Bug 639890 (CVE-2010-2889, CVE-2010-2890, CVE-2010-3619, CVE-2010-3620, CVE-2010-3621, CVE-2010-3622, CVE-2010-3625, CVE-2010-3626, CVE-2010-3627, CVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3632, CVE-2010-3658)

Summary: acroread: multiple code execution flaws (APSB10-21)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: kurt, mkasik, security-response-team, stransky
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.adobe.com/support/security/bulletins/apsb10-21.html
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-10-07 06:51:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 639915, 639916, 639917    
Bug Blocks:    

Description Tomas Hoger 2010-10-04 10:01:08 UTC 
Adobe security bulletin APSB10-21 describes multiple security flaws that can lead to arbitrary code execution when malicious PDF file is opened in Adobe Reader.

http://www.adobe.com/support/security/bulletins/apsb10-21.html

Two of the issues were previously public, as they were exploited in the wild:

This update resolves a font-parsing input validation vulnerability that could lead to code execution (CVE-2010-2883). (see bug #632267)

This update resolves a memory corruption vulnerability in the authplay.dll component that could lead to code execution (CVE-2010-2884). (see bug #633917, affects embedded Flash player)

Additional issues with possible code execution impact:

This update resolves a font-parsing input validation vulnerability that could lead to code execution (CVE-2010-2889).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2890).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3619).

This update resolves an image-parsing input validation vulnerability that could lead to code execution (CVE-2010-3620).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3621).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3622).

This update resolves a prefix protocol handler vulnerability that could lead to code execution (CVE-2010-3625).

This update resolves a font-parsing input validation vulnerability that could lead to code execution (CVE-2010-3626).

This update resolves an input validation vulnerability that could lead to code execution (CVE-2010-3627).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3628).

This update resolves an image-parsing input validation vulnerability that could lead to code execution (CVE-2010-3629).

This update resolves a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-3630).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3632).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3658)
Comment 2 Tomas Hoger 2010-10-06 07:06:40 UTC 
Public now via:
  http://www.adobe.com/support/security/bulletins/apsb10-21.html

Fixed in Adobe Reader 9.4.
Comment 3 Kurt Seifried 2010-10-06 07:19:52 UTC 
CVE-2010-3630

http://www.senseofsecurity.com.au/advisories/SOS-10-003

Sense of Security - Security Advisory - SOS-10-003 security advisory

Release Date.                  6-Oct-2010
Last Update.                   -
Vendor Notification Date.      26-Jul-2010
Product.                       Adobe Reader
                               Adobe Acrobat
Platform.                      Microsoft Windows
Affected versions.             9.3.4 verified and 
                               possibly others.
Severity Rating.               Medium
Impact.                        Denial of service, potentially
                               code execution.
Attack Vector.                 Local system
Solution Status.               Upgrade to 9.4 (as advised by
                               Adobe)
CVE reference.                 CVE-2010-3630

Details.
Adobe Reader is a popular freeware PDF viewer. Version 9.3.4 of
the application is vulnerable to multiple memory corruption 
vulnerabilities. By sending specially crafted PDF files it is
possible to cause memory corruption in the 3difr and
AcroRd32.dll modules. Both issues trigger a null pointer
condition which results in an access violation. The issue in
AcroRd32.dll is triggered when Adobe Reader is closed.

Function sub_60AF56 in AcroRd32.dll access violates when 
attempting to read data from the ESI register. Part disassembly
of the function is shown below:

push    ebp
mov     ebp, esp
sub     esp, 1Ch
and     [ebp+var_4], 0 
push    ebx
push    esi
mov     esi, ecx
mov     ebx, [esi+23Ch] <-- crash

Function sub_1000EEE0 in 3difr also access violates when
attempting to read data from the ECX register. Part disassembly
of the function is shown below:

mov     ecx, [eax+4]
mov     eax, [edx+4]
mov     dx, [eax]
cmp     dx, [ecx] <-- crash
jnz     short loc_1000EF87

It may be possible to exploit these vulnerabilities to execute
arbitrary code under the context of the user running Adobe
Reader.

Proof of Concept.
A patch is available from Adobe and is included in the next
release (9.4).

Solution.
Proof of concept PDF files are available to Sense of Security
customers upon request. 

Discovered by.
Brett Gervasoni from Sense of Security Labs.

About us.
Sense of Security is a leading provider of information
security and risk management solutions. Our team has expert
skills in assessment and assurance, strategy and architecture,
and deployment through to ongoing management. We are
Australia's premier application penetration testing firm and
trusted IT security advisor to many of the countries largest
organisations.
Comment 4 errata-xmlrpc 2010-10-06 10:29:01 UTC 
This issue has been addressed in following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2010:0743 https://rhn.redhat.com/errata/RHSA-2010-0743.html
Comment 5 Tomas Hoger 2010-10-07 06:51:54 UTC 
CVE-2010-3627
http://www.coresecurity.com/content/adobe-acrobat-acrord23-reader-use-after-free

CVE-2010-3621
http://www.zerodayinitiative.com/advisories/ZDI-10-191/

CVE-2010-3622
http://www.zerodayinitiative.com/advisories/ZDI-10-192/

CVE-2010-3632
http://www.zerodayinitiative.com/advisories/ZDI-10-193/