CVE-2018-12866
Information
Out-of-bounds read due to a corrupted EMF being parsed in MPS.dll. The faulting instruction is the `rep movs` copy loop at MPS.dll + 0x3674A with ecx=0x1fffff60 bytes still to copy, which suggests the copy length is taken from the file rather than bounded by the source buffer.
Crash Dump:
Stack
MPS.dll + 0x3674A (id: 69c, no function symbol available)
MPS.dll + 0x148AE (id: fc6, no function symbol available)
MPS.dll + 0x1465D (no function symbol available)
MPS.dll + 0xADADD (no function symbol available)
MPS.dll + 0xB91C9 (no function symbol available)
MPS.dll + 0x7077E (no function symbol available)
MPS.dll + 0xBC5B4 (no function symbol available)
MPS.dll + 0x70960 (no function symbol available)
MPS.dll + 0x5F03E (no function symbol available)
MPS.dll + 0x5D8BC (no function symbol available)
ImageConversion.api + 0xA1F0 (no function symbol available)
ImageConversion.api + 0x18BD7 (no function symbol available)
ImageConversion.api + 0x1B61F (no function symbol available)
ImageConversion.api + 0xB58B (no function symbol available)
Acrobat.dll + 0x820A38 (no function symbol available)
Acrobat.dll + 0x7BB44B (no function symbol available)
Acrobat.dll + 0x7BD6C1 (no function symbol available)
Acrobat.dll + 0x7BD642 (no function symbol available)
Acrobat.dll + 0xB8A43 (no function symbol available)
Acrobat.dll + 0xB73FD (no function symbol available)
Acrobat.dll + 0xB6919 (no function symbol available)
Acrobat.dll + 0xB4BB2 (no function symbol available)
Acrobat.dll + 0xB340F (no function symbol available)
Acrobat.dll + 0xB2CFC (no function symbol available)
Acrobat.dll + 0x2EFFA (no function symbol available)
Acrobat.dll + 0x2B36E (no function symbol available)
Acrobat.dll!AcroWinMain + 0x18
Acrobat.exe + 0x76EC (no function symbol available)
Acrobat.exe + 0x8711 (no function symbol available)
KERNEL32.DLL!BaseThreadInitThunk + 0x24
ntdll.dll!__RtlUserThreadStart + 0x2F
ntdll.dll!_RtlUserThreadStart + 0x1B
Registers
eax=46122f60 ebx=00000000 ecx=1fffff60 edx=1fffffe0 esi=26123000 edi=7fff10a0
eip=2934674a esp=0053cf9c ebp=0053d048 iopl=0 nv up ei pl nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207
fpcw=027F: rn 53 puozdi fpsw=4020: top=0 cc=1000 --p----- fptw=FFFF
fopcode=0000 fpip=0000:295d7042 fpdp=0000:00000000
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 1.600000000000000000000e+0001
st6= 0.000000000000000000000e+0000 st7= 5.368708800000000000000e+0008
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=8000000000000000
mm6=0000000000000000 mm7=ffffff0000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 0
xmm7=0 0 0 0
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
MPS!MPSToAGMColorSpace+0x1284a:
2934674a f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
Disassembly of stack frame 1 at MPS.dll + 0x3674A
293466ad 8b16 mov edx,dword ptr [esi]
293466af 83c604 add esi,4
293466b2 a900010181 test eax,81010100h
293466b7 74dc je MPS!MPSToAGMColorSpace+0x12795 (29346695)
293466b9 84d2 test dl,dl
293466bb 742c je MPS!MPSToAGMColorSpace+0x127e9 (293466e9)
293466bd 84f6 test dh,dh
293466bf 741e je MPS!MPSToAGMColorSpace+0x127df (293466df)
293466c1 f7c20000ff00 test edx,0FF0000h
293466c7 740c je MPS!MPSToAGMColorSpace+0x127d5 (293466d5)
293466c9 f7c2000000ff test edx,0FF000000h
293466cf 75c4 jne MPS!MPSToAGMColorSpace+0x12795 (29346695)
293466d1 8917 mov dword ptr [edi],edx
293466d3 eb18 jmp MPS!MPSToAGMColorSpace+0x127ed (293466ed)
293466d5 81e2ffff0000 and edx,0FFFFh
293466db 8917 mov dword ptr [edi],edx
293466dd eb0e jmp MPS!MPSToAGMColorSpace+0x127ed (293466ed)
293466df 81e2ff000000 and edx,0FFh
293466e5 8917 mov dword ptr [edi],edx
293466e7 eb04 jmp MPS!MPSToAGMColorSpace+0x127ed (293466ed)
293466e9 33d2 xor edx,edx
293466eb 8917 mov dword ptr [edi],edx
293466ed 83c704 add edi,4
293466f0 33c0 xor eax,eax
293466f2 83e901 sub ecx,1
293466f5 740c je MPS!MPSToAGMColorSpace+0x12803 (29346703)
293466f7 33c0 xor eax,eax
293466f9 8907 mov dword ptr [edi],eax
293466fb 83c704 add edi,4
293466fe 83e901 sub ecx,1
29346701 75f6 jne MPS!MPSToAGMColorSpace+0x127f9 (293466f9)
29346703 83e303 and ebx,3
29346706 0f8577ffffff jne MPS!MPSToAGMColorSpace+0x12783 (29346683)
2934670c 8b442410 mov eax,dword ptr [esp+10h]
29346710 5b pop ebx
29346711 5e pop esi
29346712 5f pop edi
29346713 c3 ret
29346714 cc int 3
29346715 cc int 3
29346716 cc int 3
29346717 cc int 3
29346718 cc int 3
29346719 cc int 3
2934671a cc int 3
2934671b cc int 3
2934671c cc int 3
2934671d cc int 3
2934671e cc int 3
2934671f cc int 3
29346720 57 push edi
29346721 56 push esi
29346722 8b742410 mov esi,dword ptr [esp+10h]
29346726 8b4c2414 mov ecx,dword ptr [esp+14h]
2934672a 8b7c240c mov edi,dword ptr [esp+0Ch]
2934672e 8bc1 mov eax,ecx
29346730 8bd1 mov edx,ecx
29346732 03c6 add eax,esi
29346734 3bfe cmp edi,esi
29346736 7608 jbe MPS!MPSToAGMColorSpace+0x12840 (29346740)
29346738 3bf8 cmp edi,eax
2934673a 0f8268030000 jb MPS!MPSToAGMColorSpace+0x12ba8 (29346aa8)
29346740 0fba2530566e2901 bt dword ptr [MPS!MPSOptions+0x25ee70 (296e5630)],1
29346748 7307 jae MPS!MPSToAGMColorSpace+0x12851 (29346751)
MPS!MPSToAGMColorSpace+0x1284a:
2934674a f3a4 rep movs byte ptr es:[edi],byte ptr [esi] // current instruction
2934674c e917030000 jmp MPS!MPSToAGMColorSpace+0x12b68 (29346a68)
29346751 81f980000000 cmp ecx,80h
29346757 0f82ce010000 jb MPS!MPSToAGMColorSpace+0x12a2b (2934692b)
2934675d 8bc7 mov eax,edi
2934675f 33c6 xor eax,esi
29346761 a90f000000 test eax,0Fh
29346766 750e jne MPS!MPSToAGMColorSpace+0x12876 (29346776)
29346768 0fba25607a6a2901 bt dword ptr [MPS!MPSOptions+0x2212a0 (296a7a60)],1
29346770 0f82da040000 jb MPS!MPSToAGMColorSpace+0x12d50 (29346c50)
29346776 0fba2530566e2900 bt dword ptr [MPS!MPSOptions+0x25ee70 (296e5630)],0
2934677e 0f83a7010000 jae MPS!MPSToAGMColorSpace+0x12a2b (2934692b)
29346784 f7c703000000 test edi,3
2934678a 0f85b8010000 jne MPS!MPSToAGMColorSpace+0x12a48 (29346948)
29346790 f7c603000000 test esi,3
29346796 0f8597010000 jne MPS!MPSToAGMColorSpace+0x12a33 (29346933)
2934679c 0fbae702 bt edi,2
293467a0 730d jae MPS!MPSToAGMColorSpace+0x128af (293467af)
293467a2 8b06 mov eax,dword ptr [esi]
293467a4 83e904 sub ecx,4
293467a7 8d7604 lea esi,[esi+4]
293467aa 8907 mov dword ptr [edi],eax
293467ac 8d7f04 lea edi,[edi+4]
293467af 0fbae703 bt edi,3
293467b3 7311 jae MPS!MPSToAGMColorSpace+0x128c6 (293467c6)
293467b5 f30f7e0e movq xmm1,mmword ptr [esi]
293467b9 83e908 sub ecx,8
293467bc 8d7608 lea esi,[esi+8]
293467bf 660fd60f movq mmword ptr [edi],xmm1
293467c3 8d7f08 lea edi,[edi+8]
293467c6 f7c607000000 test esi,7
PoC
attached
Attachments:
OOBR[0x80]@0x3674A.emf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/