Local Privilege Escalation in Adobe Reader Installer

Adobe has investigated the local privilege escalation issue with Adobe Reader that was recently posted to milw0rm and is working with the third party responsible for this component to develop a schedule for a fix. Affected versions are the full installer for Adobe Reader 9.1.0 and 8.1.3 for Windows (CVE-2009-2564). Please note that this is not related to CVE-2009-1862.
Here are some details based on our investigation:

  • In the described exploit, an attacker could replace the getPlus_HelperSvc.exe file with malicious files that could potentially be executed in the context of Local System, resulting in a privilege escalation.
  • The issue is only locally exploitable. This means that an attacker would have to already have access to the target computer.
  • getPlus binaries are only used in the installation of Adobe Reader. The binaries delete themselves after reboot. Therefore, most users will not have these binaries present on their machine and will not be vulnerable.
  • The attacker would have to be able to start the getPlus helper service, which is stopped after installation is complete, and can only be restarted manually by an Administrator or Power User.

We rate this vulnerability as ‘Moderate’ according to our Severity Rating System because:

  • The vulnerable getPlus binaries will not exist on most machines since they are deleted after the first reboot after installation of Adobe Reader.
  • The attacker must have local access to the machine to perform the attack.
  • To perform the exploit, the attacker would have to be able to start the getPlus helper service, which is stopped after installation is complete, and can only be restarted manually by an Administrator or Power User.

Users can verify they are not vulnerable to this attack by checking the following:

  • Ensure that the C:\Program Files\NOS folder and its contents are not present on your system
  • Click “Start” > “Run” and type “services.msc”. Ensure that “getPlus(R) Helper” is not in the list of services

If the NOS files are found, the issue can be mitigated by:

  • Deleting the C:\Program Files\NOS folder and its contents
  • Clicking “Start” > “Run”, typing “services.msc”, and deleting “getPlus(R) Helper” from the list of services
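As an added example (this is not Adobe's code and is not part of the original advisory), the PowerShell script below automates both the check and the mitigation described above, so an administrator can audit a fleet for leftover getPlus installer components rather than opening services.msc on each machine. It assumes the folder is at C:\Program Files\NOS as the advisory states (the Program Files (x86) variant is also checked, which is an assumption, not something the advisory mentions), that the service is the one whose display name in services.msc is “getPlus(R) Helper”, and that removal is run from an elevated session. The function names `Test-GetPlusRemnants` and `Remove-GetPlusRemnants` are hypothetical names chosen for this example.

```powershell
# Added example, not Adobe's code: audit a Windows host for the getPlus
# installer remnants named in the advisory and, optionally, remove them.
# Assumptions: the folder is C:\Program Files\NOS (as stated in the advisory;
# the Program Files (x86) variant is an added guess for 64-bit hosts), and the
# service is the one with display name "getPlus(R) Helper" in services.msc.
# Removal requires an elevated (Administrator) PowerShell session.

$script:GetPlusFolders = @(
    'C:\Program Files\NOS',          # path given in the advisory
    'C:\Program Files (x86)\NOS'     # assumption: 32-bit installer on 64-bit Windows
)
$script:GetPlusDisplayName = 'getPlus(R) Helper'

function Test-GetPlusRemnants {
    <#
    .SYNOPSIS
      Report whether the NOS folder or the getPlus helper service is present.
      Both must be absent for the host to be outside the affected population.
    #>
    [CmdletBinding()]
    param()

    $folders = @($script:GetPlusFolders | Where-Object { Test-Path -LiteralPath $_ })
    # Look the service up by display name so the internal service name is not guessed.
    $service = Get-Service -DisplayName $script:GetPlusDisplayName -ErrorAction SilentlyContinue

    $serviceName   = $null
    $serviceStatus = $null
    if ($service) {
        $serviceName   = $service.Name
        $serviceStatus = $service.Status.ToString()
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        FoldersPresent = $folders
        ServicePresent = [bool]$service
        ServiceName    = $serviceName
        ServiceStatus  = $serviceStatus
        Vulnerable     = ($folders.Count -gt 0) -or ([bool]$service)
    }
}

function Remove-GetPlusRemnants {
    <#
    .SYNOPSIS
      Apply the advisory's mitigation: stop and delete the helper service,
      then delete the NOS folder and its contents. Supports -WhatIf / -Confirm.
    #>
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Removal requires an elevated (Administrator) PowerShell session.'
    }

    $state = Test-GetPlusRemnants

    if ($state.ServicePresent) {
        if ($PSCmdlet.ShouldProcess($state.ServiceName, 'Stop and delete service')) {
            # Stop it first so the delete does not leave a "marked for deletion" entry.
            Stop-Service -Name $state.ServiceName -Force -ErrorAction SilentlyContinue
            # sc.exe delete works on every Windows version the advisory covers;
            # Remove-Service only exists in PowerShell 6 and later.
            & sc.exe delete $state.ServiceName | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "sc.exe delete returned exit code $LASTEXITCODE" }
        }
    }

    foreach ($folder in $state.FoldersPresent) {
        if ($PSCmdlet.ShouldProcess($folder, 'Delete folder and contents')) {
            Remove-Item -LiteralPath $folder -Recurse -Force
        }
    }

    # Re-check and return the post-mitigation state for the caller's records.
    Test-GetPlusRemnants
}

# Usage: audit first, then remove only if something was found.
$before = Test-GetPlusRemnants
$before | Format-List
if ($before.Vulnerable) {
    Remove-GetPlusRemnants -WhatIf   # drop -WhatIf to actually apply the mitigation
}
```

Because `Remove-GetPlusRemnants` is declared with `ConfirmImpact = 'High'`, it prompts before each destructive step unless called with `-Confirm:$false`; the `-WhatIf` run shows what would be removed without touching the host, which is the safer first pass on a machine where the installer may still be mid-run. The audit object returned by `Test-GetPlusRemnants` can be collected from many hosts (for example via `Invoke-Command`) to confirm that the binaries have indeed been deleted after the post-installation reboot, as the advisory expects.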
