[30755] in bugtraq
ezmlm warning
daemon@ATHENA.MIT.EDU (bugtraq-help@securityfocus.com)
Tue Jul 15 17:27:31 2003
Date: 15 Jul 2003 21:27:26 -0000
Message-ID: <1058304446.18960.ezmlm-warn@securityfocus.com>
From: bugtraq-help@securityfocus.com
To: bugtraq-redist@mit.edu
Content-type: text/plain; charset=us-ascii
Hi! This is the ezmlm program. I'm managing the
bugtraq@securityfocus.com mailing list.
I'm working for my owner, who can be reached
at bugtraq-owner@securityfocus.com.
Messages to you from the bugtraq mailing list seem to
have been bouncing. I've attached a copy of the first bounce
message I received.
If this message bounces too, I will send you a probe. If the probe bounces,
I will remove your address from the bugtraq mailing list,
without further notice.
I've kept a list of which messages from the bugtraq mailing list have
bounced from your address.
Copies of these messages may be in the archive.
To retrieve a set of messages 123-145 (a maximum of 100 per request),
send an empty message to:
<bugtraq-get.123_145@securityfocus.com>
To receive a subject and author list for the last 100 or so messages,
send an empty message to:
<bugtraq-index@securityfocus.com>
Here are the message numbers:
9979
--- Enclosed is a copy of the bounce message I received.
Return-Path: <>
Received: (qmail 8748 invoked from network); 4 Jul 2003 02:48:49 -0000
Received: from mail.securityfocus.com (205.206.231.9)
by lists.securityfocus.com with SMTP; 4 Jul 2003 02:48:49 -0000
Received: (qmail 25912 invoked by alias); 4 Jul 2003 02:48:17 -0000
Received: (qmail 24065 invoked from network); 4 Jul 2003 02:47:55 -0000
Received: from outgoing2.securityfocus.com (205.206.231.26)
by mail.securityfocus.com with SMTP; 4 Jul 2003 02:47:55 -0000
Received: by outgoing2.securityfocus.com (Postfix)
id 9CF3D8F3B6; Thu, 3 Jul 2003 20:48:22 -0600 (MDT)
Date: Thu, 3 Jul 2003 20:48:22 -0600 (MDT)
From: MAILER-DAEMON@securityfocus.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: bugtraq-return-9979-bugtraq-redist=mit.edu@securityfocus.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="A319E8F511.1057286901/outgoing2.securityfocus.com"
Message-Id: <20030704024822.9CF3D8F3B6@outgoing2.securityfocus.com>
This is a MIME-encapsulated message.
--A319E8F511.1057286901/outgoing2.securityfocus.com
Content-Description: Notification
Content-Type: text/plain
This is the Postfix program at host outgoing2.securityfocus.com.
I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.
For further assistance, please send mail to <postmaster>
If you do so, please include this problem report. You can
delete your own text from the message returned below.
The Postfix program
<bugtraq-redist@mit.edu>: host FORT-POINT-STATION.mit.edu[18.7.7.76] said: 550
5.5.0 Possible virus (badname), rejecting (in reply to end of DATA command)
--A319E8F511.1057286901/outgoing2.securityfocus.com
Content-Description: Delivery error report
Content-Type: message/delivery-status
Reporting-MTA: dns; outgoing2.securityfocus.com
Arrival-Date: Tue, 1 Jul 2003 15:00:31 -0600 (MDT)
Final-Recipient: rfc822; bugtraq-redist@mit.edu
Action: failed
Status: 4.0.0
Diagnostic-Code: X-Postfix; host FORT-POINT-STATION.mit.edu[18.7.7.76] said:
550 5.5.0 Possible virus (badname), rejecting (in reply to end of DATA
command)
--A319E8F511.1057286901/outgoing2.securityfocus.com
Content-Description: Undelivered Message
Content-Type: message/rfc822
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
by outgoing2.securityfocus.com (Postfix) with QMQP
id A319E8F511; Tue, 1 Jul 2003 15:00:31 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 7582 invoked from network); 1 Jul 2003 13:04:35 -0000
Date: Tue, 1 Jul 2003 15:08:30 +0000
From: sec-labs team <team@sec-labs.hack.pl>
To: bugtraq@securityfocus.com
Subject: [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow
Vulnerability + PoC code
Message-Id: <20030701150830.66c08e24.team@sec-labs.hack.pl>
Organization: sec-labs
X-Mailer: Sylpheed version 0.9.2 (GTK+ 1.2.10; i686-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
micalg="pgp-sha1"; boundary="=.)f:ahZGJ081Iij"
--=.)f:ahZGJ081Iij
Content-Type: multipart/mixed;
boundary="Multipart_Tue__1_Jul_2003_15:08:30_+0000_08234580"
--Multipart_Tue__1_Jul_2003_15:08:30_+0000_08234580
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
sec-labs team proudly presents:
Buffer overflow vulnerability in Adobe Acrobat Reader 5.0.7 and earlier
by mcbethh
29/06/2003
I. BACKGROUND
quote from documentation:
'The Acrobat Reader allows anyone to view, navigate, and print documents
in the Adobe Portable Document Format (PDF).'
However there is Acrobat Reader 6.0 for windows nad MacOS, version 5.0.7
is last for unix.
II. DESCRIPTION
There is buffer overflow vulnerability in WWWLaunchNetscape function. It
copies link address to 256 bytes (in 5.0.5 version) buffer until '\0' is
found. If link is longer than 256 bytes return address is overwritten.
Notice that user have to execute (click on it) our link to exploit this
vulnerability. User also have to have netscape browser in preferences,
but it is default setting.
III. IMPACT
If somebody click on a link from .pdf file specialy prepared by attacker,
malicious code can be executed with his privileges.
IV. PROOF OF CONCEPT
Proof of concept exploit is attached. It doesn't contain shellcode nor
valid return address. It just shows that return address can be overwriten
with any value. Use gdb to see it, because acroread will not crash.
--
sec-labs team [http://sec-labs.hack.pl]
--Multipart_Tue__1_Jul_2003_15:08:30_+0000_08234580
Content-Type: application/octet-stream;
name="seclabs-poc-adobe-acrobat-reader-29-06-2003.tar.bz2"
Content-Disposition: attachment;
filename="seclabs-poc-adobe-acrobat-reader-29-06-2003.tar.bz2"
Content-Transfer-Encoding: base64
QlpoOTFBWSZTWQLp8bAAAOh/rMiQAgB45//ZOA3XxH/v3+oABAEAAAEACFADPeBQAAHNGTEwATEY
EaYEGIwTJgEYc0ZMTABMRgRpgQYjBMmARhzRkxMAExGBGmBBiMEyYBGDJTKPUAANMjQAAA0ANAAB
VITRNMhMieJo0JpppBiempk0M1MT0an6o+domzg3+EBjNAgpEJIIW6IZdKKRxSOSkWWAzDYTgKR0
uZI4mhreKS8+D8NySMjjSSVYxKMHzTfSKul61XgSScy9oSyM7Q29mdV9WC5cokq8U3IqtUWnyet8
1ptfQtZDlaVjB/lv3vZZ2WTpKarsfZofRYqotRzv1N4cFGZV1Ni5V4JFEnY7fd7T0MItfZ3Nqwm3
OGnh2P0S9MpSlJKSUpSl14tUel1rHequjILmRMj1QNFoGBscBCKyWAAJoRRVFCwFhwsfCBRQrBYV
RVdOKx0Wd6i6JVkKpRf/GTPRbBnjcGTCkl2RkugrF8Th2uVzpNzed6JtCLYan1dywj4xJZIWElrt
HBJWOg7nkuOxJ7Y7XvUc72R717uNTFR4Od8GuIeLCH4cSR7mhqXB72qHseSMjkbm5lbl7euXsESf
FQ5iqcNTKca5xOVgk2JuJtWRYxeK0qVWoqYM7kRcxfyzI5jgvLYmysWMPFoUWDWkzqMzrZ3BcsVT
cZsTNajTDexVJQ72ttcSM7U87FeoqztTBNVmaE1FrOjYk2LFjkWM7FvcSxGVQ8x1MFWRV5jFe9EZ
WVFrQuLk01FhxqNBJYSRJqPVDIbYjQEkXGC50qNKxNlUdrFnfh2PBa7mWFkn3lE5J4szLGJ1pDna
mlesNTldCjjbFhSDJHMzMyTM2sWt5JmERlZE41movdCpgWptKsVUTMTZSUpHUxYw0ptyjFJyr01E
2B5P+L0YupaxeUb3CNi50pmk3OI1pHB6+9Khnbzztx4rGx1rlXmLVrMk9K1KA/8XckU4UJAC6fGw
--Multipart_Tue__1_Jul_2003_15:08:30_+0000_08234580--
--=.)f:ahZGJ081Iij
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
iD8DBQE/AaP3Z4yD+a7QMvgRAg8JAKCe/J8uAm5HuOEol6oSeI6Rebo0XgCfd9CW
tbVBG/P0C+urR678bIWk0F8=
=sw6q
-----END PGP SIGNATURE-----
--=.)f:ahZGJ081Iij--
--A319E8F511.1057286901/outgoing2.securityfocus.com--
