[Advisory Update]Adobe Reader/Acrobat Remote PDF Print Silently Vulnerability

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: [Advisory Update]Adobe Reader/Acrobat Remote PDF Print Silently Vulnerability
From: cocoruder <cocoruder@xxxxxxxxx>
Date: Wed, 7 May 2008 09:53:53 +0800
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; bh=llewy+YG9pruQCadj76MmxZ6trFpaTiV91z5qq1UngQ=; b=qUvLL7pYIs9AAoEfTF6vFqaalyjC4CcURZ0aAgdULNpVCO1DcQz6oJ967sMv47qIkJPOZPZfob2pVCEbpETQcn5pUXsqWyu760xeak4yVSwl7TFzwdVGpKUTf/Dbgy7TtssOFRkwtTHEodEZmZEItUlsLw63mmdbOk25UyN0tzA=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=fmcnkzSycAT5CXRo2jxXdfnjPyylj5TNm68Py3gOQkhldDaV7SdY6oHDAx3fXVW5sT5yRocRSu79ZatoIUqOZtdB4aQdIqfzfp19VzrS8bldjTaO9FgnunmOMypqwW5ljZSnRza65T9qgycYoUgLklFAC3Eb6EQTvUr3uV5pcjA=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: frankruder@xxxxxxxxxxx

[UPDATE]Adobe Reader/Acrobat Remote PDF Print Silently Vulnerability

by cocoruder(frankruder@xxxxxxxxxxx)
http://ruder.cdut.net, updated on 2008.05.06


Summary:

    A design error vulnerability exists in Adobe Reader and Adobe
Acrobat Professional. A remote attacker who successfully exploit this
vulnerability can control the printer without user's permission.



Affected Software Versions:

    Adobe Reader 8.1.1 and earlier versions
    Adobe Acrobat Professional, 3D and Standard 8.1.1 and earlier versions



Details:

    This vulnerablity due to the design error of the javascript
fucntion "DOC.print()", following are the annotates of the function in
Adobe's Javascript API Reference(named "js_api_reference.pdf"):

        --START--

        (Acrobat 7.0) Non-interactive printing can only be executed during
batch, console, and menu events. Printing is made non-interactive by
setting bUI to false or by setting the interactive property to silent,
for example:

          var pp = this.getPrintParams();
          pp.interactive = pp.constants.interactionLevel.silent;

        Outside of batch, console, and menu events, the values of bUI and of
interactive are ignored and a print dialog box will always be
presented.

        --END--

    But Adobe has not realized it in the current version, so we can
call the printer silently without user's permission. The attacker can
build a vicious PDF document, once the victim view the document with
Adobe Acrobat Professional or Adobe Reader, it will waste a lot of the
victim's printer resources. For example, attacker can build a PDF
document including the following scripts:

        var pp = this.getPrintParams();
        pp.interactive = pp.constants.interactionLevel.silent;

        for (var i=0;i<10000;i++)
        {
                this.print(pp);
        }

    It will print this document 1000 times without user's permission.



Solution:

    Adobe has released an advisory for this vulnerability and a patch
for Adobe Acrobat/Reader 8 but not for Adobe Acrobat/Reader 7 which
are available on:

    http://www.adobe.com/support/security/advisories/apsa08-01.html

    Right now Adobe released the final advisory and patch which are
available on:

    http://www.adobe.com/support/security/bulletins/apsb08-13.html

    Fortinet advisory can be found at:

    http://www.fortiguardcenter.com



CVE Information:

    CVE-2008-0655



Disclosure Timeline:

    2007.11.01        Vendor notified
    2007.11.02        Vendor responded
    2008.02.07        Initial coordinated disclosure
    2008.05.06        Final coordinated disclosure



--EOF--

Prev by Date: [ MDVSA-2008:098 ] - Updated openssh packages fix vulnerability
Next by Date: rPSA-2008-0157-1 kernel
Previous by thread: [ MDVSA-2008:098 ] - Updated openssh packages fix vulnerability
Next by thread: Adobe Acrobat Professional Javascript For PDF Security Feature Bypass and Memory Corruption Vulnerabilities
Index(es):
- Date
- Thread