
             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

              Adobe Reader 5.1 XFDF Buffer Overflow Vulnerability
                  [NGS Software Advisory number #NISR03022004]

March 4, 2004 20:00 GMT                                           Number O-091
______________________________________________________________________________
PROBLEM:       A vulnerability exists in Adobe Reader 5.1 when parsing an XFDF 
               document. XFDF is a format for representing forms data and 
               annotations in a PDF document. XFDF files have a .xfdf 
               extension and are rendered automatically on downloading when 
               using applications such as Internet Explorer. 
SOFTWARE:      Adobe Reader 5.1 
               (on Windows platforms only)
DAMAGE:        Parsing the xfdf file causes an unsafe call to sprintf which 
               then prepares for an output debug message using 
               OutputDebugString. A buffer overflow occurs when rendering the 
               xfdf file. A user would need to be enticed to a web site that 
               hosts a malicious xfdf file or sent one via email. 
SOLUTION:      Upgrade to the current version. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A buffer overflow occurs. This software is 
ASSESSMENT:    a widely used application. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-091.shtml 
 ORIGINAL BULLETIN:  http://www.nextgenss.com/advisories/adobexfdf.txt
______________________________________________________________________________

[***** Start NGS Software Advisory number #NISR03022004 *****]

[VulnWatch] Abobe Reader 5.1 XFDF Buffer Overflow Vulnerability

From: NGSSoftware Insight Security Research (nisrnextgenss.com)
Date: Wed Mar 03 2004 - 17:18:54 CST 

NGSSoftware Insight Security Research Advisory 

Name: Adobe Acrobat Reader XML Forms Data Format Buffer Overflow 
Systems Affected: Adobe Acrobat Reader version 5.1 
Severity: High Risk 
Vendor URL: http://www.adobe.com/ 
Author: David Litchfield [ davidngssoftware.com ] 
Date Vendor Notified: 7th February 2004 
Date of Public Advisory: 3rd March 2004 
Advisory number: #NISR03022004 
Advisory URL: http://www.ngssoftware.com/advisories/adobexfdf.txt 


Description 
*********** 
Adobe Acrobat Reader is a viewer that renders PDF documents. The Reader can 
be extended using the XML Forms Data Format or XFDF. XFDF is a format for 
representing forms data and annotations in a PDF document. XFDF files have a 
.xfdf extention and are rendered automatically on downloaded when using 
applications such as Internet Explorer. Also note that, regardless of the 
file extention if the MIME type is set to "application/vnd.adobe.xfdf" the 
file will be treated as a XFDF. When parsing an XFDF document the Adobe 
Reader suffers from a classic stack based buffer overflow vulnerability. 



Details 
******* 
When the xfdf file is parsed an unsafe call to sprintf is made in 
preparation for outputting a debug message using OutputDebugString. Whether 
the process is being debugged or not the vulnerable code is still called. 
Rendering the file will tigger the overflow. A user would need to be enticed 
to a web site that hosted a malicious xfdf file or sent one via e-mail. 


Fix Information 
*************** 
On contacting Adobe, they confirmed that the current version is no longer 
vulnerable and NGSSoftware urgently advises users of Adobe Reader to 
upgrade. 
http://www.adobe.com/support/downloads/main.html 


About NGSSoftware 
***************** 
NGSSoftware design, research and develop intelligent, advanced application 
security assessment scanners. Based in the United Kingdom, NGSSoftware have 
offices in the South of London and the East Coast of Scotland. NGSSoftware's 
sister company NGSConsulting, offers best of breed security consulting 
services, specialising in application, host and network security 
assessments. 


http://www.ngssoftware.com/ 


Telephone +44 208 401 0070 
Fax +44 208 401 0076 


enquiriesngssoftware.com 


[***** End NGS Software Advisory number #NISR03022004 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of NGS Software for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-081: Red Hat Updated XFree86 Packages Fix Privilege Escalation Vulnerability
O-082: Red Hat Updated Kernel Packages Resolve Security Vulnerabilities
O-083: Red Hat Updated Metamail Packages Fix Vulnerabilities
O-084: Zone Labs SMTP Processing Vulnerability
O-085: Vulnerability in SMB Parsing in ISS Products
O-086: Red Hat Updated libxml2 Packages Fix Security Vulnerability
O-087: Red Hat Updated util-linux  Packages Fix Information Leak
O-088: Sun passwd(1) Command Vulnerability
O-089: Sun Security Vulnerability in "/usr/lib/print/conv_fix"
O-090: Vulnerability in Novell Client Firewall Tray Icon