CVE-2018-12849
Information
Out-of-bounds read when a corrupted EMF file is parsed by MPS.dll (Adobe Acrobat).
Crash Dump:
Stack
MPS.dll + 0x3676A (id: 02a, no function symbol available)
MPS.dll + 0xAE0AE (id: d50, no function symbol available)
MPS.dll + 0xB8CB0 (no function symbol available)
MPS.dll + 0x7077F (no function symbol available)
MPS.dll + 0xBBE9A (no function symbol available)
MPS.dll + 0x70A30 (no function symbol available)
MPS.dll + 0x5F09E (no function symbol available)
MPS.dll + 0x5ECCC (no function symbol available)
ImageConversion.api + 0xA101 (no function symbol available)
ImageConversion.api + 0x18B5A (no function symbol available)
ImageConversion.api + 0x1B517 (no function symbol available)
ImageConversion.api + 0xB427 (no function symbol available)
Acrobat.dll + 0x821A1E (no function symbol available)
Acrobat.dll + 0x7BD6AE (no function symbol available)
Acrobat.dll + 0x7BF924 (no function symbol available)
Acrobat.dll + 0x7BF8A5 (no function symbol available)
Acrobat.dll + 0xB8AD1 (no function symbol available)
Acrobat.dll + 0xB6F07 (no function symbol available)
Acrobat.dll + 0xB6790 (no function symbol available)
Acrobat.dll + 0xB46BD (no function symbol available)
Acrobat.dll + 0xB3526 (no function symbol available)
Acrobat.dll + 0xB2E14 (no function symbol available)
Acrobat.dll + 0x2F005 (no function symbol available)
Acrobat.dll + 0x2B36E (no function symbol available)
Acrobat.dll!AcroWinMain + 0x18
Acrobat.exe + 0x76EC (no function symbol available)
Acrobat.exe + 0x8711 (no function symbol available)
KERNEL32.DLL!BaseThreadInitThunk + 0x24
ntdll.dll!__RtlUserThreadStart + 0x2F
ntdll.dll!_RtlUserThreadStart + 0x1B
Registers
eax=1ca93446 ebx=1c803b30 ecx=00000446 edx=00000546 esi=1ca93000 edi=37b60eb8
eip=2d66676a esp=00cfc4f0 ebp=00cfc510 iopl=0 nv up ei pl nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207
fpcw=027F: rn 53 puozdi fpsw=4020: top=0 cc=1000 --p----- fptw=FFFF
fopcode=0000 fpip=0000:2d8f67f2 fpdp=0000:00cfc3e8
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 1.600000000000000000000e+0001
st6= 0.000000000000000000000e+0000 st7= 1.350000000000000000000e+0003
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=8000000000000000
mm6=0000000000000000 mm7=a8c0000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 0
xmm7=0 0 0 0
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
MPS!MPSToAGMColorSpace+0x126ea:
2d66676a f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
Disassembly of stack frame 1 at MPS.dll + 0x3676A
2d6666cd 8b16 mov edx,dword ptr [esi]
2d6666cf 83c604 add esi,4
2d6666d2 a900010181 test eax,81010100h
2d6666d7 74dc je MPS!MPSToAGMColorSpace+0x12635 (2d6666b5)
2d6666d9 84d2 test dl,dl
2d6666db 742c je MPS!MPSToAGMColorSpace+0x12689 (2d666709)
2d6666dd 84f6 test dh,dh
2d6666df 741e je MPS!MPSToAGMColorSpace+0x1267f (2d6666ff)
2d6666e1 f7c20000ff00 test edx,0FF0000h
2d6666e7 740c je MPS!MPSToAGMColorSpace+0x12675 (2d6666f5)
2d6666e9 f7c2000000ff test edx,0FF000000h
2d6666ef 75c4 jne MPS!MPSToAGMColorSpace+0x12635 (2d6666b5)
2d6666f1 8917 mov dword ptr [edi],edx
2d6666f3 eb18 jmp MPS!MPSToAGMColorSpace+0x1268d (2d66670d)
2d6666f5 81e2ffff0000 and edx,0FFFFh
2d6666fb 8917 mov dword ptr [edi],edx
2d6666fd eb0e jmp MPS!MPSToAGMColorSpace+0x1268d (2d66670d)
2d6666ff 81e2ff000000 and edx,0FFh
2d666705 8917 mov dword ptr [edi],edx
2d666707 eb04 jmp MPS!MPSToAGMColorSpace+0x1268d (2d66670d)
2d666709 33d2 xor edx,edx
2d66670b 8917 mov dword ptr [edi],edx
2d66670d 83c704 add edi,4
2d666710 33c0 xor eax,eax
2d666712 83e901 sub ecx,1
2d666715 740c je MPS!MPSToAGMColorSpace+0x126a3 (2d666723)
2d666717 33c0 xor eax,eax
2d666719 8907 mov dword ptr [edi],eax
2d66671b 83c704 add edi,4
2d66671e 83e901 sub ecx,1
2d666721 75f6 jne MPS!MPSToAGMColorSpace+0x12699 (2d666719)
2d666723 83e303 and ebx,3
2d666726 0f8577ffffff jne MPS!MPSToAGMColorSpace+0x12623 (2d6666a3)
2d66672c 8b442410 mov eax,dword ptr [esp+10h]
2d666730 5b pop ebx
2d666731 5e pop esi
2d666732 5f pop edi
2d666733 c3 ret
2d666734 cc int 3
2d666735 cc int 3
2d666736 cc int 3
2d666737 cc int 3
2d666738 cc int 3
2d666739 cc int 3
2d66673a cc int 3
2d66673b cc int 3
2d66673c cc int 3
2d66673d cc int 3
2d66673e cc int 3
2d66673f cc int 3
2d666740 57 push edi
2d666741 56 push esi
2d666742 8b742410 mov esi,dword ptr [esp+10h]
2d666746 8b4c2414 mov ecx,dword ptr [esp+14h]
2d66674a 8b7c240c mov edi,dword ptr [esp+0Ch]
2d66674e 8bc1 mov eax,ecx
2d666750 8bd1 mov edx,ecx
2d666752 03c6 add eax,esi
2d666754 3bfe cmp edi,esi
2d666756 7608 jbe MPS!MPSToAGMColorSpace+0x126e0 (2d666760)
2d666758 3bf8 cmp edi,eax
2d66675a 0f8268030000 jb MPS!MPSToAGMColorSpace+0x12a48 (2d666ac8)
2d666760 0fba253056a02d01 bt dword ptr [MPS!MPSOptions+0x17f920 (2da05630)],1
2d666768 7307 jae MPS!MPSToAGMColorSpace+0x126f1 (2d666771)
MPS!MPSToAGMColorSpace+0x126ea:
2d66676a f3a4 rep movs byte ptr es:[edi],byte ptr [esi] // current instruction
2d66676c e917030000 jmp MPS!MPSToAGMColorSpace+0x12a08 (2d666a88)
2d666771 81f980000000 cmp ecx,80h
2d666777 0f82ce010000 jb MPS!MPSToAGMColorSpace+0x128cb (2d66694b)
2d66677d 8bc7 mov eax,edi
2d66677f 33c6 xor eax,esi
2d666781 a90f000000 test eax,0Fh
2d666786 750e jne MPS!MPSToAGMColorSpace+0x12716 (2d666796)
2d666788 0fba25607a9c2d01 bt dword ptr [MPS!MPSOptions+0x141d50 (2d9c7a60)],1
2d666790 0f82da040000 jb MPS!MPSToAGMColorSpace+0x12bf0 (2d666c70)
2d666796 0fba253056a02d00 bt dword ptr [MPS!MPSOptions+0x17f920 (2da05630)],0
2d66679e 0f83a7010000 jae MPS!MPSToAGMColorSpace+0x128cb (2d66694b)
2d6667a4 f7c703000000 test edi,3
2d6667aa 0f85b8010000 jne MPS!MPSToAGMColorSpace+0x128e8 (2d666968)
2d6667b0 f7c603000000 test esi,3
2d6667b6 0f8597010000 jne MPS!MPSToAGMColorSpace+0x128d3 (2d666953)
2d6667bc 0fbae702 bt edi,2
2d6667c0 730d jae MPS!MPSToAGMColorSpace+0x1274f (2d6667cf)
2d6667c2 8b06 mov eax,dword ptr [esi]
2d6667c4 83e904 sub ecx,4
2d6667c7 8d7604 lea esi,[esi+4]
2d6667ca 8907 mov dword ptr [edi],eax
2d6667cc 8d7f04 lea edi,[edi+4]
2d6667cf 0fbae703 bt edi,3
2d6667d3 7311 jae MPS!MPSToAGMColorSpace+0x12766 (2d6667e6)
2d6667d5 f30f7e0e movq xmm1,mmword ptr [esi]
2d6667d9 83e908 sub ecx,8
2d6667dc 8d7608 lea esi,[esi+8]
2d6667df 660fd60f movq mmword ptr [edi],xmm1
2d6667e3 8d7f08 lea edi,[edi+8]
2d6667e6 f7c607000000 test esi,7
PoC
attached
Attachments:
OOBR[0x100].emf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-34.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/