CVE-2018-12859
Information
Out-of-bounds read due to a corrupted TIF being parsed in ImageConversion.api. The faulting instruction (`movzx eax,byte ptr [edx]`) reads through edx=2ce49000, which the dump shows as unmapped (`=??`); the surrounding loop advances edx and decrements edi as a count, with no bound against the source buffer visible in the excerpted frame.
Crash Dump:
Stack
ImageConversion.api + 0x5F40D (id: 2d4, no function symbol available)
ImageConversion.api + 0x5E9A5 (id: 5ad, no function symbol available)
ImageConversion.api + 0x4F251 (no function symbol available)
ImageConversion.api + 0x2799E (no function symbol available)
ImageConversion.api + 0x18498 (no function symbol available)
Acrobat.dll + 0x7BB44B (no function symbol available)
Acrobat.dll + 0x7BD6C1 (no function symbol available)
Acrobat.dll + 0x7BD642 (no function symbol available)
Acrobat.dll + 0xB8A43 (no function symbol available)
Acrobat.dll + 0xB73FD (no function symbol available)
Acrobat.dll + 0xB6919 (no function symbol available)
Acrobat.dll + 0xB4BB2 (no function symbol available)
Acrobat.dll + 0xB340F (no function symbol available)
Acrobat.dll + 0xB2CFC (no function symbol available)
Acrobat.dll + 0x2EFFA (no function symbol available)
Acrobat.dll + 0x2B36E (no function symbol available)
Acrobat.dll!AcroWinMain + 0x18
Acrobat.exe + 0x76EC (no function symbol available)
Acrobat.exe + 0x8711 (no function symbol available)
KERNEL32.DLL!BaseThreadInitThunk + 0x24
ntdll.dll!__RtlUserThreadStart + 0x2F
ntdll.dll!_RtlUserThreadStart + 0x1B
Registers
eax=004fd9e8 ebx=27f72400 ecx=00000000 edx=2ce49000 esi=00000008 edi=00000001
eip=25aff40d esp=004fd9c4 ebp=004fda4c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
fpcw=027F: rn 53 puozdi fpsw=4021: top=0 cc=1000 --p----i fptw=FFFF
fopcode=0000 fpip=0000:25b166ef fpdp=0000:00000000
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 1.600000000000000000000e+0001
st6= 0.000000000000000000000e+0000 st7= 9.999847412109375000000e-0001
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=8000000000000000
mm6=0000000000000000 mm7=ffff000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=-1.52566e+028 9.57162e+015 -9.42146e+012 -8.49688e+030
xmm7=0 0 0 1.4013e-045
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
ImageConversion!png_write_sig+0x19c74:
25aff40d 0fb602 movzx eax,byte ptr [edx] ds:002b:2ce49000=??
Disassembly of stack frame 1 at ImageConversion.api + 0x5F40D
---
25aff358 8bc8 mov ecx,eax
25aff35a c1e903 shr ecx,3
25aff35d 2507000080 and eax,80000007h
25aff362 7905 jns ImageConversion!png_write_sig+0x19bd0 (25aff369)
25aff364 48 dec eax
25aff365 83c8f8 or eax,0FFFFFFF8h
25aff368 40 inc eax
25aff369 0fb7c0 movzx eax,ax
25aff36c 8945c4 mov dword ptr [ebp-3Ch],eax
25aff36f 85c9 test ecx,ecx
25aff371 7e1a jle ImageConversion!png_write_sig+0x19bf4 (25aff38d)
25aff373 014dac add dword ptr [ebp-54h],ecx
25aff376 8b75dc mov esi,dword ptr [ebp-24h]
25aff379 8bc2 mov eax,edx
25aff37b c1e208 shl edx,8
25aff37e c1e818 shr eax,18h
25aff381 8806 mov byte ptr [esi],al
25aff383 46 inc esi
25aff384 49 dec ecx
25aff385 75f2 jne ImageConversion!png_write_sig+0x19be0 (25aff379)
25aff387 8955d0 mov dword ptr [ebp-30h],edx
25aff38a 8975dc mov dword ptr [ebp-24h],esi
25aff38d 8b45e0 mov eax,dword ptr [ebp-20h]
25aff390 6a08 push 8
25aff392 59 pop ecx
25aff393 8b33 mov esi,dword ptr [ebx]
25aff395 80be3801000000 cmp byte ptr [esi+138h],0
25aff39c 0f8583000000 jne ImageConversion!png_write_sig+0x19c8c (25aff425)
25aff3a2 668b7df4 mov di,word ptr [ebp-0Ch]
25aff3a6 6603be04010000 add di,word ptr [esi+104h]
25aff3ad 66897df4 mov word ptr [ebp-0Ch],di
25aff3b1 663bf9 cmp di,cx
25aff3b4 726f jb ImageConversion!png_write_sig+0x19c8c (25aff425)
25aff3b6 0fb7c7 movzx eax,di
25aff3b9 8bd0 mov edx,eax
25aff3bb c1ea03 shr edx,3
25aff3be 2507000080 and eax,80000007h
25aff3c3 7905 jns ImageConversion!png_write_sig+0x19c31 (25aff3ca)
25aff3c5 48 dec eax
25aff3c6 83c8f8 or eax,0FFFFFFF8h
25aff3c9 40 inc eax
25aff3ca 0fb7c0 movzx eax,ax
25aff3cd 8d7d9c lea edi,[ebp-64h]
25aff3d0 8945f4 mov dword ptr [ebp-0Ch],eax
25aff3d3 8bca mov ecx,edx
25aff3d5 8b45f0 mov eax,dword ptr [ebp-10h]
25aff3d8 c1e103 shl ecx,3
25aff3db 89559c mov dword ptr [ebp-64h],edx
25aff3de d320 shl dword ptr [eax],cl
25aff3e0 8d4598 lea eax,[ebp-68h]
25aff3e3 8b8e8c000000 mov ecx,dword ptr [esi+8Ch]
25aff3e9 2b4dec sub ecx,dword ptr [ebp-14h]
25aff3ec 3bca cmp ecx,edx
25aff3ee 894d98 mov dword ptr [ebp-68h],ecx
25aff3f1 0f43c7 cmovae eax,edi
25aff3f4 8b38 mov edi,dword ptr [eax]
25aff3f6 85ff test edi,edi
25aff3f8 7e28 jle ImageConversion!png_write_sig+0x19c89 (25aff422)
25aff3fa 017dec add dword ptr [ebp-14h],edi
25aff3fd 8d0cfdf8ffffff lea ecx,[edi*8-8]
25aff404 8b55f8 mov edx,dword ptr [ebp-8]
25aff407 8b5df0 mov ebx,dword ptr [ebp-10h]
25aff40a 6a08 push 8
25aff40c 5e pop esi
ImageConversion!png_write_sig+0x19c74:
25aff40d 0fb602 movzx eax,byte ptr [edx] // current instruction
25aff410 d3e0 shl eax,cl
25aff412 2bce sub ecx,esi
25aff414 0903 or dword ptr [ebx],eax
25aff416 42 inc edx
25aff417 4f dec edi
25aff418 75f3 jne ImageConversion!png_write_sig+0x19c74 (25aff40d)
25aff41a 8b5dd8 mov ebx,dword ptr [ebp-28h]
25aff41d 8955f8 mov dword ptr [ebp-8],edx
25aff420 8b33 mov esi,dword ptr [ebx]
25aff422 8b45e0 mov eax,dword ptr [ebp-20h]
25aff425 40 inc eax
25aff426 8d8e08010000 lea ecx,[esi+108h]
25aff42c 8945e0 mov dword ptr [ebp-20h],eax
25aff42f 894dc0 mov dword ptr [ebp-40h],ecx
25aff432 663b01 cmp ax,word ptr [ecx]
25aff435 0f82e1fdffff jb ImageConversion!png_write_sig+0x19a83 (25aff21c)
25aff43b 8b4df4 mov ecx,dword ptr [ebp-0Ch]
25aff43e 8b33 mov esi,dword ptr [ebx]
25aff440 8975e0 mov dword ptr [ebp-20h],esi
25aff443 80be3801000000 cmp byte ptr [esi+138h],0
25aff44a 0f8429010000 je ImageConversion!png_write_sig+0x19de0 (25aff579)
25aff450 0fb78604010000 movzx eax,word ptr [esi+104h]
25aff457 03c8 add ecx,eax
25aff459 6a08 push 8
25aff45b 668bf9 mov di,cx
25aff45e 894df4 mov dword ptr [ebp-0Ch],ecx
25aff461 5a pop edx
25aff462 663bfa cmp di,dx
25aff465 0f820e010000 jb ImageConversion!png_write_sig+0x19de0 (25aff579)
25aff46b 8d8e08010000 lea ecx,[esi+108h]
25aff471 894dc0 mov dword ptr [ebp-40h],ecx
```
PoC
attached
Attachments:
OOBR[0x4D98001]0x5F40D.tif
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/