Hosting Provided By

Adobe Acrobat and PDF security: no improvements for 2 years

From: Vladimir Katalov <info(at)elcomsoft.com>
Date: Tue Jul 08 2003 - 06:38:57 EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Adobe Acrobat and PDF security: no improvements for 2 years. Software released in 2003 contains vulnerabilities disclosured in 2001

July 8, 2003

SUMMARY

In early 2001, we have discovered a serious security flaw in Adobe Acrobat and Adobe Acrobat Reader. In July'2001, we've briefly described it in "eBook Security: Theory and Practice" speech on DefCon security conference. Since there was no reaction from Adobe (though Adobe representative has attended the conference), we have reported this vulnerability to CERT in September'2002 (after more than a year), still not disclosing technical details to the public. Only in March'2003, CERT Vulnerability Note (VU#549913) has been published, and after a week, Adobe has responded officially (for the first time) issuing the Vendor Statement (JSHA-5EZQGZ), promising to fix the problem in new versions of Adobe Acrobat and Adobe Reader software expected in the second quarter of 2003. When these versions became available, we have found that though some minor improvements have been made, the whole Adobe security model is still very vulnerable, and so sent a follow-up to both CERT and Adobe. Both parties failed to respond. Below is the full story.

CONTACT INFORMATION

 Name                   : ElcomSoft Co.Ltd.
 E-mail                 : info@elcomsoft.com
 Web                    : 
http://www.elcomsoft.com
 Phone / fax            : +1 866 448-2703

HISTORY

Adobe Systems Inc is referred as "Vendor" ElcomSoft Co.Ltd. is referred as "Reporter"

Do you need help?

07/16/2001: "eBook Security: Theory and Practice" presentation on

              DefCon 9:
              
http://www-2.cs.cmu.edu/~dst/Adobe/Gallery/defcon.ppt
  06/13/2002: Report sent to vendor
              (PASSKEY:75DF62C56A7DE9F888256BCB0001DF72)
  09/10/2002: Report sent to CERT
  10/08/2002: More detailed acknowledgment sent to reporter
  10/08/2002: Initial attempt to contact vendor via web feedback
  10/18/2002: Follow up to PR contact(s); point of contact initiated

10/21/2002: Authentication loop closed; technical details sent 10/29/2002: Ack asked for and received; further details sent

related to report

  11/21/2002: Reporter asks for status update
  11/26/2002: Ping from reporter
  11/26/2002: Follow up with vendor to get status of report
  11/27/2002: Ack from vendor PR contact asserting more info soon
  11/28/2002: Follow up to vendor again asking for confirmation of
              details;
              let the vendor know reporter is willing to wait if
              details and solution acknowledged
  12/02/2002: Conversation with vendor contact verifying details of
              issue; mention made of issue being resolved in next
              release
  12/04/2002: Initial date identified for potential publication of the
              report
  12/09/2002: Vendor replies that their response is undergoing legal
              review
  12/18/2002: Reporter asks for status update; notes 45-day disclosure
              period over
  12/18/2002: Ack reporter
  12/18/2002: Ping vendor for written response again
  01/05/2003: Reporter asks for status update
  01/14/2003: Ack reporter; tentatively set publication date for 01/20

01/20/2003: Reporter ack
01/21/2003: Private CERT Vulnerability Card published with draft

status
03/19/2003: CERT Vulnerability Note (VU#549913) published:

http://www.kb.cert.org/vuls/id/549913 03/25/2003: Vendor Statement (JSHA-5EZQGZ) published:

http://www.kb.cert.org/vuls/id/JSHA-5EZQGZ 07/02/2003: Updated vulnerability report by reporter to CERT 07/04/2003: Updated vulnerability report sent by reporter to vendor

TECHNICAL DETAILS

Description of the vulnerability

- --------------------------------

Adobe Acrobat Reader supports plug-ins, i.e. additional modules that extend the functionality of Adobe Acrobat and Adobe Acrobat Reader; plug-ins SDK and plug-ins certification (signing) mechanism are provided. By design, Adobe Acrobat (and Reader) should load only digitally signed plug-ins, while the key (for signing) is provided by Adobe itself -- to developers who has signed a special agreement with Adobe. Besides, some plug-ins are signed by Adobe using their own private Key, and there is a 'certified' (so-called 'trusted') mode in Acrobat, when only Adobe-certified plug-ins are being loaded.

Do you need more help?

However, the implementation of certification mechanism is weak, and it is easy to write a plug-in that will look like one certified by Adobe, and so will be loaded even in 'certified' mode. Such plug-in can execute ANY code -- i.e. perform file operations (read, write, execute etc), access Windows Registry etc.

At 03/25/2003, vendor (Adobe Systems Inc) issued "Vendor Statement", confirming the existence of the vulnerability: http://www.kb.cert.org/vuls/id/JSHA-5EZQGZ

There, vendor notes:

"The security mechanism for loading certified plug-ins will be updated in an upcoming release of Adobe Acrobat and Adobe Acrobat Reader available in the second quarter of 2003."

In June 2003, new versions of Adobe Reader (6.0) became available, but it is still vulnerable. The details are below.

There are two runtime modes for which they are enabled to load and execute:

Non-certified mode
Certified mode

Non-certified mode has not been changed: new versions of Adobe Acrobat and Adobe Reader still load all third party plug-ins that have old signatures, including "forged" ones (as described in VU#549913).

Certified mode has been improved, as promised: now the digital signatures (enabling key) uses stronger algorithms, and so cannot be forged. However, the whole Acrobat security model is still weak, as described below.

Can we help you?

Acrobat/Reader could be running in "Certified" mode in two cases:

"Certified plug-ins only" option was turned on when Acrobat starts. In this case Acrobat/Reader 6 loads only plug-ins with new tamper-resistant certificates, so plug-in with "forged" certificate could not be loaded.
"Certified plug-ins only" option was turned off, but there is no uncertified plug-ins available to be loaded. In this case Adobe Acrobat loads all available plug-ins (including plug-ins without digital signature at all). Adobe Reader requires all plug-ins to be signed, but does not reject plug-in if it has old-style signature. If all loaded plug-ins are certified by Adobe by new (Acrobat 6+) certification mechanism, Acrobat/Reader automatically switches to "Certified" mode.

Adobe Acrobat contains a special (internal) function that returns active "Certified" status (is all loaded plug-ins are certified or not). Let's call that function "CTIsCertifiedMode". Behavior of all Acrobat components that requires "Certified" mode is based on the value returned by this function.

Therefore, if plug-in with "forged" certificate is loaded, it can patch the code of CTIsCertifiedMode function in memory, and so force Acrobat to believe that it works in "Certified" mode.

It is not a big problem to find CTIsCertifiedMode in memory. Plug-ins gets access to Acrobat/Reader core functions through the set of tables called Host Function Tables (HFTs). One of such tables has the name "CoreTools". The functions referred by that table are not documented by Adobe, but one of the functions within CoreTools HFT is CTIsCertifiedMode.

The impact of this vulnerability is described below.

The impact of the vulnerability

- -------------------------------

There are many Adobe Acrobat and Adobe Reader plug-ins that can load (by design) only in certified mode. One example is all documents protected with "Adobe DRM" security handler (so-called eBooks). Certified more assures that all other plug-ins, loaded with those ones, have been also certified by Adobe.

However, using the vulnerability described above, the plug-in with forged signature can perform virtually everything, including but not limited to:

removing or modifying any restrictions (from copying text to Clipboard, printing etc) from the documents loaded into Adobe Acrobat or Adobe Reader;
remove any DRM (Digital Rights Management) schemes from PDF documents, regardless the encryption handler used -- WebBuy, InterTrust DocBox, Adobe DRM (EBX) etc;
modify or remove digital signatures used within a PDF document;
affect any/all other aspects of a document's confidentiality, integrity and authenticity.

Can't find what you're looking for?

Systems and configurations that are vulnerable

- ----------------------------------------------

  Software:           Adobe Acrobat 4.x
                      Adobe Acrobat 5.x
                      Adobe Acrobat 6.0
Don't know where to look next? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek
                      Adobe Acrobat Reader 4.x
                      Adobe Acrobat Reader 5.x
                      Adobe Reader 6.0

  Operating systems:  Windows 98
                      Windows ME
                      Windows 2000
                      Windows XP

Possible solutions

- ------------------

Adobe Acrobat and Adobe Reader should NOT be able to load ANY plug-ins that have old (designed for versions 4 and 5) certificates. All plug-ins for version 6 should use new, improved signatures. Besides, Acrobat/Reader should verify the integrity of its own executable code in memory, refusing to run (or just to load plug-ins) if the code has been modified.

CONCLUSION

Unfortunately, Adobe does not pay much attention to vulnerability report. The official response usually is:

"Adobe will evaluate this report, as we do any report we receive. For security reasons, Adobe can't discuss the measures we take as a result. Security is an ongoing effort. We are committed to strengthening the security of our products by using sophisticated, industry-standard levels of software encryption and working with the software community, including 'White Hat' security experts, to incorporate features to advance the quality of our products. However, no software is 100 percent secure from determined hackers."

To implement reliable and secure solutions, it is not enough just to "use sophisticated, industry-standard levels of software encryption" - - it is necessary to use them *properly*. It is well known that the chain is as weak as it's weakest link.

-----BEGIN PGP SIGNATURE-----
Version: 2.6

Confused? Frustrated?

iQEVAwUAPwqfHMGOU/F25e8NAQErmggAwtT8+afiS3rFvxX+7QAk4SINVDdZjEQz Dd2ZZgdLbq0zLWs37CX92F3V6JjvsFFbZXe+NHPZr4begdAnXeF/oV8j8C5rLfs2 YiBmO8SMoS7R/PKWjaJH7/XpCOLbSiyuVH2ndHZYM6U19fp1vE9zfP/6wMq5y24o FW5+63Bofn5o8V46my0uMPSQJTnrx8NZzprNVI4Jx0OddR6ULi5GF5qLDcOyaj4P 2L9l5pCMCzLZo0iTQb7qPujt+RSNOhmlk8mFfefJ6Pr8E/llY4uqhGLAv774be5m jfw/78G36PNrN2xGlFJ7ww2yxm/7RI7bBU6HLJpZ2EAhYkfnQwrZXQ== =O1wf
-----END PGP SIGNATURE----- Received on Tue Jul 8 18:19:24 2003

This message: [ Message body ]
Next message: Stephen Samuel: "Re: Red Hat 9: free tickets"
Previous message: Spybreak: "Generic way to exploit an insecure /tmp file creation - Red Hat 7,8,9 (Re: Red Hat 9: free tickets)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT