Thursday, November 4, 2010

Full disclosure xpl.pdf Adobe Reader 9.4 PoC - printSeps() - CVE-2010-4091


November 26, 2010 – Update:

Thank you, Mario, but our printSeps() is in another castle !
http://esec-lab.sogeti.com/dotclear/index.php?post/2010/11/26/Thank-you-Mario-but-our-printSeps%28%29-is-in-another-castle

November 22, 2010 – Update:

Who’s looking for eggs in your PDF? (reported also in cve-2010-4091 exploited?)
http://labs.m86security.com/2010/11/whos-looking-for-eggs-in-your-pdf/

November 16, 2010 – Update:

Security updates available for Adobe Reader and Acrobat – APSB10-28
http://www.adobe.com/support/security/bulletins/apsb10-28.html

November 9, 2010 – Update:

Adobe PSIRT released - CVE-2010-4091
http://blogs.adobe.com/psirt/2010/11

US-CERT response:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4091

November 8, 2010 – Update 2:

VUPEN confirms the "remote code execution"
http://www.vupen.com/english/advisories/2010/2890
http://www.vupen.com/english/zerodays

November 8, 2010 – Update 1:

Some screenshots of my brief analysis for this bug. The vtable where the printSeps() method is referenced:

The location where the JavaScript code is being processed:
[screenshot: jscriptprocessed]

Where Adobe Reader 9.4 crashes after printSeps() is processed:

November 5, 2010 – Update:

Emerging Threats Snort signature:

http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/7437

eEye reports it as remote code execution:

http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2010/20101104

Adobe response:

http://blogs.adobe.com/psirt/2010/11/potential-issue-in-adobe-reader.html

November 4, 2010:
The vulnerable method seems to be printSeps():

 
more info:

The original xpl.pdf was retrieved via
http://seclists.org/fulldisclosure/2010/Nov/23

Xanda
http://twitter.xanda.org/

fuzzyd00r
http://fuzzyd00r.blogspot.com/2010/04/adobe-acrobat-javascript.html

PasteBIN
http://pastebin.com/h9GVyJhQ

2 comments:

  1. what tool did you use to see the javascript?
