In this Section

Security Advisory – Adobe Reader 9.3.4 Multiple Memory Corruption Vulnerabilities

pdf_symbol

Sense of Security – Security Advisory – SOS-10-003

Release Date. 6-Oct-2010
Last Update.
Vendor Notification Date. 26-Jul-2010
Product. Adobe Reader
Adobe Acrobat
Platform. Windows
Affected versions. 9.3.4 verified and possibly others
Severity Rating. Medium
Impact. Denial of Service
Potentially code execution
Attack Vector. Local system
Solution Status. Upgrade to 9.4 (as advised by Adobe)
CVE reference. CCVE-2010-3630

 

Details.

Adobe Reader is a popular freeware PDF viewer. Version 9.3.4 of the application is vulnerable to multiple memory corruption vulnerabilities. By sending specially crafted PDF files it is possible to cause memory corruption in the 3difr and AcroRd32.dll modules. Both issues trigger a null pointer condition which results in an access violation. The issue in AcroRd32.dll is triggered when Adobe Reader is closed.

 

Function sub_60AF56 in AcroRd32.dll access violates when attempting to read data pointed to by the ESI register. Part disassembly of the function is shown below:

 

push ebp

mov ebp, esp

sub esp, 1Ch

and [ebp+var_4], 0

push ebx

push esi

mov esi, ecx

mov ebx, [esi+23Ch] <– crash

 

Function sub_1000EEE0 in 3difr also access violates when attempting to read data pointed to by the ECX register. Part disassembly of the function is shown below:

 

mov ecx, [eax+4]

mov eax, [edx+4]

mov dx, [eax]

cmp dx, [ecx] <– crash

jnz short loc_1000EF87

 

It may be possible to exploit these vulnerabilities to execute arbitrary code under the context of the user running Adobe Reader.

 

Proof of Concept.

Proof of concept PDF files are available to Sense of Security customers upon request.

 

Solution.

A patch is available from Adobe and is included in the next release (9.4).

 

Discovered by.

Brett Gervasoni from Sense of Security Labs.