Proactive IT security
 

Adobe Reader PDF LibTiff Integer Overflow Code Execution

Abstract

A vulnerability exists in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 in which a TIFF (Tagged Image File Format) image is used to build a PDF carrying shellcode, allowing arbitrary code execution on the host. The twist is that this exploit does not use JavaScript, whereas most of the PDF exploits seen over the past few days rely on JavaScript. Once the exploit fires, the shellcode executes and triggers the malicious Trojan implanted in the system, overriding DEP (Data Execution Prevention) even when it is enabled, and the PDF reader crashes.

Severity

Critical

Propagation Vectors

Attachments sent by e-mail; documents opened through a browser when served from a web server.

Impact

Arbitrary code execution

Detailed analysis of the exploit

The PDF exploit described here is built with a Python script and encoded with two layers of encoding, Base64 and zlib compression. Exploit PDFs are usually compressed at several levels to evade detection by the installed anti-virus products or firewall.

The exploit defines a class that emits the TIFF header [49 49 2A 00] followed by the NOP instruction multiplied by the predefined shellcode offset, producing a huge integer that the application (Adobe Reader) cannot handle. The following figure (Fig 1) shows the start of the overflow.

Fig 1
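A defender-side check for the two points above (the Base64-plus-zlib layering and the TIFF header at the head of the payload), as an added example that is not part of the original advisory: it peels the Flate layer off each PDF stream, decodes any long Base64 run inside it, and flags streams whose decoded content carries a TIFF header, noting whether a long run of 0x90 bytes (a NOP sled) sits alongside it. The threshold, the sample document and the `build_sample_pdf` helper are constructed for this example.

```python
import base64
import binascii
import re
import zlib

TIFF_MAGIC = (b"II*\x00", b"MM\x00*")   # little-endian header from the analysis, plus big-endian
NOP_SLED_MIN = 64                       # constructed threshold: 64+ consecutive 0x90 bytes

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
B64_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def _inflate(data):
    """Undo the Flate (zlib) layer; fall back to the raw bytes if it is not compressed."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return data

def _decode_b64_chunks(data):
    """Yield decoded bytes for every long base64 run inside a stream (e.g. an XFA image)."""
    compact = re.sub(rb"\s+", b"", data)            # base64 is often line-wrapped
    for m in B64_RE.finditer(compact):
        chunk = m.group(0)
        if b"=" not in chunk:
            chunk = chunk[: len(chunk) - len(chunk) % 4]   # drop a trailing partial group
        try:
            yield base64.b64decode(chunk, validate=True)
        except binascii.Error:
            continue

def scan_pdf(pdf_bytes):
    """Return (stream index, reason) for each stream that carries TIFF data once decoded."""
    findings = []
    for idx, m in enumerate(STREAM_RE.finditer(pdf_bytes)):
        raw = _inflate(m.group(1))
        for blob in (raw, *_decode_b64_chunks(raw)):
            if not any(magic in blob for magic in TIFF_MAGIC):
                continue
            sled = (b"\x90" * NOP_SLED_MIN) in blob
            findings.append((idx, "embedded TIFF with NOP sled" if sled else "embedded TIFF"))
            break
    return findings

def build_sample_pdf():
    """Constructed test document: a Flate-compressed XFA stream holding a base64 TIFF image."""
    image = b"II*\x00\x08\x00\x00\x00" + b"\x90" * 100 + b"constructed-tail"
    xfa = b'<image contentType="image/tif">' + base64.b64encode(image) + b"</image>"
    return (b"%PDF-1.6\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + zlib.compress(xfa)
            + b"\nendstream\nendobj\n2 0 obj\n<< >>\nstream\nBT (hello) Tj ET\nendstream\nendobj\n")

if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf()))   # [(0, 'embedded TIFF with NOP sled')]
```

A legitimate PDF can also embed TIFF images, so treat a bare "embedded TIFF" hit as a triage signal and the NOP-sled variant as the one worth escalating.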

The following figure (Fig 2) shows the predefined shellcode offset.

Fig 2

The huge integer value overflows the heap and throws an exception with the instruction pointer pointing into the shellcode carried by the PDF itself. The following figure (Fig 3) shows the exception thrown when the application crashes.

Fig 3

Immediately afterwards the shellcode begins to execute as the instruction pointer flows into it, as can be seen in the following figure (Fig 4), which shows the shellcode.

Fig 4

In this example the shellcode is prepended and appended with NOPs (no-operation instructions); it crashes the application and spawns calc.exe through the WinExec API, as can be seen in the following figures (Fig 5 and Fig 6), traced in a debugger.

Fig 5

Fig 6

An attacker would instead point the same EIP at the malware he wants executed on the vulnerable host, followed by a chain of further actions to accomplish his task. If the exploit PDF is opened through a browser, the browser crashes as well. This could be even worse if the vulnerable user was concurrently using a banking or e-shopping site, potentially leading to identity theft.

Remediation

Update to the latest version of Adobe Reader and Acrobat.

References

http://www.adobe.com/support/security/bulletins/apsb10-07.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188
http://www.exploit-db.com/exploits/11787