Rule: 

--
Sid: 
100000101

-- 
Summary: 
This event is generated when an attempt is made to exploit a buffer overflow vulnerability present in the Adobe Acrobat/Acrobat Reader ActiveX control, pdf.ocx.

-- 

Impact: 
By using properly crafted packets, attackers may execute arbitrary code of their choosing with the privileges of the user running the affected software.

--
Detailed Information:
This rule detects attempts to overflow the heap of the Adobe Acrobat/Acrobat Reader ActiveX control, pdf.ocx. URI requests of 1,050 bytes or greater which are received by this control will cause a buffer overflow and allow arbitrary code execution with the privileges of the affected user. This rule is used in conjunction with SID 100000100.

--
Affected Systems:
Adobe Acrobat 5.0
Adobe Acrobat 5.0.5
Adobe Acrobat 6.0
Adobe Acrobat 6.0.1
Adobe Acrobat Reader 5.0
Adobe Acrobat Reader 5.0.5
Adobe Acrobat Reader 5.1
Adobe Acrobat Reader 6.0
Adobe Acrobat Reader 6.0.1

--

Attack Scenarios: 
A web browser or automated script may be used to exploit this vulnerability.

-- 

Ease of Attack: 
Simple, as simply typing a long URI into a web browser will suffice.

-- 

False Positives:
None Known.

--
False Negatives:
None Known.

-- 

Corrective Action: 
Upgrade to Adobe Acrobat/Acrobat Reader 6.0.2.
An alternate workaround is available: disable "Display PDF in browser" under Edit -> Preferences.

--
Contributors: 
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>
Alex Kirk <alex.kirk@sourcefire.com>

-- 
Additional References:
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=2589&fileID=2433

--
