Bugzilla – Bug 64257
VUL-0: CVE-2004-1152: acroread buffer overflow
Last modified: 2021-10-19 13:56:07 UTC
We received the following report via bugtraq. The issue is public. They are talking about email all the time but that doesn't make any sense to me. It rather sounds like anything you open with acroread is potentially dangerous. So I wouldn't be surprised if this also affects the browser plugin.

Date: Tue, 14 Dec 2004 10:39:02 -0500
From: customer service mailbox <customerservice@idefense.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Subject: iDEFENSE Security Advisory 12.14.04 - Adobe Acrobat Reader 5.0.9 mailListIsPdf() Buffer Overflow Vulnerability

Adobe Acrobat Reader 5.0.9 mailListIsPdf() Buffer Overflow Vulnerability

iDEFENSE Security Advisory 12.14.04
www.idefense.com/application/poi/display?id=161&type=vulnerabilities
December 14, 2004

I. BACKGROUND

Adobe Acrobat Reader is a program for viewing Portable Document Format (PDF) documents. More information is available at the following site:

http://www.adobe.com/products/acrobat/readermain.html

II. DESCRIPTION

Remote exploitation of a buffer overflow in version 5.09 of Adobe Acrobat Reader for Unix could allow for execution of arbitrary code.

The vulnerability specifically exists in the function mailListIsPdf(). This function checks if the input file is an email message containing a PDF. It unsafely copies user supplied data using strcat into a fixed-size buffer.

III. ANALYSIS

Successful exploitation allows an attacker to execute arbitrary code under the privileges of the local user. Remote exploitation is possible by sending a specially crafted e-mail and attaching either the maliciously crafted PDF document or a link to it.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Adobe Acrobat Reader version 5.0.9 for Unix. Previous versions of Adobe Acrobat Reader 5 for Unix are suspected also to be vulnerable.

V. WORKAROUND

User awareness is the best defense against this class of attack. Users should be aware of the existence of such attacks and proceed with caution when following links from suspicious and/or unsolicited e-mail.

Additionally, you may wish to apply the following unofficial patch from iDEFENSE Labs to the acroread shell script. The acroread shell script calls the appropriate binary for the platform. The patch adds a check that ensures that files passed as arguments to acroread are in fact PDF documents. This patch will not protect against files opened from within the Acrobat Reader GUI.

The bin/ directory of the application contains an 'acroread' shell script while the Reader/ directory contains a binary with the same name. The command 'file acroread', when executed in the same directory as the shell script, should return the line:

acroread: a /bin/sh script text executable

This result indicates the existence of the appropriate file that the patch below can be applied to.

acroread.patch:

--- acroread.orig 2004-10-13 17:25:57.000000000 -0400
+++ acroread 2004-10-13 17:55:43.000000000 -0400
 fi
 if [ -f "$ACRO_EXEC_CMD" ] ; then
+ for CHECK in ${1+"$@"};
+ do
+ [ -f "$CHECK" ] && {
+ file "$CHECK" | grep "PDF document" || \
+ {
+ echo "$CHECK" exists, but is not a PDF document.
+ exit 1;
+ }
+ }
+ done
 exec "$ACRO_EXEC_CMD" ${1+"$@"}
 else
 echo "ERROR: Cannot find $ACRO_EXEC_CMD"

VI. VENDOR RESPONSE

This vulnerability is fixed in Adobe Acrobat Reader 5.0.10 for Unix. Further details of the vulnerability are available in the following knowledgebase article:

http://www.adobe.com/support/techdocs/331153.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-1152 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

10/14/2004 Initial vendor notification
10/15/2004 Initial vendor response
12/14/2004 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Greg MacManus, iDEFENSE Labs.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
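Review bot: the `file "$CHECK" | grep "PDF document"` test in the added loop prints grep's matching line to stdout on every normal launch, and the rejection message goes to stdout as well; `grep -q "PDF document"` gives the same exit status silently, and `echo "$CHECK" exists, but is not a PDF document. >&2` keeps the error off the document stream. The check also trusts `file`'s magic detection, so it should be read as a filter that keeps non-PDF input (such as a mail message) away from the mailListIsPdf() path rather than as validation of a PDF, and, as the advisory itself says, it only covers command-line arguments, not files opened from the GUI.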
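Added illustration of the pattern the advisory describes (strcat() of caller-supplied data into a fixed-size buffer) next to a bounded replacement. This is not Adobe's mailListIsPdf() and not part of the report; the function names, the buffer size HDR_MAX and the sample header lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define HDR_MAX 64   /* constructed buffer size for the example */

/* Unsafe pattern (hypothetical, not Adobe's mailListIsPdf()): every line
 * is appended with strcat() and nothing checks the total length, so
 * headers longer than HDR_MAX overrun hdr on the stack. Only ever call
 * this with input known to fit; main() below does exactly that. */
int mail_list_is_pdf_unsafe(const char *const lines[], size_t nlines)
{
    char hdr[HDR_MAX] = "";
    for (size_t i = 0; i < nlines; i++)
        strcat(hdr, lines[i]);                  /* unbounded copy */
    return strstr(hdr, "application/pdf") != NULL;
}

/* Hardened version: remaining space is tracked explicitly and oversized
 * input is refused rather than silently truncated (a truncated header
 * could still be misclassified). Returns 1 if a PDF part is declared,
 * 0 if not, -1 if the headers do not fit in the buffer. */
int mail_list_is_pdf_safe(const char *const lines[], size_t nlines)
{
    char hdr[HDR_MAX];
    size_t used = 0;
    hdr[0] = '\0';
    for (size_t i = 0; i < nlines; i++) {
        size_t len = strlen(lines[i]);
        if (len >= HDR_MAX - used)              /* no room for line + NUL */
            return -1;
        memcpy(hdr + used, lines[i], len + 1);  /* copies the NUL as well */
        used += len;
    }
    return strstr(hdr, "application/pdf") != NULL;
}

/* Constructed sample inputs (not taken from any real message). */
static const char *const pdf_mail[] = {
    "Content-Type: multipart/mixed; ",
    "Content-Type: application/pdf",
};
static const char *const plain_mail[] = {
    "Content-Type: text/plain",
};
static const char *const long_mail[] = {
    "Content-Type: application/pdf; name=\""
    "................................................................................\"",
};

int main(void)
{
    printf("pdf mail, unsafe fn (input fits):     %d\n",
           mail_list_is_pdf_unsafe(pdf_mail, 2));
    printf("pdf mail, safe fn:                    %d\n",
           mail_list_is_pdf_safe(pdf_mail, 2));
    printf("plain mail, safe fn:                  %d\n",
           mail_list_is_pdf_safe(plain_mail, 1));
    printf("oversized header, safe fn (rejected): %d\n",
           mail_list_is_pdf_safe(long_mail, 1));
    return 0;
}
```

The point of the bounded version is that the length check happens before the copy and the failure is reported, so a header longer than the buffer never touches memory past it; the unsafe function behaves identically on short input, which is why the defect is easy to miss in testing.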
Ah! The usual acroread security trouble. Why the hell does our management insist on using it by default? As it is the usual stuff and happens every few months I reduce priority to normal - simply because it IS normal for acroread.
There is already version 5.0.10. The README states
------------------------------------------------------------------
New for Acrobat Reader 5.0.10
A security patch was applied that solves a problem reported with malformed mail containing pdf attachments.
------------------------------------------------------------------
But the acroread shell script is still
------------------------------------------------------------------
if [ -f "$ACRO_EXEC_CMD" ] ; then
  exec "$ACRO_EXEC_CMD" ${1+"$@"}
------------------------------------------------------------------
Therefore I don't know if 5.0.10 solves the problem or if I should additionally add the above "for CHECK ... do ... done". In any case I think we should upgrade the version to be safe not to miss any other security related stuff but I NEEDINFO what I should do regarding "for CHECK ... do ... done".
The bug apparently is inside the acroread binary and must be fixed there. The shellscript snippet is just a workaround and not needed if adobe has actually fixed the problem. We cannot verify this with neither source code nor proof of concept exploit though.
For testing here is an RPM: ~jsmeix/Export/acroread-5.0.10-1.i586.rpm Note that there is a problem with the version number which was wrong before - it was 5.09 but it should have been 5.0.9 Now I don't know how to increase the version number so that RPM recognizes that it is really higher (5.0.10 < 5.09). Should I simply continue to use wrong version numbers like 5.10 ?
Regarding comment #3: Therefore I would like to upgrade the version. But my question was because in the initial report there is
------------------------------------------------------------------------
They are talking about email all the time but that doesn't make any sense to me. It rather sounds like anything you open with acroread is potentially dangerous.
------------------------------------------------------------------------
Therefore again my question: Should I _additionally_ add the "for CHECK ... do ... done" test to the acroread shell script?
wrt version I'd probably use 5.010 that should be equivalent to 5.10 AFAIK but includes a leading zero to not confuse it with 5.1.0. wrt shell script thingie, I can't judge. It would probably cripple acroread if it's normally useable for other things than plain pdf (which the original report indicates). There is also no guarantee that "file" is always right. I'll ask idefense, maybe they can give us some exploit or know more details.
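Added example, not rpm's own source: a C reimplementation of the comparison rule rpm's rpmvercmp() applies (split each version into runs of digits and runs of letters, skip separators, compare digit runs numerically with leading zeros dropped and letter runs lexically), run over the version strings discussed in this bug. It shows why 5.0.10 sorts below 5.09 and why 5.010 compares equal to 5.10 and above both 5.09 and 5.1.0. The function name rpm_vercmp is mine, and the tilde and caret rules that later rpm releases added are not modelled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Compare two version strings the way rpm's classic rpmvercmp() does.
 * Returns 1 if a is newer, -1 if b is newer, 0 if they compare equal.
 * Reimplemented for illustration; this is not rpm's own code. */
int rpm_vercmp(const char *a, const char *b)
{
    if (strcmp(a, b) == 0)
        return 0;

    for (;;) {
        /* separators (anything non-alphanumeric) are skipped, not compared */
        while (*a && !isalnum((unsigned char)*a)) a++;
        while (*b && !isalnum((unsigned char)*b)) b++;
        if (!*a || !*b)
            break;

        /* take one segment from each side, all digits or all letters;
         * the first string decides which type is being compared */
        const char *as = a, *bs = b;
        int isnum = isdigit((unsigned char)*a) != 0;
        if (isnum) {
            while (isdigit((unsigned char)*a)) a++;
            while (isdigit((unsigned char)*b)) b++;
        } else {
            while (isalpha((unsigned char)*a)) a++;
            while (isalpha((unsigned char)*b)) b++;
        }
        size_t alen = (size_t)(a - as), blen = (size_t)(b - bs);

        /* b has a letter where a has a digit (or vice versa):
         * numeric segments always count as newer than alpha ones */
        if (blen == 0)
            return isnum ? 1 : -1;

        if (isnum) {
            /* numeric: drop leading zeros, then the longer number is larger */
            while (alen > 1 && *as == '0') { as++; alen--; }
            while (blen > 1 && *bs == '0') { bs++; blen--; }
            if (alen != blen)
                return alen > blen ? 1 : -1;
            int rc = strncmp(as, bs, alen);
            if (rc)
                return rc < 0 ? -1 : 1;
        } else {
            /* alpha: plain lexical comparison, a proper prefix is older */
            size_t n = alen < blen ? alen : blen;
            int rc = strncmp(as, bs, n);
            if (rc)
                return rc < 0 ? -1 : 1;
            if (alen != blen)
                return alen > blen ? 1 : -1;
        }
    }

    /* every segment matched: whichever side still has segments left is newer */
    if (!*a && !*b)
        return 0;
    return *a ? 1 : -1;
}

int main(void)
{
    /* the candidates from this bug: the mis-numbered 5.09 package,
     * the correct 5.0.10 and the proposed 5.010 / 5.10 / 5.1.0 */
    const char *pairs[][2] = {
        {"5.0.10", "5.09"}, {"5.010", "5.09"}, {"5.010", "5.10"},
        {"5.010", "5.1.0"}, {"5.0.10", "5.0.9"},
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-7s vs %-6s -> %2d\n", pairs[i][0], pairs[i][1],
               rpm_vercmp(pairs[i][0], pairs[i][1]));
    return 0;
}
```

The "09" segment is read as the number 9 and "010" as 10, which is the whole reason the packaging trick works: 5.010 is numerically 5.10, so it beats the old 5.09 while still being distinguishable from 5.1.0 to a human reader.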
I think the shell script does not need to be fixed.
iDefense doesn't want to give us details or PoC code. They said we should contact Nils Puhlmann (puhlmann@adobe.com) if we want to know more.
At the moment only submitted acroread-5.010 to STABLE. Regarding this bug: It is not clear at the moment whether or not an additional test in the acroread shell script is required. I will ask Nils Puhlmann (puhlmann@adobe.com).
No, the check is NOT required.
There is a request for approval for the acroread version update on prjmgr@suse.de. Please tell me when I can start to submit 5.0.10 and please tell me exactly for which distributions I should submit it.
Ralf approved it for sles. You need to submit packages for all maintained distros, i.e. 8.1-9.2
swamp id 79
Submitted for
- 9.2-i386 (i.e. SUSE LINUX 9.2)
- 9.1-i386 (i.e. SLES9 and SUSE LINUX 9.1)
- 9.0-i386 (i.e. SUSE LINUX 9.0)
- 8.2-i386 (i.e. SUSE LINUX 8.2)
- 8.1-i386 (i.e. SLES8 and SUSE LINUX 8.1)
Could you please create the necessary patchinfo and putonftp and "Laufzettel" and whatever other required files. (I have no idea what "swamp id 79" means.)
Reassign to security team.
approved.
CVE-2004-1152: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)