CVE-2018-12865
Information
Out-of-bounds write due to a corrupted EMF being parsed in MPS.dll.
Crash Dump:
Stack
MPS.dll + 0x9D716 (id: 282, no function symbol available)
MPS.dll + 0x9B5CB (id: 4b7, no function symbol available)
MPS.dll + 0x6CE77 (no function symbol available)
MPS.dll + 0xA418D (no function symbol available)
MPS.dll + 0x6E9A5 (no function symbol available)
MPS.dll + 0x5E89F (no function symbol available)
MPS.dll + 0x5D8BC (no function symbol available)
ImageConversion.api + 0xA1F0 (no function symbol available)
ImageConversion.api + 0x18BD7 (no function symbol available)
ImageConversion.api + 0x1B61F (no function symbol available)
ImageConversion.api + 0xB58B (no function symbol available)
Acrobat.dll + 0x820A38 (no function symbol available)
Acrobat.dll + 0x7BB44B (no function symbol available)
Acrobat.dll + 0x7BD6C1 (no function symbol available)
Acrobat.dll + 0x7BD642 (no function symbol available)
Acrobat.dll + 0xB8A43 (no function symbol available)
Acrobat.dll + 0xB73FD (no function symbol available)
Acrobat.dll + 0xB6919 (no function symbol available)
Acrobat.dll + 0xB4BB2 (no function symbol available)
Acrobat.dll + 0xB340F (no function symbol available)
Acrobat.dll + 0xB2CFC (no function symbol available)
Acrobat.dll + 0x2EFFA (no function symbol available)
Acrobat.dll + 0x2B36E (no function symbol available)
Acrobat.dll!AcroWinMain + 0x18
Acrobat.exe + 0x76EC (no function symbol available)
Acrobat.exe + 0x8711 (no function symbol available)
KERNEL32.DLL!BaseThreadInitThunk + 0x24
ntdll.dll!__RtlUserThreadStart + 0x2F
ntdll.dll!_RtlUserThreadStart + 0x1B
Registers
eax=2b381760 ebx=004fcd90 ecx=19793000 edx=00002b38 esi=00000009 edi=004fcd68
eip=2a20d716 esp=004fc8ec ebp=004fc914 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
fpcw=027F: rn 53 puozdi fpsw=4000: top=0 cc=1000 -------- fptw=FFFF
fopcode=0000 fpip=0000:51ea5769 fpdp=0000:00000000
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 1.600000000000000000000e+0001
st6= 0.000000000000000000000e+0000 st7= 1.418500000000000000000e+0004
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=8000000000000000
mm6=0000000000000000 mm7=dda4000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 0
xmm7=0 0 -0 0
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
MPS!MPSRecognizeWMF+0x44fc6:
2a20d716 8811 mov byte ptr [ecx],dl ds:002b:19793000=??
Disassembly of stack frame 1 at MPS.dll + 0x9D716
2a20d662 06 push es
2a20d663 05cccccccc add eax,0CCCCCCCCh
2a20d668 cc int 3
2a20d669 cc int 3
2a20d66a cc int 3
2a20d66b cc int 3
2a20d66c cc int 3
2a20d66d cc int 3
2a20d66e cc int 3
2a20d66f cc int 3
2a20d670 55 push ebp
2a20d671 8bec mov ebp,esp
2a20d673 83ec1c sub esp,1Ch
2a20d676 53 push ebx
2a20d677 56 push esi
2a20d678 57 push edi
2a20d679 8b7d14 mov edi,dword ptr [ebp+14h]
2a20d67c be01000000 mov esi,1
2a20d681 894df4 mov dword ptr [ebp-0Ch],ecx
2a20d684 8b07 mov eax,dword ptr [edi]
2a20d686 8945f8 mov dword ptr [ebp-8],eax
2a20d689 8b5d18 mov ebx,dword ptr [ebp+18h]
2a20d68c 8d642400 lea esp,[esp]
2a20d690 8b4d10 mov ecx,dword ptr [ebp+10h]
2a20d693 8d45fe lea eax,[ebp-2]
2a20d696 50 push eax
2a20d697 8d45ff lea eax,[ebp-1]
2a20d69a 50 push eax
2a20d69b e810c3fcff call MPS!MPSRecognizeWMF+0x11260 (2a1d99b0)
2a20d6a0 8bc8 mov ecx,eax
2a20d6a2 e809c3fcff call MPS!MPSRecognizeWMF+0x11260 (2a1d99b0)
2a20d6a7 8a55ff mov dl,byte ptr [ebp-1]
2a20d6aa 84d2 test dl,dl
2a20d6ac 0f8536010000 jne MPS!MPSRecognizeWMF+0x45098 (2a20d7e8)
2a20d6b2 8a55fe mov dl,byte ptr [ebp-2]
2a20d6b5 0fb6ca movzx ecx,dl
2a20d6b8 8bc1 mov eax,ecx
2a20d6ba 83e800 sub eax,0
2a20d6bd 0f84f8000000 je MPS!MPSRecognizeWMF+0x4506b (2a20d7bb)
2a20d6c3 48 dec eax
2a20d6c4 0f8492010000 je MPS!MPSRecognizeWMF+0x4510c (2a20d85c)
2a20d6ca 48 dec eax
2a20d6cb 0f8485000000 je MPS!MPSRecognizeWMF+0x45006 (2a20d756)
2a20d6d1 c745f000000000 mov dword ptr [ebp-10h],0
2a20d6d8 85c9 test ecx,ecx
2a20d6da 7e60 jle MPS!MPSRecognizeWMF+0x44fec (2a20d73c)
2a20d6dc 8d642400 lea esp,[esp]
2a20d6e0 8b83f0000000 mov eax,dword ptr [ebx+0F0h]
2a20d6e6 0faf83f4000000 imul eax,dword ptr [ebx+0F4h]
2a20d6ed 3bf0 cmp esi,eax
2a20d6ef 774b ja MPS!MPSRecognizeWMF+0x44fec (2a20d73c)
2a20d6f1 8b4d10 mov ecx,dword ptr [ebp+10h]
2a20d6f4 8d45ff lea eax,[ebp-1]
2a20d6f7 50 push eax
2a20d6f8 e8b3c2fcff call MPS!MPSRecognizeWMF+0x11260 (2a1d99b0)
2a20d6fd 8b4d0c mov ecx,dword ptr [ebp+0Ch]
2a20d700 0fb645ff movzx eax,byte ptr [ebp-1]
2a20d704 8b0481 mov eax,dword ptr [ecx+eax*4]
2a20d707 8b4d08 mov ecx,dword ptr [ebp+8]
2a20d70a 3b7104 cmp esi,dword ptr [ecx+4]
2a20d70d 7f1b jg MPS!MPSRecognizeWMF+0x44fda (2a20d72a)
2a20d70f 8b0f mov ecx,dword ptr [edi]
2a20d711 8bd0 mov edx,eax
2a20d713 c1ea10 shr edx,10h
MPS!MPSRecognizeWMF+0x44fc6:
2a20d716 8811 mov byte ptr [ecx],dl // current instruction
2a20d718 8bd0 mov edx,eax
2a20d71a 8b0f mov ecx,dword ptr [edi]
2a20d71c c1ea08 shr edx,8
2a20d71f 885101 mov byte ptr [ecx+1],dl
2a20d722 8b0f mov ecx,dword ptr [edi]
2a20d724 884102 mov byte ptr [ecx+2],al
2a20d727 830703 add dword ptr [edi],3
2a20d72a 8b4df0 mov ecx,dword ptr [ebp-10h]
2a20d72d 46 inc esi
2a20d72e 8a55fe mov dl,byte ptr [ebp-2]
2a20d731 41 inc ecx
2a20d732 0fb6c2 movzx eax,dl
2a20d735 894df0 mov dword ptr [ebp-10h],ecx
2a20d738 3bc8 cmp ecx,eax
2a20d73a 7ca4 jl MPS!MPSRecognizeWMF+0x44f90 (2a20d6e0)
2a20d73c f6c201 test dl,1
2a20d73f 0f844bffffff je MPS!MPSRecognizeWMF+0x44f40 (2a20d690)
2a20d745 8b4d10 mov ecx,dword ptr [ebp+10h]
2a20d748 8d45ff lea eax,[ebp-1]
2a20d74b 50 push eax
2a20d74c e85fc2fcff call MPS!MPSRecognizeWMF+0x11260 (2a1d99b0)
2a20d751 e93affffff jmp MPS!MPSRecognizeWMF+0x44f40 (2a20d690)
2a20d756 8b4d10 mov ecx,dword ptr [ebp+10h]
2a20d759 8d45fe lea eax,[ebp-2]
2a20d75c 50 push eax
2a20d75d 8d45ff lea eax,[ebp-1]
2a20d760 50 push eax
2a20d761 e84ac2fcff call MPS!MPSRecognizeWMF+0x11260 (2a1d99b0)
2a20d766 8bc8 mov ecx,eax
2a20d768 e843c2fcff call MPS!MPSRecognizeWMF+0x11260 (2a1d99b0)
2a20d76d 8b45f8 mov eax,dword ptr [ebp-8]
PoC
attached
Attachments:
OOBW[0x18]@0x9D716.emf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/