Thursday, November 4, 2010

Unconfirmed Adobe PDF zeroday with this.printSeps

Reports are circulating on Twitter that a new Adobe PDF zero-day PoC was posted to Full Disclosure (Nov 3rd, 2010). The file xpl_pdf.bin (MD5 d000e74163e34fc65914676674776284) contains a small JavaScript heap spray and a call to this.printSeps, which in tests does crash Adobe. It's not clear whether this is further exploitable or which versions of the OS and Acrobat are affected. The exploit itself requires an Adobe version between 8 and 10.

A blog post from earlier this year (April 9th, 2010) on a Russian blog details the memory access error caused by calling this.printSeps(), which it describes as a denial-of-service bug. Interesting that this bug didn't reach a wider audience over the 7 months it was public.

Added initial detection for this potential exploit to PDF Examiner. You can analyze the file in PDF Examiner here. Bad JavaScript is available here.
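A minimal sketch of this kind of check, added here as an example; it is not PDF Examiner's code and does not come from the original post. It looks for a `printSeps(` call in the raw file bytes and inside Flate-compressed streams; the function names and the sample objects are constructed for illustration.

```python
import re
import zlib

# Body of every "stream ... endstream" object in the raw file bytes.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)
# The Acrobat JavaScript call named in the post; the optional backslash
# covers a "(" that is escaped inside a PDF literal string.
PRINTSEPS_RE = re.compile(rb"\bprintSeps\s*\\?\(")


def buffers(pdf_bytes):
    """Yield (label, data) for the raw file and for each inflatable stream."""
    yield "raw", pdf_bytes
    for index, match in enumerate(STREAM_RE.finditer(pdf_bytes)):
        body = match.group(1)
        try:
            # decompressobj tolerates a stream whose last bytes were clipped
            yield f"stream {index} (inflated)", zlib.decompressobj().decompress(body)
        except zlib.error:
            pass  # not Flate data; its bytes are already covered by the raw scan


def find_printseps(pdf_bytes):
    """Return the labels of the buffers that contain a printSeps( call."""
    return [label for label, data in buffers(pdf_bytes) if PRINTSEPS_RE.search(data)]


def make_stream_object(number, payload, compress):
    """Build one constructed PDF stream object (sample data only)."""
    body = zlib.compress(payload) if compress else payload
    flt = b" /Filter /FlateDecode" if compress else b""
    head = b"%d 0 obj\n<< /Length %d%s >>\nstream\n" % (number, len(body), flt)
    return head + body + b"\nendstream\nendobj\n"


# Constructed sample: a fragment of PDF objects, not a complete document.
SAMPLE = b"%PDF-1.6\n" + b"".join([
    make_stream_object(1, b"var s = 'hello'; app.alert(s); app.alert(s);", True),
    make_stream_object(2, b"var n = 0; n = n + 1; n = n + 1;\nthis.printSeps();", True),
    make_stream_object(3, b"BT /F1 12 Tf (printSeps is only text here) Tj ET", False),
])

if __name__ == "__main__":
    for label in find_printseps(SAMPLE):
        print("printSeps call found in", label)
```

Only FlateDecode streams are inflated here; other stream filters and encrypted documents need a full PDF parser before this check is meaningful.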

Adobe PSIRT has reported they are investigating the issue. Mitigation advice has been posted here (such as disabling JavaScript in Acrobat).

VUPEN has reported that code execution is possible; a working PoC is still unpublished.

Update: Adobe has received a CVE number, CVE-2010-4091, and is reporting that a patch will be available Nov 15, 2010.
