TITLE: Adobe Document/Graphics Server File URI Resource Access SECUNIA ADVISORY ID: SA19229 VERIFY ADVISORY: http://secunia.com/advisories/19229/ CRITICAL: Moderately critical IMPACT: Manipulation of data, Exposure of sensitive information, System access WHERE: >From local network SOFTWARE: Adobe Graphics Server 2.x http://secunia.com/product/5397/ Adobe Document Server 5.x http://secunia.com/product/8714/ Adobe Document Server 6.x http://secunia.com/product/1224/ DESCRIPTION: Secunia Research has discovered a vulnerability in Adobe Document Server and Adobe Graphics Server, which can be exploited by malicious people to gain knowledge of potentially sensitive information, overwrite arbitrary files, or compromise a vulnerable system. The vulnerability is caused due to the "loadContent", "saveContent", and "saveOptimized" ADS (Adobe Document Server) commands allowing graphics or PDF files to be retrieved from or saved to arbitrary locations on the server using File URIs via the AlterCast web service running on port 8019. Files can be saved with arbitrary extensions. This can be exploited by sending a specially-crafted SOAP request to write a graphics file (with HTA extension) containing malicious JavaScript as metadata to e.g. the server's "All Users" startup folder. This file will be executed the next time any user logs in. Successful exploitation requires that the service is configured to run with SYSTEM privileges (default) or with privileges of a normal user that has been granted interactive logon rights. The vulnerability has been confirmed in Document Server 6.0 (p026) and Graphics Server 2.1 (d013). Other versions may also be affected. SOLUTION: The vendor has published additional hardening steps to prevent exploitation of the vulnerability (see vendor advisory for details). PROVIDED AND/OR DISCOVERED BY: Tan Chew Keong, Secunia Research. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2005-28/ Adobe: http://www.adobe.com/support/techdocs/332989.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------