Source:
www.securiteam.com
Summary
Adobe Acrobat Reader is a program for viewing Portable Document Format (PDF) documents.
Remote exploitation of a format string vulnerability in Adobe's Reader could allow attackers to execute arbitrary code.
Details
Vulnerable Systems:
* Adobe Reader version 6.0.2
Immune Systems:
* Adobe Reader version 6.0.3
The problem specifically exists in the parsing of .etd files used in eBook transactions. An .etd file containing a format string in the 'title' or 'baseurl' fields can cause an invalid memory access. This vulnerability may allow for the execution of arbitrary code.
Example:
The following fields in an .etd file would trigger the vulnerability in a vulnerable Adobe Reader:
<title>|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|</title>
<baseurl>|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|</baseurl>
Successful exploitation allows an attacker to execute arbitrary code under the privileges of the local user. Remote exploitation is possible by sending a specially crafted e-mail and attaching either the maliciously crafted PDF document or a link to it.
Workaround:
It is possible to disable the parsing of .etd files.
Deleting the following file will prevent exploitation of this vulnerability: C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\eBook.api
This will not impact reading .PDF files. Removing this file prevents Adobe Reader from handling eBooks. When a file handled by this plugin is detected, an error dialog box will appear, offering to take the user to Adobe's website for information.
Vendor Status:
This vulnerability is addressed in Adobe Acrobat Reader 6.0.3. Downloads for platform-specific versions are available at the links shown below:
Reader/Win:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=2679
Reader/Mac:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=2680
Acrobat/Win:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=2677
Acrobat/Mac:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=2676
Disclosure Timeline:
10/13/2004 - Initial vendor notification
10/14/2004 - Initial vendor response
12/14/2004 - Coordinated public disclosure