Information Assurance

Tucker Barbour


Bugtraq Analysis

Adobe Reader Integer/Buffer Overflow


Adobe Reader Heap Smash Used To Run Arbitrary Code

Method of attack

  • An attacker gets a target to open a malicious PDF file in Adobe Reader.
  • In the malicious PDF a variable named “ParamX” is set to a very large value.
  • This variable is used in a function to compute the amount of heap memory to allocate for a buffer.
  • The large value of the variable causes an integer overflow in that size computation, so a buffer that is too small is allocated, which leads to a buffer overflow when data is inserted into it.
  • Further, a function is called which manipulates items in the buffer depending on a bit stream in the malicious PDF.
  • One of the items in the buffer is a pointer to a structure of function pointers also on the heap.
  • The previously mentioned function shifts the items in the buffer by one or zero bytes depending on the values in the attacker provided bit stream.
  • Knowing information about the pointers in the buffer, the attacker can specify in the bit stream that the struct pointer be incremented by one, thus shifting all the values in the struct by one byte.
  • By shifting the function pointer one byte, the flow of execution will branch to the new location pointed to by the shifted function pointer.
  • This location resides somewhere else in the heap.
  • The attacker is able to know roughly where on the heap the branch will land, and injects shellcode there by heap spraying.
  • Heap spraying is where a long string of NOPs (0x90) followed by the shellcode is written onto the heap many times over.
  • When the program branches to the heap location pointed to by the shifted function pointer, it hits the NOP sled and then slides down to the attacker-provided shellcode.

This could have been prevented if a check had been done on the variable to make sure it wasn't too big before using it to compute the allocation size. The only thing to be done to fix it now is patching the vulnerable software. In the future, programmers should make sure they always validate user input before using it. Always do bounds checking on your buffers so as not to overflow them, or read from an overflowed buffer.
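The check described above, written out as an added example in C. This is not Adobe's code and the page does not give the real size computation; the example assumes a hypothetical 32-bit byte count computed as ParamX times a fixed element size of 16 bytes, and a hypothetical application-level ceiling on ParamX. It shows the unchecked multiplication wrapping to a tiny size for a large ParamX, the hardened version rejecting that value before the multiplication, and a buffer type that remembers its capacity so later writes can be bounds-checked.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical element size for the buffer; the real layout is not on the page. */
#define ELEM_SIZE 16u
/* Hypothetical ceiling on ParamX; a real parser would know the largest
   legitimate value for its format and refuse anything above it. */
#define PARAM_X_MAX 1000000u

/* Vulnerable pattern: the byte count is computed in 32-bit arithmetic and
   wraps when ParamX is large, so the returned size is far smaller than needed. */
uint32_t unchecked_size(uint32_t param_x) {
    return param_x * ELEM_SIZE;   /* wraps modulo 2^32 once param_x >= 2^28 */
}

/* Hardened pattern: validate ParamX before it reaches the multiplication.
   Returns 1 and stores the byte count on success, 0 if the value is rejected. */
int checked_size(uint32_t param_x, uint32_t *out_bytes) {
    if (param_x > UINT32_MAX / ELEM_SIZE)   /* the product would wrap */
        return 0;
    if (param_x > PARAM_X_MAX)              /* beyond what the format allows */
        return 0;
    *out_bytes = param_x * ELEM_SIZE;
    return 1;
}

/* Convenience wrapper: the byte count, or 0 when ParamX is rejected. */
uint32_t checked_size_or_zero(uint32_t param_x) {
    uint32_t bytes;
    return checked_size(param_x, &bytes) ? bytes : 0;
}

/* A buffer that remembers its capacity so every write can be bounds-checked. */
typedef struct {
    uint8_t *data;
    uint32_t capacity;   /* bytes actually allocated */
    uint32_t count;      /* elements written so far */
} elem_buffer;

int elem_buffer_init(elem_buffer *b, uint32_t param_x) {
    uint32_t bytes;
    if (!checked_size(param_x, &bytes) || bytes == 0) return 0;
    b->data = malloc(bytes);
    if (b->data == NULL) return 0;
    b->capacity = bytes;
    b->count = 0;
    return 1;
}

/* Append one element; refuse if it would run past the allocated region. */
int elem_buffer_push(elem_buffer *b, const uint8_t elem[ELEM_SIZE]) {
    if (((uint64_t)b->count + 1) * ELEM_SIZE > b->capacity) return 0;
    memcpy(b->data + (size_t)b->count * ELEM_SIZE, elem, ELEM_SIZE);
    b->count++;
    return 1;
}

void elem_buffer_free(elem_buffer *b) {
    free(b->data);
    b->data = NULL;
    b->capacity = 0;
    b->count = 0;
}

/* How many elements the buffer actually accepts for a given ParamX
   (0 when initialisation is refused). Lets the behaviour be checked
   without relying on printed output. */
uint32_t elements_accepted(uint32_t param_x) {
    elem_buffer b;
    uint8_t elem[ELEM_SIZE] = {0};
    uint32_t n = 0;
    if (!elem_buffer_init(&b, param_x)) return 0;
    while (n < param_x && elem_buffer_push(&b, elem)) n++;
    elem_buffer_free(&b);
    return n;
}

int main(void) {
    uint32_t big = 0x10000001u;   /* constructed "very large" ParamX */
    printf("unchecked size for 0x%x: %u bytes\n", big, unchecked_size(big));
    printf("checked size for 0x%x: %u (0 = rejected)\n", big, checked_size_or_zero(big));
    printf("checked size for 1000: %u bytes\n", checked_size_or_zero(1000u));
    printf("elements accepted for 10: %u\n", elements_accepted(10u));
    return 0;
}
```

The order of the two checks matters less than doing both: the wrap test alone would still admit a ParamX of a few hundred million, which is absurd for the format but arithmetically valid, while a format ceiling alone is only as good as the programmer's guess about the maximum. Keeping capacity next to the data pointer is what makes the later push bounds-checkable at all; a bare pointer carries no record of how much was allocated.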

Resources
Smashing Adobe's Heap Memory Management