Adobe Acrobat Reader is a very popular PDF file reader. Adobe's product contains a heap overflow vulnerability when rendering a specially crafted PDF file; a remote attacker could exploit this vulnerability by tricking a user into opening a malicious file and thereby take control of the user's machine.

The relevant code segment is as follows:

----// SNIP SNIP //-------------------------------------------------
0:000> u 08009d3f
CoolType+0x9d3f:
08009d3f 83e904          sub     ecx,0x4
08009d42 890da07a1d08    mov     [CoolType!CTCleanup+0xb393b (081d7aa0)],ecx
08009d48 ffb49070feffff  push    dword ptr [eax+edx*4-0x190]
08009d4f 8b09            mov     ecx,[ecx]
08009d51 51              push    ecx
08009d52 ff506c          call    dword ptr [eax+0x6c]   ; (*)
08009d55 59              pop     ecx
08009d56 59              pop     ecx
----// SNIP SNIP //-------------------------------------------------

The instruction at 0x08009d52 calls the address stored at [eax+0x6c]; the value of eax points into an already allocated heap block, as shown below:

----// SNIP SNIP //-------------------------------------------------
...
K: 199 -> [*] HeapAlloc(0x3E0000,0x0,0x4(4))=0x16F6FF8 end at: 0x16F6FFC
K: 200 -> [*] HeapAlloc(0x3E0000,0x0,0x4F4(1268))=0x16F6958 end at: 0x16F6E4C
K: 201 -> [*] HeapAlloc(0x3E0000,0x0,0xFE30(65072))=0x16F6E58 end at: 0x1706C88
K: 202 -> [*] HeapAlloc(0x3E0000,0x0,0x304(772))=0x1706C90 end at: 0x1706F94
K: 203 -> [*] HeapAlloc(0x3E0000,0x0,0xFE24(65060))=0x1706FA0 end at: 0x1716DC4 <- THIS ONE
----// SNIP SNIP //-------------------------------------------------

[EAX+0x6c] lies at offset 0x222C from the start of the last heap block. While rendering the specially crafted PDF file, memory corruption can overwrite the subroutine address stored at [eax+0x6c]. The following is the debugger output after the overwritten [eax+0x6c] is called:

----// SNIP SNIP //-------------------------------------------------
(25a0.2170): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=016f4320 ebx=00000000 ecx=baadf00d edx=00000069 esi=016f4ab9 edi=016f14b4
eip=baadf00d esp=0012deec ebp=0012df80 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Acrobat 7.0\Reader\CoolType.dll -
baadf00d ??              ???
----// SNIP SNIP //-------------------------------------------------

An attacker can control the EIP register, leading to arbitrary code execution with the privileges of the current user.

Affected versions: Adobe Acrobat Reader <= 7.0.8

The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:

http://www.adobe.com/go/getreader