Vulnerability details :
 
Adobe Download Manager AOM File Handling Section Name Overflow 
 
     Record

Record created 2006-12-06 12:48:25, last updated 2010-03-19 04:11:41

Adobe Download Manager is affected by a remote buffer-overflow vulnerability. An attacker can exploit this issue by crafting a malicious AOM file and enticing a user to view a webpage containing the file. A successful attack may result in arbitrary code execution. This issue affects Adobe Download Manager 2.1 and prior versions.

AdobeDownloadManager.exe extracts download instructions from AOM files, which are essentially XML with a CRC32 appended in decimal, and writes those instructions to "%APPDATA%\dm.ini" for later processing. For instance, opening an AOM file whose XML body carries the name WelcomeToMyHumbleAdobe, followed by the decimal CRC32 trailer 3871966612, generates the following lines in "dm.ini":

    [STARTUP]
    Status=IncompleteDownload
    [WelcomeToMyHumbleAdobe]
    StoreID=0
    TransactionID=0

When launched, whether or not it is given an AOM file, AdobeDownloadManager.exe reads the entries from "dm.ini" and handles each described download according to its properties, so an entry written once is processed again on every later launch. It begins by reading the list of section names into a 400h-byte buffer with GetPrivateProfileStringA, then copies each section name into a 108h-byte stack buffer with strncpy, passing as the length limit the length of the section name itself. Because that limit comes from the source rather than the destination, it bounds nothing: a section name longer than 108h bytes overruns the stack buffer. The result is a straightforward stack buffer overflow; the only complication for an attacker is the restriction on which characters can appear in an INI section name.
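The path described above, modelled as an added example (this is not Adobe's code and not taken from the advisory). It assumes the AOM trailer is the standard IEEE CRC-32 written in decimal, replaces GetPrivateProfileStringA with an in-memory double-NUL-terminated list of the same shape, and stands a canary field in for whatever the real overflow clobbers on the stack; the frame struct, the 0x10C-byte section name, the benign list entry and the XML body in main are all constructed. The vulnerable copy keeps the advisory's limit (strlen of the source) and is shown beside a copy bounded by the destination size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTION_LIST_SIZE 0x400  /* list-of-section-names buffer, per the advisory */
#define SECTION_NAME_SIZE 0x108  /* per-name stack buffer, per the advisory */
#define CANARY 0xCAFEBABEu

/* Stand-in for the vulnerable stack frame: the 0x108-byte name buffer, a canary
 * playing the role of whatever sits above it on the stack, and slack so the demo
 * can overrun the canary without leaving the struct (constructed layout). */
struct frame {
    char name[SECTION_NAME_SIZE];
    uint32_t canary;
    char slack[64];
};

/* Walk a double-NUL-terminated section list, the shape GetPrivateProfileStringA
 * returns when asked for all section names; calls cb on each, returns the count. */
size_t for_each_section(const char *list, int (*cb)(const char *, void *), void *ctx) {
    size_t count = 0;
    for (const char *p = list; *p != '\0'; p += strlen(p) + 1) {
        count++;
        if (!cb(p, ctx)) break;
    }
    return count;
}

/* The vulnerable pattern: the limit handed to strncpy is strlen(name), the SOURCE
 * length, so it bounds nothing. Returns 1 if the canary past the buffer was
 * overwritten, 0 if the name fit, -1 for names too long for this demo frame
 * (a guard the original lacked; it only keeps the demo inside the struct). */
int handle_section_vulnerable(const char *name) {
    struct frame f;
    struct frame *volatile fp = &f;  /* keeps the target opaque to compile-time size checks */
    size_t n = strlen(name);
    if (n > sizeof f) return -1;
    memset(fp, 0, sizeof f);
    fp->canary = CANARY;
    strncpy(fp->name, name, n);      /* same limit the advisory describes */
    /* With n == strlen(name), strncpy writes no terminator either: even an
     * exactly 0x108-byte name leaves the buffer unterminated. */
    return fp->canary != CANARY;
}

/* Fixed copy: bound by the DESTINATION, reject what does not fit with its
 * terminator, always NUL-terminate. Returns 1 on success, 0 on rejection. */
int handle_section_fixed(const char *name, char *out, size_t out_size) {
    size_t n = strlen(name);
    if (out_size == 0 || n >= out_size) return 0;
    memcpy(out, name, n);
    out[n] = '\0';
    return 1;
}

/* Standard CRC-32 (reflected, polynomial 0xEDB88320), assumed to be what the AOM
 * trailer carries in decimal. It derives from the file alone, so it is an integrity
 * check, not an authenticity check: whoever crafts the XML simply recomputes it. */
uint32_t crc32_ieee(const unsigned char *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Constructed attacker section name: 0x10C bytes, enough to run over the canary. */
const char *demo_long_name(void) {
    static char name[SECTION_NAME_SIZE + 5];
    memset(name, 'A', SECTION_NAME_SIZE + 4);
    name[SECTION_NAME_SIZE + 4] = '\0';
    return name;
}

static int count_overflowing(const char *name, void *ctx) {
    if (handle_section_vulnerable(name) == 1) (*(size_t *)ctx)++;
    return 1;
}

/* Constructed dm.ini section list: the advisory's benign name plus the long one,
 * laid out as GetPrivateProfileStringA would return them. Returns how many overflow. */
size_t demo_overflowing_sections(void) {
    char list[SECTION_LIST_SIZE];
    size_t pos = 0, bad = 0;
    const char *names[] = { "WelcomeToMyHumbleAdobe", demo_long_name() };
    for (size_t i = 0; i < 2; i++) {
        memcpy(list + pos, names[i], strlen(names[i]) + 1);
        pos += strlen(names[i]) + 1;
    }
    list[pos] = '\0';                /* the second NUL ends the list */
    for_each_section(list, count_overflowing, &bad);
    return bad;
}

int main(void) {
    const char *body = "<WelcomeToMyHumbleAdobe/>";  /* constructed sample XML body */
    printf("trailer for %s: %lu\n", body, (unsigned long)crc32_ieee((const unsigned char *)body, strlen(body)));
    printf("%zu constructed section(s) smash the frame\n", demo_overflowing_sections());
    return 0;
}
```

The volatile pointer to the frame is there only so that a fortified build does not abort the copy before the overrun is visible; the real binary had no such indirection and no guard on the name length. The CRC check matters for the same reason it does not help: it proves the file was not corrupted in transit, not that anyone trustworthy produced it.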

 
Vendor: Adobe Systems Incorporated    Version: 2.1    Status: Affected
 
Attack Type :  Race Condition
 symlink.
 Discovered 2006-12-06 12:48:52
 
Attack Type :  Input Manipulation
 XSS, SQL injection, file retrieval, directory traversal, overflows, URL encoding.
 
Disclosure :  OSVDB Verified
 Confirmed 2006-12-06 12:48:52
 
Disclosure :  Vendor Verified
 
Exploit :  Exploit Unknown
 Unsure of exploit status.
 
Exploit :  Exploit Private
 
Impact :  Loss of Confidentiality
 Assurance that data is protected and not disclosed to an unauthorized party. Examples: password disclosures, server information, environment variables, confirmation of file existence, path disclosure, file content access, some SQL injection.
 
Impact :  Loss of Integrity
 Assurance that data is unaltered by unauthorized persons. Examples: XSS, arbitrary command execution, most overflows, most format strings, SQL injection, unauthorized file modification/deletion/creation, remote file inclusion, etc.
 
Impact :  Loss of Availability
 Assurance of timely and reliable access to data. Examples: any DoS attack of any kind, unauthorized file deletion, etc.: anything that can cause the availability of a service or information to be impacted.
 
Location :  Remote / Network Access
 Network access is required and the exploit can be carried out remotely.
 
Location :  Local Access Required
 Requires a local account, shell access, etc. Any vulnerability that doesn't require the network layer to exploit.
 
 
External refs :
OSVDB  31055
© Power4Security.com - BMS Ltd UK 2007-2008 - powered by Power4Website.com