COMMAND

    Acrobat

SYSTEMS AFFECTED

    - Acrobat Reader 3.0J for Windows95/98/NT/2000
    - Acrobat Reader 4.0J for Windows95/98/NT/2000
    - Acrobat Reader 4.05J for Windows95/98/NT/2000
    - Acrobat 3.0J for Windows95/98/NT/2000
    - Acrobat 4.0J for Windows95/98/NT/2000
    - Acrobat 4.05J for Windows95/98/NT/2000
    - Adobe Acrobat Business Tools for Windows95/98/NT/2000
    - Adobe Acrobat FillIn for Windows95/98/NT/2000

PROBLEM

    UNYUN found the following.  He found an exploitable buffer overflow
    in the Acrobat series for Windows.  Acrobat overflows when reading
    a PDF file whose /Registry or /Ordering entry is too long.  These
    two entries are part of a font's CID system information (the
    CIDSystemInfo dictionary), and you can see them in any PDF file
    generated by Acrobat.  The overflow overwrites a local buffer, so
    EIP can be controlled and prepared code placed in the CID system
    information can be executed.  This overflow therefore opens the
    door to virus and trojan infection, system destruction, intrusion,
    and so on.

    The problem lies in the handling of the /Registry and /Ordering
    strings.  Since EIP can be controlled through the handling of
    /Ordering, we describe the problem in terms of /Ordering.

    Generally, a country name is written in /Ordering.  The following
    string is generated by Japanese Acrobat.

        /Ordering(Japanese1)

    If a long country name is specified instead, as follows,

        /Ordering(DDDDDD... long 'D')

    you will see the following GPF dialog box (this is the case for
    Acrobat 3.0J):

        ACROEX32 Page fault
        Module : ACROEX32.EXE, Address : 0167:004e00f2
        Registers:
        EAX=88888888 CS=0167 EIP=004e00f2 EFLGS=00010a86
        EBX=00e38788 SS=016f ESP=007ee3b4 EBP=007ee518
        ECX=007ee4b0 DS=016f ESI=00fe393b FS=0edf
        EDX=00000006 ES=016f EDI=007ee3c4 GS=0000
        Bytes at CS:EIP:
        c6 44 05 98 00 e8 54 17 05 00 66 89 85 14 ff ff

    The page fault is caused by the following instruction bytes (you
    can see them in the GPF dialog box):

        c6 44 05 98 00

    This is "mov byte ptr [ebp+eax-68h],0".  EAX is 0x88888888; this
    value is the sum of two values stored at specific offsets in the
    buffer, namely offsets 83 and 91.  If 0x80808080 and 0x7f7f7f7f
    are stored at those two positions, EAX becomes 0xffffffff.  The
    memory at ebp-1-68h is writable, so when EAX is -1 the page fault
    does not occur and the instructions are executed until the RET,
    whose return address is stored at offset 102.

    In Acrobat 4.0/4.05, EAX can be set from the values at offsets 66
    and 78, and EIP can be set from the value stored at offset 74 (we
    could write a single exploit that works against both 3.0 and
    4.0/4.05).

    NULL, '(' and ')' cannot be used, because they are the terminating
    characters for /Ordering and /Registry.
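    As an added example (not part of the original advisory, and not
    Adobe's or UNYUN's code), the following Python scanner reads a
    PDF's raw bytes, extracts every (...) literal that follows
    /Registry or /Ordering, and flags any literal longer than a length
    threshold, which is the condition that triggers the overflow
    described above.  The sample fragments, the function names and the
    32-byte threshold are constructed assumptions; legitimate orderings
    are only a few characters long, so the threshold can be tuned.

```python
import re

# Constructed sample fragments of a CIDSystemInfo dictionary
# (assumed examples, not taken from any real file).
BENIGN_SAMPLE = b"<< /Registry (Adobe) /Ordering (Japanese1) /Supplement 2 >>"
SUSPICIOUS_SAMPLE = (b"<< /Registry (Adobe) /Ordering ("
                     + b"D" * 200 + b") /Supplement 0 >>")

# Assumed threshold: the longest /Registry or /Ordering value a
# legitimately generated PDF should need.  Anything longer is flagged.
MAX_LEN = 32


def _literal_strings(data: bytes, key: bytes):
    """Yield the raw bytes of each (...) literal that follows /<key>.

    PDF literal strings may contain backslash escapes and balanced
    nested parentheses, so both are handled rather than stopping at
    the first ')'.
    """
    for m in re.finditer(rb"/" + key + rb"\s*\(", data):
        i = m.end()
        start = i
        depth = 1
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\":          # skip the escaped character
                i += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
                if depth == 0:
                    yield data[start:i]
                    break
            i += 1


def scan_cid_system_info(data: bytes, max_len: int = MAX_LEN):
    """Return [(key, length), ...] for every /Registry or /Ordering
    literal longer than max_len.  An empty list means nothing flagged."""
    findings = []
    for key in (b"Registry", b"Ordering"):
        for value in _literal_strings(data, key):
            if len(value) > max_len:
                findings.append((key.decode(), len(value)))
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE),
                         ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, scan_cid_system_info(sample))
```

    To scan a real file, pass the contents of open(path, "rb").read()
    to scan_cid_system_info().  The scanner only inspects uncompressed
    PDF syntax and only the (...) literal form; a CIDSystemInfo
    dictionary stored inside a compressed object stream or written
    with hex strings (<...>) would need the stream decoded or the hex
    form added first.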

SOLUTION

    Adobe Acrobat/Reader/FillIn/Business Tools 4.05c is not affected.
    The patches for this problem have already been released on 26 July
    at the Adobe site:

        http://www.adobe.com/misc/pdfsecurity.html