Adobe Acrobat thumbnail release Vulnerability

Release date:
Updated on:

Affected Systems:
Adobe Acrobat 9.x
Adobe Acrobat 8.x
Adobe Reader 9.x
Adobe Reader 8.x
Unaffected system:
Adobe Acrobat 9.4
Adobe Acrobat 8.2.5
Adobe Reader 9.4
Adobe Reader 8.2.5
Description:
--------------------------------------------------------------------------------
Bugtraq id: 43746
Cve id: CVE-2010-3627

Adobe Reader and Acrobat are popular pdf file readers.

The release vulnerability is caused by invalid use of released memory blocks. pdf files containing special flash code can trigger ACCESS_VIOLATION at address 0x00000030. By forcibly allocating processes to re-use the blocks pointed to by ESI, arbitrary code can be executed.

/-----
00EE10F8 mov ecx, dword ptr ds: [ESI + 1C] <-- ESI points to a previusly released memory chunk.
00EE10FB mov dword ptr ss: [EBP + 78], EAX
00EE10FE mov eax, dword ptr ds: [ESI + 18]
00EE1101 PUSH EAX
00EE1102 call dword ptr ds: [ECX + 30] <-- The execution flow depends on the content of ECX. (ECX dependes on ESI)

------/

CPU register content when 0x00EE1102 triggers ACCESS_VIOLATION read:

/-----

EAX 00000000
ECX 00000000
EDX 014D0A40
EBX 00000000
ESP 0013F1BC
EBP 0013F24C
ESI 02D5782C
EDI 10A7C3D0
EIP 00EE1102

------/

<* Source: Ricardo Narvaja

Link: http://secunia.com/advisories/41435
Http://marc.info /? L = bugtraq & m = 128639140127317 & w = 2
Http://www.us-cert.gov/cas/techalerts/TA10-279A.html
Https://www.redhat.com/support/errata/RHSA-2010-0743.html
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Adobe
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.adobe.com/support/security/bulletins/apsb10-21.html

RedHat
------
For this reason, RedHat has released a Security Bulletin (RHSA-2010: 0743-01) and patch:
RHSA-2010: 0743-01: Critical: Internal read security update
Link: https://www.redhat.com/support/errata/RHSA-2010-0743.html