Bug 64257 (CVE-2004-1152)

Summary: VUL-0: CVE-2004-1152: acroread buffer overflow
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-1152: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Ludwig Nussel 2004-12-15 18:25:03 UTC 
We received the following report via bugtraq.
The issue is public.

They are talking about email all the time but that doesn't make any
sense to me. It rather sounds like anything you open with acroread
is potentially dangerous. So I wouldn't be surprised if this also
affects the browser plugin.

Date: Tue, 14 Dec 2004 10:39:02 -0500
From: customer service mailbox <customerservice@idefense.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Subject: iDEFENSE Security Advisory 12.14.04 - Adobe Acrobat Reader 5.0.9 mailListIsPdf() Buffer Overflow Vulnerability

Adobe Acrobat Reader 5.0.9 mailListIsPdf() Buffer Overflow Vulnerability

iDEFENSE Security Advisory 12.14.04
www.idefense.com/application/poi/display?id=161&type=vulnerabilities
December 14, 2004

I. BACKGROUND

Adobe Acrobat Reader is a program for viewing Portable Document Format
(PDF) documents. More information is available at the following site:

    http://www.adobe.com/products/acrobat/readermain.html

II. DESCRIPTION

Remote exploitation of a buffer overflow in version 5.09 of Adobe 
Acrobat Reader for Unix could allow for execution of arbitrary code.

The vulnerability specifically exists in a the function mailListIsPdf().

This function checks if the input file is an email message containing 
a PDF. It unsafely copies user supplied data using strcat into a fixed 
sized buffer.

III. ANALYSIS

Successful exploitation allows an attacker to execute arbitrary code 
under the privileges of the local user. Remote exploitation is possible 
by sending a specially crafted e-mail and attaching either the 
maliciously crafted PDF document or a link to it.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Adobe 
Acrobat Reader version 5.0.9 for Unix. Previous versions of Adobe 
Acrobat Reader 5 for Unix are suspected also to be vulnerable.

V. WORKAROUND

User awareness is the best defense against this class of attack. 
Users should be aware of the existence of such attacks and proceed with 
caution when following links from suspicious and/or unsolicited e-mail.

Additionally, you may wish to apply the following unofficial patch from 
iDEFENSE Labs to the acroread shell script. The acroread shell script 
calls the appropriate binary for the platform. The patch adds a check
that ensures that files passed as arguments to acroread are in fact PDF 
documents. This patch will not protect against files opened from within
the Acrobat Reader GUI.

The bin/ directory of the application contains an 'acroread' shell
script while the Reader/ directory contains a binary with the same name.
The command 'file acroread', when executed in the same directory as the
shell script, should return the line:

acroread: a /bin/sh script text executable

This result indicates the existence of the appropriate file that the
patch below can be applied to.

acroread.patch:

--- acroread.orig 2004-10-13 17:25:57.000000000 -0400
+++ acroread 2004-10-13 17:55:43.000000000 -0400
 fi
 
 if [ -f "$ACRO_EXEC_CMD" ] ; then
+  for CHECK in ${1+"$@"};
+  do
+   [ -f "$CHECK" ] && {
+    file "$CHECK" | grep "PDF document" || \
+    {
+     echo "$CHECK" exists, but is not a PDF document. 
+     exit 1;
+    }
+   }
+   done
   exec "$ACRO_EXEC_CMD" ${1+"$@"}
 else
   echo "ERROR: Cannot find $ACRO_EXEC_CMD"

VI. VENDOR RESPONSE

This vulnerability is fixed in Adobe Acrobat Reader 5.0.10 for Unix.
Further details of the vulnerability are available in the following
knowledgebase article:

   http://www.adobe.com/support/techdocs/331153.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-1152 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/14/2004  Initial vendor notification
10/15/2004  Initial vendor response
12/14/2004  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Greg MacManus, iDEFENSE Labs.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Comment 1 Johannes Meixner 2004-12-15 19:14:12 UTC 
Ah!
The usual acroread security trouble.
Why the hell insists our management to use it by default?
As it is the usual stuff and hapens every few month I reduce
priority to normal - simply because it IS normal for acroread.
Comment 2 Johannes Meixner 2004-12-15 23:55:59 UTC 
There is already version 5.0.10

The README states
------------------------------------------------------------------
New for Acrobat Reader 5.0.10

A security patch was applied that solves a problem reported 
with malformed mail containing pdf attachments.
------------------------------------------------------------------

But the acroread shell script is still
------------------------------------------------------------------
if [ -f "$ACRO_EXEC_CMD" ] ; then
  exec "$ACRO_EXEC_CMD" ${1+"$@"}
------------------------------------------------------------------

Therefore I don't know if 5.0.10 solves the problem or
if I should additionally add the above "for CHECK ... do ... done".

In any case I think we should upgrade the version to be safe not to
miss any other security related stuff but I NEEDINFO what I should do
regarding "for CHECK ... do ... done".
Comment 3 Ludwig Nussel 2004-12-16 00:00:33 UTC 
The bug apparently is inside the acroread binary and must be fixed there. The 
shellscript snippet is just a workaround and not needed if adobe has actually 
fixed the problem. We cannot verify this with neither source code nor proof of 
concept exploit though.
Comment 4 Johannes Meixner 2004-12-16 00:03:24 UTC 
For testing here is an RPM:
~jsmeix/Export/acroread-5.0.10-1.i586.rpm

Note that there is a problem with the version number which was
wrong before - it was 5.09 but it should have been 5.0.9

Now I don't know how to increase the version number so that
RPM recognizes that it is really higher (5.0.10 < 5.09).
Should I simply continue to use wrong version numbers
like 5.10 ?
Comment 5 Johannes Meixner 2004-12-16 00:05:32 UTC 
Regarding comment #3:
Therefore I would like to upgrade the version.
But my question was because in the initial report there is
------------------------------------------------------------------------
They are talking about email all the time but that doesn't make any
sense to me. It rather sounds like anything you open with acroread
is potentially dangerous.
------------------------------------------------------------------------
Therefore again my question:
Should I _additionally_ add the "for CHECK ... do ... done" test
to the acroread shell script?
Comment 6 Ludwig Nussel 2004-12-16 00:22:43 UTC 
wrt version I'd probably use 5.010 that should be equivalent to 5.10 AFAIK but 
includes a leading zero to not confuse it with 5.1.0. 
 
wrt shell script thingie, I can't judge. It would probably cripple acroread if 
it's normally useable for other things than plain pdf (which the original 
report indicates). There is also no guarantee that "file" is always right. 
I'll ask idefense, maybe they can give us some exploit or know more details.
Comment 7 Marcus Meissner 2004-12-16 17:00:49 UTC 
i think the shell script does not need to be fixed.
Comment 8 Ludwig Nussel 2004-12-16 20:45:33 UTC 
iDefense doesn't want to give us details or PoC code. They said we should 
contact Nils Puhlmann (puhlmann@adobe.com) if we want to know more.
Comment 9 Johannes Meixner 2004-12-16 21:42:53 UTC 
At the moment only submitted acroread-5.010 to STABLE.

Reagrding this bug: It is not clear at the moment
whether or not an additional test in the acroread shell
script is required.
I will ask Nils Puhlmann (puhlmann@adobe.com).
Comment 10 Marcus Meissner 2004-12-16 21:44:20 UTC 
No, the check is NOT required.
Comment 11 Johannes Meixner 2004-12-17 18:07:05 UTC 
There is a request for approvement for the acroread version update
on prjmgr@suse.de

Please tell me when I can start to submit 5.0.10 and please tell me
exactly for which distributions I sould submit it.
Comment 12 Ludwig Nussel 2004-12-17 18:16:37 UTC 
Ralf approved it for sles. You need to submit packages for all maintained 
distros, i.e. 8.1-9.2
Comment 13 Marcus Meissner 2004-12-17 20:29:07 UTC 
swamp id 79
Comment 14 Johannes Meixner 2004-12-17 20:49:23 UTC 
Submitted for
- 9.2-i386 (i.e. SUSE LINUX 9.2)
- 9.1-i386 (i.e. SLES9 and SUSE LINUX 9.1)
- 9.0-i386 (i.e. SUSE LINUX 9.0)
- 8.2-i386 (i.e. SUSE LINUX 8.2)
- 8.1-i386 (i.e. SLES8 and SUSE LINUX 8.1)

Could you please create the necessary patchinfo and putonftp
and "Laufzettel" and whatever required other files.
(I have no idea what "swamp id 79" means.)
Comment 15 Johannes Meixner 2004-12-17 21:03:10 UTC 
Reassign to security team.
Comment 16 Marcus Meissner 2005-01-03 19:19:19 UTC 
approved.
Comment 17 Thomas Biege 2009-10-13 20:05:02 UTC 
CVE-2004-1152: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)