CVE-2018-12850
Information
Out-of-bounds read when a corrupted EMF file is parsed by MPS.dll. The faulting instruction is mov eax,dword ptr [eax] at MPS.dll+0x5139 with eax=0x3dd0d000, an address the debugger cannot read (shown as ????????). As the disassembly below shows, the function loads that pointer from its first stack argument ([ebp+8]) and dereferences it immediately, with no validation between the load and the read.
Crash Dump:
Stack
MPS.dll + 0x5139 (id: d10, no function symbol available)
MPS.dll + 0x18902 (id: 80d, no function symbol available)
MPS.dll + 0x1790A (no function symbol available)
MPS.dll + 0x17A40 (no function symbol available)
MPS.dll + 0x16A54 (no function symbol available)
MPS.dll + 0x1504C (no function symbol available)
MPS.dll + 0x855FD (no function symbol available)
MPS.dll + 0xB46F1 (no function symbol available)
MPS.dll + 0xB42FD (no function symbol available)
MPS.dll + 0xBAD3D (no function symbol available)
MPS.dll + 0x709EA (no function symbol available)
MPS.dll + 0x5F09E (no function symbol available)
MPS.dll + 0x5ECCC (no function symbol available)
ImageConversion.api + 0xA101 (no function symbol available)
ImageConversion.api + 0x18B5A (no function symbol available)
Registers
eax=3dd0d000 ebx=0000001d ecx=00afe7d0 edx=3d35be84 esi=00afe7d0 edi=3d35f854
eip=6c625139 esp=00afe798 ebp=00afe79c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
fpcw=027F: rn 53 puozdi fpsw=4020: top=0 cc=1000 --p----- fptw=FFFF
fopcode=0000 fpip=0000:6c6d44b4 fpdp=0000:00afefe0
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 1.000000000000000000000e+0000 st5= 1.600000000000000000000e+0001
st6= 1.600000000000000000000e+0001 st7= 1.200000000000000000000e+0001
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=8000000000000000 mm5=8000000000000000
mm6=8000000000000000 mm7=c000000000000000
xmm0=0 0 0 3.63346e+031
xmm1=1 0 0 1
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 8
xmm7=0 0 0 8
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
MPS+0x5139:
6c625139 8b00 mov eax,dword ptr [eax] ds:002b:3dd0d000=????????
Disassembly of stack frame 1 at MPS.dll + 0x5139
6c62509c 5e pop esi
6c62509d c70000000000 mov dword ptr [eax],0
6c6250a3 b80e000000 mov eax,0Eh
6c6250a8 ff0db0349f6c dec dword ptr [MPS!MPSOptions+0x17d7a0 (6c9f34b0)]
6c6250ae 8be5 mov esp,ebp
6c6250b0 5d pop ebp
6c6250b1 c20c00 ret 0Ch
6c6250b4 cc int 3
6c6250b5 cc int 3
6c6250b6 cc int 3
6c6250b7 cc int 3
6c6250b8 cc int 3
6c6250b9 cc int 3
6c6250ba cc int 3
6c6250bb cc int 3
6c6250bc cc int 3
6c6250bd cc int 3
6c6250be cc int 3
6c6250bf cc int 3
6c6250c0 55 push ebp
6c6250c1 8bec mov ebp,esp
6c6250c3 83ec08 sub esp,8
6c6250c6 8b450c mov eax,dword ptr [ebp+0Ch]
6c6250c9 8945fc mov dword ptr [ebp-4],eax
6c6250cc a1b0349f6c mov eax,dword ptr [MPS!MPSOptions+0x17d7a0 (6c9f34b0)]
6c6250d1 8bc8 mov ecx,eax
6c6250d3 c1e106 shl ecx,6
6c6250d6 40 inc eax
6c6250d7 81c1b8349f6c add ecx,offset MPS!MPSOptions+0x17d7a8 (6c9f34b8)
6c6250dd c745f800000000 mov dword ptr [ebp-8],0
6c6250e4 6a00 push 0
6c6250e6 51 push ecx
6c6250e7 a3b0349f6c mov dword ptr [MPS!MPSOptions+0x17d7a0 (6c9f34b0)],eax
6c6250ec e86f0d0300 call MPS!MPSToAGMColorSpace+0x11de0 (6c655e60)
6c6250f1 83c408 add esp,8
6c6250f4 85c0 test eax,eax
6c6250f6 7525 jne MPS+0x511d (6c62511d)
6c6250f8 8b4508 mov eax,dword ptr [ebp+8]
6c6250fb 8d4dfc lea ecx,[ebp-4]
6c6250fe 51 push ecx
6c6250ff 83c018 add eax,18h
6c625102 6a00 push 0
6c625104 6a02 push 2
6c625106 50 push eax
6c625107 8b00 mov eax,dword ptr [eax]
6c625109 ffd0 call eax
6c62510b 8b45f8 mov eax,dword ptr [ebp-8]
6c62510e 83c410 add esp,10h
6c625111 ff0db0349f6c dec dword ptr [MPS!MPSOptions+0x17d7a0 (6c9f34b0)]
6c625117 8be5 mov esp,ebp
6c625119 5d pop ebp
6c62511a c20800 ret 8
6c62511d b80e000000 mov eax,0Eh
6c625122 ff0db0349f6c dec dword ptr [MPS!MPSOptions+0x17d7a0 (6c9f34b0)]
6c625128 8be5 mov esp,ebp
6c62512a 5d pop ebp
6c62512b c20800 ret 8
6c62512e cc int 3
6c62512f cc int 3
6c625130 55 push ebp
6c625131 8bec mov ebp,esp
6c625133 8b4508 mov eax,dword ptr [ebp+8]
6c625136 56 push esi
6c625137 8bf1 mov esi,ecx
MPS+0x5139:
6c625139 8b00 mov eax,dword ptr [eax] // current instruction
6c62513b 50 push eax
6c62513c 8906 mov dword ptr [esi],eax
6c62513e ff15d42e9f6c call dword ptr [MPS!MPSOptions+0x17d1c4 (6c9f2ed4)]
6c625144 83c404 add esp,4
6c625147 85c0 test eax,eax
6c625149 8bc6 mov eax,esi
6c62514b 7506 jne MPS+0x5153 (6c625153)
6c62514d c70600000000 mov dword ptr [esi],0
6c625153 5e pop esi
6c625154 5d pop ebp
6c625155 c20400 ret 4
6c625158 cc int 3
6c625159 cc int 3
6c62515a cc int 3
6c62515b cc int 3
6c62515c cc int 3
6c62515d cc int 3
6c62515e cc int 3
6c62515f cc int 3
6c625160 55 push ebp
6c625161 8bec mov ebp,esp
6c625163 8b4508 mov eax,dword ptr [ebp+8]
6c625166 56 push esi
6c625167 8bf1 mov esi,ecx
6c625169 50 push eax
6c62516a 8906 mov dword ptr [esi],eax
6c62516c ff15d42e9f6c call dword ptr [MPS!MPSOptions+0x17d1c4 (6c9f2ed4)]
6c625172 83c404 add esp,4
6c625175 85c0 test eax,eax
6c625177 8bc6 mov eax,esi
6c625179 7506 jne MPS+0x5181 (6c625181)
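The dump above only shows the symptom: a pointer derived from attacker-controlled EMF data is dereferenced and lands on unmapped memory. The page does not identify which EMF record is corrupted, so the following is an added, illustrative example written for this page, not MPS.dll's parser and not the PoC. It walks EMF records while validating every record's nSize against the remaining buffer, which is the check whose absence turns a corrupted size field into an out-of-bounds read. The record layout (EMR_HEADER first, " EMF" signature at offset 40, EMR_EOF last, nSize a multiple of 4) follows the public MS-EMF specification; the sample file bytes and the 0x7FFFFFF0 corruption are constructed for the demo.

```c
/* Added, illustrative example: a bounds-checked EMF record walker written for
 * this page. It is NOT MPS.dll's parser and makes no claim about which EMF
 * record triggers CVE-2018-12850; it only shows the length check whose
 * absence lets a corrupted nSize drive a read outside the file buffer. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EMR_HEADER      1u
#define EMR_EOF         14u
#define EMF_SIGNATURE   0x464D4520u  /* " EMF", little-endian DWORD at header offset 40 */
#define EMR_HEADER_MIN  88u          /* size of the original ENHMETAHEADER */

enum {
    EMF_OK             =  0,
    EMF_ERR_TRUNCATED  = -1,  /* a record header or body would run past the buffer */
    EMF_ERR_BAD_SIZE   = -2,  /* nSize < 8 or not a multiple of 4 */
    EMF_ERR_BAD_HEADER = -3,  /* first record is not a plausible EMR_HEADER */
    EMF_ERR_NO_EOF     = -4   /* data ended before an EMR_EOF record */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk every record in buf[0..len). On success returns EMF_OK and stores the
 * record count in *nrecords; otherwise returns a negative error. Every access
 * is checked against len before it happens, so a hostile nSize can never move
 * the cursor, or a later read, outside the buffer. */
int emf_walk(const uint8_t *buf, size_t len, size_t *nrecords)
{
    size_t off = 0, count = 0;

    while (len - off >= 8) {                  /* need iType + nSize */
        uint32_t type = rd32(buf + off);
        uint32_t size = rd32(buf + off + 4);

        if (size < 8 || (size & 3) != 0)
            return EMF_ERR_BAD_SIZE;
        if (size > len - off)                 /* overflow-safe form of off + size > len */
            return EMF_ERR_TRUNCATED;
        if (count == 0 && (type != EMR_HEADER || size < EMR_HEADER_MIN ||
                           rd32(buf + off + 40) != EMF_SIGNATURE))
            return EMF_ERR_BAD_HEADER;

        count++;
        if (type == EMR_EOF) {
            *nrecords = count;
            return EMF_OK;
        }
        off += size;                          /* safe: size <= len - off */
    }
    return (len - off == 0 && count > 0) ? EMF_ERR_NO_EOF : EMF_ERR_TRUNCATED;
}

/* Constructed sample: a minimal two-record EMF (EMR_HEADER + EMR_EOF).
 * Returns the byte count written, or 0 if cap is too small. */
size_t build_sample_emf(uint8_t *out, size_t cap)
{
    const size_t total = EMR_HEADER_MIN + 20; /* EMR_EOF is 20 bytes */
    if (cap < total) return 0;
    memset(out, 0, total);
    wr32(out + 0,  EMR_HEADER);
    wr32(out + 4,  EMR_HEADER_MIN);
    wr32(out + 40, EMF_SIGNATURE);
    wr32(out + 44, 0x00010000u);              /* nVersion */
    wr32(out + 48, (uint32_t)total);          /* nBytes */
    wr32(out + 52, 2);                        /* nRecords */
    wr32(out + EMR_HEADER_MIN + 0,  EMR_EOF);
    wr32(out + EMR_HEADER_MIN + 4,  20);
    wr32(out + EMR_HEADER_MIN + 16, 20);      /* nSizeLast */
    return total;
}

/* Well-formed sample: returns 0 when the walker accepts it with 2 records. */
int check_valid_sample(void)
{
    uint8_t buf[128];
    size_t n = build_sample_emf(buf, sizeof buf), count = 0;
    return (emf_walk(buf, n, &count) == EMF_OK && count == 2) ? 0 : 1;
}

/* Corrupted sample: the EOF record's nSize is overwritten with a huge value.
 * A walker that trusted nSize would advance the cursor far past the buffer and
 * fault on its next read, the same failure class as the unmapped [eax]
 * dereference in the dump. The checked walker returns EMF_ERR_TRUNCATED. */
int check_corrupt_sample(void)
{
    uint8_t buf[128];
    size_t n = build_sample_emf(buf, sizeof buf), count = 0;
    wr32(buf + EMR_HEADER_MIN + 4, 0x7FFFFFF0u);
    return emf_walk(buf, n, &count);
}

int main(void)
{
    printf("valid sample:   %s\n", check_valid_sample() == 0 ? "ok" : "FAIL");
    printf("corrupt sample: rc=%d (expected %d)\n", check_corrupt_sample(), EMF_ERR_TRUNCATED);
    return 0;
}
```

The important line is the comparison written as size > len - off rather than off + size > len: with a 32-bit size_t the naive form can wrap and pass a record that extends past the end of the file, which is exactly the kind of corrupted-size input a fuzzer finds.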
PoC
attached
Attachments:
OOBR@MPS+0x5139.emf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-34.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/