday, November 25, 2010

Acrobat Reader memory corruption advisory / analysis

A vulnerability discovered in Adobe Reader and Adobe Acrobat could allow remote code execution.

OVERVIEW:
A vulnerability has been discovered in Adobe Acrobat and Adobe Reader which could allow attackers to execute arbitrary code on affected systems. Adobe Reader allows users to view Portable Document Format (PDF) files, while Adobe Acrobat offers additional features such as the ability to create PDF files. This vulnerability may be exploited if a user visits or is redirected to a specially crafted web page, or when a user opens a specially crafted PDF file. Successful exploitation gives the attacker the same privileges as the logged-on user. Depending on the privileges associated with that user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely cause a denial-of-service condition (the application crashes).
SYSTEMS AFFECTED:
  • Adobe Acrobat 9.3.4 for Windows
  • Adobe Acrobat 9.x
  • Adobe Acrobat 8.x
  • Adobe Reader 7.x

VULNERABILITY DESCRIPTION:
Adobe Reader and Adobe Acrobat are prone to a remote code execution vulnerability when handling malicious PDF files. The vulnerability is a memory corruption in 'AcroForm.api' (the forms plug-in) that occurs when processing unspecified 'special characters'. It may be triggered when a user visits or is redirected to a specially crafted web page, or when a user opens a specially crafted PDF file. The WinDbg output below shows the crash:
Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000001 ecx=02ae1314 edx=020c4bc8 esi=02adb470 edi=0012f4b4
eip=20946b4a esp=0012f414 ebp=0012f470 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api -
AcroForm!DllUnregisterServer+0x130993:
20946b4a 8b00 mov eax,dword ptr [eax] ds:0023:00000000=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:000> u
AcroForm!DllUnregisterServer+0x130993:
20946b4a 8b00 mov eax,dword ptr [eax]
20946b4c c3 ret
20946b4d 56 push esi
20946b4e 8b742408 mov esi,dword ptr [esp+8]
20946b52 57 push edi
20946b53 33ff xor edi,edi
20946b55 393e cmp dword ptr [esi],edi
20946b57 7e1a jle AcroForm!DllUnregisterServer+0x1309bc (20946b73)
So the access violation is raised at mov eax,dword ptr [eax] (not at the cmp further down): eax is 00000000 at that point, so the faulting instruction is a read through a NULL pointer.

The memory corruption is triggered when the special characters are injected into the PDF. However, since the register contents at the crash could not be controlled and the crash location could not be moved by changing the injected string, no working exploit has been found for this vulnerability yet; at present it only produces the NULL-pointer read in AcroForm.api shown above. The affected module and the crash addresses above can be compared with the following references.
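To make the "can the registers be controlled?" question above reproducible, here is a small crash-triage script that parses a WinDbg first-chance access-violation dump like the one in this post, locates the faulting instruction via eip, works out the accessed address and whether it is a read, write or control-flow fault, and gives a rough exploitability verdict (the same style of reasoning as WinDbg's !exploitable, but much simpler). This is an added example, not code from the original advisory or from Adobe; the first sample dump is copied from the post, the second is a constructed write fault used only to show the classifier generalising, and the 64 KiB NULL-page limit and the verdict strings are the script's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Sample input 1: the WinDbg output quoted in the advisory above (trimmed).
SAMPLE_DUMP = """\
Access violation - code c0000005 (first chance)
eax=00000000 ebx=00000001 ecx=02ae1314 edx=020c4bc8 esi=02adb470 edi=0012f4b4
eip=20946b4a esp=0012f414 ebp=0012f470 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
AcroForm!DllUnregisterServer+0x130993:
20946b4a 8b00 mov eax,dword ptr [eax] ds:0023:00000000=????????
"""

# Sample input 2: a constructed dump (not from the post) of a write through a
# fully attacker-controlled register, to show the other branch of the verdict.
WRITE_DUMP = """\
Access violation - code c0000005 (first chance)
eax=41414141 ebx=00000000 ecx=41414141 edx=00000000 esi=00000000 edi=00000000
eip=10001000 esp=0012f414 ebp=0012f470 iopl=0 nv up ei pl zr na pe nc
10001000 8901 mov dword ptr [ecx],eax ds:0023:41414141=????????
"""

NULL_PAGE_LIMIT = 0x10000  # assumption: Windows keeps the first 64 KiB unmapped
WRITE_MNEMONICS = {"mov", "add", "sub", "and", "or", "xor", "inc", "dec"}
BRANCH_MNEMONICS = {"call", "jmp", "ret"}
MEM_RE = re.compile(r"\[(\w+)(?:\s*([+-])\s*(?:0x)?([0-9a-f]+)h?)?\]")


@dataclass
class Triage:
    code: str            # NT exception code, e.g. "c0000005"
    eip: int
    mnemonic: str
    operands: str
    access: str          # "read", "write", "exec" or "unknown"
    address: Optional[int]
    verdict: str


def parse_registers(dump: str) -> Dict[str, int]:
    """Collect every 32-bit name=hex pair from the register lines."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([a-z]{2,3})=([0-9a-f]{8})\b", dump)}


def effective_address(operands: str, regs: Dict[str, int]) -> Optional[int]:
    """Evaluate a [reg], [reg+disp] or [reg-disp] operand against the dump."""
    m = MEM_RE.search(operands)
    if not m or m.group(1) not in regs:
        return None
    addr = regs[m.group(1)]
    if m.group(2):
        disp = int(m.group(3), 16)
        addr = addr + disp if m.group(2) == "+" else addr - disp
    return addr & 0xFFFFFFFF


def triage(dump: str) -> Triage:
    code_m = re.search(r"code ([0-9a-f]{8})", dump)
    code = code_m.group(1) if code_m else "unknown"
    regs = parse_registers(dump)
    eip = regs.get("eip", 0)
    # The faulting instruction is the disassembly line whose address equals eip.
    fault = None
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 3 and re.fullmatch(r"[0-9a-f]{8}", parts[0]) \
                and int(parts[0], 16) == eip:
            fault = parts
            break
    if fault is None:
        return Triage(code, eip, "?", "", "unknown", None, "no disassembly for eip")
    mnemonic = fault[2].lower()
    rest = " ".join(fault[3:])
    # WinDbg appends "seg:sel:addr=value" for the memory operand; prefer that address.
    seg = re.search(r"\b[a-z]s:[0-9a-f]{4}:([0-9a-f]{8})=", rest)
    operands = rest[:seg.start()].strip() if seg else rest
    address = int(seg.group(1), 16) if seg else effective_address(operands, regs)
    # Intel syntax: first operand is the destination, so a memory operand there
    # on a mov/arith instruction is a write; cmp/test and sources are reads.
    if mnemonic in BRANCH_MNEMONICS:
        access = "exec"
    elif "[" in operands:
        dest = operands.split(",")[0]
        access = "write" if ("[" in dest and mnemonic in WRITE_MNEMONICS) else "read"
    else:
        access = "unknown"
    if access == "exec":
        verdict = "likely exploitable: control flow to an attacker-influenced target"
    elif address is not None and address < NULL_PAGE_LIMIT:
        verdict = f"NULL-pointer {access}: likely not exploitable (DoS only)"
    elif access == "write":
        verdict = "possibly exploitable: write to an attacker-influenced address"
    elif access == "read":
        verdict = "probably not exploitable: read from a bad address"
    else:
        verdict = "unknown"
    return Triage(code, eip, mnemonic, operands, access, address, verdict)


if __name__ == "__main__":
    for name, dump in (("advisory", SAMPLE_DUMP), ("constructed", WRITE_DUMP)):
        t = triage(dump)
        print(f"{name}: {t.mnemonic} {t.operands} -> {t.access} @ {t.address:#010x}: {t.verdict}")
```

Run against the dump from this post it reports a NULL-pointer read at address 0, matching the analysis above: eax is zero, nothing attacker-controlled reaches the dereference, so the crash is a denial of service rather than code execution. The constructed second dump shows the opposite case, a write through a 0x41414141 register, which is the kind of crash worth spending exploitation effort on.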

------------------------------------------------------------------------------------
http://www.exploit-db.com/exploits/14761
http://packetstormsecurity.org/1008-exploits/adobear-corrupt.tgz
------------------------------------------------------------------------------------ 
