Full Version: Adobe Acrobat Buffer Overflow In 'pdf.ocx'
GovernmentSecurity.org > The Archives > Exploit Articles
qcred11
Aug 14 2004, 10:44 PM


Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability


iDEFENSE Security Advisory 08.13.04
www.idefense.com/application/poi/display?id=126&type=vulnerabilities
August 13, 2004

I. BACKGROUND

Adobe Acrobat/Acrobat Reader are programs for creating and/or viewing
documents in Adobe Portable Document Format (PDF). More information is
available at http://www.adobe.com/products/acrobat/.

II. DESCRIPTION

Exploitation of a buffer overflow vulnerability in the ActiveX component
packaged with Adobe Systems Inc.'s Acrobat/Acrobat Reader allows remote
attackers to execute arbitrary code.

The problem specifically exists upon retrieving a link of the following
form:

    GET /any_existing_dir/any_existing_pdf.pdf%00[long string] HTTP/1.1

Where [long string] is a maliciously crafted long string containing
acceptable URI characters. The request must be made to a web server that
truncates the request at the null byte (%00); otherwise an invalid file
name is specified and a "file not found" page will be returned. Example
web servers that truncate the requested URI include Microsoft IIS and
Netscape Enterprise. Though the requested URI is truncated for the
purposes of locating the file, the long string is still passed to the
Adobe ActiveX component responsible for rendering the page. This in turn
triggers a buffer overflow within RTLHeapFree(), allowing an attacker
to overwrite an arbitrary word in memory. The responsible instructions
from RTLHeapFree() are shown here:

    0x77F83AE5 MOV EAX,[EDI+8]
    0x77F83AE8 MOV ECX,[EDI+C]
    ...
    0x77F83AED MOV [ECX],EAX

The register EDI contains a pointer to a user-supplied string. The
attacker therefore has control over both the ECX and EAX registers used
in the shown MOV instruction.
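A log-based check for the request pattern described above, added here as an example and not part of the advisory: it percent-decodes each logged request path once, looks for a null byte directly after a .pdf file name, and grades the length of whatever follows it. It assumes the server records the raw request line in Common Log Format; the sample log lines are constructed.

```python
"""Flag logged web requests that match the pdf.ocx null-byte overflow pattern."""
import re
from urllib.parse import unquote_to_bytes

# Common Log Format: client ident user [time] "METHOD PATH PROTO" status size
CLF_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+')

LONG_TAIL = 64  # bytes after the null beyond which we treat the request as an overflow attempt


def classify_path(raw_path: str):
    """Return (severity, bytes_after_null) for a logged path, or None if it looks benign.

    The path is decoded exactly once: a null reachable only by double encoding
    (e.g. %2500) is never seen as a null by the server and is ignored.
    """
    decoded = unquote_to_bytes(raw_path.split("?", 1)[0])  # ignore any query string
    head, sep, tail = decoded.partition(b"\x00")
    if not sep or not head.lower().endswith(b".pdf"):
        return None
    severity = "high" if len(tail) >= LONG_TAIL else "low"
    return severity, len(tail)


def scan_log(text: str):
    """Return [(client, status, severity, bytes_after_null)] for each suspicious line."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m and (verdict := classify_path(m["path"])):
            hits.append((m["client"], m["status"], verdict[0], verdict[1]))
    return hits


# Constructed sample lines, not real traffic. A server that truncates at the
# null byte answers the second request with 200, which is what makes it work.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [14/Aug/2004:10:44:01 -0500] "GET /docs/report.pdf HTTP/1.1" 200 51234',
    '10.0.0.7 - - [14/Aug/2004:10:45:13 -0500] "GET /docs/report.pdf%00' + "A" * 300
    + ' HTTP/1.1" 200 51234',
    '10.0.0.8 - - [14/Aug/2004:10:45:40 -0500] "GET /docs/report.PDF%00x HTTP/1.1" 200 51234',
    '10.0.0.9 - - [14/Aug/2004:10:46:02 -0500] "GET /docs/report.pdf%2500 HTTP/1.1" 404 210',
])

if __name__ == "__main__":
    for client, status, severity, tail in scan_log(SAMPLE_LOG):
        print(f"{client} status={status} severity={severity} bytes_after_null={tail}")
```

Only the second and third sample lines are reported; the double-encoded fourth line is not, because the server never sees a real null there.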

III. ANALYSIS

Successful exploitation allows remote attackers to utilize the arbitrary
word overwrite to redirect the flow of control and eventually take
control of the affected system. Code execution will occur under the
context of the user that instantiated the vulnerable version of Adobe
Acrobat.

An attacker does not need to establish a malicious web site as
exploitation can occur by adding malicious content to the end of any
embedded link and referencing any Microsoft IIS or Netscape Enterprise
web server. Clicking on a direct malicious link is also not required as
it may be embedded within an IMAGE tag, an IFRAME or an auto-loading
script.

Successful exploitation requires that a payload be written such that
certain areas of the input are URI acceptable. This includes initial
injected instructions as well as certain overwritten addresses. This
increases the complexity of successful exploitation. While not trivial,
exploitation is definitely plausible.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Adobe
Acrobat 5.0.5, specifically, pdf.ocx version 5.0.5.452. It is suspected
that all current versions of Adobe Acrobat/Acrobat Reader are affected
by this vulnerability.

V. WORKAROUND

Change Adobe Acrobat/Acrobat Reader settings to prevent PDF files from
automatically opening when accessed via a web browser. When prompted,
first save the file to disk before opening it, thereby closing the
exploitation vector described.

This can be accomplished using the following steps:

1. Open Adobe Acrobat/Acrobat Reader
2. Go to Edit --> Preferences
3. Uncheck the "Display PDF in browser" setting
4. Click OK



Source: http://www.securitytracker.com/alerts/2004/Aug/1010952.html