eEye Digital Security has discovered a stack buffer overflow in Adobe Download Manager, a utility typically installed for the purpose of downloading Adobe software such as Adobe (Acrobat) Reader. By opening a malicious AOM file, a user's system may be compromised by arbitrary code within the file, which executes with the privileges of that user.
Vulnerable Systems:
* Adobe Download Manager versions 2.1.x and earlier
A web-based attack conducted through Internet Explorer may succeed without the use of ActiveX or scripting, and without any additional user interaction other than viewing a web page, if the web server indicates a Content-Type of "application/aom" when serving up the malicious AOM file. In such a case, an ".aom" file extension is not required.
AdobeDownloadManager.exe is responsible for extracting download instructions from AOM files, which are essentially XML with an appended CRC32 in decimal, and committing the instructions to the file "%APPDATA%\dm.ini" for later processing. For instance, opening the following AOM file:
When launched, whether or not it is supplied with an AOM file, AdobeDownloadManager.exe reads the entries from "dm.ini" and handles each described download according to its properties. It begins by reading a list of section names into a 400h-byte buffer using GetPrivateProfileStringA, then copies each section name into a 108h-byte stack buffer using strncpy with a length limit equal to the length of the section name string. The result is a relatively straightforward stack buffer overflow, with the only complication being the character restrictions.
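The copy described above bounds strncpy by the length of the source string rather than by the size of the destination. The following C sketch is an added example, not code from Adobe Download Manager or from eEye. It walks a NUL-separated, double-NUL-terminated name list (the layout GetPrivateProfileStringA returns for section names) and copies each entry with a destination-sized limit. The function names and the sample list are hypothetical; the two buffer sizes are the ones given in this advisory.

```c
#include <stddef.h>
#include <string.h>

#define NAME_BUF_SIZE 0x108 /* per-name stack buffer size from the advisory */
#define LIST_BUF_SIZE 0x400 /* section-name list buffer size from the advisory */

/* Flawed pattern, shown as a comment only:
 *     strncpy(name, src, strlen(src));
 * The bound is the source length, so it never limits the copy to the
 * destination, and strncpy writes no terminating NUL in this case. */

/* Bounded copy: the limit comes from the destination size. Names that do
 * not fit are rejected, not truncated. Returns 0 on success, -1 otherwise. */
int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)
        return -1;                        /* src needs more than dst_size bytes */
    memcpy(dst, src, (size_t)(nul - src) + 1); /* copy includes the NUL */
    return 0;
}

/* Walk a NUL-separated, double-NUL-terminated list of names and count the
 * entries that would not fit in a NAME_BUF_SIZE buffer. */
int count_rejected(const char *list, size_t list_size)
{
    char name[NAME_BUF_SIZE];
    size_t off = 0;
    int rejected = 0;

    while (off < list_size && list[off] != '\0') {
        const char *nul = memchr(list + off, '\0', list_size - off);
        if (nul == NULL)
            break;                        /* unterminated tail: stop walking */
        if (copy_name_checked(name, sizeof name, list + off) != 0)
            rejected++;
        off = (size_t)(nul - list) + 1;
    }
    return rejected;
}

/* Constructed sample list: one short name, then one 0x200-byte name. */
int demo_rejected(void)
{
    char list[LIST_BUF_SIZE] = {0};
    memcpy(list, "download1", 10);        /* 9 characters plus NUL */
    memset(list + 10, 'A', 0x200);        /* zero fill supplies the terminators */
    return count_rejected(list, sizeof list);
}
```

A 400h-byte list can hold a single name longer than 108h bytes, which is why the per-name check is needed even though the list read itself is bounded.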
It should be possible to uninstall Adobe Download Manager, or at least unassociate the AOM file extension and "application/aom" Content-Type in the registry, to defend against this vulnerability. Hopefully users who have been forced to install Adobe Download Manager realized its superfluousness and have already uninstalled it.