Adobe Reader .ETD File Format String

Summary

Adobe Acrobat Reader is a program for viewing Portable Document Format (PDF) documents.

Remote exploitation of a format string vulnerability in Adobe’s Reader could allow attackers to execute arbitrary code.

Credit:

The information has been provided by iDEFENSE.
The original article can be found at: http://www.idefense.com/application/poi/display?id=163&type=vulnerabilities


Details

Vulnerable Systems:
 * Adobe Reader version 6.0.2

Immune Systems:
 * Adobe Reader version 6.0.3

The problem specifically exists in the parsing of .etd files used in eBook transactions. An .etd file containing a format string in the ‘title’ or ‘baseurl’ fields can cause an invalid memory access. This vulnerability may allow for the execution of arbitrary code.

Example:
The following fields in an .etd file would trigger the vulnerability in a vulnerable Adobe Reader:

<title>|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|</title>
<baseurl>|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|%p|</baseurl>

Successful exploitation allows an attacker to execute arbitrary code under the privileges of the local user. Remote exploitation is possible by sending a specially crafted e-mail and attaching either the maliciously crafted PDF document or a link to it.
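
A defender-side check for the pattern described above, added here as an example and not part of the iDEFENSE advisory or any Adobe code: it scans .etd content for printf-style conversions in the title and baseurl fields. It assumes those fields appear as the tag pairs shown in the example; the name scan_etd and both sample strings are constructed for illustration.

```python
import re
import sys

# Fields the advisory names as carrying the format string (assumed to be
# plain tag pairs, as in the advisory's example).
FIELD = re.compile(r"<(title|baseurl)\b[^>]*>(.*?)</\1\s*>", re.I | re.S)

# One printf-style conversion: flags, width, precision, length modifier,
# conversion letter. "%%" is matched first so an escaped percent sign is
# consumed as a unit and never starts a conversion.
CONVERSION = re.compile(
    r"%%|%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*)?)?(?:hh|h|ll|l|L|j|z|t)?"
    r"[diouxXeEfFgGaAcspn]"
)

def scan_etd(text):
    """Return [(field, [conversion tokens])] for each flagged field."""
    findings = []
    for m in FIELD.finditer(text):
        tokens = [t.group(0) for t in CONVERSION.finditer(m.group(2))
                  if t.group(0) != "%%"]
        if tokens:
            findings.append((m.group(1).lower(), tokens))
    return findings

# Constructed samples: the first repeats the field contents quoted in the
# advisory, the second is a benign file body made up for this example.
SAMPLE_SUSPICIOUS = (
    "<title>|" + "%p|" * 16 + "</title>\n"
    "<baseurl>|" + "%p|" * 16 + "</baseurl>\n"
)
SAMPLE_BENIGN = (
    "<title>Annual Report, 50%% larger</title>\n"
    "<baseurl>http://books.example.com/fulfill</baseurl>\n"
)

if __name__ == "__main__":
    # Scan files named on the command line, or the samples if none given.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, encoding="latin-1") as fh:
                for field, tokens in scan_etd(fh.read()):
                    print(f"{path}: <{field}> has {len(tokens)} "
                          f"conversion(s), e.g. {tokens[:4]}")
    else:
        print(scan_etd(SAMPLE_SUSPICIOUS))
        print(scan_etd(SAMPLE_BENIGN))
```

Percent-encoded URLs in baseurl can also match (for example, %2F parses as a conversion), so treat hits as candidates for review rather than as confirmed malicious files.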

Workaround:
It is possible to disable the parsing of .etd files.
Deleting the following file will prevent exploitation of this vulnerability: C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\eBook.api
This will not impact reading .PDF files. Removing this file prevents Adobe Reader from handling eBooks. When a file handled by this plugin is detected, an error dialog box will appear, offering to take the user to Adobe’s website for information.

Vendor Status:
This vulnerability is addressed in Adobe Acrobat Reader 6.0.3. Downloads for platform specific versions are available at the links shown below:

Reader/Win: http://www.adobe.com/support/downloads/detail.jsp?ftpID=2679
Reader/Mac: http://www.adobe.com/support/downloads/detail.jsp?ftpID=2680
Acrobat/Win: http://www.adobe.com/support/downloads/detail.jsp?ftpID=2677
Acrobat/Mac: http://www.adobe.com/support/downloads/detail.jsp?ftpID=2676

Disclosure Timeline:
10/13/2004 – Initial vendor notification
10/14/2004 – Initial vendor response
12/14/2004 – Coordinated public disclosure
