CVE-2018-12848
Information
Out-of-bounds write due to a corrupted EMF file being parsed in MPS.dll.
Crash Dump:
Stack
MPS.dll + 0x3676A (id: 02a, no function symbol available)
MPS.dll + 0x69B16 (id: adc, no function symbol available)
MPS.dll + 0xA2273 (no function symbol available)
MPS.dll + 0xB662C (no function symbol available)
MPS.dll + 0x7047A (no function symbol available)
MPS.dll + 0xBB7E1 (no function symbol available)
MPS.dll + 0x70A1C (no function symbol available)
MPS.dll + 0x5F09E (no function symbol available)
MPS.dll + 0x5ECCC (no function symbol available)
ImageConversion.api + 0xA101 (no function symbol available)
ImageConversion.api + 0x18B5A (no function symbol available)
ImageConversion.api + 0x1B517 (no function symbol available)
ImageConversion.api + 0xB427 (no function symbol available)
Acrobat.dll + 0x821A1E (no function symbol available)
Acrobat.dll + 0x7BD6AE (no function symbol available)
Acrobat.dll + 0x7BF924 (no function symbol available)
Acrobat.dll + 0x7BF8A5 (no function symbol available)
Acrobat.dll + 0xB8AD1 (no function symbol available)
Acrobat.dll + 0xB6F07 (no function symbol available)
Acrobat.dll + 0xB6790 (no function symbol available)
Acrobat.dll + 0xB46BD (no function symbol available)
Acrobat.dll + 0xB3526 (no function symbol available)
Acrobat.dll + 0xB2E14 (no function symbol available)
Acrobat.dll + 0x2F005 (no function symbol available)
Acrobat.dll + 0x2B36E (no function symbol available)
Acrobat.dll!AcroWinMain + 0x18
Acrobat.exe + 0x76EC (no function symbol available)
Acrobat.exe + 0x8711 (no function symbol available)
KERNEL32.DLL!BaseThreadInitThunk + 0x24
ntdll.dll!__RtlUserThreadStart + 0x2F
ntdll.dll!_RtlUserThreadStart + 0x1B
Registers
eax=00a5e0c9 ebx=00000399 ecx=00000002 edx=00000002 esi=00a5e0c7 edi=00000000
eip=2d2c676a esp=00a5dd94 ebp=00a5ddbc iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297
fpcw=027F: rn 53 puozdi fpsw=4000: top=0 cc=1000 -------- fptw=FFFF
fopcode=0000 fpip=0000:2cac2979 fpdp=0000:00a5d738
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 1.600000000000000000000e+0001
st6= 0.000000000000000000000e+0000 st7= 0.000000000000000000000e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=8000000000000000
mm6=0000000000000000 mm7=0000000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 -0 0
xmm7=0 0 1.875 0
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
MPS!MPSToAGMColorSpace+0x126ea:
2d2c676a f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
Disassembly of stack frame 1 at MPS.dll + 0x3676A
2d2c66cd 8b16 mov edx,dword ptr [esi]
2d2c66cf 83c604 add esi,4
2d2c66d2 a900010181 test eax,81010100h
2d2c66d7 74dc je MPS!MPSToAGMColorSpace+0x12635 (2d2c66b5)
2d2c66d9 84d2 test dl,dl
2d2c66db 742c je MPS!MPSToAGMColorSpace+0x12689 (2d2c6709)
2d2c66dd 84f6 test dh,dh
2d2c66df 741e je MPS!MPSToAGMColorSpace+0x1267f (2d2c66ff)
2d2c66e1 f7c20000ff00 test edx,0FF0000h
2d2c66e7 740c je MPS!MPSToAGMColorSpace+0x12675 (2d2c66f5)
2d2c66e9 f7c2000000ff test edx,0FF000000h
2d2c66ef 75c4 jne MPS!MPSToAGMColorSpace+0x12635 (2d2c66b5)
2d2c66f1 8917 mov dword ptr [edi],edx
2d2c66f3 eb18 jmp MPS!MPSToAGMColorSpace+0x1268d (2d2c670d)
2d2c66f5 81e2ffff0000 and edx,0FFFFh
2d2c66fb 8917 mov dword ptr [edi],edx
2d2c66fd eb0e jmp MPS!MPSToAGMColorSpace+0x1268d (2d2c670d)
2d2c66ff 81e2ff000000 and edx,0FFh
2d2c6705 8917 mov dword ptr [edi],edx
2d2c6707 eb04 jmp MPS!MPSToAGMColorSpace+0x1268d (2d2c670d)
2d2c6709 33d2 xor edx,edx
2d2c670b 8917 mov dword ptr [edi],edx
2d2c670d 83c704 add edi,4
2d2c6710 33c0 xor eax,eax
2d2c6712 83e901 sub ecx,1
2d2c6715 740c je MPS!MPSToAGMColorSpace+0x126a3 (2d2c6723)
2d2c6717 33c0 xor eax,eax
2d2c6719 8907 mov dword ptr [edi],eax
2d2c671b 83c704 add edi,4
2d2c671e 83e901 sub ecx,1
2d2c6721 75f6 jne MPS!MPSToAGMColorSpace+0x12699 (2d2c6719)
2d2c6723 83e303 and ebx,3
2d2c6726 0f8577ffffff jne MPS!MPSToAGMColorSpace+0x12623 (2d2c66a3)
2d2c672c 8b442410 mov eax,dword ptr [esp+10h]
2d2c6730 5b pop ebx
2d2c6731 5e pop esi
2d2c6732 5f pop edi
2d2c6733 c3 ret
2d2c6734 cc int 3
2d2c6735 cc int 3
2d2c6736 cc int 3
2d2c6737 cc int 3
2d2c6738 cc int 3
2d2c6739 cc int 3
2d2c673a cc int 3
2d2c673b cc int 3
2d2c673c cc int 3
2d2c673d cc int 3
2d2c673e cc int 3
2d2c673f cc int 3
2d2c6740 57 push edi
2d2c6741 56 push esi
2d2c6742 8b742410 mov esi,dword ptr [esp+10h]
2d2c6746 8b4c2414 mov ecx,dword ptr [esp+14h]
2d2c674a 8b7c240c mov edi,dword ptr [esp+0Ch]
2d2c674e 8bc1 mov eax,ecx
2d2c6750 8bd1 mov edx,ecx
2d2c6752 03c6 add eax,esi
2d2c6754 3bfe cmp edi,esi
2d2c6756 7608 jbe MPS!MPSToAGMColorSpace+0x126e0 (2d2c6760)
2d2c6758 3bf8 cmp edi,eax
2d2c675a 0f8268030000 jb MPS!MPSToAGMColorSpace+0x12a48 (2d2c6ac8)
2d2c6760 0fba253056662d01 bt dword ptr [MPS!MPSOptions+0x17f920 (2d665630)],1
2d2c6768 7307 jae MPS!MPSToAGMColorSpace+0x126f1 (2d2c6771)
MPS!MPSToAGMColorSpace+0x126ea:
2d2c676a f3a4 rep movs byte ptr es:[edi],byte ptr [esi] // current instruction (faulting write): per the Registers section edi=00000000, so the copy destination is a NULL pointer (consistent with the AVW@NULL attachment label), with ecx=00000002 bytes left to copy
2d2c676c e917030000 jmp MPS!MPSToAGMColorSpace+0x12a08 (2d2c6a88)
2d2c6771 81f980000000 cmp ecx,80h
2d2c6777 0f82ce010000 jb MPS!MPSToAGMColorSpace+0x128cb (2d2c694b)
2d2c677d 8bc7 mov eax,edi
2d2c677f 33c6 xor eax,esi
2d2c6781 a90f000000 test eax,0Fh
2d2c6786 750e jne MPS!MPSToAGMColorSpace+0x12716 (2d2c6796)
2d2c6788 0fba25607a622d01 bt dword ptr [MPS!MPSOptions+0x141d50 (2d627a60)],1
2d2c6790 0f82da040000 jb MPS!MPSToAGMColorSpace+0x12bf0 (2d2c6c70)
2d2c6796 0fba253056662d00 bt dword ptr [MPS!MPSOptions+0x17f920 (2d665630)],0
2d2c679e 0f83a7010000 jae MPS!MPSToAGMColorSpace+0x128cb (2d2c694b)
2d2c67a4 f7c703000000 test edi,3
2d2c67aa 0f85b8010000 jne MPS!MPSToAGMColorSpace+0x128e8 (2d2c6968)
2d2c67b0 f7c603000000 test esi,3
2d2c67b6 0f8597010000 jne MPS!MPSToAGMColorSpace+0x128d3 (2d2c6953)
2d2c67bc 0fbae702 bt edi,2
2d2c67c0 730d jae MPS!MPSToAGMColorSpace+0x1274f (2d2c67cf)
2d2c67c2 8b06 mov eax,dword ptr [esi]
2d2c67c4 83e904 sub ecx,4
2d2c67c7 8d7604 lea esi,[esi+4]
2d2c67ca 8907 mov dword ptr [edi],eax
2d2c67cc 8d7f04 lea edi,[edi+4]
2d2c67cf 0fbae703 bt edi,3
2d2c67d3 7311 jae MPS!MPSToAGMColorSpace+0x12766 (2d2c67e6)
2d2c67d5 f30f7e0e movq xmm1,mmword ptr [esi]
2d2c67d9 83e908 sub ecx,8
2d2c67dc 8d7608 lea esi,[esi+8]
2d2c67df 660fd60f movq mmword ptr [edi],xmm1
2d2c67e3 8d7f08 lea edi,[edi+8]
2d2c67e6 f7c607000000 test esi,7
PoC
attached
Attachments:
AVW@NULL@mps.emf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-34.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/