CVE-2018-12766
Information
Out-of-bounds write in AcroRd32.dll while parsing a malformed JBIG2 stream. The faulting instruction (`mov word ptr [eax+ebx],cx` at AcroRd32.dll+0x6026BE) stores into a table at ebx whose entries are 0x1C bytes wide and whose count is esi = 1 << cl (0x100 in this dump; see the initialisation loop at 6dce2678). The entry index is read from the array at [ebp+8] (presumably derived from the JBIG2 stream) and is only bounds-checked against the upper limit with a signed compare (`cmp eax,esi` / `jge`), so a negative value passes; after `imul eax,eax,1Ch` eax is 0x803F0000 here, which sends the write to 0x8B37B400, outside any mapped page. Working backwards from that product, the table entry appears to have been negative (a positive entry that large would have been rejected by the `jge`). The same unchecked, scaled index is reused for the dword stores at [eax+ebx+4], +8, +0x10, +0x14 and +0x18 that follow, so the primitive is more than a single 16-bit store of 1. Note that `CTJPEGTiledContentWriter::operator=+0x1bd3` is merely the nearest exported symbol (the stack frames report no function symbol); the actual function is not named.
Crash Dump:
Stack
AcroRd32.dll + 0x6026BE (id: db5, no function symbol available)
AcroRd32.dll + 0x602587 (id: 2f3, no function symbol available)
AcroRd32.dll + 0x6063BC (no function symbol available)
AcroRd32.dll + 0x602375 (no function symbol available)
AcroRd32.dll + 0x5F8D2F (no function symbol available)
Registers
eax=803f0000 ebx=0af8b400 ecx=00000001 edx=00000007 esi=00000100 edi=0000000d
eip=6dce26be esp=006ffa7c ebp=006ffa88 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
fpcw=027F: rn 53 puozdi fpsw=0021: top=0 cc=0000 --p----i fptw=FFFF
fopcode=0000 fpip=0000:733f282b fpdp=0000:7343c4a0
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 0.000000000000000000000e+0000
st6= 1.000000000000000000000e+0000 st7= 1.107148717794090502970e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=0000000000000000
mm6=8000000000000000 mm7=8db70c975df22363
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=-3.10041e-035 -1.16138e-010 336.491 7.72851e+020
xmm7=0 0 0 1.4013e-045
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
AcroRd32!CTJPEGTiledContentWriter::operator=+0x1bd3:
6dce26be 66890c18 mov word ptr [eax+ebx],cx ds:002b:8b37b400=????
Disassembly of stack frame 1 at AcroRd32.dll + 0x6026BE
6dce2628 59 pop ecx
6dce2629 85db test ebx,ebx
6dce262b 7504 jne AcroRd32!CTJPEGTiledContentWriter::operator=+0x1b46 (6dce2631)
6dce262d 33c0 xor eax,eax
6dce262f eb23 jmp AcroRd32!CTJPEGTiledContentWriter::operator=+0x1b69 (6dce2654)
6dce2631 53 push ebx
6dce2632 ff750c push dword ptr [ebp+0Ch]
6dce2635 ff75fc push dword ptr [ebp-4]
6dce2638 ff7508 push dword ptr [ebp+8]
6dce263b 57 push edi
6dce263c e83e010000 call AcroRd32!CTJPEGTiledContentWriter::operator=+0x1c94 (6dce277f)
6dce2641 8a45fc mov al,byte ptr [ebp-4]
6dce2644 57 push edi
6dce2645 891e mov dword ptr [esi],ebx
6dce2647 884604 mov byte ptr [esi+4],al
6dce264a e8cfd5a2ff call AcroRd32!AcroWinMainSandbox+0x5c9a (6d70fc1e)
6dce264f 83c418 add esp,18h
6dce2652 8bc6 mov eax,esi
6dce2654 5f pop edi
6dce2655 5b pop ebx
6dce2656 5e pop esi
6dce2657 8be5 mov esp,ebp
6dce2659 5d pop ebp
6dce265a c3 ret
6dce265b 55 push ebp
6dce265c 8bec mov ebp,esp
6dce265e 8a4d10 mov cl,byte ptr [ebp+10h]
6dce2661 33c0 xor eax,eax
6dce2663 53 push ebx
6dce2664 8b5d2c mov ebx,dword ptr [ebp+2Ch]
6dce2667 33d2 xor edx,edx
6dce2669 56 push esi
6dce266a 8d7001 lea esi,[eax+1]
6dce266d d3e6 shl esi,cl
6dce266f 57 push edi
6dce2670 85f6 test esi,esi
6dce2672 7413 je AcroRd32!CTJPEGTiledContentWriter::operator=+0x1b9c (6dce2687)
6dce2674 8bc3 mov eax,ebx
6dce2676 8bce mov ecx,esi
6dce2678 33ff xor edi,edi
6dce267a 668938 mov word ptr [eax],di
6dce267d 8d401c lea eax,[eax+1Ch]
6dce2680 668978f2 mov word ptr [eax-0Eh],di
6dce2684 49 dec ecx
6dce2685 75f1 jne AcroRd32!CTJPEGTiledContentWriter::operator=+0x1b8d (6dce2678)
6dce2687 8b7d28 mov edi,dword ptr [ebp+28h]
6dce268a 85ff test edi,edi
6dce268c 0f84aa000000 je AcroRd32!CTJPEGTiledContentWriter::operator=+0x1c51 (6dce273c)
6dce2692 8b450c mov eax,dword ptr [ebp+0Ch]
6dce2695 eb05 jmp AcroRd32!CTJPEGTiledContentWriter::operator=+0x1bb1 (6dce269c)
6dce2697 3bd7 cmp edx,edi
6dce2699 7309 jae AcroRd32!CTJPEGTiledContentWriter::operator=+0x1bb9 (6dce26a4)
6dce269b 42 inc edx
6dce269c 803c0200 cmp byte ptr [edx+eax],0
6dce26a0 74f5 je AcroRd32!CTJPEGTiledContentWriter::operator=+0x1bac (6dce2697)
6dce26a2 3bd7 cmp edx,edi
6dce26a4 0f8492000000 je AcroRd32!CTJPEGTiledContentWriter::operator=+0x1c51 (6dce273c)
6dce26aa 8b4508 mov eax,dword ptr [ebp+8]
6dce26ad 8b0490 mov eax,dword ptr [eax+edx*4]
6dce26b0 3bc6 cmp eax,esi
6dce26b2 0f8da6000000 jge AcroRd32!CTJPEGTiledContentWriter::operator=+0x1c73 (6dce275e)
6dce26b8 6bc01c imul eax,eax,1Ch
6dce26bb 33c9 xor ecx,ecx
6dce26bd 41 inc ecx
AcroRd32!CTJPEGTiledContentWriter::operator=+0x1bd3:
6dce26be 66890c18 mov word ptr [eax+ebx],cx // current instruction
6dce26c2 8b4514 mov eax,dword ptr [ebp+14h]
6dce26c5 0fb60c02 movzx ecx,byte ptr [edx+eax]
6dce26c9 8b4508 mov eax,dword ptr [ebp+8]
6dce26cc 6b04901c imul eax,dword ptr [eax+edx*4],1Ch
6dce26d0 894c1804 mov dword ptr [eax+ebx+4],ecx
6dce26d4 8b4508 mov eax,dword ptr [ebp+8]
6dce26d7 6b0c901c imul ecx,dword ptr [eax+edx*4],1Ch
6dce26db 8b4518 mov eax,dword ptr [ebp+18h]
6dce26de 8b0490 mov eax,dword ptr [eax+edx*4]
6dce26e1 89441908 mov dword ptr [ecx+ebx+8],eax
6dce26e5 8b4d08 mov ecx,dword ptr [ebp+8]
6dce26e8 6b04911c imul eax,dword ptr [ecx+edx*4],1Ch
6dce26ec 89541810 mov dword ptr [eax+ebx+10h],edx
6dce26f0 6b04911c imul eax,dword ptr [ecx+edx*4],1Ch
6dce26f4 89541814 mov dword ptr [eax+ebx+14h],edx
6dce26f8 8b450c mov eax,dword ptr [ebp+0Ch]
6dce26fb 0fb60c02 movzx ecx,byte ptr [edx+eax]
6dce26ff 8b4508 mov eax,dword ptr [ebp+8]
6dce2702 6b04901c imul eax,dword ptr [eax+edx*4],1Ch
6dce2706 894c1818 mov dword ptr [eax+ebx+18h],ecx
6dce270a 33c9 xor ecx,ecx
6dce270c 8b4508 mov eax,dword ptr [ebp+8]
6dce270f 6b04901c imul eax,dword ptr [eax+edx*4],1Ch
6dce2713 66894c180e mov word ptr [eax+ebx+0Eh],cx
6dce2718 8b4518 mov eax,dword ptr [ebp+18h]
6dce271b 8b4d1c mov ecx,dword ptr [ebp+1Ch]
6dce271e 390c90 cmp dword ptr [eax+edx*4],ecx
6dce2721 0f9cc0 setl al
6dce2724 0fb6c8 movzx ecx,al
6dce2727 8b4508 mov eax,dword ptr [ebp+8]
6dce272a 6b04901c imul eax,dword ptr [eax+edx*4],1Ch
PoC
Attached (see Attachments below); the PoC PDF triggers the fault at AcroRd32.dll+0x6026BE listed above.
Attachments:
AVW@Reserved@0x6026BE.pdf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-21.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/