CVE-2018-12863
Information
Out-of-bounds read when a corrupted EMF file is parsed by MPS.dll. The crash is at MPS.dll+0x5199 on `mov eax,dword ptr [eax]`: eax was loaded two instructions earlier from the function's first stack argument ([ebp+8]) and holds 3a4c0000, an address with no page mapped (the debugger shows `????????` for the target), so the read faults before the value is stored to [esi] and passed on.
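The following is an added example, not code from this advisory, from Adobe or from the Check Point researchers: a minimal EMF record walker in C showing the size checks a parser needs so that a corrupted record size cannot become an out-of-bounds read of this kind. The framing it relies on (each record begins with a 4-byte iType and a 4-byte nSize that includes the header and is a multiple of 4; the first record is EMR_HEADER = 1 and the last is EMR_EOF = 14) is the documented EMF record layout. The sample bytes are constructed here and simplified (a 16-byte header record instead of the full ENHMETAHEADER), and the advisory does not state which field of the real PoC file is corrupted, so the example illustrates the bug class rather than the exact root cause in MPS.dll.

```c
/* Added example for the bug class behind CVE-2018-12863; not Adobe's code and not the
 * advisory's PoC. Minimal EMF record walker with the size checks that keep a corrupted
 * nSize from turning into an out-of-bounds read. Sample bytes are constructed below. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EMR_HEADER 1u   /* first record of every EMF file */
#define EMR_EOF    14u  /* last record of every EMF file */

enum emf_status {
    EMF_OK = 0,
    EMF_ERR_TRUNCATED_HEADER,  /* fewer than 8 bytes left for iType/nSize */
    EMF_ERR_BAD_FIRST_RECORD,  /* file does not begin with EMR_HEADER */
    EMF_ERR_SIZE_TOO_SMALL,    /* nSize < 8: record cannot hold its own header */
    EMF_ERR_SIZE_MISALIGNED,   /* nSize not a multiple of 4 */
    EMF_ERR_SIZE_OVERRUNS,     /* record body would extend past the buffer */
    EMF_ERR_NO_EOF             /* buffer exhausted without an EMR_EOF record */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Hardened walk: every field read is preceded by a check that it lies inside [buf, buf+len).
 * On success stores the record count in *nrec. */
enum emf_status emf_walk(const uint8_t *buf, size_t len, size_t *nrec)
{
    size_t off = 0, count = 0;
    for (;;) {
        if (off == len) return EMF_ERR_NO_EOF;
        if (len - off < 8) return EMF_ERR_TRUNCATED_HEADER;      /* off <= len holds here */
        uint32_t type = rd32(buf + off);
        uint32_t size = rd32(buf + off + 4);
        if (count == 0 && type != EMR_HEADER) return EMF_ERR_BAD_FIRST_RECORD;
        if (size < 8) return EMF_ERR_SIZE_TOO_SMALL;             /* also prevents a zero-advance loop */
        if (size % 4 != 0) return EMF_ERR_SIZE_MISALIGNED;
        if (size > len - off) return EMF_ERR_SIZE_OVERRUNS;      /* the check an OOB read is missing */
        count++;
        if (type == EMR_EOF) { *nrec = count; return EMF_OK; }
        off += size;                                             /* stays <= len by the check above */
    }
}

/* What a walker that trusts nSize computes as the next header offset: no check at all. */
static size_t emf_unchecked_next(const uint8_t *buf, size_t off)
{
    return off + rd32(buf + off + 4);
}

/* Constructed sample: a simplified 16-byte EMR_HEADER record (the real ENHMETAHEADER is
 * 88+ bytes) followed by a 20-byte EMR_EOF record. header_size is written into the
 * header's nSize field so callers can corrupt it. Returns the buffer length (36). */
#define SAMPLE_LEN 36
static size_t build_sample(uint8_t out[SAMPLE_LEN], uint32_t header_size)
{
    memset(out, 0, SAMPLE_LEN);
    wr32(out + 0, EMR_HEADER); wr32(out + 4, header_size);
    wr32(out + 16, EMR_EOF);   wr32(out + 20, 20);
    return SAMPLE_LEN;
}

/* Runs the hardened walker over the sample with the given header nSize. */
enum emf_status check_sample(uint32_t header_size, size_t *nrec)
{
    uint8_t buf[SAMPLE_LEN];
    size_t len = build_sample(buf, header_size);
    return emf_walk(buf, len, nrec);
}

/* Offset from which an unchecked walker would read the second record header. */
size_t unchecked_next_for_sample(uint32_t header_size)
{
    uint8_t buf[SAMPLE_LEN];
    build_sample(buf, header_size);
    return emf_unchecked_next(buf, 0);
}

int main(void)
{
    static const uint32_t cases[] = { 16, 0x1000, 4, 18 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t n = 0;
        enum emf_status st = check_sample(cases[i], &n);
        printf("nSize=%#x -> status %d, records %zu, unchecked next offset %zu of %d\n",
               (unsigned)cases[i], (int)st, n, unchecked_next_for_sample(cases[i]), SAMPLE_LEN);
    }
    return 0;
}
```

With the header nSize corrupted to 0x1000, the unchecked walker's next header read lands at offset 4096 of a 36-byte buffer, which is the same shape as the crash above: a pointer derived from file data that ends up at 3a4c0000, where nothing is mapped. The hardened walker rejects that record with EMF_ERR_SIZE_OVERRUNS before any read happens, and the nSize < 8 and alignment checks close the two other common ways a size field is abused (a zero-length record that never advances, and a misaligned size that shifts every later field).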
Crash Dump:
Stack
MPS.dll + 0x5199 (id: 57a, no function symbol available)
MPS.dll + 0x18792 (id: da7, no function symbol available)
MPS.dll + 0x1779A (no function symbol available)
MPS.dll + 0x178D0 (no function symbol available)
MPS.dll + 0x168D4 (no function symbol available)
MPS.dll + 0x14EBC (no function symbol available)
MPS.dll + 0x855CD (no function symbol available)
MPS.dll + 0xB4A31 (no function symbol available)
MPS.dll + 0xB45C6 (no function symbol available)
MPS.dll + 0xBAFE1 (no function symbol available)
MPS.dll + 0x7091A (no function symbol available)
MPS.dll + 0x5F03E (no function symbol available)
MPS.dll + 0x5D8BC (no function symbol available)
ImageConversion.api + 0xA1F0 (no function symbol available)
ImageConversion.api + 0x18BD7 (no function symbol available)
ImageConversion.api + 0x1B61F (no function symbol available)
ImageConversion.api + 0xB58B (no function symbol available)
Acrobat.dll + 0x820A38 (no function symbol available)
Acrobat.dll + 0x7BB44B (no function symbol available)
Acrobat.dll + 0x7BD6C1 (no function symbol available)
Acrobat.dll + 0x7BD642 (no function symbol available)
Acrobat.dll + 0xB8A43 (no function symbol available)
Acrobat.dll + 0xB73FD (no function symbol available)
Acrobat.dll + 0xB6919 (no function symbol available)
Acrobat.dll + 0xB4BB2 (no function symbol available)
Acrobat.dll + 0xB340F (no function symbol available)
Acrobat.dll + 0xB2CFC (no function symbol available)
Acrobat.dll + 0x2EFFA (no function symbol available)
Acrobat.dll + 0x2B36E (no function symbol available)
Acrobat.dll!AcroWinMain + 0x18
Acrobat.exe + 0x76EC (no function symbol available)
Acrobat.exe + 0x8711 (no function symbol available)
KERNEL32.DLL!BaseThreadInitThunk + 0x24
ntdll.dll!__RtlUserThreadStart + 0x2F
ntdll.dll!_RtlUserThreadStart + 0x1B
Registers
eax=3a4c0000 ebx=0000001d ecx=0136d090 edx=1f2cae84 esi=0136d090 edi=1f2ce854
eip=29fa5199 esp=0136d058 ebp=0136d05c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
fpcw=027F: rn 53 puozdi fpsw=4020: top=0 cc=1000 --p----- fptw=FFFF
fopcode=0000 fpip=0000:2a0547f4 fpdp=0000:00000000
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 1.600000000000000000000e+0001
st6= 0.000000000000000000000e+0000 st7= 3.600000000000000000000e+0001
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=8000000000000000
mm6=0000000000000000 mm7=9000000000000000
xmm0=0 0 0 2.00624e-022
xmm1=1 0 0 1
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 8
xmm7=0 0 0 8
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
MPS+0x5199:
29fa5199 8b00 mov eax,dword ptr [eax] ds:002b:3a4c0000=????????
Disassembly of stack frame 1 at MPS.dll + 0x5199
29fa50fc 5e pop esi
29fa50fd c70000000000 mov dword ptr [eax],0
29fa5103 b80e000000 mov eax,0Eh
29fa5108 ff0db034372a dec dword ptr [MPS!MPSOptions+0x25ccf0 (2a3734b0)]
29fa510e 8be5 mov esp,ebp
29fa5110 5d pop ebp
29fa5111 c20c00 ret 0Ch
29fa5114 cc int 3
29fa5115 cc int 3
29fa5116 cc int 3
29fa5117 cc int 3
29fa5118 cc int 3
29fa5119 cc int 3
29fa511a cc int 3
29fa511b cc int 3
29fa511c cc int 3
29fa511d cc int 3
29fa511e cc int 3
29fa511f cc int 3
29fa5120 55 push ebp
29fa5121 8bec mov ebp,esp
29fa5123 83ec08 sub esp,8
29fa5126 8b450c mov eax,dword ptr [ebp+0Ch]
29fa5129 8945fc mov dword ptr [ebp-4],eax
29fa512c a1b034372a mov eax,dword ptr [MPS!MPSOptions+0x25ccf0 (2a3734b0)]
29fa5131 8bc8 mov ecx,eax
29fa5133 c1e106 shl ecx,6
29fa5136 40 inc eax
29fa5137 81c1b834372a add ecx,offset MPS!MPSOptions+0x25ccf8 (2a3734b8)
29fa513d c745f800000000 mov dword ptr [ebp-8],0
29fa5144 6a00 push 0
29fa5146 51 push ecx
29fa5147 a3b034372a mov dword ptr [MPS!MPSOptions+0x25ccf0 (2a3734b0)],eax
29fa514c e8ef0c0300 call MPS!MPSToAGMColorSpace+0x11f40 (29fd5e40)
29fa5151 83c408 add esp,8
29fa5154 85c0 test eax,eax
29fa5156 7525 jne MPS+0x517d (29fa517d)
29fa5158 8b4508 mov eax,dword ptr [ebp+8]
29fa515b 8d4dfc lea ecx,[ebp-4]
29fa515e 51 push ecx
29fa515f 83c018 add eax,18h
29fa5162 6a00 push 0
29fa5164 6a02 push 2
29fa5166 50 push eax
29fa5167 8b00 mov eax,dword ptr [eax]
29fa5169 ffd0 call eax
29fa516b 8b45f8 mov eax,dword ptr [ebp-8]
29fa516e 83c410 add esp,10h
29fa5171 ff0db034372a dec dword ptr [MPS!MPSOptions+0x25ccf0 (2a3734b0)]
29fa5177 8be5 mov esp,ebp
29fa5179 5d pop ebp
29fa517a c20800 ret 8
29fa517d b80e000000 mov eax,0Eh
29fa5182 ff0db034372a dec dword ptr [MPS!MPSOptions+0x25ccf0 (2a3734b0)]
29fa5188 8be5 mov esp,ebp
29fa518a 5d pop ebp
29fa518b c20800 ret 8
29fa518e cc int 3
29fa518f cc int 3
29fa5190 55 push ebp
29fa5191 8bec mov ebp,esp
29fa5193 8b4508 mov eax,dword ptr [ebp+8]
29fa5196 56 push esi
29fa5197 8bf1 mov esi,ecx
MPS+0x5199:
29fa5199 8b00 mov eax,dword ptr [eax] // current instruction
29fa519b 50 push eax
29fa519c 8906 mov dword ptr [esi],eax
29fa519e ff15d42e372a call dword ptr [MPS!MPSOptions+0x25c714 (2a372ed4)]
29fa51a4 83c404 add esp,4
29fa51a7 85c0 test eax,eax
29fa51a9 8bc6 mov eax,esi
29fa51ab 7506 jne MPS+0x51b3 (29fa51b3)
29fa51ad c70600000000 mov dword ptr [esi],0
29fa51b3 5e pop esi
29fa51b4 5d pop ebp
29fa51b5 c20400 ret 4
29fa51b8 cc int 3
29fa51b9 cc int 3
29fa51ba cc int 3
29fa51bb cc int 3
29fa51bc cc int 3
29fa51bd cc int 3
29fa51be cc int 3
29fa51bf cc int 3
29fa51c0 55 push ebp
29fa51c1 8bec mov ebp,esp
29fa51c3 8b4508 mov eax,dword ptr [ebp+8]
29fa51c6 56 push esi
29fa51c7 8bf1 mov esi,ecx
29fa51c9 50 push eax
29fa51ca 8906 mov dword ptr [esi],eax
29fa51cc ff15d42e372a call dword ptr [MPS!MPSOptions+0x25c714 (2a372ed4)]
29fa51d2 83c404 add esp,4
29fa51d5 85c0 test eax,eax
29fa51d7 8bc6 mov eax,esi
29fa51d9 7506 jne MPS+0x51e1 (29fa51e1)
PoC
attached
Attachments:
AVR@Unallocated@0x5199.emf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/