CVE-2018-12860
Information
Out-of-bounds write caused by a corrupted EMF file being parsed in MPS.dll.
Crash Dump:
Stack
MPS.dll + 0x9D831 (id: 4b1, no function symbol available)
MPS.dll + 0x9B5CB (id: 4b7, no function symbol available)
MPS.dll + 0x6CE77 (no function symbol available)
MPS.dll + 0xA418D (no function symbol available)
MPS.dll + 0x6E9A5 (no function symbol available)
MPS.dll + 0x5E89F (no function symbol available)
MPS.dll + 0x5D8BC (no function symbol available)
ImageConversion.api + 0xA1F0 (no function symbol available)
ImageConversion.api + 0x18BD7 (no function symbol available)
ImageConversion.api + 0x1B61F (no function symbol available)
ImageConversion.api + 0xB58B (no function symbol available)
Acrobat.dll + 0x820A38 (no function symbol available)
Acrobat.dll + 0x7BB44B (no function symbol available)
Acrobat.dll + 0x7BD6C1 (no function symbol available)
Acrobat.dll + 0x7BD642 (no function symbol available)
Acrobat.dll + 0xB8A43 (no function symbol available)
Acrobat.dll + 0xB73FD (no function symbol available)
Acrobat.dll + 0xB6919 (no function symbol available)
Acrobat.dll + 0xB4BB2 (no function symbol available)
Acrobat.dll + 0xB340F (no function symbol available)
Acrobat.dll + 0xB2CFC (no function symbol available)
Acrobat.dll + 0x2EFFA (no function symbol available)
Acrobat.dll + 0x2B36E (no function symbol available)
Acrobat.dll!AcroWinMain + 0x18
Acrobat.exe + 0x76EC (no function symbol available)
Acrobat.exe + 0x8711 (no function symbol available)
KERNEL32.DLL!BaseThreadInitThunk + 0x24
ntdll.dll!__RtlUserThreadStart + 0x2F
ntdll.dll!_RtlUserThreadStart + 0x1B
Registers
eax=00000010 ebx=00cfcd34 ecx=21167000 edx=00000000 esi=00000009 edi=00cfcd0c
eip=29add831 esp=00cfc890 ebp=00cfc8b8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
fpcw=027F: rn 53 puozdi fpsw=4000: top=0 cc=1000 -------- fptw=FFFF
fopcode=0000 fpip=0000:51ea5769 fpdp=0000:00000000
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 1.600000000000000000000e+0001
st6= 0.000000000000000000000e+0000 st7= 1.462100000000000000000e+0004
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=8000000000000000
mm6=0000000000000000 mm7=e474000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 0
xmm7=0 0 -0 0
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
MPS!MPSRecognizeWMF+0x450e1:
29add831 8811 mov byte ptr [ecx],dl ds:002b:21167000=??
Disassembly of stack frame 1 at MPS.dll + 0x9D831
29add75d 8d45ff lea eax,[ebp-1]
29add760 50 push eax
29add761 e84ac2fcff call MPS!MPSRecognizeWMF+0x11260 (29aa99b0)
29add766 8bc8 mov ecx,eax
29add768 e843c2fcff call MPS!MPSRecognizeWMF+0x11260 (29aa99b0)
29add76d 8b45f8 mov eax,dword ptr [ebp-8]
29add770 33db xor ebx,ebx
29add772 8907 mov dword ptr [edi],eax
29add774 385dfe cmp byte ptr [ebp-2],bl
29add777 7632 jbe MPS!MPSRecognizeWMF+0x4505b (29add7ab)
29add779 8da42400000000 lea esp,[esp]
29add780 8b45f4 mov eax,dword ptr [ebp-0Ch]
29add783 8b5518 mov edx,dword ptr [ebp+18h]
29add786 ff37 push dword ptr [edi]
29add788 8b8094540900 mov eax,dword ptr [eax+95494h]
29add78e ffb2ec000000 push dword ptr [edx+0ECh]
29add794 50 push eax
29add795 8b08 mov ecx,dword ptr [eax]
29add797 ff5154 call dword ptr [ecx+54h]
29add79a 85c0 test eax,eax
29add79c 0f85f3000000 jne MPS!MPSRecognizeWMF+0x45145 (29add895)
29add7a2 0fb645fe movzx eax,byte ptr [ebp-2]
29add7a6 43 inc ebx
29add7a7 3bd8 cmp ebx,eax
29add7a9 7cd5 jl MPS!MPSRecognizeWMF+0x45030 (29add780)
29add7ab 0fb645ff movzx eax,byte ptr [ebp-1]
29add7af 03f0 add esi,eax
29add7b1 8d0476 lea eax,[esi+esi*2]
29add7b4 0107 add dword ptr [edi],eax
29add7b6 e9cefeffff jmp MPS!MPSRecognizeWMF+0x44f39 (29add689)
29add7bb 8b45f4 mov eax,dword ptr [ebp-0Ch]
29add7be be01000000 mov esi,1
29add7c3 8b55f8 mov edx,dword ptr [ebp-8]
29add7c6 8917 mov dword ptr [edi],edx
29add7c8 52 push edx
29add7c9 8b8094540900 mov eax,dword ptr [eax+95494h]
29add7cf ffb3ec000000 push dword ptr [ebx+0ECh]
29add7d5 50 push eax
29add7d6 8b08 mov ecx,dword ptr [eax]
29add7d8 ff5154 call dword ptr [ecx+54h]
29add7db 85c0 test eax,eax
29add7dd 0f84adfeffff je MPS!MPSRecognizeWMF+0x44f40 (29add690)
29add7e3 e99c000000 jmp MPS!MPSRecognizeWMF+0x45134 (29add884)
29add7e8 33c9 xor ecx,ecx
29add7ea 894df0 mov dword ptr [ebp-10h],ecx
29add7ed 84d2 test dl,dl
29add7ef 0f849bfeffff je MPS!MPSRecognizeWMF+0x44f40 (29add690)
29add7f5 eb09 jmp MPS!MPSRecognizeWMF+0x450b0 (29add800)
29add7f7 8da42400000000 lea esp,[esp]
29add7fe 8bff mov edi,edi
29add800 8b83f0000000 mov eax,dword ptr [ebx+0F0h]
29add806 0faf83f4000000 imul eax,dword ptr [ebx+0F4h]
29add80d 3bf0 cmp esi,eax
29add80f 0f877bfeffff ja MPS!MPSRecognizeWMF+0x44f40 (29add690)
29add815 8b7d0c mov edi,dword ptr [ebp+0Ch]
29add818 0fb645fe movzx eax,byte ptr [ebp-2]
29add81c 8b0487 mov eax,dword ptr [edi+eax*4]
29add81f 8b7d08 mov edi,dword ptr [ebp+8]
29add822 3b7704 cmp esi,dword ptr [edi+4]
29add825 8b7d14 mov edi,dword ptr [ebp+14h]
29add828 7f21 jg MPS!MPSRecognizeWMF+0x450fb (29add84b)
29add82a 8b0f mov ecx,dword ptr [edi]
29add82c 8bd0 mov edx,eax
29add82e c1ea10 shr edx,10h
MPS!MPSRecognizeWMF+0x450e1:
29add831 8811 mov byte ptr [ecx],dl // current instruction
29add833 8bd0 mov edx,eax
29add835 8b0f mov ecx,dword ptr [edi]
29add837 c1ea08 shr edx,8
29add83a 885101 mov byte ptr [ecx+1],dl
29add83d 8b0f mov ecx,dword ptr [edi]
29add83f 884102 mov byte ptr [ecx+2],al
29add842 830703 add dword ptr [edi],3
29add845 8a55ff mov dl,byte ptr [ebp-1]
29add848 8b4df0 mov ecx,dword ptr [ebp-10h]
29add84b 41 inc ecx
29add84c 0fb6c2 movzx eax,dl
29add84f 46 inc esi
29add850 894df0 mov dword ptr [ebp-10h],ecx
29add853 3bc8 cmp ecx,eax
29add855 7ca9 jl MPS!MPSRecognizeWMF+0x450b0 (29add800)
29add857 e934feffff jmp MPS!MPSRecognizeWMF+0x44f40 (29add690)
29add85c 8b45f4 mov eax,dword ptr [ebp-0Ch]
29add85f 8b55f8 mov edx,dword ptr [ebp-8]
29add862 8917 mov dword ptr [edi],edx
29add864 52 push edx
29add865 8b8094540900 mov eax,dword ptr [eax+95494h]
29add86b ffb3ec000000 push dword ptr [ebx+0ECh]
29add871 50 push eax
29add872 8b08 mov ecx,dword ptr [eax]
29add874 ff5154 call dword ptr [ecx+54h]
29add877 5f pop edi
29add878 5e pop esi
29add879 5b pop ebx
29add87a 85c0 test eax,eax
29add87c 7528 jne MPS!MPSRecognizeWMF+0x45156 (29add8a6)
29add87e 8be5 mov esp,ebp
PoC
attached
Attachments:
OOBW[0x18]@0x9D831.emf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/