CVE-2005-1625
CVSS 5.0
Published: 2005-07-05 00:00:00
Last revised: 2008-09-05 16:49:38

[Original] Stack-based buffer overflow in the UnixAppOpenFilePerform function in Adobe Reader 5.0.9 and 5.0.10 for Unix allows remote attackers to execute arbitrary code via a PDF document with a long /Filespec tag.


[CNNVD] Adobe Reader UnixAppOpenFilePerform() stack overflow vulnerability (CNNVD-200507-002)

        Adobe Reader is a very popular PDF file reader.
        The UnixAppOpenFilePerform function in Adobe Reader for Unix versions 5.0.9 and 5.0.10 contains a stack overflow vulnerability.
        A remote attacker can exploit this vulnerability to execute arbitrary code via a PDF file containing an overly long /Filespec tag.

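- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]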

- CPE (Affected platforms and products)

cpe:/a:adobe:acrobat_reader:5.0.9    Adobe Acrobat Reader 5.0.9
cpe:/a:adobe:acrobat_reader:5.0.10   Adobe Acrobat Reader 5.0.10

- OVAL (Technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1625
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1625
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200507-002
(Official data source) CNNVD

- Other links and resources

http://www.idefense.com/application/poi/display?id=279&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050705 iDEFENSE Security Advisory 07.05.05: Adobe Acrobat Reader UnixAppOpenFilePerform() Buffer Overflow Vulnerability
http://www.adobe.com/support/techdocs/329083.html
(VENDOR_ADVISORY)  CONFIRM  http://www.adobe.com/support/techdocs/329083.html
http://www.redhat.com/support/errata/RHSA-2005-575.html
(UNKNOWN)  REDHAT  RHSA-2005:575
http://www.novell.com/linux/security/advisories/2005_42_acroread.html
(UNKNOWN)  SUSE  SUSE-SA:2005:042

- Vulnerability information

Adobe Reader UnixAppOpenFilePerform() stack overflow vulnerability
Medium severity  Buffer overflow
2005-07-05 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. Patch download link:
        http://get.adobe.com/reader/otherversions/

- Vulnerability information (F38601)

Gentoo Linux Security Advisory 200507-9 (PacketStormID:F38601)
2005-07-12 00:00:00
Gentoo  security.gentoo.org
advisory,overflow
linux,gentoo
CVE-2005-1625

Gentoo Linux Security Advisory GLSA 200507-09 - A buffer overflow has been discovered in the UnixAppOpenFilePerform() function, which is called when Adobe Acrobat Reader tries to open a file with the \Filespec tag. Versions less than or equal to 5.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200507-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Adobe Acrobat Reader: Buffer overflow vulnerability
      Date: July 11, 2005
      Bugs: #98101
        ID: 200507-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Adobe Acrobat Reader is vulnerable to a buffer overflow that could lead
to remote execution of arbitrary code.

Background
==========

Adobe Acrobat Reader is a utility used to view PDF files.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  app-text/acroread       <= 5.10                            >= 7.0

Description
===========

A buffer overflow has been discovered in the UnixAppOpenFilePerform()
function, which is called when Adobe Acrobat Reader tries to open a
file with the "\Filespec" tag.

Impact
======

By enticing a user to open a specially crafted PDF document, a remote
attacker could exploit this vulnerability to execute arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

Since Adobe will most likely not update the 5.0 series of Adobe Acrobat
Reader for Linux, all users should upgrade to the latest available
version of the 7.0 series:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/acroread-7.0"

References
==========

  [ 1 ] CAN-2005-1625
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1625
  [ 2 ] iDEFENSE Security Advisory
        http://www.idefense.com/application/poi/display?id=279&type=vulnerabilities&flashstatus=true
  [ 3 ] Adobe Security Advisory
        http://www.adobe.com/support/techdocs/329083.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200507-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

    

- Vulnerability information (F38507)

iDEFENSE Security Advisory 2005-07-05.t (PacketStormID:F38507)
2005-07-07 00:00:00
iDefense Labs  idefense.com
advisory,remote,overflow,arbitrary
windows,unix
CVE-2005-1625

iDEFENSE Security Advisory 07.05.05 - Remote exploitation of a buffer overflow in Adobe Acrobat Reader for Unix could allow an attacker to execute arbitrary code. iDEFENSE has confirmed the existence of this vulnerability in Adobe Acrobat Reader version 5.0.9 for Unix and Adobe Acrobat Reader version 5.0.10 for Unix. Adobe Acrobat for Windows is not affected. Adobe Acrobat 7.0 for Unix is not affected.

Adobe Acrobat Reader UnixAppOpenFilePerform() Buffer Overflow
Vulnerability

iDEFENSE Security Advisory 07.05.05
www.idefense.com/application/poi/display?id=279&type=vulnerabilities
July 05, 2005

I. BACKGROUND

Adobe Acrobat Reader is a program for viewing Portable Document Format
(PDF) documents. More information is available at the following site:

   http://www.adobe.com/products/acrobat/readermain.html

II. DESCRIPTION

Remote exploitation of a buffer overflow in Adobe Acrobat Reader for 
Unix could allow an attacker to execute arbitrary code. 

The vulnerability specifically exists in the function 
UnixAppOpenFilePerform(). This routine is called by Acrobat Reader while
opening a document containing a /Filespec tag. Within this routine, 
sprintf is used to copy user-supplied data into a fixed-sized stack 
buffer. This leads to a stack based overflow and the execution of 
arbitrary code. The following demonstrates what the overflow looks like 
in a debugger: 

#0  0x41414141 in ?? ()
(gdb) i r ebx
ebx            0xbfffef54       -1073746092
(gdb) x/x 0xbfffef54
0xbfffef54:     0x40404040
(gdb) 

As shown, EIP is easily controllable; ebx also points to the 4 bytes 
before the EIP overwrite in a controlled buffer. This allows remote 
exploitation without having to know stack addresses, as an attacker can 
craft an exploit to return to a jmp ebx or call ebx instruction.

III. ANALYSIS

Successful exploitation allows an attacker to execute arbitrary code 
under the privileges of the local user. Remote exploitation is possible 
via e-mail attachment or link to the maliciously crafted PDF document. 
The impact of this vulnerability is lessened by the fact that two error 
messages appear before exploitation is successful; however, closing 
these windows does not prevent exploitation from occurring.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Adobe 
Acrobat Reader version 5.0.9 for Unix and Adobe Acrobat Reader version 
5.0.10 for Unix. Adobe Acrobat for Windows is not affected. Adobe
Acrobat 7.0 for Unix is not affected.

V. WORKAROUND

User awareness is the best defense against this class of attack. Users 
should be aware of the existence of such attacks and proceed with 
caution when following links from suspicious or unsolicited e-mail. 
Users should consider using an unaffected version of Adobe Acrobat, such
as Acrobat 7.0

VI. VENDOR RESPONSE

Adobe has addressed this issue in the following security advisory:

   http://www.adobe.com/support/techdocs/329083.html

Adobe is recommending the following steps for remediation:

 -- If you use Adobe Reader 5.0.9 or 5.0.10 on Linux or Solaris,
download Adobe Reader 7.0 at
www.adobe.com/products/acrobat/readstep2.html.

 -- If you use Adobe Reader 5.0.9 or 5.0.10 on IBM-AIX or HP-UX,
download Adobe Reader 5.0.11 at
www.adobe.com/products/acrobat/readstep2.html.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-1625 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/12/2005  Initial vendor notification
05/12/2005  Initial vendor response
07/05/2005  Public disclosure

IX. CREDIT

iDEFENSE Labs is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
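
The iDEFENSE description above (sprintf copying document-supplied data into a fixed-size stack buffer) corresponds to the pattern below, shown beside a bounded form that rejects oversized input. This is an added example, not code from Adobe Reader or from the advisory; the function names, the 64-byte buffer size, the "%s/%s" format and the "/tmp" directory are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64   /* assumed size; the advisory only says "fixed-sized" */

/* The pattern the advisory describes: sprintf() is not told how large dst
 * is, so a file specification longer than the buffer runs past its end. */
void join_unbounded(char *dst, const char *dir, const char *filespec)
{
    sprintf(dst, "%s/%s", dir, filespec);
}

/* Bounded form: snprintf() writes at most dst_len bytes and returns the
 * length it needed, so an oversized input is detected and rejected. */
int join_bounded(char *dst, size_t dst_len, const char *dir, const char *filespec)
{
    int n;

    if (dst == NULL || dst_len == 0 || dir == NULL || filespec == NULL)
        return -1;
    n = snprintf(dst, dst_len, "%s/%s", dir, filespec);
    if (n < 0 || (size_t)n >= dst_len) {
        dst[0] = '\0';            /* never use a silently truncated path */
        return -1;
    }
    return n;                     /* bytes written, excluding the NUL */
}

/* Builds a constructed file specification of `len` 'A' bytes and runs it
 * through the bounded join into a PATH_BUF-sized stack buffer. */
int try_filespec_of_length(size_t len)
{
    char spec[1024];
    char path[PATH_BUF];

    if (len >= sizeof spec)
        len = sizeof spec - 1;
    memset(spec, 'A', len);
    spec[len] = '\0';
    return join_bounded(path, sizeof path, "/tmp", spec);
}

int main(void)
{
    printf("len 10:   %d\n", try_filespec_of_length(10));
    printf("len 59:   %d\n", try_filespec_of_length(59));
    printf("len 1000: %d\n", try_filespec_of_length(1000));
    return 0;
}
```

Rejecting on truncation, rather than opening the shortened path, matters here because a truncated file specification names a different file than the document asked for.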
    

- Vulnerability information

17740
Adobe Acrobat Reader UnixAppOpenFilePerform() Function /Filespec Tag Processing Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability description

A remote overflow exists in Adobe Acrobat Reader for Unix. The program fails to handle the processing of a document which contains a malformed /Filespec tag, resulting in a stack based buffer overflow. With a specially crafted PDF file, an attacker can cause arbitrary code execution under the privileges of the local user resulting in a loss of integrity.

- Timeline

2005-07-05 2005-05-12
Unknown 2005-07-05

- Solution

Upgrade to version 7.0 or higher on Linux or Solaris, 5.0.11 or higher on IBM-AIX or HP-UX, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Adobe Reader For Unix Remote Buffer Overflow Vulnerability
Boundary Condition Error 14153
Yes No
2005-07-05 12:00:00 2009-07-12 04:06:00
iDEFENSE Labs discovered this issue.

- Affected program versions

S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.1 x86_64
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Desktop 4.0
RedHat Desktop 3.0
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Gentoo Linux
Adobe Acrobat Reader (UNIX) 5.0.10
+ Gentoo Linux
Adobe Acrobat Reader (UNIX) 5.0.9
+ Gentoo Linux
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Desktop 1.0
+ S.u.S.E. Linux Enterprise Server 9
+ S.u.S.E. Linux Personal 9.2
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ S.u.S.E. Linux Personal 8.2
+ SuSE SUSE Linux Enterprise Server 8
+ SuSE SUSE Linux Enterprise Server 7
Adobe Acrobat Reader (UNIX) 7.0
Adobe Acrobat Reader (UNIX) 5.0.11

- Unaffected program versions

Adobe Acrobat Reader (UNIX) 7.0
Adobe Acrobat Reader (UNIX) 5.0.11

- Vulnerability discussion

Adobe Reader for Unix is affected by a remote buffer overflow vulnerability.

An attacker can exploit this issue by crafting a malicious PDF file and sending it to a vulnerable user. If the victim user opens this PDF file, the attacker may be able to execute arbitrary code on the affected computer and gain unauthorized access in the context of the user.

Adobe Reader 5.0.9 and 5.0.10 are vulnerable to this issue.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

The vendor has released Adobe Reader 7.0 as an upgrade for Adobe Reader 5.0.9 or 5.0.10 on Linux or Solaris. Adobe Reader 5.0.11 is available as an upgrade for 5.0.9 or 5.0.10 on IBM-AIX or HP-UX.

Red Hat has released advisory RHSA-2005:575-11 to address this issue. Please see the referenced advisory for more information.

Gentoo Linux has released advisory GLSA 200507-09 to address this issue. Users of affected packages are urged to execute the following commands with superuser privileges:
emerge --sync
emerge --ask --oneshot --verbose ">=app-text/acroread-7.0"
Please see the referenced advisory for further information.

SUSE has released advisory SUSE-SA:2005:042 to address this issue. Please see the referenced advisory for more information.


Adobe Acrobat Reader (UNIX) 5.0.10

Adobe Acrobat Reader (UNIX) 5.0.9

- Related references

 

 
