On Wed, Oct 6, 2010 at 11:28 AM, ZDI Disclosures < [email protected]> wrote:
> ZDI-10-191: Adobe Reader ICC Parsing Remote Code Execution Vulnerability > http://www.zerodayinitiative.com/advisories/ZDI-10-191 > October 6, 2010 > > -- CVE ID: > CVE-2010-3621 > > -- CVSS: > 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) > > -- Affected Vendors: > Adobe > > -- Affected Products: > Adobe Reader > > -- Vulnerability Details: > This vulnerability allows remote attackers to execute arbitrary code on > vulnerable installations of Adobe Reader. User interaction is required > in that a target must be coerced into opening a file or visiting a web > page. > > The specific flaw exists within the ACE.dll module responsible for > parsing ICC streams. When processing an ICC stream, the process performs > math on two DWORD values from the input file. If these values wrap over > the maximum integer value of 0xFFFFFFFF a mis-allocation can occur. > Later, the process uses one of the original DWORD values as a size to a > copy function. This can be abused by an attacker to overflow a stack > buffer and subsequently execute code under the context of the user > running the process. > Well, awesome. This sounds near-identical to some issues that the Sun JRE had a few years back[1]. I wonder if the code shares a common lineage? :) Cheers Chris [1] - http://scary.beasts.org/security/CESA-2006-004.html http://scary.beasts.org/misc/jdk/badicc.jpg (And additional integer problems not released at the time) http://scary.beasts.org/misc/jdk/badicc2.jpg http://scary.beasts.org/misc/jdk/badicc3.jpg http://scary.beasts.org/misc/jdk/badicc4.jpg http://scary.beasts.org/security/CESA-2007-005.html In addition, there have been plenty of bugs against lcms[2] and Apple's ICC profile parser. So it seems like ICC profile parsing is hard ;-) [2] - http://scary.beasts.org/security/CESA-2009-003.html > -- Vendor Response: > Adobe has issued an update to correct this vulnerability. More > details can be found at: > > http://www.adobe.com/support/security/bulletins/apsb10-21.html > > -- Disclosure Timeline: > 2010-06-23 - Vulnerability reported to vendor > 2010-10-06 - Coordinated public release of advisory > > -- Credit: > This vulnerability was discovered by: > * Sebastian Apelt (www.siberas.de) > > -- About the Zero Day Initiative (ZDI): > Established by TippingPoint, The Zero Day Initiative (ZDI) represents > a best-of-breed model for rewarding security researchers for responsibly > disclosing discovered vulnerabilities. > > Researchers interested in getting paid for their security research > through the ZDI can find more information and sign-up at: > > http://www.zerodayinitiative.com > > The ZDI is unique in how the acquired vulnerability information is > used. TippingPoint does not re-sell the vulnerability details or any > exploit code. Instead, upon notifying the affected product vendor, > TippingPoint provides its customers with zero day protection through > its intrusion prevention technology. Explicit details regarding the > specifics of the vulnerability are not exposed to any parties until > an official vendor patch is publicly available. Furthermore, with the > altruistic aim of helping to secure a broader user base, TippingPoint > provides this vulnerability information confidentially to security > vendors (including competitors) who have a vulnerability protection or > mitigation product. > > Our vulnerability disclosure policy is available online at: > > http://www.zerodayinitiative.com/advisories/disclosure_policy/ > > Follow the ZDI on Twitter: > > http://twitter.com/thezdi > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
