[Advisory Update]Adobe Reader/Acrobat Remote Vul
[UPDATE]Adobe Reader/Acrobat Remote PDF Print Silently Vulnerability
by cocoruder([email protected])
http://ruder.cdut.net, updated on 2008.05.06
Summary:
A design error vulnerability exists in Adobe Reader and Adobe Acrobat Professional. A remote attacker who successfully exploit this vulnerability can control the printer without user’s permission.
Affected Software Versions:
Adobe Reader 8.1.1 and earlier versions
Adobe Acrobat Professional, 3D and Standard 8.1.1 and earlier versions
Details:
This vulnerablity due to the design error of the javascript fucntion “DOC.print()”, following are the annotates of the function in Adobe’s Javascript API Reference(named “js_api_reference.pdf”):
–START–
(Acrobat 7.0) Non-interactive printing can only be executed during batch, console, and menu events. Printing is made non-interactive by setting bUI to false or by setting the interactive property to silent, for example:
var pp = this.getPrintParams();
pp.interactive = pp.constants.interactionLevel.silent;
Outside of batch, console, and menu events, the values of bUI and of interactive are ignored and a print dialog box will always be presented.
–END–
But Adobe has not realized it in the current version, so we can call the printer silently without user’s permission. The attacker can build a vicious PDF document, once the victim view the document with Adobe Acrobat Professional or Adobe Reader, it will waste a lot of the victim’s printer resources. For example, attacker can build a PDF document including the following scripts:
var pp = this.getPrintParams();
pp.interactive = pp.constants.interactionLevel.silent;
for (var i=0;i<10000;i++)
{
this.print(pp);
}
It will print this document 1000 times without user’s permission.
Solution:
Adobe has released an advisory for this vulnerability and a patch for Adobe Acrobat/Reader 8 but not for Adobe Acrobat/Reader 7 which are available on:
http://www.adobe.com/support/security/advisories/apsa08-01.html
Right now Adobe released the final advisory and patch which are available on:
http://www.adobe.com/support/security/bulletins/apsb08-13.html
Fortinet advisory can be found at:
http://www.fortiguardcenter.com
CVE Information:
CVE-2008-0655
Disclosure Timeline:
2007.11.01 Vendor notified
2007.11.02 Vendor responded
2008.02.07 Initial coordinated disclosure
2008.05.06 Final coordinated disclosure
–EOF–
这是一个不错的洞洞