Bug 639890 (CVE-2010-2889, CVE-2010-2890, CVE-2010-3619, CVE-2010-3620, CVE-2010-3621, CVE-2010-3622, CVE-2010-3625, CVE-2010-3626, CVE-2010-3627, CVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3632, CVE-2010-3658)
Summary: | acroread: multiple code execution flaws (APSB10-21) | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | CC: | kurt, mkasik, security-response-team, stransky |
Severity: | urgent | Keywords: | Security |
Priority: | urgent | Doc Type: | Bug Fix |
Version: | unspecified | Last Closed: | 2010-10-07 06:51:54 UTC |
Hardware: | All | OS: | Linux |
URL: | http://www.adobe.com/support/security/bulletins/apsb10-21.html | Bug Depends On: | 639915, 639916, 639917 |
Description
Tomas Hoger
2010-10-04 10:01:08 UTC
Public now via:
http://www.adobe.com/support/security/bulletins/apsb10-21.html

Fixed in Adobe Reader 9.4.

CVE-2010-3630
http://www.senseofsecurity.com.au/advisories/SOS-10-003

Sense of Security - Security Advisory - SOS-10-003

Release Date. 6-Oct-2010
Last Update. -
Vendor Notification Date. 26-Jul-2010
Product. Adobe Reader
         Adobe Acrobat
Platform. Microsoft Windows
Affected versions. 9.3.4 verified and possibly others.
Severity Rating. Medium
Impact. Denial of service, potentially code execution.
Attack Vector. Local system
Solution Status. Upgrade to 9.4 (as advised by Adobe)
CVE reference. CVE-2010-3630

Details.
Adobe Reader is a popular freeware PDF viewer. Version 9.3.4 of the application is vulnerable to multiple memory corruption vulnerabilities. By sending specially crafted PDF files it is possible to cause memory corruption in the 3difr and AcroRd32.dll modules. Both issues trigger a null pointer condition which results in an access violation. The issue in AcroRd32.dll is triggered when Adobe Reader is closed.

Function sub_60AF56 in AcroRd32.dll access violates when attempting to read data from the ESI register. Part disassembly of the function is shown below:

    push ebp
    mov ebp, esp
    sub esp, 1Ch
    and [ebp+var_4], 0
    push ebx
    push esi
    mov esi, ecx
    mov ebx, [esi+23Ch]    <-- crash

Function sub_1000EEE0 in 3difr also access violates when attempting to read data from the ECX register. Part disassembly of the function is shown below:

    mov ecx, [eax+4]
    mov eax, [edx+4]
    mov dx, [eax]
    cmp dx, [ecx]    <-- crash
    jnz short loc_1000EF87

It may be possible to exploit these vulnerabilities to execute arbitrary code under the context of the user running Adobe Reader.

Proof of Concept.
A patch is available from Adobe and is included in the next release (9.4).

Solution.
Proof of concept PDF files are available to Sense of Security customers upon request.

Discovered by.
Brett Gervasoni from Sense of Security Labs.

About us.
Sense of Security is a leading provider of information security and risk management solutions. Our team has expert skills in assessment and assurance, strategy and architecture, and deployment through to ongoing management. We are Australia's premier application penetration testing firm and trusted IT security advisor to many of the country's largest organisations.

This issue has been addressed in following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2010:0743 https://rhn.redhat.com/errata/RHSA-2010-0743.html

CVE-2010-3627
http://www.coresecurity.com/content/adobe-acrobat-acrord23-reader-use-after-free

CVE-2010-3621
http://www.zerodayinitiative.com/advisories/ZDI-10-191/

CVE-2010-3622
http://www.zerodayinitiative.com/advisories/ZDI-10-192/

CVE-2010-3632
http://www.zerodayinitiative.com/advisories/ZDI-10-193/