Various UNIX and Linux PDF readers/viewers execute commands embedded within hyperlinks

2003-06-18T00:00:00
ID VU:200132
Type cert
Reporter CERT
Modified 2003-09-26T00:00:00

Description

Overview

A vulnerability in various UNIX and Linux PDF viewers/readers may allow remote attackers to execute arbitrary commands on your system.

Description

Adobe Systems Incorporated describes PDF (Portable Document Format) as "a universal file format that preserves the fonts, images, graphics, and layout of any source document, regardless of the application and platform used to create it." A viewer such as Adobe Reader or Xpdf is needed to view a document encoded in PDF. Various PDF viewers are widely deployed on the Internet. Quoting from the Adobe Systems Incorporated web site:

Governments and enterprises around the world have adopted PDF to streamline document management, increase productivity, and reduce reliance on paper....An open file format specification, PDF is available to anyone who wants to develop tools to create, view, or manipulate PDF documents. Indeed, more than 1,800 vendors offer PDF-based solutions, ensuring that organizations that adopt the PDF standard have a variety of tools to leverage the Portable Document Format and to customize document processes.

When a victim clicks on a hyperlink contained within a malicious PDF file, an attacker may be able to execute arbitrary commands with the privileges of the victim. This is possible because some UNIX and Linux PDF readers/viewers spawn external programs to handle hyperlinks by invoking the shell command interpreter.


Impact

A remote attacker may be able to execute arbitrary commands with the privileges of the victim.


Solution

Apply a patch when available.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Adobe Systems Incorporated| | 08 May 2003| 18 Jun 2003
Conectiva| | 15 May 2003| 22 Sep 2003
Debian| | 15 May 2003| 19 May 2003
MandrakeSoft| | 15 May 2003| 14 Jul 2003
Red Hat Inc.| | 15 May 2003| 19 Jun 2003
Sun Microsystems Inc.| | 15 May 2003| 17 Jun 2003
Xpdf| | 20 May 2003| 17 Jun 2003
Apple Computer Inc.| | -| 18 Jun 2003
Fujitsu| | 15 May 2003| 08 Aug 2003
Hitachi| | 15 May 2003| 18 Jun 2003
Ingrian Networks| | 15 May 2003| 23 May 2003
Microsoft Corporation| | 15 May 2003| 19 May 2003
NEC Corporation| | 15 May 2003| 16 Jun 2003
Nortel Networks| | 15 May 2003| 14 Jul 2003
Xerox Corporation| | 15 May 2003| 14 Jul 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.adobe.com/products/acrobat/adobepdf.html>
  • <http://www.adobe.com/products/acrobat/readermain.html>
  • <http://www.foolabs.com/xpdf/about.html>
  • <http://www.secunia.com/advisories/9037/>
  • <http://www.secunia.com/advisories/9038/>

Credit

This vulnerability was discovered by Martyn Gilmore. The CERT/CC thanks Martyn, Adobe, and the folks responsible for the Xpdf project.

This document was written by Ian A Finlay.

Other Information

  • CVE IDs: CAN-2003-0434
  • Date Public: 13 Jun 2003
  • Date First Published: 18 Jun 2003
  • Date Last Updated: 26 Sep 2003
  • Severity Metric: 37.97
  • Document Revision: 26