Title: Adobe PDF LibTiff Integer Overflow Code Execution.
Product: Adobe Acrobat Reader
Author: villy (villys777 at gmail.com)
CVE: 2010-0188
Site: http://bugix-security.blogspot.com/
Tested: successfully tested on Adobe Reader 9.1/9.2/9.3.0 on Windows XP (SP2, SP3),
also works with Adobe browser plug-in
Exploit works with Adobe javascript disabled.
http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html
Invitation.pdf, the source sample
Update March 18, 2010
Excerpt: "This exploit worked flawlessly against Adobe Reader 9.3 despite DEP being enabled. (For those who didn't know, Adobe Reader 9 enables DEP "permanently".)
...
"What I found was that several function tails were being used to create a hunk of memory that was not protected by DEP. After this was created, a bit more ROP (return oriented programming) was used to accomplish a "memcpy" of a small loader stub to this memory and execute it.
You might be asking yourself, "Great, but why do we care?" ... Well, AFAIK (feel free to comment), this is the first public exploit that uses multiple tail chunks to completely bypass permanent DEP. It certainly gives me a bit of chill to see this coming from a maliciously circulating document..." - More from blog.metasploit.com
Update March 17, 2010
Excerpt from "Client Sides and Adobe 9.3":
"A hacker by the nick of villy made a python script that will create a pdf that will launch calc.exe on a WinXP SP2 Box with the most up-to-date version of Adobe Reader installed even with Java turned off.
After playing with it we replaced the shellcode with a Windows Reverse Shell and then tried it on a fully patched system! BAM – Shell again.
We took the PDF file and uploaded it to Virus Total and an amazing 0/42 was returned and that is before we even used Shikata Ga Nai to encode it." - loganWHD
More from social-engineer.org
Chris Hadnagy (aka loganWHD) from www.social-engineer.org posted results of the exploit testing plus a video documenting their adventures.