-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5
Find attached the detailed information about the bugs/vulnerabilities
we have found in The Adobe eBook Library.
- --
Sincerely yours,
Vladimir
Vladimir Katalov
Managing Director
ElcomSoft Co.Ltd.
Member of Russian Cryptology Association
mailto:info@elcomsoft.com
http://www.elcomsoft.com (Corporate site)
http://www.crackpassword.com (Password Recovery Software)
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQEVAwUAPS7D14avf/iY3ldlAQFtbQf/TAvucVkcbkK63KOg/bVUXRzg8I106UaT
kROzh9GoqJPxh9Gp5xFJASg5cGPrHaNeDq6kMksHBL4EBpsUtjheCaZGBk0w66GK
+Kj6A0X1QW28/vTo9GKcBlLB3TGkVQrrCod7ofluIJHe9Jcd+ca85s9BfiEm02B+
MplH5hkQGrE2G4M+UPRATpzXAgvyu1eW+IA5l3aNmDOQNrXsAZchR8mZm7KY3E2H
sjTS9rnDkH8CdjV04WB8C7D7d/yoWVdL/MG0ghRekw1TUeyFjtFEKv62EsU6zBMV
+1gNk56LXEWMJHKsMU81kPRrmCQNwtL7zM+ApHIu6sXqMQ+fsJEc4Q==
=iwne
-----END PGP SIGNATURE-----
CONTACT INFORMATION
===============================================================================
Name : Vladimir Katalov
E-mail : info@elcomsoft.com
Phone / fax : +7 095 216-7937
+1 866 448-2703 (fax; US, toll-free)
Affiliation and address: 2-171 generala Antonova st.
Moscow 117279
Russia
TECHNICAL INFO
===============================================================================
Description
-----------
Adobe Systems Incorporated (http://www.adobe.com) recently opened
a special web site to demonstrate the new library features of
Adobe Content Server 3.0 (http://www.adobe.com/products/contentserver).
According to Adobe description, "The Adobe eBook Library uses Adobe
Content Server as a secure repository for the eBooks". The library
is located at:
http://librarydemo.adobe.com/library/
There are a few books available -- 5 copies of each. The customer
can borrow any book for a fixed period of time (one or three days);
when one customer gets a book, the counter ("number of books
available") is decreased, and when it reaches zero, this book
becomes not available until at least one other customer will return
it to the library, or loan period will expire. However, there are three
bugs/vulnerabilities there:
1. It is possible to get all available copies of any book --
Adobe Acrobat eBook Reader doesn't check if you have borrowed the
given book already.
2. The loan period (one or three days) is not verified. It is implemented
in the script using the following
<FORM id=form2 name="form2" ACTION="http://librarydemo.adobe.com/library/download.asp"; METHOD="POST">
<INPUT type=hidden value=133 name=bookid>
<INPUT type=radio CHECKED value=1440 name=loanMin> Borrow for 1 day<BR>
<INPUT type=radio value=4320 name=loanMin> Borrow for 3 days<BR>
...
The value of loanMin is the loan period in minutes (1440 for one
day, and 4320 for three days). It is possible to save the form to
the local disk, change one of the values to the one you need (i.e.
525600 for one year), load the updated form into the browser, and
by pressing the "Add to bookbag" button borrow this book for the
selected ("fake") period.
3. When the book counter reaches zero, the user can see a note near the
book description:
There are currently none available.
Please check back later.
However, the "Add to bookbag" button is still available and working
just fine, i.e. it is still possible to get another copy (copies) of
the book. And the "Number of Books" counter (on the library page)
becomes negative.
The impact
----------
By combining bugs [1] and [2], it is very easy to implement something
like "Denial-of-service" attack for the library: just get all copies of
all books from the library (for very large period of time -- e.g. a few
years). So no books will be available to anybody else.
Besides, there is ability to borrow the books for unlimited time.
Possible workaround/fixes
-------------------------
The script should verify 'loanMin' input value, and should
not allow to borrow the book if it does not match pre-defined
values, or if number of books available is already zero.
OTHER INFORMATION
===========================================================================
Some time ago we have found much more serious problem with another
Adobe software and reported it to the vendor; however, there was no
response at all, and so we decided not to waste our time reporting
this one (about the library) to Adobe.
