Information

Out-of-bounds read when a corrupted EMF file is parsed by MPS.dll. The faulting instruction is a `rep movs` copy loop at MPS.dll + 0x3676A; at the crash esi holds a page-aligned source address (0x1ca93000) with ecx = 0x446 bytes still to copy, which is consistent with the source read running past the end of its mapped buffer. The comparisons ahead of the copy (`cmp edi,esi` / `cmp edi,eax`) appear to be only a source/destination overlap check rather than a validation of the copy length against the source buffer size.

Crash Dump:

Stack

MPS.dll + 0x3676A (id: 02a, no function symbol available)
MPS.dll + 0xAE0AE (id: d50, no function symbol available)
MPS.dll + 0xB8CB0 (no function symbol available)
MPS.dll + 0x7077F (no function symbol available)
MPS.dll + 0xBBE9A (no function symbol available)
MPS.dll + 0x70A30 (no function symbol available)
MPS.dll + 0x5F09E (no function symbol available)
MPS.dll + 0x5ECCC (no function symbol available)
ImageConversion.api + 0xA101 (no function symbol available)
ImageConversion.api + 0x18B5A (no function symbol available)
ImageConversion.api + 0x1B517 (no function symbol available)
ImageConversion.api + 0xB427 (no function symbol available)
Acrobat.dll + 0x821A1E (no function symbol available)
Acrobat.dll + 0x7BD6AE (no function symbol available)
Acrobat.dll + 0x7BF924 (no function symbol available)
Acrobat.dll + 0x7BF8A5 (no function symbol available)
Acrobat.dll + 0xB8AD1 (no function symbol available)
Acrobat.dll + 0xB6F07 (no function symbol available)
Acrobat.dll + 0xB6790 (no function symbol available)
Acrobat.dll + 0xB46BD (no function symbol available)
Acrobat.dll + 0xB3526 (no function symbol available)
Acrobat.dll + 0xB2E14 (no function symbol available)
Acrobat.dll + 0x2F005 (no function symbol available)
Acrobat.dll + 0x2B36E (no function symbol available)
Acrobat.dll!AcroWinMain + 0x18
Acrobat.exe + 0x76EC (no function symbol available)
Acrobat.exe + 0x8711 (no function symbol available)
KERNEL32.DLL!BaseThreadInitThunk + 0x24
ntdll.dll!__RtlUserThreadStart + 0x2F
ntdll.dll!_RtlUserThreadStart + 0x1B

Registers

eax=1ca93446 ebx=1c803b30 ecx=00000446 edx=00000546 esi=1ca93000 edi=37b60eb8
eip=2d66676a esp=00cfc4f0 ebp=00cfc510 iopl=0         nv up ei pl nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010207
fpcw=027F: rn 53 puozdi  fpsw=4020: top=0 cc=1000 --p-----  fptw=FFFF
fopcode=0000  fpip=0000:2d8f67f2  fpdp=0000:00cfc3e8
st0= 0.000000000000000000000e+0000  st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000  st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000  st5= 1.600000000000000000000e+0001
st6= 0.000000000000000000000e+0000  st7= 1.350000000000000000000e+0003
mm0=0000000000000000  mm1=0000000000000000
mm2=0000000000000000  mm3=0000000000000000
mm4=0000000000000000  mm5=8000000000000000
mm6=0000000000000000  mm7=a8c0000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 0
xmm7=0 0 0 0
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
MPS!MPSToAGMColorSpace+0x126ea:
2d66676a f3a4            rep movs byte ptr es:[edi],byte ptr [esi] 

Disassembly of stack frame 1 at MPS.dll + 0x3676A

2d6666cd 8b16            mov     edx,dword ptr [esi]
2d6666cf 83c604          add     esi,4
2d6666d2 a900010181      test    eax,81010100h
2d6666d7 74dc            je      MPS!MPSToAGMColorSpace+0x12635 (2d6666b5)
2d6666d9 84d2            test    dl,dl
2d6666db 742c            je      MPS!MPSToAGMColorSpace+0x12689 (2d666709)
2d6666dd 84f6            test    dh,dh
2d6666df 741e            je      MPS!MPSToAGMColorSpace+0x1267f (2d6666ff)
2d6666e1 f7c20000ff00    test    edx,0FF0000h
2d6666e7 740c            je      MPS!MPSToAGMColorSpace+0x12675 (2d6666f5)
2d6666e9 f7c2000000ff    test    edx,0FF000000h
2d6666ef 75c4            jne     MPS!MPSToAGMColorSpace+0x12635 (2d6666b5)
2d6666f1 8917            mov     dword ptr [edi],edx
2d6666f3 eb18            jmp     MPS!MPSToAGMColorSpace+0x1268d (2d66670d)
2d6666f5 81e2ffff0000    and     edx,0FFFFh
2d6666fb 8917            mov     dword ptr [edi],edx
2d6666fd eb0e            jmp     MPS!MPSToAGMColorSpace+0x1268d (2d66670d)
2d6666ff 81e2ff000000    and     edx,0FFh
2d666705 8917            mov     dword ptr [edi],edx
2d666707 eb04            jmp     MPS!MPSToAGMColorSpace+0x1268d (2d66670d)
2d666709 33d2            xor     edx,edx
2d66670b 8917            mov     dword ptr [edi],edx
2d66670d 83c704          add     edi,4
2d666710 33c0            xor     eax,eax
2d666712 83e901          sub     ecx,1
2d666715 740c            je      MPS!MPSToAGMColorSpace+0x126a3 (2d666723)
2d666717 33c0            xor     eax,eax
2d666719 8907            mov     dword ptr [edi],eax
2d66671b 83c704          add     edi,4
2d66671e 83e901          sub     ecx,1
2d666721 75f6            jne     MPS!MPSToAGMColorSpace+0x12699 (2d666719)
2d666723 83e303          and     ebx,3
2d666726 0f8577ffffff    jne     MPS!MPSToAGMColorSpace+0x12623 (2d6666a3)
2d66672c 8b442410        mov     eax,dword ptr [esp+10h]
2d666730 5b              pop     ebx
2d666731 5e              pop     esi
2d666732 5f              pop     edi
2d666733 c3              ret
2d666734 cc              int     3
2d666735 cc              int     3
2d666736 cc              int     3
2d666737 cc              int     3
2d666738 cc              int     3
2d666739 cc              int     3
2d66673a cc              int     3
2d66673b cc              int     3
2d66673c cc              int     3
2d66673d cc              int     3
2d66673e cc              int     3
2d66673f cc              int     3
2d666740 57              push    edi
2d666741 56              push    esi
2d666742 8b742410        mov     esi,dword ptr [esp+10h]
2d666746 8b4c2414        mov     ecx,dword ptr [esp+14h]
2d66674a 8b7c240c        mov     edi,dword ptr [esp+0Ch]
2d66674e 8bc1            mov     eax,ecx
2d666750 8bd1            mov     edx,ecx
2d666752 03c6            add     eax,esi
2d666754 3bfe            cmp     edi,esi
2d666756 7608            jbe     MPS!MPSToAGMColorSpace+0x126e0 (2d666760)
2d666758 3bf8            cmp     edi,eax
2d66675a 0f8268030000    jb      MPS!MPSToAGMColorSpace+0x12a48 (2d666ac8)
2d666760 0fba253056a02d01 bt      dword ptr [MPS!MPSOptions+0x17f920 (2da05630)],1
2d666768 7307            jae     MPS!MPSToAGMColorSpace+0x126f1 (2d666771)
MPS!MPSToAGMColorSpace+0x126ea:
2d66676a f3a4            rep movs byte ptr es:[edi],byte ptr [esi] // current instruction
2d66676c e917030000      jmp     MPS!MPSToAGMColorSpace+0x12a08 (2d666a88)
2d666771 81f980000000    cmp     ecx,80h
2d666777 0f82ce010000    jb      MPS!MPSToAGMColorSpace+0x128cb (2d66694b)
2d66677d 8bc7            mov     eax,edi
2d66677f 33c6            xor     eax,esi
2d666781 a90f000000      test    eax,0Fh
2d666786 750e            jne     MPS!MPSToAGMColorSpace+0x12716 (2d666796)
2d666788 0fba25607a9c2d01 bt      dword ptr [MPS!MPSOptions+0x141d50 (2d9c7a60)],1
2d666790 0f82da040000    jb      MPS!MPSToAGMColorSpace+0x12bf0 (2d666c70)
2d666796 0fba253056a02d00 bt      dword ptr [MPS!MPSOptions+0x17f920 (2da05630)],0
2d66679e 0f83a7010000    jae     MPS!MPSToAGMColorSpace+0x128cb (2d66694b)
2d6667a4 f7c703000000    test    edi,3
2d6667aa 0f85b8010000    jne     MPS!MPSToAGMColorSpace+0x128e8 (2d666968)
2d6667b0 f7c603000000    test    esi,3
2d6667b6 0f8597010000    jne     MPS!MPSToAGMColorSpace+0x128d3 (2d666953)
2d6667bc 0fbae702        bt      edi,2
2d6667c0 730d            jae     MPS!MPSToAGMColorSpace+0x1274f (2d6667cf)
2d6667c2 8b06            mov     eax,dword ptr [esi]
2d6667c4 83e904          sub     ecx,4
2d6667c7 8d7604          lea     esi,[esi+4]
2d6667ca 8907            mov     dword ptr [edi],eax
2d6667cc 8d7f04          lea     edi,[edi+4]
2d6667cf 0fbae703        bt      edi,3
2d6667d3 7311            jae     MPS!MPSToAGMColorSpace+0x12766 (2d6667e6)
2d6667d5 f30f7e0e        movq    xmm1,mmword ptr [esi]
2d6667d9 83e908          sub     ecx,8
2d6667dc 8d7608          lea     esi,[esi+8]
2d6667df 660fd60f        movq    mmword ptr [edi],xmm1
2d6667e3 8d7f08          lea     edi,[edi+8]
2d6667e6 f7c607000000    test    esi,7 

PoC

attached


Attachments:
OOBR[0x100].emf

References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-34.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/