Archive for June, 2010

Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability

Title:

Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability

Summary:

Adobe Reader software is the global standard for electronic document sharing. It is the only PDF
file viewer that can open and interact with all PDF documents. Use Adobe Reader to view, search,
digitally sign, verify, print, and collaborate on Adobe PDF files.

Vendor:

Adobe Systems Incorporated

Product Web Page:

http://www.adobe.com/

Version tested:

9.3.2
9.3.1

Description:

Adobe Reader suffers from a remote memory corruption vulnerability that causes the application to
crash while processing the malicious .PDF file. The issue is triggered when the reader tries to
initialize the CoolType Typography Engine (cooltype.dll). This vulnerability also affects and crashes
major browsers like: Mozilla Firefox, Opera and Apple Safari. Google Chrome & IE does not crash.
Talking about Blended Threat Vulnerabilities ;).

———————————————————————————–

(bd0.e14): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=313100ee ebx=0211a722 ecx=00000031 edx=02e091a4 esi=00017e58 edi=00000000
eip=08075dc2 esp=0012d478 ebp=0012d488 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
CoolType!CTInit+0x2f827:
08075dc2 660fb644322c movzx ax,byte ptr [edx+esi+2Ch] ds:0023:02e21028=??

———————————————————————————–

Tested On:

Microsoft Windows XP Professional SP3 (English)
Microsoft Windows XP Professional SP2 (English)
Microsoft Windows 7 Ultimate
GNU/Linux Ubuntu Desktop 9.10 (i386) 32-bit
GNU/Linux Fedora 10 (Cambridge) / 2.6.27.41-170.2.117.fc10.i686

Vendor Status:

18.04.2010 – Vendor informed.
18.04.2010 – Vendor replied.
07.05.2010 – Asked vendor for confirmation.
07.05.2010 – Vendor confirms vulnerability.
03.06.2010 – Asked vendor for status.
03.06.2010 – Vendor replied.
24.06.2010 – Vendor reveals patch release date.
29.06.2010 – Coordinated public advisory.

Advisory Details:

Zero Science Lab Advisory ID: ZSL-2010-4943
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4943.php
Adobe Advisory ID: APSB10-15
Advisory: http://www.adobe.com/support/security/bulletins/apsb10-15.html
CVE ID: CVE-2010-2204

Live Demo:

http://www.zeroscience.mk/codes/thricer.pdf

Vulnerability Discovered By:

Gjoko ‘LiquidWorm’ Krstic

liquidworm gmail com

Zero Science Lab – http://www.zeroscience.mk

Повеќе: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4943.php

UK One Media CMS (id) Error Based SQL Injection Vulnerability

Summary: Content Management System (PHP+MySQL)

Vendor: UK One Media – http://www.uk1media.com

Desc: UK One Media CMS suffers from an sql injection vulnerability when parsing query from the id param which results in compromising the entire database structure and executing system commands.

Tested on Apache 2.x (linux), PHP/5.2.11 and MySQL/4.1.22

More details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4942.php

ZS T-Shirts

Zero Science Lab T-Shirts

Ref:

[1] http://www.zeroscience.mk/codes/nero_bof.txt
[2] http://www.zeroscience.mk

Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability

Vendor: Adobe Systems Inc.

Product Web Page: http://www.adobe.com

Version tested: CS3 10.0

Summary: Adobe® InDesign® CS3 software provides precise control over typography and built-in creative tools for designing, preflighting, and publishing documents for print, online, or to mobile devices. Include interactivity, animation, video, and sound in page layouts to fully engage readers.

Desc: When parsing .indd files to the application, it crashes instantly overwriting memory registers. Depending on the offset, EBP, EDI, EDX and ESI gets overwritten. Pottential vulnerability use is arbitrary code execution and denial of service.

Tested on Microsoft Windows XP Professional SP3 (English)

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic

liquidworm gmail com

Zero Science Lab – http://www.zeroscience.mk

16.09.2009

Vendor status:

[16.09.2009] Vulnerability discovered.
[09.03.2010] Vulnerability reported to vendor with sent PoC files.
[21.03.2010] Asked confirmation from the vendor.
[21.03.2010] Vendor asked for PoC files due to communication errors.
[22.03.2010] Re-sent PoC files to vendor.
[04.04.2010] Vendor confirms vulnerability.
[03.06.2010] Vendor informs that they discontinued support for CS3 since CS5 is out.
[04.06.2010] Public advisory released.

Zero Science Lab Advisory ID: ZSL-2010-4941

More info: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4941.php

Security Threat Report: 2010 [Sophos]

The first decade of the 21st century saw a dramatic change in the nature of cybercrime. Once the province of teenage boys spreading graffiti for kicks and notoriety, hackers today are organized, financially motivated gangs. In the past, virus writers displayed offensive images and bragged about the malware they had written; now hackers target companies to steal intellectual property, build complex networks of compromised PCs and rob individuals of their identities.
2009 saw Facebook, Twitter and other social networking sites solidify their position at the heart of many users’ daily internet activities, and saw these websites become a primary target for hackers. Because of this, social networks have become one of the most significant vectors for data loss and identity theft.
New computing platforms also emerged last year, and shortly thereafter fell victim to cybercriminal activities. What was lost was once again found in 2009, as old hacking techniques re-emerged as means to penetrate data protection.

By understanding the problems that have arisen in the past, perhaps internet users can craft themselves a better, safer future.

Read full report: SophosSecReport2010.pdf