CVE-2018-12864
Information
Out-of-bounds write caused by a corrupted TIF file being parsed in ImageConversion.api. The faulting instruction is the byte-copy loop inside the CRT memcpy (rep movs with the destination pointer in edi), reached from ImageConversion.api.
Crash Dump:
Stack
MSVCR120.dll!memcpy + 0x2A (id: 72d) [[f:\dd\vctools\crt\crtw32\string\i386\memcpy.asm @ 188]]
ImageConversion.api + 0x9C276 (id: 786, no function symbol available)
ImageConversion.api + 0x7D122 (no function symbol available)
ImageConversion.api + 0x5E830 (no function symbol available)
ImageConversion.api + 0x4F251 (no function symbol available)
ImageConversion.api + 0x2799E (no function symbol available)
ImageConversion.api + 0x18498 (no function symbol available)
Acrobat.dll + 0x7BB44B (no function symbol available)
Acrobat.dll + 0x7BD6C1 (no function symbol available)
Acrobat.dll + 0x7BD642 (no function symbol available)
Acrobat.dll + 0xB8A43 (no function symbol available)
Acrobat.dll + 0xB73FD (no function symbol available)
Acrobat.dll + 0xB6919 (no function symbol available)
Acrobat.dll + 0xB4BB2 (no function symbol available)
Acrobat.dll + 0xB340F (no function symbol available)
Acrobat.dll + 0xB2CFC (no function symbol available)
Acrobat.dll + 0x2EFFA (no function symbol available)
Acrobat.dll + 0x2B36E (no function symbol available)
Acrobat.dll!AcroWinMain + 0x18
Acrobat.exe + 0x76EC (no function symbol available)
Acrobat.exe + 0x8711 (no function symbol available)
KERNEL32.DLL!BaseThreadInitThunk + 0x24
ntdll.dll!__RtlUserThreadStart + 0x2F
ntdll.dll!_RtlUserThreadStart + 0x1B
Registers
eax=1b92ec10 ebx=00000000 ecx=00000008 edx=00000010 esi=1b92ec08 edi=29ef0000
eip=7375f26d esp=00c3d958 ebp=00c3d978 iopl=0 nv up ei pl nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207
fpcw=027F: rn 53 puozdi fpsw=4021: top=0 cc=1000 --p----i fptw=FFFF
fopcode=0000 fpip=0000:260466ef fpdp=0000:00000000
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 1.600000000000000000000e+0001
st6= 0.000000000000000000000e+0000 st7= 7.200000000000000000000e+0001
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=8000000000000000
mm6=0000000000000000 mm7=9000000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=137.179 9.06664e-008 -2.838e+037 1.1831e-030
xmm7=0 0 0 1.4013e-045
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
MSVCR120!memcpy+0x2a:
7375f26d f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
Disassembly around stack frame 1 at MSVCR120.dll!memcpy + 0x2A (the faulting instruction is marked "current instruction" below)
7375f19f 8b44240c mov eax,dword ptr [esp+0Ch]
7375f1a3 5e pop esi
7375f1a4 5f pop edi
7375f1a5 c3 ret
MSVCR120!memmove [f:\dd\vctools\crt\crtw32\string\i386\MEMCPY.ASM @ 137]:
7375f1a6 57 push edi
7375f1a7 56 push esi
7375f1a8 8b742410 mov esi,dword ptr [esp+10h]
7375f1ac 8b4c2414 mov ecx,dword ptr [esp+14h]
7375f1b0 8b7c240c mov edi,dword ptr [esp+0Ch]
7375f1b4 8bc1 mov eax,ecx
7375f1b6 8bd1 mov edx,ecx
7375f1b8 03c6 add eax,esi
7375f1ba 3bfe cmp edi,esi
7375f1bc 7608 jbe MSVCR120!memmove+0x20 (7375f1c6)
7375f1be 3bf8 cmp edi,eax
7375f1c0 0f8283290000 jb MSVCR120!TrailUpVec+0x50 (73761b49)
7375f1c6 0fba25b4f7827301 bt dword ptr [MSVCR120!__favor (7382f7b4)],1
7375f1ce 0f82f7fcffff jb MSVCR120!memmove+0x2a (7375eecb)
7375f1d4 81f980000000 cmp ecx,80h
7375f1da 0f839c230000 jae MSVCR120!memmove+0x3d (7376157c)
7375f1e0 f7c703000000 test edi,3
7375f1e6 0f85f0290000 jne MSVCR120!memmove+0x228 (73761bdc)
7375f1ec c1e902 shr ecx,2
7375f1ef 83e203 and edx,3
7375f1f2 83f908 cmp ecx,8
7375f1f5 7315 jae MSVCR120!memmove+0x21e (7375f20c)
7375f1f7 ff248db0f07573 jmp dword ptr MSVCR120!UnwindUpVec (7375f0b0)[ecx*4]
7375f1fe ff2495d0f07573 jmp dword ptr MSVCR120!TrailUpVec (7375f0d0)[edx*4]
7375f205 8b44240c mov eax,dword ptr [esp+0Ch]
7375f209 5e pop esi
7375f20a 5f pop edi
7375f20b c3 ret
7375f20c f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
7375f20e ff2495d0f07573 jmp dword ptr MSVCR120!TrailUpVec (7375f0d0)[edx*4]
7375f215 8b448efc mov eax,dword ptr [esi+ecx*4-4]
7375f219 89448ffc mov dword ptr [edi+ecx*4-4],eax
7375f21d 8d048d00000000 lea eax,[ecx*4]
7375f224 03f0 add esi,eax
7375f226 03f8 add edi,eax
7375f228 ebd4 jmp MSVCR120!UnwindUpVec+0x63 (7375f1fe)
7375f22a 8b448ef8 mov eax,dword ptr [esi+ecx*4-8]
7375f22e 89448ff8 mov dword ptr [edi+ecx*4-8],eax
7375f232 ebe1 jmp MSVCR120!UnwindUpVec+0x50 (7375f215)
7375f234 8b448ef4 mov eax,dword ptr [esi+ecx*4-0Ch]
7375f238 89448ff4 mov dword ptr [edi+ecx*4-0Ch],eax
7375f23c ebec jmp MSVCR120!UnwindUpVec+0x48 (7375f22a)
7375f23e 8b448ef0 mov eax,dword ptr [esi+ecx*4-10h]
7375f242 89448ff0 mov dword ptr [edi+ecx*4-10h],eax
7375f246 ebec jmp MSVCR120!UnwindUpVec+0x40 (7375f234)
7375f248 8b448eec mov eax,dword ptr [esi+ecx*4-14h]
7375f24c 89448fec mov dword ptr [edi+ecx*4-14h],eax
7375f250 ebec jmp MSVCR120!UnwindUpVec+0x38 (7375f23e)
7375f252 8b448ee8 mov eax,dword ptr [esi+ecx*4-18h]
7375f256 89448fe8 mov dword ptr [edi+ecx*4-18h],eax
7375f25a ebec jmp MSVCR120!UnwindUpVec+0x30 (7375f248)
7375f25c 8a06 mov al,byte ptr [esi]
7375f25e 8807 mov byte ptr [edi],al
7375f260 8a4601 mov al,byte ptr [esi+1]
7375f263 884701 mov byte ptr [edi+1],al
7375f266 8b44240c mov eax,dword ptr [esp+0Ch]
7375f26a 5e pop esi
7375f26b 5f pop edi
7375f26c c3 ret
MSVCR120!memcpy+0x2a [f:\dd\vctools\crt\crtw32\string\i386\memcpy.asm @ 188]:
7375f26d f3a4 rep movs byte ptr es:[edi],byte ptr [esi] // current instruction
7375f26f e9d7030000 jmp MSVCR120!TrailUpVec+0x10 (7375f64b)
7375f274 f7c703000000 test edi,3
7375f27a 0f85a8040000 jne MSVCR120!memcpy+0x228 (7375f728)
7375f280 f7c603000000 test esi,3
7375f286 0f85a6030000 jne MSVCR120!memcpy+0x213 (7375f632)
7375f28c 0fbae702 bt edi,2
7375f290 730d jae MSVCR120!memcpy+0x8f (7375f29f)
7375f292 8b06 mov eax,dword ptr [esi]
7375f294 83e904 sub ecx,4
7375f297 8d7604 lea esi,[esi+4]
7375f29a 8907 mov dword ptr [edi],eax
7375f29c 8d7f04 lea edi,[edi+4]
7375f29f 0fbae703 bt edi,3
7375f2a3 7311 jae MSVCR120!memcpy+0xa6 (7375f2b6)
7375f2a5 f30f7e0e movq xmm1,mmword ptr [esi]
7375f2a9 83e908 sub ecx,8
7375f2ac 8d7608 lea esi,[esi+8]
7375f2af 660fd60f movq mmword ptr [edi],xmm1
7375f2b3 8d7f08 lea edi,[edi+8]
7375f2b6 f7c607000000 test esi,7
7375f2bc 7463 je MSVCR120!memcpy+0x111 (7375f321)
7375f2be 0fbae603 bt esi,3
7375f2c2 0f83b1000000 jae MSVCR120!memcpy+0x16a (7375f379)
7375f2c8 660f6f4ef4 movdqa xmm1,xmmword ptr [esi-0Ch]
7375f2cd 8d76f4 lea esi,[esi-0Ch]
7375f2d0 660f6f5e10 movdqa xmm3,xmmword ptr [esi+10h]
7375f2d5 83e930 sub ecx,30h
7375f2d8 660f6f4620 movdqa xmm0,xmmword ptr [esi+20h]
7375f2dd 660f6f6e30 movdqa xmm5,xmmword ptr [esi+30h]
7375f2e2 8d7630 lea esi,[esi+30h]
7375f2e5 83f930 cmp ecx,30h
PoC
Attached (see Attachments below).
Attachments:
OOBW[0xFF010]@memcpy.tif
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/