So, I’ve come across a lot more information regarding the no-longer-0day Adobe vulnerability (oh, wait, that’s right.. there have been like, 12 in the last 30 days.. I’m referring just to the SING table one).

Anyway, a penetration testing company named Ramz Afzar has released an unofficial patch to fix the Adobe vulnerability, because apparently Adobe has had a difficult time figuring one out on their own.

After reading their analysis of the vulnerable code, this jumped out at me the most:

After initial analysis we’ve discovered that the exploit exists in an insecure strcat call located in CoolType.dll:
(all addresses and names are from the latest Acrobat 9.3.4’s CoolType.dll)

0803DDAB E8 483D1300 CALL JMP.&MSVCR80.strcat

So, what does ‘strcat’ do, exactly? It appends a copy of the source string to the end of the destination string, overwriting the destination’s terminating NUL, without ever being told how large the destination buffer is. Example:

#include <string.h>

int main(void) {
  char adobe_rulez[20];            /* room for 19 characters plus the NUL */
  strcpy (adobe_rulez,"our ");
  strcat (adobe_rulez,"software ");
  strcat (adobe_rulez,"pwnz! ");   /* 19 characters total: fits, but nothing checked it */
  return 0;
}

Pretty self explanatory. HOWEVER. What DOESN’T ‘strcat’ (or any of the other strc* functions, for that matter) do? Bounds checking! This is a classic overflow due to idiotic programming practices. Really, Adobe? The 15 years of hounding from security researchers haven’t been enough for you to ingrain it into your programmers that the use of strc* will get them fired, or lynched, or burned at the stake? Beyond that, your entire testing/debugging department missed this as well?

Here’s what they SHOULD be doing:

#include <string.h>

#define MAXLEN(s) ( sizeof(s)/sizeof(s[0]) - 1 )   /* characters that fit, NUL excluded */
#define MIN(a,b) ( (a) < (b) ? (a) : (b) )          /* portable stand-in for MSVC's __min */

char buf[20];

/* append at most n bytes of data, and never more than the room left in buf */
void append( const char data[], size_t n ) {
   strncat( buf, data, MIN( n, MAXLEN(buf)-strlen(buf) ) );
}

int main(void) {
   strcat(buf, "now it looks like ");
   append("we know what we're doing", strlen("we know what we're doing"));
   return 0;
}

Note: The above code is just an example – I don’t even know if it will compile or not. The idea is simple, though. You define the size of a buffer and you want to ensure that the data going into that buffer doesn’t exceed the size of the buffer. What a concept. Bounds checking is nothing new, so there are plenty of resources out there to educate those who are unfamiliar with it. But, if you’re getting paid big bucks as a programmer for a company, you should know what the hell you’re doing. Sorry, that’s just my personal opinion. *cough*.
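As an added example (my own code here, not the post’s snippet and not Adobe’s or Ramz Afzar’s), here is the same bounded append written so that it also reports truncation, and a check that measures how far an unchecked strcat would have run past the end of the buffer. The 20-byte buffer and the oversized input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for an unchecked strcat. `cap` is the full size of
 * dst, NUL included. Returns 1 if all of src fit, 0 if it was truncated
 * (or if dst had no terminator within cap, in which case nothing is
 * appended). Hypothetical helper written for this post. */
int append_bounded(char *dst, size_t cap, const char *src)
{
    const char *nul = memchr(dst, '\0', cap);   /* locate dst's terminator */
    if (nul == NULL)
        return 0;                                /* dst is not a valid string */
    size_t used = (size_t)(nul - dst);
    size_t room = cap - used - 1;                /* keep one byte for the NUL */
    size_t need = strlen(src);
    strncat(dst, src, room);                     /* copies at most room bytes, then NUL */
    return need <= room;
}

/* Number of bytes an unchecked strcat(dst, src) would write past the end of
 * a cap-byte buffer; 0 means it would have stayed in bounds. This is the
 * arithmetic the original code never did. */
size_t overflow_bytes(const char *dst, size_t cap, const char *src)
{
    size_t total = strlen(dst) + strlen(src) + 1;   /* +1 for the NUL */
    return total > cap ? total - cap : 0;
}

int main(void)
{
    /* Constructed inputs: a short buffer and an over-long string standing in
     * for untrusted data parsed out of a file. */
    char buf[20] = "our ";
    const char *untrusted = "software that was never bounds checked";

    printf("unchecked strcat would overflow by %zu bytes\n",
           overflow_bytes(buf, sizeof buf, untrusted));

    int fit = append_bounded(buf, sizeof buf, untrusted);
    printf("bounded append: \"%s\" (fit=%d, len=%zu)\n",
           buf, fit, strlen(buf));
    return 0;
}
```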

So, first, they’re writing code using functions that have been known to be exploitable for about 15 years, and second, they’re now being shown up by little companies who are writing patches to fix the holes that they’re not. And apparently Adobe thinks it’s okay for this vulnerability to be left unpatched until the 4th of October?? Are you kidding me??

I caught some grief when I wrote the Open Letter to Microsoft post about how it’s difficult to write code in a team setting and that it’s difficult for large companies to meet deadlines and whatnot, but honestly, how do you argue with this?

And, what’s more, a company that does not have access to the source code of the DLL was able to fix the issue, yet the company responsible for the software is not/won’t/doesn’t care/can’t find a way to patch it on an expedited schedule? Seriously, this October 4th date really feels like an “Eh, we don’t mind that all of our customers are vulnerable to exploitation and corporate espionage.. we’ll patch it when we get around to it” kind of date.

What’s more, Adobe has apparently released a statement telling people not to install 3rd party patches or patches from “untrusted” publishers. So, instead, just remain vulnerable until we get off our ass and do something about it.

Tell you what, Adobe, if you can’t figure out how to simply add some bounds checking to a routine and release a patch, I think maybe you are the “untrusted publisher”.

So, here are your options:

1) Uninstall Adobe (highly recommended. Once this vulnerability is patched, there will be 6 more released, I’m sure. Look at the list of all the vulnerabilities and associated exploits against Adobe products and at how many came out in the past 60 days; granted, a chunk of them are DLL hijacking, but even ignoring those ones…) Some options to replace Adobe include:
A) Install the Google Docs plugin and read your PDF’s from within Google Docs (this is what I do)
B) Install one of the many other software packages out there:
* Evince
* Foxit (Foxit is often vulnerable to the same issues as Adobe, though, so be a bit wary of this one)
* Okular
* GSView
* Xpdf
* NitroPDF
* SumatraPDF
* Please note that I haven’t used all of these, so if you have any input on them, please comment below
2) Install this patch
3) Or wait around for Adobe to do something about it, meanwhile leaving you vulnerable to attack. Though, I’m sure there’s nothing important on your computer that you wouldn’t mind being stolen, right?

Sorry about this rant, I’m just getting tired of these companies writing absolutely terrible code, laughing at us as they head off to the bank with our money and then not taking it seriously when they get flooded with vulnerability discoveries. I’m looking forward to the day when some big company gets pwned due to a vulnerability in a piece of software that a publisher has had ample time to patch and then gets sued for damages. That’s when the face of internet security will change, because I guarantee that if you assign a price tag to apathy, we will begin to see same-day patches.

Oh, wait, we do already see that.. with Linux. *plug*. ;-)

  1. Tomas D. Mazziado says:

    Oh, wow, you found a C string buffer overflow in a PDF reader, how quaint :P

    What I don’t really get is why you got so excited over it to rant endlessly about it in your blog.

  2. Matt says:

    @Tom: First, I didn’t find it, nor did I claim to. The fact that you haven’t heard about it, except for in my blog, makes me wonder if you pay any attention to the security world (Google “cooltype sing”). This issue is rather significant because it’s being exploited in the wild through automated (and non-automated) attacks. That, to me, raises its importance.

    Second, did you even read the post? I’m going to assume not. I explain the reasoning for my “endless rant” in the post.

    Third, do you work for Adobe? :-)

  3. [...] Attack Vector about the recent developments surrounding the new Adobe Reader 0day, here is the link to Matt’s excellent argument for all of us to sing the praises of open source or not so well known [...]

  4. Dave Hardy says:

    I have to totally agree with you Matt. In fact you got me fired up and I too have had to post on my blog in support of your comments.
    http://pentestn00b.wordpress.com/

  5. Matthew Fabb says:

    Here’s an article pointing out the risk of using patches from 3rd parties, which is a concern with there being many known malware and phishing scams trying to pretend they are an Adobe Reader or Adobe Flash upgrade:
    http://www.infosecurity-magazine.com/blog/2010/9/17/the-risks-of-unofficial-patches/215.aspx
    Also it points out part of the problem of someone like Adobe in getting patches out quickly is that they need to do a huge amount of testing on a very wide number of machines with different configurations to make sure the patch doesn’t break anything else.

  6. Matt says:

    @Matthew Fabb:

    I appreciate your comment.. and I totally understand why you generally don’t want to use 3rd party patches under normal circumstances. But, I think in a case where the developer is dropping the ball on something as significant as this, we’re left with no other choice if we want to continue to use the software.

    And, I do understand not wanting to rush a patch and the issues of testing, however… the first advisory for this issue went out on September 7th. Don’t you think 30 days is a bit much when it comes to releasing a patch for such a serious issue? I mean, even Microsoft does a better job than that in most cases, as hard as it is for me to praise Microsoft.

    The fact of the matter is this. If it came down to Adobe making money off of patching this issue, I guarantee we would have seen a patch on the 8th. But, the fact of the matter is, they’re not treating this as a high priority issue because they’re not really going to profit from it.

    Also, because of the solution to the problem (simply adding bounds checking in a single DLL), there is no way that you will be able to convince me that it will take a month to develop a fix, test it, and then release it. If it takes them that long to accomplish something as simple as this, maybe they’re in the wrong industry.

    Hell, the patch itself could be as simple as the one that Ramz Afzar released, which simply changed the call from strcat to strncat and defined the allowed string size.

    Here’s my question to you. I see that you’re a web designer/flash developer.. so let me ask you this.

    If there was a flash vulnerability that was discovered on September 7th and there were worms crawling the web actively exploiting it, would you feel comfortable knowing that your site is vulnerable until the 4th of October because Adobe isn’t releasing a patch? Also, how is that going to reflect on you if one (or many) of your clients’ websites get owned?

    I dunno, apparently I’m the only one who finds this inexcusable. I guess I get it, I mean.. a multi billion dollar company unable to release a patch in a timely manner.. sure.. makes sense to me.

  7. josh says:

    I hopped on the “ditch Adobe” bandwagon a while ago and totally agree, Adobe has got to go at this point.

    Now, replacing Adobe in an enterprise, that is a different story. So I did a write up on what we did to drop Adobe Acrobat Reader on a large scale (plus, I didn’t see this product on your list of recommended replacements):

    http://toastresearch.com/2010/03/19/replacing-adobe-acrobat-reader/

  8. Mikek says:

    I have used SumatraPDF in the past, it works great and is very lightweight.

  9. jazzyjeph says:

    Hi Matt,
    I’ve also found Sumatra to be a good viewer, but most of the time I just use my distribution’s built-in viewer, you know, the one that’s with the operating system by default. Ah, I see the problem: most people are running MS Windows and you don’t get anything for free from MS, especially something as “fancy” as a document viewer for PDF files :)
