Signature Detail

HTTP: Adobe Acrobat Reader ActiveX Component NULL Byte Filename

This signature detects attempts to exploit a known vulnerability against the Adobe Acrobat Reader ActiveX component. Attackers can include a null byte in an overly long URL that, when interpreted by Adobe Acrobat, enables attackers to execute arbitrary code on the target host.

Extended Description

Adobe Acrobat/Acrobat Reader ActiveX control (pdf.ocx) is reported prone to a heap-based buffer overrun vulnerability, the issue presents itself due to a lack of sufficient boundary checking performed on URI data of GET requests. It is reported that Microsoft IIS and Netscape Enterprise servers employ NULL bytes as URI terminators and so these HTTP servers may be used to launch an attack. When a malicious URI is followed, the URI is copied into heap-based memory of the affected software without sufficient boundary checks. This results in heap-based memory management chunks being trampled by attacker-supplied URI data. Ultimately this vulnerability may be exploited by a remote attacker to execute arbitrary code in the context of the user who is running the vulnerable software.

Affected Products

• Adobe Acrobat 5.0.0
• Adobe Acrobat 5.0.5
• Adobe Acrobat 6.0.0
• Adobe Acrobat 6.0.1
• Adobe Reader 5.0.0
• Adobe Reader 5.0.5
• Adobe Reader 5.1.0
• Adobe Reader 6.0.0
• Adobe Reader 6.0.1

References

• BugTraq: 10947
• CVE: CVE-2004-0629
• URL: http://www.idefense.com/application/poi/display?id=126&type=vulnerabilities&flashstatus=true