On June 29, 2010, Adobe published its security updates for Adobe Reader and Adobe Acrobat (APSB10-15). Among the many vulnerabilities fixed this time, the notable one is the /Launch vulnerability (CVE-2010-1240), which is said to have been found by Didier Stevens. However, it is a pity that the patch is not working properly.
The /Launch vulnerability was released by Didier on March 29, 2010. Since then, many viruses in the wild have taken advantage of the flaw.
It took Adobe three months to release the patch. I think it was delayed for too long.
In his blog entry, Didier confirms that Adobe has completely fixed the flaw. Thus, I decided to check the patch carefully, and the patch turns out to be incomplete.
Firstly, I check the exploited PDF file with the latest version of Adobe Reader.
Before version 9.3.3
The patch seems to be working. Now, what would happen if I modify the exploit code a bit?
Specifically, I add quotes to the parameter passed to /F.
E.g., /F(cmd.exe) becomes /F("cmd.exe")
With the quotes added, Adobe Reader will not block the execution and the warning becomes as follows:
After pressing Open, cmd.exe will be executed!!!
So, Adobe Reader version 9.3.3 has fixed the fake warning message, but the threat of exploit code execution still remains.
You can verify this by:
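For defenders triaging PDF attachments, the quoting variant above means a check on the /F value has to normalize it before comparing. The following is an added example, not code from the original post or from Adobe: it lists the /F targets of /Launch actions with quotes, whitespace and case normalized. It assumes the PDF objects are stored uncompressed, and the suffix list and sample document are constructed for illustration.

```python
import re

# Assumption: illustrative suffix list for triage, not Adobe's own filter list.
RISKY_SUFFIXES = (".exe", ".bat", ".cmd", ".com", ".scr", ".vbs")

OBJECT = re.compile(rb"\d+\s+\d+\s+obj\b(.*?)endobj", re.S)
LAUNCH = re.compile(rb"/S\s*/Launch\b")
# /F followed by a literal string; nested parentheses are not handled here.
F_LITERAL = re.compile(rb"/F\s*\(((?:\\.|[^\\()])*)\)", re.S)


def normalize_target(raw: bytes) -> str:
    """Strip backslash escapes, surrounding whitespace and quotes, then lowercase."""
    unescaped = re.sub(rb"\\(.)", rb"\1", raw, flags=re.S)
    return unescaped.decode("latin-1").strip().strip("\"'").strip().lower()


def find_launch_targets(pdf: bytes):
    """Return (raw, normalized, risky) for every /F string in a /Launch action."""
    findings = []
    for obj in OBJECT.finditer(pdf):
        body = obj.group(1)
        if not LAUNCH.search(body):
            continue  # not a Launch action, ignore its /F entries
        for match in F_LITERAL.finditer(body):
            raw = match.group(1)
            target = normalize_target(raw)
            findings.append((raw.decode("latin-1"), target, target.endswith(RISKY_SUFFIXES)))
    return findings


# Constructed sample: the two /F forms quoted in the post plus a benign launch target.
SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) >> >> endobj
3 0 obj << /Type /Action /S /Launch /Win << /F ("cmd.exe") >> >> endobj
4 0 obj << /Type /Action /S /Launch /F (manual.pdf) >> endobj
"""

if __name__ == "__main__":
    for raw, target, risky in find_launch_targets(SAMPLE):
        print(f"{raw!r:14} -> {target!r:14} risky={risky}")
```

The raw values of objects 2 and 3 differ, so a verbatim string comparison treats them as different targets; after normalization both resolve to the same executable name.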
1. Update Adobe Reader to the latest version 9.3.3.
2. Download PoC (Run Cmd.exe /c "calc.exe")
Le Manh Tung
Senior Security Researcher