Thank you, Mario, but our printSeps() is in another castle!

Fri 26 November 2010 by julien

This post details the way Adobe patched the printSeps() vulnerability in Adobe Reader (CVE-2010-4091). You'll see that the way Adobe fixed the vulnerability is quite surprising...
    push    offset printSepsWithParamsHandler ; offset of native handler
    push    offset aPrintsepswithp            ; "printSepsWithParams" : offset of method name
    push    esi                               ; int
    call    RegisterMethod                    ; function responsible for method registration
    push    offset scrollHandler              ; int
    push    offset aScroll                    ; "scroll"
    push    esi                               ; int
    call    RegisterMethod
    push    offset mailDocHandler             ; int
    push    offset aMaildoc                   ; "mailDoc"
    push    esi                               ; int
    call    RegisterMethod
    mov     [ebp+var_30], edi
    jnz     short loc_2382EB7C
    push    [ebp+FunctionName]        ; gives the method name as argument
    lea     ebx, [ebp+var_30]
    mov     eax, edi
    call    RetrieveHandlerByName     ; function returns the native handler address if it is found
    pop     ecx
    ...
    mov     esi, [ebp+var_30]
    push    edi
    push    [ebp+FunctionName]        ; gives the method name as argument
    push    2
    call    IsMethodCallable          ; function returns a boolean indicating whether the caller has sufficient rights to call the method
    add     esp, 10h
    test    al, al
    ...
    push    esi
    push    [ebp+var_24]
    push    [ebp+FunctionName]
    push    [ebp+var_28]
    call    [ebp+HandlerFunc]         ; calls the native handler whose address has just been resolved
    call    sub_23825DDD
    test    ax, ax
    jnz     short loc_23802D71
    push    offset sub_2383904D       ; int
    push    offset aPrintseps         ; "printSeps"
    push    esi                       ; int
    call    RegisterMethod
loc_23802D71:
Whether the printSeps method is added to the Doc object depends on the result of the function at offset 0x23825DDD: the RegisterMethod call is made only when that function returns zero, since a non-zero result makes the jnz skip it. The function is equivalent to the following C code:

    /* returns 1 when the product name is "Reader", 0 otherwise */
    if (wcscmp(ProductName, L"Reader") == 0)
        return 1;
    else
        return 0;
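To make the effect of this gate concrete, here is a constructed C model of the method registry and lookup shown in the listings above (added for this write-up, not Adobe's code): the handler functions, the table layout and the return values are assumptions, but the registration order, the product-name check and the conditional RegisterMethod call follow the disassembly.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Constructed model of the registry seen in the disassembly: RegisterMethod
 * binds a method name to a native handler, RetrieveHandlerByName resolves it
 * later by name. Handlers are stand-ins returning a tag, not Reader code. */
typedef int (*native_handler_t)(void);
struct method_entry { const char *name; native_handler_t handler; };
static struct method_entry g_methods[8];
static size_t g_method_count;

static int printSepsWithParamsHandler(void) { return 1; }
static int scrollHandler(void)              { return 2; }
static int mailDocHandler(void)             { return 3; }
static int printSepsHandler(void)           { return 4; }

static void RegisterMethod(const char *name, native_handler_t handler)
{
    if (g_method_count < sizeof g_methods / sizeof g_methods[0])
        g_methods[g_method_count++] = (struct method_entry){ name, handler };
}

/* Model of sub_23825DDD: 1 when the product name is "Reader", else 0. */
static int IsReaderProduct(const wchar_t *product_name)
{
    return wcscmp(product_name, L"Reader") == 0;
}

/* Builds the Doc method table and returns its size. printSeps is registered
 * only when the product check returns 0, mirroring the jnz in the patch. */
static size_t RegisterDocMethods(const wchar_t *product_name)
{
    g_method_count = 0;
    RegisterMethod("printSepsWithParams", printSepsWithParamsHandler);
    RegisterMethod("scroll", scrollHandler);
    RegisterMethod("mailDoc", mailDocHandler);
    if (!IsReaderProduct(product_name))
        RegisterMethod("printSeps", printSepsHandler);
    return g_method_count;
}

/* Model of RetrieveHandlerByName: NULL when no handler was registered. */
static native_handler_t RetrieveHandlerByName(const char *name)
{
    for (size_t i = 0; i < g_method_count; i++)
        if (strcmp(g_methods[i].name, name) == 0)
            return g_methods[i].handler;
    return NULL;
}
```

With the product name set to "Reader" the lookup for "printSeps" fails because the method was never registered, while any other product name still gets the handler.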