Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:1169
HistoryJan 13, 2007 - 12:00 a.m.

Adobe Acrobat Reader畸形文档处理堆溢出漏洞

2007-01-1300:00:00
Root
www.seebug.org
16
JSON

Adobe Acrobat Reader是非常流行的PDF文件阅读器。

Adobe产品在渲染特制的PDF文件时存在堆溢出漏洞,远程攻击者可能通过利用此漏洞诱骗用户打开恶意文件控制用户机器。

相关的代码段如下:

----// SNIP SNIP //-------------------------------------------------
0:000> u 08009d3f
CoolType+0x9d3f:
08009d3f 83e904           sub     ecx,0x4
08009d42 890da07a1d08     mov     [CoolType!CTCleanup+0xb393b (081d7aa0)],ecx
08009d48 ffb49070feffff   push    dword ptr [eax+edx*4-0x190]
08009d4f 8b09             mov     ecx,[ecx]
08009d51 51               push    ecx
08009d52 ff506c           call    dword ptr [eax+0x6c] ; (*)
08009d55 59               pop     ecx
08009d56 59               pop     ecx
----// SNIP SNIP //-------------------------------------------------

0x08009d52处的指令调用了地址储存在[eax+0x6c]的位置,eax的值指向了已分配堆内存块中,如下所示:

----// SNIP SNIP //-------------------------------------------------
...
K: 199 -> [*] HeapAlloc(0x3E0000,0x0,0x4(4))=0x16F6FF8 end at: 0x16F6FFC
K: 200 -> [*] HeapAlloc(0x3E0000,0x0,0x4F4(1268))=0x16F6958 end at: 0x16F6E4C
K: 201 -> [*] HeapAlloc(0x3E0000,0x0,0xFE30(65072))=0x16F6E58 end at: 0x1706C88
K: 202 -> [*] HeapAlloc(0x3E0000,0x0,0x304(772))=0x1706C90 end at: 0x1706F94
K: 203 -> [*] HeapAlloc(0x3E0000,0x0,0xFE24(65060))=0x1706FA0 end at: 0x1716DC4 <- THIS ONE
----// SNIP SNIP //-------------------------------------------------

[EAX+0x6c]执行从最后堆内存块开始起0x222C偏移处。

在渲染特制的PDF文件时,内存破坏可能导致覆盖[eax+0x6c]处的子例程地址。

以下是调用了被覆盖的[eax+0x6c]后的调试代码段:

----// SNIP SNIP //-------------------------------------------------
(25a0.2170): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=016f4320 ebx=00000000 ecx=baadf00d edx=00000069 esi=016f4ab9 edi=016f14b4
eip=baadf00d esp=0012deec ebp=0012df80 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for 
C:\Program Files\Adobe\Acrobat 7.0\Reader\CoolType.dll - 

baadf00d ??               ???
----// SNIP SNIP //-------------------------------------------------

攻击者可以控制EIP寄存器,导致以当前用户的权限执行任意代码。

Adobe Acrobat Reader <= 7.0.8
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

<a href=“http://www.adobe.com/go/getreader” target=“_blank”>http://www.adobe.com/go/getreader</a>

JSON