Adobe Download Manager buffer overflow

Overview

Adobe Download Manager contains a buffer overflow. This vulnerability may allow a remote, unauthenticated attacker to run arbitrary code with the privileges of the affected user or cause a denial-of-service condition.

Description

Adobe Download Manager (ADM)

ADM is a utility that Adobe provides to aid in downloading Adobe software. ADM is included with the download of numerous Adobe products including, but not limited to, Adobe Reader. More information on ADM is available at the About Download Manager website.

AOM files

AOM files contain download instructions to be executed by ADM. When an AOM file is parsed, the download instructions in that AOM file are stored in %APPDATA%``\dm.ini for further processing by ADM. Note that a file association is created between ADM and AOM files (.aom) when ADM is installed. As a result, accessing an AOM file launches ADM by default.

The Problem

ADM fails to properly handle malformed download instructions allowing a stack-based buffer overflow to occur. If a remote attacker can persuade a user to access a specially crafted AOM file with ADM, that attacker may be able to trigger the buffer overflow.

Note that in some instances ADM is automatically removed when the installation of requested Adobe software is completed. To determine if ADM is installed follow the instructions in Adobe Security bulletin APSB06-19.

---

Impact

A remote unauthenticated attacker may be able to execute arbitrary code by convincing a user to open a specially crafted AOM file. This can be achieved by creating a specially crafted web page or other HTML document that may launch ADM without any user interaction.

---

Solution

Uninstall Adobe Download Manager
To uninstall ADM follow the instructions in Adobe Security bulletin APSB06-19.

Adobe has also addressed this issue in Adobe Download Manager version 2.2.

---

Disable file association for AOM files

Disable the file association for AOM files to help prevent windows applications from using Adobe Download Manager to open AOM files. This can be accomplished by deleting the following registry key:

HKEY_CLASSES_ROOT\``aom
Do not access AOM files from untrusted sources

Attackers may host malicious AOM files on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

---

Vendor Information

448569

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Adobe __ Affected

Updated: December 07, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to Adobe Security bulletin APSB06-19.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23448569 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://secunia.com/advisories/23233/&gt;
• <http://www.adobe.com/support/security/bulletins/apsb06-19.html&gt;
• <http://research.eeye.com/html/advisories/published/AD20061205.html&gt;
• <http://www.adobe.com/products/acrobat/acrrmanager.html&gt;

Acknowledgements

This issue was reported in Adobe Security bulletin APSB06-19. Adobe credits Zero Day Initiative and eEye Digital Security for reporting this vulnerability.

This document was written by Chris Taschner.

Other Information

CVE IDs:	CVE-2006-5856
Severity Metric:	4.62 Date Public: