CVE-2018-12862
Information
Out-of-bounds write due to a corrupted EMF file being parsed in MPS.dll. In the faulting frame, the store at MPS.dll + 0xB2D4D uses an index derived from the 16-bit counter at [esi+66D4h] scaled by 0x84; within the disassembly shown, that counter is incremented but no comparison against an upper limit is visible, which is consistent with the out-of-bounds write reported.
Crash Dump:
Stack
MPS.dll + 0xB2D4D (id: 7a9, no function symbol available)
MPS.dll + 0xBB1A3 (id: fd7, no function symbol available)
MPS.dll + 0x7091A (no function symbol available)
MPS.dll + 0x5F03E (no function symbol available)
MPS.dll + 0x5D8BC (no function symbol available)
ImageConversion.api + 0xA1F0 (no function symbol available)
ImageConversion.api + 0x18BD7 (no function symbol available)
ImageConversion.api + 0x1B61F (no function symbol available)
ImageConversion.api + 0xB58B (no function symbol available)
Acrobat.dll + 0x820A38 (no function symbol available)
Acrobat.dll + 0x7BB44B (no function symbol available)
Acrobat.dll + 0x7BD6C1 (no function symbol available)
Acrobat.dll + 0x7BD642 (no function symbol available)
Acrobat.dll + 0xB8A43 (no function symbol available)
Acrobat.dll + 0xB73FD (no function symbol available)
Acrobat.dll + 0xB6919 (no function symbol available)
Acrobat.dll + 0xB4BB2 (no function symbol available)
Acrobat.dll + 0xB340F (no function symbol available)
Acrobat.dll + 0xB2CFC (no function symbol available)
Acrobat.dll + 0x2EFFA (no function symbol available)
Acrobat.dll + 0x2B36E (no function symbol available)
Acrobat.dll!AcroWinMain + 0x18
Acrobat.exe + 0x76EC (no function symbol available)
Acrobat.exe + 0x8711 (no function symbol available)
KERNEL32.DLL!BaseThreadInitThunk + 0x24
ntdll.dll!__RtlUserThreadStart + 0x2F
ntdll.dll!_RtlUserThreadStart + 0x1B
Registers
eax=00000020 ebx=00ccdbc0 ecx=1eb0eddc edx=00003f6c esi=1eb0eddc edi=00000000
eip=29de2d4d esp=00ccdb78 ebp=00ccdb84 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
fpcw=027F: rn 53 puozdi fpsw=4020: top=0 cc=1000 --p----- fptw=FFFF
fopcode=0000 fpip=0000:601a0a68 fpdp=0000:00000000
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 1.600000000000000000000e+0001
st6= 0.000000000000000000000e+0000 st7=-4.002380371093750000000e-0001
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=8000000000000000
mm6=0000000000000000 mm7=ccec000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 -0 0
xmm7=0 0 1.75 0
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
MPS!MPSRecognizeWMF+0x5a5fd:
29de2d4d 898432c4320000 mov dword ptr [edx+esi+32C4h],eax ds:002b:1eb1600c=????????
Disassembly of stack frame 1 at MPS.dll + 0xB2D4D
29de2c9b e89013fdff call MPS!MPSRecognizeWMF+0x2b8e0 (29db4030)
29de2ca0 8b07 mov eax,dword ptr [edi]
29de2ca2 53 push ebx
29de2ca3 50 push eax
29de2ca4 8b10 mov edx,dword ptr [eax]
29de2ca6 ff5214 call dword ptr [edx+14h]
29de2ca9 ff36 push dword ptr [esi]
29de2cab 8bcf mov ecx,edi
29de2cad e8ce070000 call MPS!MPSRecognizeWMF+0x5ad30 (29de3480)
29de2cb2 8d4d4c lea ecx,[ebp+4Ch]
29de2cb5 c745fcffffffff mov dword ptr [ebp-4],0FFFFFFFFh
29de2cbc e81f9d0a00 call MPS!MPSCT5NewServer+0x9580 (29e8c9e0)
29de2cc1 8b4df4 mov ecx,dword ptr [ebp-0Ch]
29de2cc4 64890d00000000 mov dword ptr fs:[0],ecx
29de2ccb 59 pop ecx
29de2ccc 5f pop edi
29de2ccd 5e pop esi
29de2cce 5b pop ebx
29de2ccf 8b4df0 mov ecx,dword ptr [ebp-10h]
29de2cd2 33cd xor ecx,ebp
29de2cd4 e86128f8ff call MPS!MPSToAGMColorSpace+0x1163a (29d6553a)
29de2cd9 8be5 mov esp,ebp
29de2cdb 5d pop ebp
29de2cdc c25c00 ret 5Ch
29de2cdf cc int 3
29de2ce0 55 push ebp
29de2ce1 8bec mov ebp,esp
29de2ce3 b801000000 mov eax,1
29de2ce8 c681c032000001 mov byte ptr [ecx+32C0h],1
29de2cef 6689816c320000 mov word ptr [ecx+326Ch],ax
29de2cf6 8b4510 mov eax,dword ptr [ebp+10h]
29de2cf9 8981b4320000 mov dword ptr [ecx+32B4h],eax
29de2cff 8b4514 mov eax,dword ptr [ebp+14h]
29de2d02 668981b8320000 mov word ptr [ecx+32B8h],ax
29de2d09 c78184320000ffffffff mov dword ptr [ecx+3284h],0FFFFFFFFh
29de2d13 c78188320000ffffffff mov dword ptr [ecx+3288h],0FFFFFFFFh
29de2d1d 5d pop ebp
29de2d1e c21000 ret 10h
29de2d21 cc int 3
29de2d22 cc int 3
29de2d23 cc int 3
29de2d24 cc int 3
29de2d25 cc int 3
29de2d26 cc int 3
29de2d27 cc int 3
29de2d28 cc int 3
29de2d29 cc int 3
29de2d2a cc int 3
29de2d2b cc int 3
29de2d2c cc int 3
29de2d2d cc int 3
29de2d2e cc int 3
29de2d2f cc int 3
29de2d30 55 push ebp
29de2d31 8bec mov ebp,esp
29de2d33 53 push ebx
29de2d34 8b5d0c mov ebx,dword ptr [ebp+0Ch]
29de2d37 56 push esi
29de2d38 8bf1 mov esi,ecx
29de2d3a 57 push edi
29de2d3b 33ff xor edi,edi
29de2d3d 0fb786d4660000 movzx eax,word ptr [esi+66D4h]
29de2d44 69d084000000 imul edx,eax,84h
29de2d4a 8b4508 mov eax,dword ptr [ebp+8]
MPS!MPSRecognizeWMF+0x5a5fd:
29de2d4d 898432c4320000 mov dword ptr [edx+esi+32C4h],eax // current instruction
29de2d54 8a0b mov cl,byte ptr [ebx]
29de2d56 84c9 test cl,cl
29de2d58 7427 je MPS!MPSRecognizeWMF+0x5a631 (29de2d81)
29de2d5a 33d2 xor edx,edx
29de2d5c 8d642400 lea esp,[esp]
29de2d60 0fb786d4660000 movzx eax,word ptr [esi+66D4h]
29de2d67 47 inc edi
29de2d68 69c084000000 imul eax,eax,84h
29de2d6e 03c2 add eax,edx
29de2d70 0fbfd7 movsx edx,di
29de2d73 888c30c8320000 mov byte ptr [eax+esi+32C8h],cl
29de2d7a 8a0c1a mov cl,byte ptr [edx+ebx]
29de2d7d 84c9 test cl,cl
29de2d7f 75df jne MPS!MPSRecognizeWMF+0x5a610 (29de2d60)
29de2d81 0fb786d4660000 movzx eax,word ptr [esi+66D4h]
29de2d88 69c884000000 imul ecx,eax,84h
29de2d8e 0fbfc7 movsx eax,di
29de2d91 5f pop edi
29de2d92 03ce add ecx,esi
29de2d94 c68408c832000000 mov byte ptr [eax+ecx+32C8h],0
29de2d9c 66ff86d4660000 inc word ptr [esi+66D4h]
29de2da3 5e pop esi
29de2da4 5b pop ebx
29de2da5 5d pop ebp
29de2da6 c20800 ret 8
29de2da9 cc int 3
29de2daa cc int 3
29de2dab cc int 3
29de2dac cc int 3
29de2dad cc int 3
29de2dae cc int 3
PoC
attached
Attachments:
OOBW[0x7B2C]@0xB2D4D.emf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/