← Advisories

Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability

High
Advisory ID
ZSL-2010-4943
Release Date
29 June 2010
Vendor
Adobe Systems Incorporated - http://www.adobe.com
Affected Version
9.3.1 and 9.3.2
CVE
CVE-2010-2204
Tested On
Microsoft Windows XP Professional SP3 (English), Microsoft Windows XP Professional SP2 (English), Microsoft Windows 7 Ultimate, GNU/Linux Ubuntu Desktop 9.10 (i386) 32-bit, GNU/Linux Fedora 10 (Cambridge) / 2.6.27.41-170.2.117.fc10.i686
Summary

Adobe Reader software is the global standard for electronic document sharing. It is the only PDF file viewer that can open and interact with all PDF documents. Use Adobe Reader to view, search, digitally sign, verify, print, and collaborate on Adobe PDF files.

Description

Adobe Reader suffers from a remote memory corruption vulnerability that causes the application to crash while processing the malicious .PDF file. The issue is triggered when the reader tries to initialize the CoolType Typography Engine (cooltype.dll). This vulnerability also affects and crashes major browsers like: Mozilla Firefox, Opera and Apple Safari. Google Chrome & IE does not crash. Talking about Blended Threat Vulnerabilities ;).

(bd0.e14): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=313100ee ebx=0211a722 ecx=00000031 edx=02e091a4 esi=00017e58 edi=00000000 eip=08075dc2 esp=0012d478 ebp=0012d488 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 CoolType!CTInit+0x2f827: 08075dc2 660fb644322c movzx ax,byte ptr [edx+esi+2Ch] ds:0023:02e21028=??
Proof of Concept
acrobat_poc.cTXT
thricer.pdfPDF
Disclosure Timeline
15.03.2010Vulnerability discovered.
18.04.2010Vendor informed.
18.04.2010Vendor replied.
07.05.2010Asked vendor for confirmation.
07.05.2010Vendor confirms vulnerability.
03.06.2010Asked vendor for status.
03.06.2010Vendor replied.
24.06.2010Vendor reveals patch release date.
29.06.2010Coordinated public advisory.
Credits
Vulnerability discovered by Gjoko Krstic
High five to Wendy and David
References
[1]http://www.adobe.com/support/security/bulletins/apsb10-15.html
[2]http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2204
[3]http://www.securityfocus.com/bid/41130
[4]http://www.securityfocus.com/bid/41231
[5]http://www.vupen.com/english/advisories/2010/1636
[6]http://www.exploit-db.com/exploits/14121/
[7]http://securitytracker.com/alerts/2010/Jun/1024159.html
[8]http://www.packetstormsecurity.org/filedesc/ZSL-2010-4943.txt.html
[9]http://securityreason.com/exploitalert/8377
[10]http://secunia.com/advisories/40034
[11]http://www.auscert.org.au/render.html?it=13010
[12]http://www.juniper.net/security/auto/vulnerabilities/vuln41231.html
[13]http://tools.cisco.com/security/center/viewAlert.x?alertId=20787
[14]http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2204
[15]https://rhn.redhat.com/errata/RHSA-2010-0503.html
[16]https://www.redhat.com/security/data/cve/CVE-2010-2204.html
[17]http://www.scip.ch/?nasldb.47164
[18]http://www.cpni.gov.uk/products/alerts/3949.aspx
[19]http://www.alertra.com/security-checks.php?id=47165
[20]http://osvdb.org/show/osvdb/65915
Changelog
29.06.2010Initial release
30.06.2010Added reference [3], [4], [5], [6], [7], [8], [9] and [10]
01.07.2010Added reference [11], [12], [13], [14], [15], [16], [17], [18] and [19]
02.07.2010Added reference [20]