
Security Advisory – SOS-10-003 – Adobe Reader 9.3.4 Multiple Memory Corruption Vulnerabilities

Release Date: 06-Oct-2010

Last Update:

Vendor Notification Date: 26-Jul-2010

Product: Adobe Reader
Adobe Acrobat

Platform: Microsoft Windows

Affected versions: 9.3.4 verified and possibly others

Severity Rating: Medium

Impact: Denial of service, potentially code execution.

Attack Vector: Local system

Solution Status: Vendor patch

CVE reference: CVE-2010-3630

Details

Adobe Reader is a popular freeware PDF viewer. Version 9.3.4 of the application is vulnerable to multiple memory corruption vulnerabilities. By sending specially crafted PDF files it is possible to cause memory corruption in the 3difr and AcroRd32.dll modules. Both issues trigger a null pointer condition which results in an access violation. The issue in AcroRd32.dll is triggered when Adobe Reader is closed.

Function sub_60AF56 in AcroRd32.dll triggers an access violation when attempting to read data pointed to by the ESI register. A partial disassembly of the function is shown below:

push  ebp
mov  ebp, esp
sub  esp, 1Ch
and  [ebp+var_4], 0
push  ebx
push  esi
mov  esi, ecx
mov  ebx, [esi+23Ch]  ; <-- crash

Function sub_1000EEE0 in 3difr also triggers an access violation, in this case when attempting to read data pointed to by the ECX register. A partial disassembly of the function is shown below:

mov  ecx, [eax+4]
mov  eax, [edx+4]
mov  dx, [eax]
cmp  dx, [ecx]  ; <-- crash
jnz  short loc_1000EF87
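The following crash-triage sketch is an added example, not part of the original advisory or its proof of concept. It resolves the memory operand of each faulting instruction quoted above and classifies the read. The register snapshots are constructed, and a zero base register is an assumption taken from the advisory's "null pointer condition" statement.

```python
import re

# Operand forms used in the advisory's listings: [esi+23Ch], [ecx], [eax+4]
MEM_OPERAND = re.compile(r"\[(e[a-z]{2})(?:([+-])([0-9A-Fa-f]+)(h?))?\]")
# Windows leaves the first 64 KiB of a user-mode address space unmapped by default
NULL_PAGE_LIMIT = 0x10000

def effective_address(instruction, regs):
    """Resolve the [reg] / [reg+disp] operand of an instruction to (base, address)."""
    m = MEM_OPERAND.search(instruction)
    if m is None:
        raise ValueError("no memory operand in %r" % instruction)
    base, sign, digits, hex_suffix = m.groups()
    disp = 0
    if digits:
        # IDA-style numbers: a trailing 'h' means hex, otherwise decimal
        disp = int(digits, 16 if hex_suffix else 10)
        if sign == "-":
            disp = -disp
    return base, (regs[base] + disp) & 0xFFFFFFFF

def classify_read_fault(instruction, regs):
    """Return (fault_address, verdict) for a faulting memory read."""
    base, addr = effective_address(instruction, regs)
    if addr >= NULL_PAGE_LIMIT:
        return addr, "outside-null-page"   # needs tracing of where the base came from
    if regs[base] == 0:
        return addr, "null-dereference"    # address is just the field displacement
    return addr, "near-null"               # small non-zero base, still unmapped

# Constructed register snapshots: the advisory publishes no register dump, so a
# zero base register is assumed from its "null pointer condition" statement.
SAMPLES = [
    ("AcroRd32.dll sub_60AF56", "mov ebx, [esi+23Ch]", {"esi": 0}),
    ("3difr sub_1000EEE0", "cmp dx, [ecx]", {"ecx": 0}),
]

def triage(samples=SAMPLES):
    return [(name,) + classify_read_fault(ins, regs) for name, ins, regs in samples]

if __name__ == "__main__":
    for name, addr, verdict in triage():
        print("%-24s read at 0x%08X -> %s" % (name, addr, verdict))
```

With a NULL base, the first read lands at the bare displacement 0x23C and the second at address 0, both inside the unmapped low range.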

It may be possible to exploit these vulnerabilities to execute arbitrary code under the context of the user running Adobe Reader.

Please refer to the PDF version of this advisory for proof of concept code examples.

Solution

A patch is available from Adobe and is included in the next release (9.4).

Discovered By

Brett Gervasoni from Sense of Security Labs.
