Adobe Reader (formerly Acrobat Reader) is a ubiquitous application for viewing PDF (Portable Document Format) documents.

Since version 4.0, Acrobat includes JavaScript functionality allowing for customization and extensibility. Acrobat JavaScript is an extension of the core JavaScript which adds Acrobat-specific classes that enable the author to manage document related tasks. These classes include app, dbg, console, SOAP, ADBC, util, etc.

The util object provides the printf method which takes as argument, a format string specifier and values to be formatted; then it returns the corresponding formatted string. For example:

   var num = 12345
   util.printf(“%.2f”, num)

We get 12345.00.

There exists a stack buffer overflow in Adobe Reader when parsing specially crafted PDF files. Specifically, the vulnerability is caused due to a boundary error when parsing format strings containing a floating point specifier in the “util.printf()” JavaScript function. If the format string contains specific width for a floating point number, the code will copy the padding spaces (0x20) to a stack-allocated buffer with fixed length. Supplying an overly large width will overflow the buffer with spaces and overwrite SEH. For Example:

   var num = 1.2
   util.printf(“%5000f”, num)

This causes the byte 0x20 to be copied 5000 times on the stack and overflows the buffer.

An attacker can exploit this vulnerability by enticing a user to open a PDF document, which contains a malformed floating point specifier in the “util.printf()” JavaScript function. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the currently logged in user. Code injection that does not result in execution would terminate the application due to memory corruption.

To evade the detection of the attack an attacker might use obfuscate techniques. For example, one of the PDF files exploiting this vulnerability contains the following FlateDecode stream:

x48x89xACx57x6Dx8Bx14x31x0CxFEx2ExF8x27x0Ex06xEE
x10x64xB6x69xD3x19xFCxE4xEEx9ExFFx43x8Ex05x05xF1
xC4x53x7FxBFx4DxFAx96xA4x5DxCFx13x61x76xE8xA6xE9
xD3xE4xC9x4Bx3Bx97x5Fx1FxBFxDCxFExFCx7Ax79x7AxF8
xF8xEDx72x7Bx73xF3xE6x66x49xBFx88x0Bx1Ex78xE0x16
[…truncated]
xE3xC3xEDx8FxEFx3Fx2Fx77xEFx7Ex0Bx30x00xDAxDAxDC
xBB

Which would be decoded as:

function main() {

var sccs = unescape(“%u03eb%ueb59%ue805%ufff8[…truncated]“);

app.setTimeOut(“main()”, 5000);

SonicWALL Gateway AntiVirus provides protection against this vulnerability via GAV: PDF.util.printf.AS (Exploit) and PDF.util.printf.AS_2 (Exploit) signatures.

Oracle BEA WebLogic Server is a multi-tier Java Application Server platform. In a two and three-tier application architecture, a web server is used to receive forms or HTTP requests, then pass them to application servers, which perform actual processing. A connector software refers to the component used by web server to communicate with the application server. Oracle BEA WebLogic Server ships with a connector, named mod_wl, for Apache HTTP server.

Normally an HTTP POST request is sent in one stream, unless the HTTP header Transfer-Encoding is specified. A common value of the Transfer-Encoding header is “chunked”.

There exists a buffer overflow vulnerability in Oracle BEA WebLogic Server’s connector software for Apache HTTP server. Specifically, the vulnerability is due to improper parsing of HTTP Transfer-Encoding headers sent to the Apache Web server. When a Transfer-Encoding header containing unrecognized value is received, the connector software of WebLogic Server copies the header value into a stack buffer of fixed size using a sprintf() function. It has been observed that the vulnerable code does not verify the length of the string before copying it to the buffer.

A remote unauthenticated attacker could exploit this vulnerability by sending a crafted HTTP request containing overly long Transfer-Encoding value to the vulnerable WebLogic connector software. Successful exploitation would result in code injection and execution with the privileges of the service, normally “System” on Windows platform.

SonicWALL has released an IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

• 3596 WEB-ATTACKS Transfer-Encoding HTTP Header BO Attempt

A vulnerability has been reported in the Server service of most versions of Microsoft Windows. This service facilitates file, print, and named-pipe sharing over the network for Windows-based computers. These remote access facilities are often utilized for Remote Procedure Calls (RPC).

Calling RPC methods on a remote machine entails opening a named pipe as a file and accessing the RPC interface through a Universally Unique Identifier (UUID). Some Microsoft operating systems do not require authentication to access several named pipes. The srvsvc pipe is an alias to the ntsvcs named pipe and can be accessed by several other aliases. The srvsvc interface is registered with the UUID “4B324FC8-1670-01D3-1278-5A47BF6EE188”. The interface exposes a set of functions that enumerate and configure shares, sessions and other resources on the server. Two RPC functions that are provided by the SRVSVC interface are listed below:

• NetprPathCanonicalize
• NetprPathCompare

The function NetprPathCanonicalize, with opcode 31, normalizes a path name by converting slash characters to backslash characters and removing directory traversal sequences. Another RPC function, NetprPathCompare, with opcode 32, internally calls the NetprPathCanonicalize function to normalize path names before comparing them. Thus RPC calls to NetprPathCompare also invoke NetprPathCanonicalize.

The server side implementation of NetprPathCanonicalize RPC function is provided by the library NETAPI32.DLL. The calling syntax of this function is as follows:

long NetprPathCanonicalize(
[in] [string] [unique] wchar_t *ServerName,
[in] [string] [ref] wchar_t *PathName,
[in] long OutBufLen;
[in] [string] [ref] wchar_t *Prefix,
[in] [out] [ref] long *PathType;
[in] long PathFlags;
);

A stack buffer overflow vulnerability exists in the way the Server service processes the PathName argument to the NetprPathCanonicalize function. The affected code fails to properly handle cases where directory traversal sequences result in traversing past the root path as in the following case:

/pathpart1/../../pathpart2

In such cases, the code will internally copy the string, less the traversal sequence and the path which precedes it into a calculated destination buffer. The destination buffer for the copied string is found by searching for the first slash character which precedes the traversal sequence. Normally, this ends up as being the beginning of the source string. Such that the process of normalizing the first traversal in the above example will end up with the following string:

/../pathpart2

Since the next traversal sequence that is to be normalized is not preceded by a path, the search for the first slash character preceding this sequence will incorrectly end up at a memory location in front of the designated buffer. Such that, if a slash character happens to exist on the stack in a vulnerable location, then the source string will be copied into that location.

It has been observed that the stack can be manipulated in a favourable way by the attacker by calling the affected RPC function twice wherein the second time it is called, the copy will overwrite the designated stack buffer.

A remote attacker can exploit this vulnerability by sending specially crafted RPC requests to an affected system. Successful exploitation may result in execution of arbitrary code on the target host with System privileges. A denial of service condition may ensue in cases of unsuccessful attacks.

SonicWALL has released two signatures which will detect and block generic exploitation attempts of this vulnerability. The following IPS signatures have been deployed to address this issue:

• 1160 – SRVSVC NetPathCanonicalize BO Attempt 1 (MS08-067)
• 1161 – SRVSVC NetPathCanonicalize BO Attempt 2 (MS08-067)
• 1174 – SRVSVC NetPathCanonicalize BO Attempt 3 (MS08-067)
• 1178 – SRVSVC NetPathCanonicalize BO Attempt 4 (MS08-067)
• 1186 – SRVSVC NetPathCanonicalize BO Exploit 1 (MS08-067)

The SQL Injection Attack is not new to the SonicWALL customers, but it is still popular. An article about it was released by SonicWALL UTM team two months ago. In that article, we have explained the details of this type of attacking. Also, we provided statistics data about the attacks around that time.

During the past two months, there are more SQL Injection Attack waves happened. The following figure shows the hits statistics of all the SQL Injection related signatures from June 2008 on. And it indicates there were three waves of attacks, and two of them happened in August 2008.

To provide more protection to the SonicWALL customers from being affected by the SQL Injection Attacks, the SonicWALL UTM team re-classified the SQL related signatures, and created a new category called SQL-Injection. There are 36 signatures re-classified into the new category. The detailed signature names can be found here. With this new category, the customers can easily manage the SQL Injection related signatures, no matter the signatures are in low or high priority.

Note that the figure is more accurate than the one from the last article because it shows all the 36 SQL Injection signatures instead of 11 signatures for the last time.