
PDF fuzzing and Adobe Reader 9.5.1 and 10.1.3 multiple critical vulnerabilities

(Collaborative post by Mateusz “j00ru” Jurczyk and Gynvael Coldwind)

Several months ago, we started an internal Google Security Team effort to improve the general security posture of the Chrome embedded PDF reader, in an approach similar to the Flash fuzzing performed several months ago by Tavis Ormandy. During the course of a few weeks, we built a solid corpus of PDF documents that we feel gets significant coverage of the Chrome PDF Reader’s code base and used it to shake out more than 50 low-to-high severity bugs. All of the high and critical severity bugs we discovered have been fixed in the stable channel [1] [2] [3] as of this posting; see examples:

[132585] [132694] [132861] High CVE-2012-2851: Integer overflows in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

[134888] High CVE-2012-2855: Use-after-free in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

[134954] [135264] High CVE-2012-2856: Out-of-bounds writes in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

[136643] [137721] [137957] High CVE-2012-2862: Use-after-free in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

[136968] [137361] High CVE-2012-2863: Out-of-bounds writes in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

Given the success of our corpus against Chrome’s PDF Reader, we decided to use it to test another widely-used PDF viewing application – Adobe Reader 9.5.1 for GNU/Linux (latest version available for the platform). Over 1,500 cores have been continuously feeding the application with malformed data for a few weeks, which ultimately resulted in a total of 46 reproducible crashes with unique stack traces. This initial batch of files was sent directly to Adobe on 21st of June. A few days later, we came up with a slightly different mutation method with the potential of exposing additional software vulnerabilities and re-ran the fuzzer. As a direct outcome, 14 new unique crashes were identified and sent to Adobe for further evaluation on the 27th of June. In addition to sending information to the vendor, we also performed a cursory investigation of the crash logs and determined that 31 (roughly 50%) seemed to represent trivially exploitable problems, which we assess as critical bugs, and 9 test-cases as potentially exploitable for remote code execution.

Since our original disclosure, we have been in regular contact with the Adobe PSIRT team. They were immediately responsive to our report and have provided us with regular updates about their progress addressing these bugs and update plans. We appreciate the progress they’ve made on the multiple crashes reported.

Today, on the 14th of August 2012, Adobe released a new version of Reader for the Windows and Mac OS X platforms, addressing around 25 of the reported critical crashes; see the APSB12-16 security bulletin. The issues were assigned twelve CVEs in total (CVE-2012-4149 through CVE-2012-4160), indicating how many unique code changes it took to fix the problems. Fixing those and numerous other lower-severity bugs not mentioned here in less than two months is a great step forward in raising the bar for bug hunters and improving users’ safety worldwide.

Unfortunately, sixteen more crashes affecting Windows, OS X, or both systems remain unpatched. Considering that fixing the first twenty four crashes took twelve unique code fixes, it is expected that the remaining crashes might represent around eight more unique problems. Adobe plans to fix these remaining bugs and issue an update for the Linux version of Reader in an upcoming release. Though we have no evidence these bugs are being exploited today, we are concerned that functional exploits can be built without much effort based on knowledge derived from binary diffing of the old and newly patched Windows builds.

Given this, we consider users of Adobe Reader to be exposed to serious risk. Using our thoughts on reasonable disclosure as a guide, we notified Adobe of our plans to publicly disclose information about any critical vulnerabilities which would remain unfixed 60 days beyond our initial contact. (Note: Adobe has confirmed they have no plans to issue additional out of band updates before August 27, which is 60 days after we disclosed all bugs. Since the Linux Reader version remains unpatched and the Windows / OS X patches are now available for diffing and reverse engineering, we have decided that it’s in the best interest of users to be aware of these security issues without additional delay.)

It is important to note that all discussed vulnerabilities were found using publicly available PDF documents, altered using conceptually trivial mutation algorithms such as bitflipping. Given that, we believe it is very possible that third-parties specializing in bug hunting and vulnerability research may already know of and/or be targeting many of our reported issues.
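The mutation step described above, as an added example (not the authors' fuzzer or corpus): a deterministic bit-flip mutator over a constructed minimal PDF, plus a small campaign loop that buckets parser failures by exception type. Seeding the PRNG per test case is what makes every crash reproducible from the (document, seed, flip count) triple alone, which is the property the post relies on when it talks about reproducible crashes. The `toy_parse` target and the document bytes are assumptions made for this example.

```python
import random
from typing import Callable, Dict, List, Tuple

# Constructed minimal PDF used as the seed document (not a file from the
# authors' corpus).
SEED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def bitflip_mutate(data: bytes, seed: int, flips: int = 4) -> bytes:
    """Invert `flips` distinct bits of `data`, chosen by a PRNG seeded with
    `seed`. The same (data, seed, flips) always yields the same mutant, so a
    crashing test case can be regenerated from those three values alone."""
    if not data:
        raise ValueError("cannot mutate an empty document")
    rng = random.Random(seed)
    buf = bytearray(data)
    # Sampling without replacement guarantees exactly `flips` bits change.
    for idx in rng.sample(range(len(buf) * 8), flips):
        buf[idx // 8] ^= 1 << (idx % 8)
    return bytes(buf)


def changed_bits(original: bytes, mutant: bytes) -> int:
    """Number of bit positions at which the mutant differs from its parent."""
    return sum(bin(a ^ b).count("1") for a, b in zip(original, mutant))


def run_campaign(parse: Callable[[bytes], None], corpus: Dict[str, bytes],
                 seeds: range, flips: int = 4) -> Dict[str, List[Tuple[str, int]]]:
    """Feed every (document, seed) mutant to `parse` and bucket failures by
    exception type. Each entry records the corpus name and seed needed to
    regenerate that exact mutant for reproduction and reporting."""
    failures: Dict[str, List[Tuple[str, int]]] = {}
    for name, doc in corpus.items():
        for seed in seeds:
            try:
                parse(bitflip_mutate(doc, seed, flips))
            except Exception as exc:  # any failure of the target is a finding
                failures.setdefault(type(exc).__name__, []).append((name, seed))
    return failures


def toy_parse(data: bytes) -> None:
    """Hypothetical stand-in for the target under test: it only checks the
    header magic and the presence of the trailer keyword."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("bad header")
    if b"trailer" not in data:
        raise KeyError("trailer missing")


if __name__ == "__main__":
    found = run_campaign(toy_parse, {"seed": SEED_PDF}, range(200))
    for kind, cases in found.items():
        print(kind, len(cases), "cases, e.g.", cases[:3])
```

In a real campaign `parse` would launch the viewer under a debugger or crash handler and raise on a fault; the bucketing by exception type then becomes bucketing by crash signature, which is what the call-stack deduplication in the next section handles.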

We plan to continue working with Adobe to verify additional fixes and test new releases to further improve the security of Reader.

To summarize:

  • Users of Adobe Reader for Linux are exposed to all critical vulnerabilities discussed here, until the patched Linux version is released.

  • Users of Adobe Reader for Windows are currently vulnerable to up to 6 unpatched issues.

  • Users of Adobe Reader for Mac OS X are currently vulnerable to up to 10 unpatched issues.

Vulnerability information

We have decided to publish the stack traces of all sixteen crashes affecting Windows and OS X, with the intention of demonstrating the existence and severity of the issues. The call stacks are, however, obfuscated in such a way that the 20 least-significant address bits are masked out together with function symbols and any other meaningful information that might be used by third parties to directly locate the vulnerable code path.
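Two pieces of the crash handling described on this page, the "unique stack traces" counting from the fuzzing paragraph above and the masking of the 20 least-significant address bits and symbols used for publication, as one added example (not the authors' tooling): a parser for a gdb-like frame line, a bucketing key built from the top frames, and an obfuscation routine. Every trace, address, symbol and module name below is constructed; the gdb-like line layout, 32-bit addresses and the choice of the top three frames as the dedup key are assumptions of this example, since the post does not say how it grouped crashes.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class Frame(NamedTuple):
    index: int
    address: int
    symbol: str
    module: str


# Gdb-like frame line: "#<n> 0x<addr> in <symbol> from <module>" (assumed
# layout for this example).
FRAME_RE = re.compile(
    r"^#(\d+)\s+0x([0-9a-fA-F]+)\s+in\s+(\S+)\s+from\s+(\S+)$")

# Constructed traces; none of these values come from the published call stacks.
# crash-001 and crash-002 share their top three frames and so represent one bug.
TRACES = {
    "crash-001": """
#0 0x0804a1b3 in parse_annot_dict from Annots.api
#1 0x0804b220 in load_annotations from Annots.api
#2 0x0812c5e0 in render_page from libcore.so
#3 0x08130a10 in open_document from libcore.so
""",
    "crash-002": """
#0 0x0804a1b3 in parse_annot_dict from Annots.api
#1 0x0804b220 in load_annotations from Annots.api
#2 0x0812c5e0 in render_page from libcore.so
#3 0x08131b44 in print_document from libcore.so
""",
    "crash-003": """
#0 0x0901c2f0 in verify_signature from PPKLite.api
#1 0x0901d004 in check_certificate from PPKLite.api
#2 0x08130a10 in open_document from libcore.so
""",
}


def parse_trace(text: str) -> List[Frame]:
    """Parse one backtrace into Frame records; reject lines that do not fit."""
    frames = []
    for line in text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised frame line: {line!r}")
        frames.append(Frame(int(m[1]), int(m[2], 16), m[3], m[4]))
    return frames


def crash_key(frames: List[Frame], depth: int = 3) -> Tuple[Tuple[str, str], ...]:
    """Bucket key: module and symbol of the top `depth` frames. Traces with
    the same key are counted as one bug rather than one per crashing file."""
    return tuple((f.module, f.symbol) for f in frames[:depth])


def dedupe(traces: Dict[str, str], depth: int = 3) -> Dict[tuple, List[str]]:
    """Group crash files by their key, giving the count of unique crashes."""
    buckets: Dict[tuple, List[str]] = {}
    for name, text in traces.items():
        buckets.setdefault(crash_key(parse_trace(text), depth), []).append(name)
    return buckets


def obfuscate(frames: List[Frame], low_bits: int = 20, width: int = 32) -> str:
    """Publishable form: clear the `low_bits` least-significant address bits
    and drop the symbol, leaving only the module and a coarse address region."""
    mask = ((1 << width) - 1) & ~((1 << low_bits) - 1)
    return "\n".join(
        f"#{f.index} 0x{f.address & mask:0{width // 4}x} in ?? from {f.module}"
        for f in frames)


if __name__ == "__main__":
    for key, names in dedupe(TRACES).items():
        print(len(names), "crash file(s) for", key[0])
    print(obfuscate(parse_trace(TRACES["crash-001"])))
```

Masking 20 bits removes the offset within a 1 MiB region, so the published trace still shows which module and rough region faulted (enough to demonstrate a distinct bug) without pointing at the exact function.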

http://vexillium.org/dl.php?ar_callstack.txt

Workarounds and mitigation

Two of the discussed vulnerabilities affecting Reader for Linux have been confirmed to reside in the Annots.api and PPKLite.api plugins, respectively. Since no documented ways of disabling specific plugins are available, users are advised to remove these two files from their /path/to/Adobe/Reader9/Reader/intellinux/plug_ins directory as a workaround for the issues.

There are currently no known workarounds available against any of the remaining unpatched vulnerabilities. If you believe you may be affected, you may wish to do one of the following until the patches have been released:

  • Limit the use of Adobe Reader software.
  • Or at least, do not open any externally received PDF documents.
  • Disable the Adobe Reader browser extension for the time being.

Users of Adobe Reader 9.x for Windows who are aware of the risk are advised to upgrade to Adobe Reader X, which provides a sandbox feature, making it more difficult (although not impossible) to exploit these vulnerabilities. Unfortunately, the sandbox feature is not available for the newest versions of Adobe Reader for OS X or Linux.

Timeline

  • June 2012: discovery of the first set of crashes.
  • 21st of June 2012: first set of crashes reported to vendor.
  • 26th of June 2012: we notify Adobe that all critical crashes would be subject to the 60-day policy.
  • 27th of June 2012: second set of crashes reported to vendor.
  • July 2012: e-mails back and forth, we are notified not every critical issue would be fixed.
  • 14th of August 2012: new version for Windows and OS X released, we publish this post.

3 Comments

  1. Hanno | 14-Aug-12 at 14:00:40

    Have you tried the same fuzzing samples on poppler? It’d be interesting how it performs compared to other implementations.

  2. Fernando | 14-Aug-12 at 18:15:45

    +1 on running it on evince/poppler

  3. j00ru | 15-Aug-12 at 01:39:27

    @Hanno, @Fernando: We had the same idea and found a large stack of memory errors a few months ago. Unfortunately, the poppler developers don’t seem to rush to fix them: http://cgit.freedesktop.org/poppler/poppler/log/?qt=grep&q=j00ru.
