CVE-2018-12768
Information
Out-of-bounds read caused by a malformed JBIG2 stream being parsed in AcroRd32.dll. The faulting instruction, `mov al,byte ptr [ecx]` at AcroRd32.dll + 0x5F3EE4, reads one byte through a stream cursor (loaded from `[esi]`) that points at an unmapped address (`ds:002b:0af25000=??`), so the read runs past the end of the stream buffer.
Crash Dump:
Stack
AcroRd32.dll + 0x5F3EE4 (id: eef, no function symbol available)
AcroRd32.dll + 0x6132CE (id: be0, no function symbol available)
AcroRd32.dll + 0x604165 (no function symbol available)
AcroRd32.dll + 0x602B77 (no function symbol available)
AcroRd32.dll + 0x5F8D2F (no function symbol available)
Registers
eax=0af25000 ebx=00000001 ecx=0af25000 edx=0b1be000 esi=0af2bfdc edi=00000000
eip=6dcd3ee4 esp=008ff550 ebp=008ff56c iopl=0 nv up ei pl nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010213
fpcw=027F: rn 53 puozdi fpsw=0021: top=0 cc=0000 --p----i fptw=FFFF
fopcode=0000 fpip=0000:733f282b fpdp=0000:7343c4a0
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 0.000000000000000000000e+0000
st6= 1.000000000000000000000e+0000 st7= 1.107148717794090502970e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=0000000000000000
mm6=8000000000000000 mm7=8db70c975df22363
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=5.2503e+028 -2.0748e+033 8.25439e+036 -1.6483e-033
xmm7=0 0 0 1.4013e-045
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
AcroRd32!AX_PDXlateToHostEx+0x25f143:
6dcd3ee4 8a01 mov al,byte ptr [ecx] ds:002b:0af25000=??
Disassembly of stack frame 1 at AcroRd32.dll + 0x5F3EE4
6dcd3e4d 48 dec eax
6dcd3e4e 7410 je AcroRd32!AX_PDXlateToHostEx+0x25f0bf (6dcd3e60)
6dcd3e50 48 dec eax
6dcd3e51 750d jne AcroRd32!AX_PDXlateToHostEx+0x25f0bf (6dcd3e60)
6dcd3e53 e87e230100 call AcroRd32!CTJPEGTiledContentWriter::operator=+0x56eb (6dce61d6)
6dcd3e58 eb02 jmp AcroRd32!AX_PDXlateToHostEx+0x25f0bb (6dcd3e5c)
6dcd3e5a 8bc6 mov eax,esi
6dcd3e5c 85c0 test eax,eax
6dcd3e5e 7541 jne AcroRd32!AX_PDXlateToHostEx+0x25f100 (6dcd3ea1)
6dcd3e60 8b4dfc mov ecx,dword ptr [ebp-4]
6dcd3e63 8b4318 mov eax,dword ptr [ebx+18h]
6dcd3e66 33d2 xor edx,edx
6dcd3e68 42 inc edx
6dcd3e69 8b04b8 mov eax,dword ptr [eax+edi*4]
6dcd3e6c 66895024 mov word ptr [eax+24h],dx
6dcd3e70 47 inc edi
6dcd3e71 3b7b14 cmp edi,dword ptr [ebx+14h]
6dcd3e74 0f8221ffffff jb AcroRd32!AX_PDXlateToHostEx+0x25effa (6dcd3d9b)
6dcd3e7a 51 push ecx
6dcd3e7b e89ebda3ff call AcroRd32!AcroWinMainSandbox+0x5c9a (6d70fc1e)
6dcd3e80 59 pop ecx
6dcd3e81 39730c cmp dword ptr [ebx+0Ch],esi
6dcd3e84 7619 jbe AcroRd32!AX_PDXlateToHostEx+0x25f0fe (6dcd3e9f)
6dcd3e86 8bfe mov edi,esi
6dcd3e88 8b4b10 mov ecx,dword ptr [ebx+10h]
6dcd3e8b 03cf add ecx,edi
6dcd3e8d e81fe30000 call AcroRd32!CTJPEGTiledContentWriter::operator=+0x16c6 (6dce21b1)
6dcd3e92 85c0 test eax,eax
6dcd3e94 750b jne AcroRd32!AX_PDXlateToHostEx+0x25f100 (6dcd3ea1)
6dcd3e96 46 inc esi
6dcd3e97 83c714 add edi,14h
6dcd3e9a 3b730c cmp esi,dword ptr [ebx+0Ch]
6dcd3e9d 72e9 jb AcroRd32!AX_PDXlateToHostEx+0x25f0e7 (6dcd3e88)
6dcd3e9f 33c0 xor eax,eax
6dcd3ea1 5f pop edi
6dcd3ea2 5e pop esi
6dcd3ea3 5b pop ebx
6dcd3ea4 8be5 mov esp,ebp
6dcd3ea6 5d pop ebp
6dcd3ea7 c3 ret
6dcd3ea8 56 push esi
6dcd3ea9 8bf1 mov esi,ecx
6dcd3eab ff7620 push dword ptr [esi+20h]
6dcd3eae 8b4e2c mov ecx,dword ptr [esi+2Ch]
6dcd3eb1 ff7628 push dword ptr [esi+28h]
6dcd3eb4 e8b2db0000 call AcroRd32!CTJPEGTiledContentWriter::operator=+0xf80 (6dce1a6b)
6dcd3eb9 8b4e2c mov ecx,dword ptr [esi+2Ch]
6dcd3ebc 6a04 push 4
6dcd3ebe e84ddb0000 call AcroRd32!CTJPEGTiledContentWriter::operator=+0xf25 (6dce1a10)
6dcd3ec3 894644 mov dword ptr [esi+44h],eax
6dcd3ec6 33c0 xor eax,eax
6dcd3ec8 5e pop esi
6dcd3ec9 c3 ret
6dcd3eca 56 push esi
6dcd3ecb 8bf1 mov esi,ecx
6dcd3ecd 8b06 mov eax,dword ptr [esi]
6dcd3ecf 3b4604 cmp eax,dword ptr [esi+4]
6dcd3ed2 720e jb AcroRd32!AX_PDXlateToHostEx+0x25f141 (6dcd3ee2)
6dcd3ed4 68e8e8566e push offset AcroRd32!PDMediaQuerySetMediaType+0x1551a8 (6e56e8e8)
6dcd3ed9 6aff push 0FFFFFFFFh
6dcd3edb e86986b7ff call AcroRd32!PDAlternatesGetCosObj+0x40b9 (6d84c549)
6dcd3ee0 59 pop ecx
6dcd3ee1 59 pop ecx
6dcd3ee2 8b0e mov ecx,dword ptr [esi]
AcroRd32!AX_PDXlateToHostEx+0x25f143:
6dcd3ee4 8a01 mov al,byte ptr [ecx] // current instruction
6dcd3ee6 88460c mov byte ptr [esi+0Ch],al
6dcd3ee9 8d4101 lea eax,[ecx+1]
6dcd3eec 8906 mov dword ptr [esi],eax
6dcd3eee 8a460c mov al,byte ptr [esi+0Ch]
6dcd3ef1 5e pop esi
6dcd3ef2 c3 ret
6dcd3ef3 53 push ebx
6dcd3ef4 56 push esi
6dcd3ef5 8bf1 mov esi,ecx
6dcd3ef7 33db xor ebx,ebx
6dcd3ef9 395e0c cmp dword ptr [esi+0Ch],ebx
6dcd3efc 743a je AcroRd32!AX_PDXlateToHostEx+0x25f197 (6dcd3f38)
6dcd3efe 57 push edi
6dcd3eff 8bfb mov edi,ebx
6dcd3f01 391e cmp dword ptr [esi],ebx
6dcd3f03 7626 jbe AcroRd32!AX_PDXlateToHostEx+0x25f18a (6dcd3f2b)
6dcd3f05 8b460c mov eax,dword ptr [esi+0Ch]
6dcd3f08 8b0cb8 mov ecx,dword ptr [eax+edi*4]
6dcd3f0b 85c9 test ecx,ecx
6dcd3f0d 7417 je AcroRd32!AX_PDXlateToHostEx+0x25f185 (6dcd3f26)
6dcd3f0f e82c070100 call AcroRd32!CTJPEGTiledContentWriter::operator=+0x3b55 (6dce4640)
6dcd3f14 8b460c mov eax,dword ptr [esi+0Ch]
6dcd3f17 ff34b8 push dword ptr [eax+edi*4]
6dcd3f1a e8ffbca3ff call AcroRd32!AcroWinMainSandbox+0x5c9a (6d70fc1e)
6dcd3f1f 8b460c mov eax,dword ptr [esi+0Ch]
6dcd3f22 59 pop ecx
6dcd3f23 891cb8 mov dword ptr [eax+edi*4],ebx
6dcd3f26 47 inc edi
6dcd3f27 3b3e cmp edi,dword ptr [esi]
6dcd3f29 72da jb AcroRd32!AX_PDXlateToHostEx+0x25f164 (6dcd3f05)
6dcd3f2b ff760c push dword ptr [esi+0Ch]
PoC
attached
Attachments:
OOBR@0x5F3EE4.pdf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-21.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/