
Adobe Reader 11.0.03 Insecure Third Party Components

Posted on 11 July 2013
Source: packetstormsecurity.org

 

Hi @ll,

the current Adobe Reader 11.0.03 installs the following VULNERABLE (3rd party)
components:

1. Adobe Flash Player Plugin 11.5.502.110

| X:\>filever.exe /S "%ProgramFiles%\Adobe\npswf*.dll"
| x:\program files\adobe\reader 11.0\reader\npswf*.dll
| --a-- W32i DLL ENU 11.5.502.110 shp 14,588,632 05-11-2013 npswf32.dll

Cf. <http://www.adobe.com/support/security/bulletins/apsb13-17.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-16.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-14.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-11.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-09.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-08.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-05.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-04.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-01.html>
and <http://www.adobe.com/support/security/bulletins/apsb12-27.html>

The wise guys at Adobe missed 10 security updates of their own product!

2. MSVC++ 2008 runtime libraries 9.0.21022.8

| X:\>filever.exe /S "%SystemRoot%\WinSxS\msvc?90.dll"
| x:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvc?90.dll
| --a-- W32i DLL ENU 9.0.21022.8 shp 224,768 11-06-2007 msvcm90.dll
| --a-- W32i DLL ENU 9.0.21022.8 shp 568,832 11-07-2007 msvcp90.dll
| --a-- W32i DLL ENU 9.0.21022.8 shp 655,872 11-07-2007 msvcr90.dll

These DLLs have been updated several times since 2007-11-07, cf.
<http://support.microsoft.com/kb/973551> and
<http://support.microsoft.com/kb/973552> alias
<http://www.microsoft.com/technet/security/bulletin/ms09-035>
as well as <http://support.microsoft.com/kb/2467174> and
<http://support.microsoft.com/kb/2538243> alias
<http://www.microsoft.com/technet/security/bulletin/ms11-025>

JFTR: Adobe Reader XI was released 2012-09-24, more than one year after
MS11-025!

3. MSVC++ 2010 runtime libraries 10.0.40219.1

| X:\>filever.exe /S "%SystemRoot%\System32\msvc?100.dll"
| x:\windows\system32\msvcp100.dll
| --a-- W32i DLL ENU 10.0.40219.1 shp 421,200 02-19-2011 msvcp100.dll
| x:\windows\system32\msvcr100.dll
| --a-- W32i DLL ENU 10.0.40219.1 shp 773,968 02-19-2011 msvcr100.dll

Cf. <http://support.microsoft.com/kb/24671743> and
<http://support.microsoft.com/kb/2565063> alias
<http://www.microsoft.com/technet/security/bulletin/ms11-025>

JFTR: Adobe Reader XI was released 2012-09-24, more than one year after
MS11-025!

Unfortunately, the wise guys at Adobe don't know the platform on which their
product runs and include the MSVC++ 2008 and 2010 runtimes via MSI merge module.

Due to a well-known idiosyncrasy of Windows Update Agent M$FT components
installed via MSI merge module are NOT detected and thus not updated by M$FT ...
although M$FT advises their users to do so!

From the FAQ section of
<http://www.microsoft.com/technet/security/bulletin/ms11-025>

| In the case where a system has no MFC applications currently installed but
| does have the vulnerable Visual Studio or Visual C++ runtimes installed,
| Microsoft recommends that users install this update as a defense-in-depth
| measure, in case of an attack vector being introduced or becoming known at
| a later time.

4. Additionally, the following dangling references to Acrobat.exe are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\OpenWithList\Acrobat.exe]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdfxml\OpenWithList\Acrobat.exe]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AcroExch.Document.11\protocol\StdFileEditing\server]
@="\"Acrobat.exe\""

The latter allows the execution of a rogue program named "Acrobat.exe" from
CWD via OLE in the security context of the logged on user.

Cf. <http://technet.microsoft.com/security/advisory/2269637>
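
Added example (not part of the original post, and not Adobe or Microsoft code): a Python check that reads a registry export and reports protocol\StdFileEditing\server commands whose executable has no absolute path, the condition item 4 describes. The sample export and the Example.Document.1 ProgID are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in regedit export syntax. The first key mirrors the entry
# quoted in the post; Example.Document.1 is a hypothetical, correctly
# qualified registration for comparison.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AcroExch.Document.11\protocol\StdFileEditing\server]
@="\"Acrobat.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Example.Document.1\protocol\StdFileEditing\server]
@="\"C:\\Program Files\\Example\\example.exe\" /automation"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdfxml\OpenWithList\Acrobat.exe]
@=""
'''

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
DEFAULT_RE = re.compile(r'^@="(.*)"\s*$')
SERVER_SUFFIX = r'\protocol\stdfileediting\server'


def unescape(value):
    """Undo .reg string escaping: a backslash protects the next character."""
    return re.sub(r'\\(.)', r'\1', value)


def executable_of(command):
    """Return the program part of a command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(' ', 1)[0]


def unqualified_ole_servers(reg_text):
    """Yield (key, exe) for OLE server commands without an absolute path."""
    key = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DEFAULT_RE.match(line)
        if m and key and key.lower().endswith(SERVER_SUFFIX):
            exe = executable_of(unescape(m.group(1)))
            # A bare file name is resolved through the search path, CWD included.
            if exe and not PureWindowsPath(exe).is_absolute():
                yield key, exe
```

Exports written by regedit in "Version 5.00" format are UTF-16, so decode the file accordingly before passing its text to unqualified_ole_servers().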

5. On Windows XP the following superfluous registry entries are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\"
"AppName"="AcroBroker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{358E6F10-DE8A-4602-8424-179CA217F8EE}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
"AppName"="AcroRd32Info.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\"
"AppName"="AdobeARM.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}]
"Policy"=dword:00000003
"AppName"="AdobeCollabSync.exe"
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
"AppName"="AcroRd32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A2397324-4D73-4870-A795-995C56F49FBD}]
"Policy"=dword:00000001
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
"AppName"="arh.exe"

If the wise guys at Adobe knew the platform on which their product runs
a little better they'd probably know that "Low Rights\Elevation Policy"
is supported on Windows Vista and later only.

Stefan Kanthak

PS: the "PDF Preview Handlers" which are installed unconditionally on
Windows XP are superfluous too (at least when Outlook 2007 is not
installed).
Cf. <http://msdn.microsoft.com/library/cc144143.aspx>

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]
@="{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}]
"AppID"="{5D238751-7E51-4F24-9E7D-93C58881B20B}"
"DisplayName"="@\"X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlrshim.exe\",-101"
@="Adobe PDF Preview Handler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\LocalServer32]
@="\"X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlrshim.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\ProgID]
@="PDFPrevHndlrShim.PDFPrevHndlrShim.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\TypeLib]
@="{A58FB5B3-CF96-4C63-B0D2-232A1AEA1A1B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\VersionIndependentProgID]
@="PDFPrevHndlrShim.PDFPrevHndlrShim"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}]
"AppID"="{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}"
@="Adobe PDF Preview Handler for Vista"
"DisplayName"="@X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlr.dll,-101"
"DisableLowILProcessIsolation"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32]
@="X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlr.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ProgID]
@="PDFPrevHndlr.PDFPreviewHandler.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\TypeLib]
@="{0F6D3808-7974-4B1A-94C2-3200767EACE8}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID]
@="PDFPrevHndlr.PDFPreviewHandler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler]
@="Adobe PDF Preview Handler for Vista"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler\CLSID]
@="{DC6EFB56-9CFA-464D-8880-44885D7DC193}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler\CurVer]
@="PDFPrevHndlr.PDFPreviewHandler.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler.1]
@="Adobe PDF Preview Handler for Vista"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler.1\CLSID]
@="{DC6EFB56-9CFA-464D-8880-44885D7DC193}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim]
@="Adobe PDF Preview Handler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim\CLSID]
@="{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim\CurVer]
@="PDFPrevHndlrShim.PDFPrevHndlrShim.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim.1]
@="Adobe PDF Preview Handler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim.1\CLSID]
@="{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers]
"{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"="Adobe PDF Preview Handler"
"{DC6EFB56-9CFA-464D-8880-44885D7DC193}"="Adobe PDF Preview Handler for Vista"
