by Tan Chew Keong
Release Date: 2007-10-09
A vulnerability has been found in Adobe PageMaker for Windows. When exploited, the vulnerability allows execution of arbitrary code when the user opens a specially-crafted PageMaker (PMD) file.
According to the vendor, the following version is also affected.
- Adobe PageMaker 7.0.1 for Windows (30-day TryOut version)
- Adobe PageMaker 7.0.2 (full version)
A stack-based buffer overflow occurs in Adobe PageMaker for Windows when a specially-crafted PageMaker (PMD) file that contains an overly long font-name is opened. This is due to a boundary error in MAIPM6.DLL when copying the font-name into a fixed-length stack buffer. This can be exploited to execute arbitrary code on the user's system when the user opens a malicious PMD file.
In order to exploit this vulnerability successfully, the user must be convinced to open a specially-crafted PMD file. Execution of arbitrary code using this vulnerability has been confirmed on English WinXP SP2 using the 30-day TryOut version of PageMaker 7.0.1.
The following screen capture shows that it is possible to overwrite the saved EIP using the vulnerability.
POC / Test Code
The following POC PMD files will exploit the vulnerability to run calc.exe or crash PageMaker. The code execution POC has been successfully tested on English WinXP SP2 with PageMaker 7.0.1 (TryOut version).
- pagemaker701-EXP.pmd (exploits the stack-based buffer overflow to run calc.exe on English WinXP SP2)
- pagemaker701-CRASH.pmd (crashes PageMaker by using the stack-based buffer overflow to overwrite the saved EIP)
Instructions to reproduce the vulnerability:
- Download the POC files and save them to the hard-disk.
- Make backup copies of the files as they will be modified by PageMaker after they are opened. The modified files may not trigger the vulnerability correctly the next time they are used.
- Run PageMaker.
- Open one of the POC files in PageMaker.
- Successful exploit will either run calc.exe after a short delay or crash PageMaker immediately. Note: calc.exe will run only after a delay of 1 to 2 minutes due to the use of shellcode hunter.
Patch / Workaround
Apply patch from vendor.
2007-07-16 - Vulnerability discovered.
2007-07-18 - Initial vendor notification.
2007-07-18 - Initial vendor reply.
2007-07-18 - Vulnerability description and POC files sent to vendor.
2007-07-21 - Received confirmation from vendor that full version of PageMaker 7.0.2 is also affected.
2007-08-29 - Received patch release schedule from vendor.
2007-09-27 - Received patch for testing.
2007-10-09 - Vendor releases patch and security bulletin.
2007-10-09 - Public disclosure.