Adobe security bulletin APSB10-21 describes multiple security flaws that can lead to arbitrary code execution when malicious PDF file is opened in Adobe Reader. http://www.adobe.com/support/security/bulletins/apsb10-21.html Two of the issues were previously public, as they were exploited in the wild: This update resolves a font-parsing input validation vulnerability that could lead to code execution (CVE-2010-2883). (see bug #632267) This update resolves a memory corruption vulnerability in the authplay.dll component that could lead to code execution (CVE-2010-2884). (see bug #633917, affects embedded Flash player) Additional issues with possible code execution impact: This update resolves a font-parsing input validation vulnerability that could lead to code execution (CVE-2010-2889). This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2890). This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3619). This update resolves an image-parsing input validation vulnerability that could lead to code execution (CVE-2010-3620). This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3621). This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3622). This update resolves a prefix protocol handler vulnerability that could lead to code execution (CVE-2010-3625). This update resolves a font-parsing input validation vulnerability that could lead to code execution (CVE-2010-3626). This update resolves an input validation vulnerability that could lead to code execution (CVE-2010-3627). This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3628). This update resolves an image-parsing input validation vulnerability that could lead to code execution (CVE-2010-3629). This update resolves a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-3630). This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3632). This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3658)
Public now via: http://www.adobe.com/support/security/bulletins/apsb10-21.html Fixed in Adobe Reader 9.4.
CVE-2010-3630 http://www.senseofsecurity.com.au/advisories/SOS-10-003 Sense of Security - Security Advisory - SOS-10-003 security advisory Release Date. 6-Oct-2010 Last Update. - Vendor Notification Date. 26-Jul-2010 Product. Adobe Reader Adobe Acrobat Platform. Microsoft Windows Affected versions. 9.3.4 verified and possibly others. Severity Rating. Medium Impact. Denial of service, potentially code execution. Attack Vector. Local system Solution Status. Upgrade to 9.4 (as advised by Adobe) CVE reference. CVE-2010-3630 Details. Adobe Reader is a popular freeware PDF viewer. Version 9.3.4 of the application is vulnerable to multiple memory corruption vulnerabilities. By sending specially crafted PDF files it is possible to cause memory corruption in the 3difr and AcroRd32.dll modules. Both issues trigger a null pointer condition which results in an access violation. The issue in AcroRd32.dll is triggered when Adobe Reader is closed. Function sub_60AF56 in AcroRd32.dll access violates when attempting to read data from the ESI register. Part disassembly of the function is shown below: push ebp mov ebp, esp sub esp, 1Ch and [ebp+var_4], 0 push ebx push esi mov esi, ecx mov ebx, [esi+23Ch] <-- crash Function sub_1000EEE0 in 3difr also access violates when attempting to read data from the ECX register. Part disassembly of the function is shown below: mov ecx, [eax+4] mov eax, [edx+4] mov dx, [eax] cmp dx, [ecx] <-- crash jnz short loc_1000EF87 It may be possible to exploit these vulnerabilities to execute arbitrary code under the context of the user running Adobe Reader. Proof of Concept. A patch is available from Adobe and is included in the next release (9.4). Solution. Proof of concept PDF files are available to Sense of Security customers upon request. Discovered by. Brett Gervasoni from Sense of Security Labs. About us. Sense of Security is a leading provider of information security and risk management solutions. Our team has expert skills in assessment and assurance, strategy and architecture, and deployment through to ongoing management. We are Australia's premier application penetration testing firm and trusted IT security advisor to many of the countries largest organisations.
This issue has been addressed in following products: Extras for RHEL 4 Extras for Red Hat Enterprise Linux 5 Via RHSA-2010:0743 https://rhn.redhat.com/errata/RHSA-2010-0743.html
CVE-2010-3627 http://www.coresecurity.com/content/adobe-acrobat-acrord23-reader-use-after-free CVE-2010-3621 http://www.zerodayinitiative.com/advisories/ZDI-10-191/ CVE-2010-3622 http://www.zerodayinitiative.com/advisories/ZDI-10-192/ CVE-2010-3632 http://www.zerodayinitiative.com/advisories/ZDI-10-193/