.

Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability

<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Tue Feb 24, 2009 8:35 am

Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability

Description:
A vulnerability has been reported in Adobe Reader/Acrobat, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an array indexing error in the processing of JBIG2 streams. This can be exploited to corrupt arbitrary memory via a specially crafted PDF file.

Successful exploitation allows execution of arbitrary code.

NOTE: Reportedly, the vulnerability is currently being actively exploited.

http://secunia.com/advisories/33901/
<<

Jhaddix

User avatar

Sr. Member
Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Tue Feb 24, 2009 8:45 am

Re: Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability

Hey Xen! =) I have topic about it too, people are all fired up on it!


More Bad News for Adobe - Zero Day

Here's some extra stuff i had on mine:

Adobe just cant catch a break. This is severe and many IT staff are going as far as moving to other vendors temporarily, my company included (foxit). Do what you can, with what you have.

Also, lol, funny as i just posted a whole bunch of shmoo talks with links to pdfs Doh

** HD Moore's writeup here

** Exploit code here

**Sourcefire has some snort updates for the attacks

http://www.snort.org/vrt/advisories/vrt ... 02-20.html

http://www.ethicalhacker.net/component/ ... een,1/#new
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Tue Feb 24, 2009 11:32 am

Re: Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability

I appreciate the link to HD Moore's blog, didn't think he'd do a write up on it. I had figured this one was going to be abused like the other 0 days that get published out there, as soon as I saw it on milw0rm. I hit up milw0rm yesterday and I saw the name "Adobe Acrobat Reader JBIG2 Local Buffer Overflow PoC #2 0day" there highlighted in yellow and it had about 500 hits on it. I went ahead took a look at the code myself then closed it, refreshed the milw0rm page the exploit had over 1000 hits. Lucky I switched over to foxit awhile has me feeling safe from this one, it's also a lot smaller in size compared to adobe reader / acrobat. You can get it from below for the people who haven't made the switch yet:

http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Feb 24, 2009 11:51 am

Re: Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability

Cheers for the links, HDM's writeup makes for a good read. One issue I found especially interesting was the comparison between Adobe's response to the incident and previous MS responses to similar issues:

Compare this Microsoft's response to MS08-078, MS08-067, or even MS06-001 and you can see a clear difference in how these companies respond to real-world attacks against their user base.


Whilst I'm a penguin lover, and have several reasons to dislike some of MS's software and business practices I think in a lot of areas they are damned-if-they-do and damned-if-they-don't. Despite a slower response from Adobe I doubt too many in the wider world are going to tar them with the same brush as MS.

I haven't had a chance to look too closely at the Milw0rm exploit, anyone had any success with it yet?
<<

Ne0

Jr. Member
Jr. Member

Posts: 62

Joined: Thu Sep 04, 2008 5:28 pm

Post Tue Feb 24, 2009 11:18 pm

Re: Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability

hey guys i got this blog from a computer world where it says that a security reasercher as posted a home made pacth :D for fresh vuln of pdf

A security researcher has published a home-brewed patch for a critical Adobe Reader vulnerability that hackers are exploiting in the wild using malicious PDF files, beating Adobe Systems Inc. to the punch by more than two weeks
Lurene Grenier, a vulnerability researcher at intrusion-prevention vendor Sourcefire Inc., posted the patch Sunday with the caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees.

"The patch is just a replacement .dll -- AcroRd32.dll to be precise," said Grenier in a post to the Sourcefire vulnerability research blog. The .dll, which weighs in at 19MB, replaces the existing file in the "C:\Program Files\Adobe\Reader 9.0\Reader\" directory on Windows machines.

"No warranty expressed or implied, etc. etc.," concluded Grenier.
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Thu Feb 26, 2009 4:57 am

Re: Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability

After adobe reader, now there's bad news for Adobe flash player


Adobe Flash Player Multiple Vulnerabilities
Description:
Some vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious, local users to disclose sensitive information and potentially gain escalated privileges, and by malicious people to bypass certain security restrictions, disclose potentially sensitive information, and compromise a user's system.

1) An error when processing multiple references to an unspecified object can be exploited to dereference freed memory via a specially crafted SWF file.

Successful exploitation allows execution of arbitrary code.

2) An input validation error in the processing of SWF files can be exploited to cause a crash and potentially execute arbitrary code.

3) An error when displaying the mouse pointer on Windows can be exploited to potentially conduct "Clickjacking" attacks.

4) An error in the Linux Flash Player binary can be exploited to disclose sensitive information and potentially gain escalated privileges.

http://secunia.com/advisories/34012/
http://www.adobe.com/support/security/b ... 09-01.html

Return to Malware

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software