MOAB #6, Multi-vendor PDF Vulnerability
Sploops, I missed posting this the other day 'cause I was working on setting up a HoneyClient at CMU, so you'll forgive me if it's a bit stale, right? :P
MOAB #6 is the result of LMH looking at the PDF spec with a security researcher's eye. The root level of a PDF document is a data structure called the "catalog dictionary", which holds references to the other data structures that are meant to hold the actual document content. He lists 15 other objects that the catalog dictionary can point to, but only suggests that problems with the catalog dictionary itself or the "Pages" setting are what cause the problems described in the advisory.
Interestingly, LMH makes the claim that this vulnerability constitutes a design flaw in the newest version of the PDF specification itself. He references the design of the TIFF file format as an example of similar problems caused by a "defective-by-design" spec. There does seem to be a case for such an assertion, though it seems it could be fairly trivially addressed by a change in the spec to take invalid references into account.
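The kind of reference check such a spec change would call for, as an added example (not code from this post or from LMH's advisory). It assumes "invalid reference" means a catalog entry that points to an undefined object, or a `/Pages` entry whose target is not a page-tree node; the function names and sample documents are constructed.

```python
import re

# Triage-level scan of classic (uncompressed) PDF syntax, not a full parser:
# object streams and cross-reference streams are out of scope.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
REF_RE = re.compile(rb"/(\w+)\s+(\d+)\s+(\d+)\s+R\b")
ROOT_RE = re.compile(rb"trailer.*?/Root\s+(\d+)\s+(\d+)\s+R\b", re.S)

def scan_objects(data):
    """Map (object number, generation) -> raw body of each indirect object."""
    return {(int(n), int(g)): body for n, g, body in OBJ_RE.findall(data)}

def check_catalog(data):
    """Return a list of problems with the catalog dictionary's references."""
    objs = scan_objects(data)
    m = ROOT_RE.search(data)
    if not m:
        return ["trailer has no /Root reference"]
    root = (int(m.group(1)), int(m.group(2)))
    catalog = objs.get(root)
    if catalog is None:
        return ["/Root points to undefined object %d %d" % root]
    problems = []
    if not re.search(rb"/Type\s*/Catalog\b", catalog):
        problems.append("/Root target %d %d is not a /Type /Catalog" % root)
    # Every "/Key N G R" entry in the catalog must resolve to a defined object.
    refs = {k.decode(): (int(n), int(g)) for k, n, g in REF_RE.findall(catalog)}
    if "Pages" not in refs:
        problems.append("catalog has no /Pages reference")
    for key, target in sorted(refs.items()):
        body = objs.get(target)
        if body is None:
            problems.append("/%s points to undefined object %d %d" % (key, *target))
        elif key == "Pages" and not re.search(rb"/Type\s*/Pages\b", body):
            problems.append("/Pages target %d %d is not a /Type /Pages node" % target)
    return problems

# Constructed sample documents (not taken from the advisory).
GOOD = (b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
DANGLING = GOOD.replace(b"/Pages 2 0 R", b"/Pages 9 0 R")
WRONG_TYPE = GOOD.replace(b"/Type /Pages", b"/Type /Font")

if __name__ == "__main__":
    for name, doc in [("good", GOOD), ("dangling", DANGLING), ("wrong type", WRONG_TYPE)]:
        print(name, check_catalog(doc))
```

A reader or mail gateway could run a check like this before handing the file to a renderer and reject documents that return a non-empty list.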
According to the detailed notes, this vulnerability has been confirmed on:
- Apple Mac OS X Preview.app 3.0.8 (409)
- Adobe Acrobat Reader 7.0 - 5.0 and previous.
  - 8.0.0 is not affected apparently.
  - GNU/Linux
  - Microsoft Windows
  - Mac OS X
- xpdf 3.0.1 (patch 2)
  - Note: Affects software based on its source as well (gv, kpdf, poppler, etc).

(...)
so it's seemingly ubiquitous, but Acrobat Reader 8.0 does not seem to suffer from this problem. (Go get it btw, if you haven't, since it addresses other severe problems too.)
Separate CVEs have been assigned for:
- Preview - CVE-2007-0102
- Acrobat Reader - CVE-2007-0103
- xpdf - CVE-2007-0104
