Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed Font Stream

EDB-ID:

47274




Platform:

Windows

Date:

2019-08-15


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

--- cut ---
(50a8.4100): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ff3a0000 ebx=00003f11 ecx=00002000 edx=00000001 esi=0077bdfc edi=8c9e5000
eip=64b40fb5 esp=0077bdc0 ebp=0077be18 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
CoolType!CTCleanup+0x26ba7:
64b40fb5 894704          mov     dword ptr [edi+4],eax ds:002b:8c9e5004=????????

0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0077be18 64b05405 64d48440 8605cdcc 00000001 CoolType!CTCleanup+0x26ba7
01 0077be34 64b04548 64d48284 27618cb0 0077c5e8 CoolType!CTInit+0x6267e
02 0077be44 64b10fa7 0077be94 64d50130 0077be88 CoolType!CTInit+0x617c1
03 0077c5e8 64b107bf 8605cdcc 0077c60c 0077c6a8 CoolType!CTInit+0x6e220
04 0077c6a0 64b10736 8d3a8ff8 0077c6ec 8c3ccfa8 CoolType!CTInit+0x6da38
05 0077c6b4 64b106c3 8605cd70 0077c6ec 8c3ccfa8 CoolType!CTInit+0x6d9af
06 0077c6c8 64b1051c 8605cd70 0077c6ec 8c3ccfa8 CoolType!CTInit+0x6d93c
07 0077c70c 64b10398 0077c7ec 5f8bc1ec 0077c7b0 CoolType!CTInit+0x6d795
08 0077c738 64b1032b 0077c7ec 5f8bc1b4 0077c7b0 CoolType!CTInit+0x6d611
09 0077c760 64b10208 8c3c8ff0 0077c7ec 5f8bc144 CoolType!CTInit+0x6d5a4
0a 0077c790 64adb3c0 8c3c8ff0 0077c7ec 5f8bcf58 CoolType!CTInit+0x6d481
0b 0077c98c 64ac036d 8605cd70 0077c9c4 5f8bcf3c CoolType!CTInit+0x38639
0c 0077c9e8 64ac1c20 64d31918 00000001 00000000 CoolType!CTInit+0x1d5e6
0d 0077ca18 64ac5eff 8605cd70 64d31918 00000001 CoolType!CTInit+0x1ee99
0e 0077ca54 64ac036d 8605cd70 0077ca8c 5f8bcc64 CoolType!CTInit+0x23178
0f 0077cab0 64ac1c20 64d319d0 00000001 00000000 CoolType!CTInit+0x1d5e6
10 0077cae0 64ac2229 8605cd70 64d319d0 00000001 CoolType!CTInit+0x1ee99
11 0077cb14 64ac5c4d 64d319d0 92280fc8 00000004 CoolType!CTInit+0x1f4a2
12 0077cb4c 64ac32ba 8ce40fc0 5f8bd684 0077d138 CoolType!CTInit+0x22ec6
13 0077d050 64ac31b3 8605cd70 8ce40fc0 0077d0b0 CoolType!CTInit+0x20533
14 0077d088 64ac2ef7 8605cd70 8ce40fc0 0077d0b0 CoolType!CTInit+0x2042c
15 0077d0cc 64ac2d85 0077d1a0 00000000 8605cd00 CoolType!CTInit+0x20170
16 0077d10c 64acdad7 0077d1a0 8ce40fc0 00000000 CoolType!CTInit+0x1fffe
17 0077d168 64acd96f 0077d1a0 8ce40fc0 91bbb002 CoolType!CTInit+0x2ad50
18 0077d1b8 123bf455 8cae2f08 64d32280 91bbb002 CoolType!CTInit+0x2abe8
19 0077d1dc 123be4e2 91bbb002 00000007 00000000 AcroRd32!DllCanUnloadNow+0x176495
1a 0077e544 123ba692 0077e690 8b972f68 00000004 AcroRd32!DllCanUnloadNow+0x175522
1b 0077e72c 123ba2fe 0077e740 91b7ea98 00000000 AcroRd32!DllCanUnloadNow+0x1716d2
1c 0077e780 123b655c 0077e810 8b972f68 00000000 AcroRd32!DllCanUnloadNow+0x17133e
1d 0077e838 123a93ed b7e1e317 78d62f78 00000000 AcroRd32!DllCanUnloadNow+0x16d59c
1e 0077e918 123a81e8 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
1f 0077e964 1239b383 78d62f78 00000000 00000000 AcroRd32!DllCanUnloadNow+0x15f228
20 0077ead8 1239ac97 9096fdbc 00000001 870c2ef8 AcroRd32!DllCanUnloadNow+0x1523c3
21 0077eb40 12398590 b7e1e1cf 96476e74 870c2ef8 AcroRd32!DllCanUnloadNow+0x151cd7
22 0077ebc0 1239825a 870c2ef8 8de26f40 96476e44 AcroRd32!DllCanUnloadNow+0x14f5d0
23 0077ebfc 12416099 870c2ef8 8de26f40 96476e44 AcroRd32!DllCanUnloadNow+0x14f29a
24 0077ecd4 124157f9 8ae88fc8 00000000 8de26f40 AcroRd32!CTJPEGDecoderRelease+0x2b209
25 0077ed14 12415717 8ae88fc8 00000000 8de26f40 AcroRd32!CTJPEGDecoderRelease+0x2a969
26 0077ed4c 12415669 00000000 8de26f40 0077eecc AcroRd32!CTJPEGDecoderRelease+0x2a887
27 0077ed68 124151ec 8de26f40 0077eecc 0077eee4 AcroRd32!CTJPEGDecoderRelease+0x2a7d9
28 0077ef30 12414a8c 00000009 00000000 ffffffff AcroRd32!CTJPEGDecoderRelease+0x2a35c
29 0077f150 124147d4 124147a0 8991cf90 0077f1a8 AcroRd32!CTJPEGDecoderRelease+0x29bfc
2a 0077f160 1226ed79 8d2061b8 b7e1fba7 8b612ff8 AcroRd32!CTJPEGDecoderRelease+0x29944
2b 0077f1a8 1226e83d 00000744 b7e1f817 15861fd8 AcroRd32!DllCanUnloadNow+0x25db9
2c 0077f218 1226e5d4 b7e1f84f 15861fd8 1226e560 AcroRd32!DllCanUnloadNow+0x2587d
2d 0077f240 12204709 000004d3 00000000 12204270 AcroRd32!DllCanUnloadNow+0x25614
2e 0077f25c 7460e0bb 00bc0f52 00000113 000004d3 AcroRd32!AcroWinMainSandbox+0x8909
2f 0077f288 74618849 12204270 00bc0f52 00000113 USER32!_InternalCallWinProc+0x2b
30 0077f2ac 7461b145 00000113 000004d3 00000000 USER32!InternalCallWinProc+0x20
31 0077f37c 746090dc 12204270 00000000 00000113 USER32!UserCallWinProcCheckWow+0x1be
32 0077f3e8 74608c20 1a382cee 0077f40c 1226da8b USER32!DispatchMessageWorker+0x4ac
33 0077f3f4 1226da8b 0077f428 1583ddd8 1583ddd8 USER32!DispatchMessageW+0x10
34 0077f40c 1226d81e 0077f428 b7e1fe8f 1583ddd8 AcroRd32!DllCanUnloadNow+0x24acb
35 0077f480 1226d6b4 b7e1feb7 1583ddd8 00000000 AcroRd32!DllCanUnloadNow+0x2485e
36 0077f4b8 121fc556 b7e1ff27 1458cff8 00000000 AcroRd32!DllCanUnloadNow+0x246f4
37 0077f528 121fbf81 121d0000 00af0000 1458cff8 AcroRd32!AcroWinMainSandbox+0x756
38 0077f948 00af783d 121d0000 00af0000 1458cff8 AcroRd32!AcroWinMainSandbox+0x181
39 0077fd14 00bffd2a 00af0000 00000000 0b6db3ba AcroRd32_exe+0x783d
3a 0077fd60 73cf8674 0041d000 73cf8650 be42f918 AcroRd32_exe!AcroRd32IsBrokerProcess+0x9940a
3b 0077fd74 77285e17 0041d000 11e63d34 00000000 KERNEL32!BaseThreadInitThunk+0x24
3c 0077fdbc 77285de7 ffffffff 772aadae 00000000 ntdll!__RtlUserThreadStart+0x2f
3d 0077fdcc 00000000 00af1390 0041d000 00000000 ntdll!_RtlUserThreadStart+0x1b
--- cut ---

Notes:

- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled (more consistently with PageHeap, though).

- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data outside of an allocated buffer.

- It seems to be an off-by-one error, leading to an 8-byte overflow.

- Attached samples: poc.pdf (crashing file), original.pdf (original file).

- We have minimized the difference between the original and mutated files down to two bytes at offsets 0x3f523 and 0x40123 (0x65 => 0x75 and 0x15 => 0x05). These bytes reside inside of a Type 1 font stream.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47274.zip