Full Report
APSB08-15 is the latest Adobe security advisory regarding a memory corruption vulnerability in Acrobat Reader versions. As expected, the advisory does not include technical details about the attack vector, so let’s try to reverse the related Adobe patch to find out more about this vulnerability. I’m going to use IDA 5.2 with the patchdiff2 plugin (thanks to Kris for the hint on this plug-in). The patch is released as an MSI file. I used Greg Duncan’s Less MSIèrables tool to examine the content of this patch:
Analysis Summary
# Vulnerability: Adobe Acrobat Reader Memory Corruption in annots.api
## CVE Details
- CVE ID: Not explicitly provided in the text, referenced under APSB08-15.
- CVSS Score: Not explicitly provided in the text.
- CWE: Memory Corruption Vulnerability (Inferred)
## Affected Systems
- Products: Adobe Acrobat Reader
- Versions: prior to 8.1.2
- Configurations: Likely affects installations using the `annots.api` plugin, specifically its JavaScript-exposed functionality.
## Vulnerability Description
The vulnerability is a memory corruption flaw located within the `annots.api` plugin, specifically in the handling of the JavaScript method `Collab.collectEmailInfo`. Patch analysis revealed that the value passed as the `msg` argument of this method appears to be a candidate for triggering an overflow.
## Exploitation
- Status: Proof of Concept (PoC) available. The analysis successfully triggered an access violation with a crafted PDF whose JavaScript calls `Collab.collectEmailInfo({msg:"aaaaaa.....aaaaa"});` (32K of 'a's).
- Complexity: Medium (Requires crafting a specific PDF and leveraging JavaScript execution).
- Attack Vector: Network (via malicious PDF) or Local (if PDF is opened locally).
## Impact
- Confidentiality: Undetermined (Based on general memory corruption, potential for information disclosure).
- Integrity: Undetermined (Based on general memory corruption, potential for data modification).
- Availability: High (Access violation observed, leading to application crash).
## Remediation
### Patches
- Adobe Security Advisory APSB08-15 addresses this vulnerability. The patch is available via MSI installer updates, specifically updating the `annots.api` component. Users should update to version **8.1.2 or later**.
### Workarounds
- No specific workarounds were detailed in the provided summary beyond applying the patch.
## Detection
- Indicators of compromise: Attempts to open specially crafted PDF files containing JavaScript that calls the `doc.Collab.collectEmailInfo` method with large input strings in the `msg` parameter.
- Detection methods and tools: Patch diffing (IDA 5.2 with the patchdiff2 plugin) was used to locate the vulnerable code before any exploitation. Runtime detection would involve monitoring for unexpected memory access violations in the `annots.api` code path.
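As an added example (not part of the SensePost post or any Adobe tooling), the following Python script applies the indicator above to a PDF on disk: it pulls JavaScript out of `/JS` literals and FlateDecode streams and flags `Collab.collectEmailInfo` calls whose `msg` literal exceeds a threshold. The threshold, the regex heuristics and the constructed sample document are assumptions made for the example.

```python
import re
import zlib

# Added example, not code from the SensePost post: flag PDF JavaScript that calls
# Collab.collectEmailInfo with an oversized msg literal (the IoC described above).
MSG_LEN_THRESHOLD = 1024  # assumption; the reported PoC used a 32K string
CALL_RE = re.compile(rb"Collab\s*\.\s*collectEmailInfo\s*\(")
MSG_RE = re.compile(rb"msg\s*:\s*(?:\"([^\"]*)\"|'([^']*)')")
# /JS ( ... ) literal: heuristic end at ') /' or ') >>'; nested parens inside are kept
JS_LITERAL_RE = re.compile(rb"/(?:JS|JavaScript)\s*\((.*?)\)\s*(?:/|>>)", re.DOTALL)
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\nendstream", re.DOTALL)

def extract_js(pdf):
    # Collect JavaScript from /JS literals and from every stream (inflating FlateDecode ones)
    blobs = [m.group(1) for m in JS_LITERAL_RE.finditer(pdf)]
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(2)
        if b"FlateDecode" in m.group(1):
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass  # undecodable stream: scan the raw bytes anyway
        blobs.append(raw)
    return blobs

def scan_pdf(pdf):
    # Returns (number of collectEmailInfo calls, longest msg literal seen, suspicious?)
    calls, longest = 0, 0
    for js in extract_js(pdf):
        for call in CALL_RE.finditer(js):
            calls += 1
            m = MSG_RE.search(js, call.end())
            if m:
                longest = max(longest, len(m.group(1) or m.group(2) or b""))
    return calls, longest, calls > 0 and longest >= MSG_LEN_THRESHOLD

def make_sample_pdf(msg_len, compress=True):
    # Constructed test document (not a real exploit): one JS stream plus one benign /JS literal
    js = b'Collab.collectEmailInfo({msg:"' + b"a" * msg_len + b'"});'
    body = zlib.compress(js) if compress else js
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(body)).encode() + filt
            + b" >>\nstream\n" + body + b"\nendstream\nendobj\n"
            + b"2 0 obj\n<< /S /JavaScript /JS (app.alert(\"(hi)\");) >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(scan_pdf(make_sample_pdf(32768)))  # (1, 32768, True)
```

Strings assembled at runtime (loops, `Array.join`, `unescape`) are invisible to the literal regex, so a document that builds `msg` dynamically needs a JavaScript emulator or sandbox detonation rather than static matching.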
## References
- Vendor Advisories: http://www.adobe.com/support/security/bulletins/apsb08-15.html
- Relevant links:
  - SensePost Article: SensePost | Adobe APSB08-15 Patch Reversing
  - Less MSIèrables Tool: blogs.pingpoet.com/overflow/archive/2005/06/02/2449.aspx (Defanged)