CVE-2018-12867
Information
Out-of-bounds read caused by a corrupted TIF file being parsed by ImageConversion.api. The faulting instruction at ImageConversion.api + 0x5F2AD is a movsd from [esi+ecx*8+0B8h]; with esi=19d08a88 and ecx=00000098 the read lands at 19d09000, which the debugger shows as unmapped (????????????????), matching the 0x578 (= 0x98*8 + 0xB8) offset recorded in the attached PoC name.
Crash Dump:
Stack
ImageConversion.api + 0x5F2AD (id: ab6, no function symbol available)
ImageConversion.api + 0x5E701 (id: 58c, no function symbol available)
ImageConversion.api + 0x4F251 (no function symbol available)
ImageConversion.api + 0x2799E (no function symbol available)
ImageConversion.api + 0x18498 (no function symbol available)
Acrobat.dll + 0x7BB44B (no function symbol available)
Acrobat.dll + 0x7BD6C1 (no function symbol available)
Acrobat.dll + 0x7BD642 (no function symbol available)
Acrobat.dll + 0xB8A43 (no function symbol available)
Acrobat.dll + 0xB73FD (no function symbol available)
Acrobat.dll + 0xB6919 (no function symbol available)
Acrobat.dll + 0xB4BB2 (no function symbol available)
Acrobat.dll + 0xB340F (no function symbol available)
Acrobat.dll + 0xB2CFC (no function symbol available)
Acrobat.dll + 0x2EFFA (no function symbol available)
Acrobat.dll + 0x2B36E (no function symbol available)
Acrobat.dll!AcroWinMain + 0x18
Acrobat.exe + 0x76EC (no function symbol available)
Acrobat.exe + 0x8711 (no function symbol available)
KERNEL32.DLL!BaseThreadInitThunk + 0x24
ntdll.dll!__RtlUserThreadStart + 0x2F
ntdll.dll!_RtlUserThreadStart + 0x1B
Registers
eax=00000001 ebx=00e1e004 ecx=00000098 edx=00000001 esi=19d08a88 edi=00000001
eip=25a5f2ad esp=00e1de20 ebp=00e1dea8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
fpcw=027F: rn 53 puozdi fpsw=4021: top=0 cc=1000 --p----i fptw=FFFF
fopcode=0000 fpip=0000:25a76680 fpdp=0000:00000000
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 1.600000000000000000000e+0001
st6= 0.000000000000000000000e+0000 st7= 4.100359375000000000000e+0003
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=8000000000000000
mm6=0000000000000000 mm7=8022e00000000000
xmm0=0 0 1.875 0
xmm1=0 0 0 0
xmm2=0 0 1.875 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 0
xmm7=0 0 0 1.4013e-045
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
ImageConversion!png_write_sig+0x19b14:
25a5f2ad f20f1084ceb8000000 movsd xmm0,mmword ptr [esi+ecx*8+0B8h] ds:002b:19d09000=????????????????
Disassembly of stack frame 1 at ImageConversion.api + 0x5F2AD
25a5f1d8 8b45b0 mov eax,dword ptr [ebp-50h]
25a5f1db 897df8 mov dword ptr [ebp-8],edi
25a5f1de 6a08 push 8
25a5f1e0 5e pop esi
25a5f1e1 2bce sub ecx,esi
25a5f1e3 4a dec edx
25a5f1e4 894da8 mov dword ptr [ebp-58h],ecx
25a5f1e7 8955a4 mov dword ptr [ebp-5Ch],edx
25a5f1ea 75a1 jne ImageConversion!png_write_sig+0x199f4 (25a5f18d)
25a5f1ec 8b5dd8 mov ebx,dword ptr [ebp-28h]
25a5f1ef 8b75e0 mov esi,dword ptr [ebp-20h]
25a5f1f2 8b7dc0 mov edi,dword ptr [ebp-40h]
25a5f1f5 8b8684000000 mov eax,dword ptr [esi+84h]
25a5f1fb 33d2 xor edx,edx
25a5f1fd 895594 mov dword ptr [ebp-6Ch],edx
25a5f200 2b467c sub eax,dword ptr [esi+7Ch]
25a5f203 0f848e030000 je ImageConversion!png_write_sig+0x19dfe (25a5f597)
25a5f209 8b4df4 mov ecx,dword ptr [ebp-0Ch]
25a5f20c 8bc2 mov eax,edx
25a5f20e 33d2 xor edx,edx
25a5f210 8945e0 mov dword ptr [ebp-20h],eax
25a5f213 663b17 cmp dx,word ptr [edi]
25a5f216 0f8322020000 jae ImageConversion!png_write_sig+0x19ca5 (25a5f43e)
25a5f21c 663b860a010000 cmp ax,word ptr [esi+10Ah]
25a5f223 0f8367010000 jae ImageConversion!png_write_sig+0x19bf7 (25a5f390)
25a5f229 0fb7be04010000 movzx edi,word ptr [esi+104h]
25a5f230 0fb7c8 movzx ecx,ax
25a5f233 8bd7 mov edx,edi
25a5f235 33c0 xor eax,eax
25a5f237 388638010000 cmp byte ptr [esi+138h],al
25a5f23d 6a20 push 20h
25a5f23f 0f45c1 cmovne eax,ecx
25a5f242 8b4df0 mov ecx,dword ptr [ebp-10h]
25a5f245 8b0481 mov eax,dword ptr [ecx+eax*4]
25a5f248 8a4df4 mov cl,byte ptr [ebp-0Ch]
25a5f24b d3e0 shl eax,cl
25a5f24d 23049560cfb325 and eax,dword ptr ImageConversion!GTIFProjToMapSys+0xbd0c0 (25b3cf60)[edx*4]
25a5f254 59 pop ecx
25a5f255 2bca sub ecx,edx
25a5f257 d3e8 shr eax,cl
25a5f259 6a08 push 8
25a5f25b 0fb7d0 movzx edx,ax
25a5f25e 58 pop eax
25a5f25f 663bf8 cmp di,ax
25a5f262 760f jbe ImageConversion!png_write_sig+0x19ada (25a5f273)
25a5f264 6a10 push 10h
25a5f266 58 pop eax
25a5f267 663bf8 cmp di,ax
25a5f26a 7507 jne ImageConversion!png_write_sig+0x19ada (25a5f273)
25a5f26c 66c1c208 rol dx,8
25a5f270 0fb7d2 movzx edx,dx
25a5f273 80bed800000000 cmp byte ptr [esi+0D8h],0
25a5f27a 7451 je ImageConversion!png_write_sig+0x19b34 (25a5f2cd)
25a5f27c 8b45e0 mov eax,dword ptr [ebp-20h]
25a5f27f 0fb7c8 movzx ecx,ax
25a5f282 0fb7c2 movzx eax,dx
25a5f285 f20f108cce98000000 movsd xmm1,mmword ptr [esi+ecx*8+98h]
25a5f28e 660f6ed0 movd xmm2,eax
25a5f292 0fb786f4000000 movzx eax,word ptr [esi+0F4h]
25a5f299 f30fe6d2 cvtdq2pd xmm2,xmm2
25a5f29d 660f6ec0 movd xmm0,eax
25a5f2a1 f30fe6c0 cvtdq2pd xmm0,xmm0
25a5f2a5 f20f5cd1 subsd xmm2,xmm1
25a5f2a9 f20f59d0 mulsd xmm2,xmm0
ImageConversion!png_write_sig+0x19b14:
25a5f2ad f20f1084ceb8000000 movsd xmm0,mmword ptr [esi+ecx*8+0B8h] // current instruction
25a5f2b6 f20f5cc1 subsd xmm0,xmm1
25a5f2ba f20f5ed0 divsd xmm2,xmm0
25a5f2be f20f5815a091ab25 addsd xmm2,mmword ptr [ImageConversion!GTIFProjToMapSys+0x39300 (25ab91a0)]
25a5f2c6 f20f2cc2 cvttsd2si eax,xmm2
25a5f2ca 0fb7d0 movzx edx,ax
25a5f2cd 6a03 push 3
25a5f2cf 58 pop eax
25a5f2d0 394678 cmp dword ptr [esi+78h],eax
25a5f2d3 740b je ImageConversion!png_write_sig+0x19b47 (25a5f2e0)
25a5f2d5 52 push edx
25a5f2d6 8bcb mov ecx,ebx
25a5f2d8 e839f7ffff call ImageConversion!png_write_sig+0x1927d (25a5ea16)
25a5f2dd 0fb7d0 movzx edx,ax
25a5f2e0 6a10 push 10h
25a5f2e2 58 pop eax
25a5f2e3 663bf8 cmp di,ax
25a5f2e6 7536 jne ImageConversion!png_write_sig+0x19b85 (25a5f31e)
25a5f2e8 6a08 push 8
25a5f2ea 58 pop eax
25a5f2eb 66398606010000 cmp word ptr [esi+106h],ax
25a5f2f2 752a jne ImageConversion!png_write_sig+0x19b85 (25a5f31e)
25a5f2f4 0fb7c2 movzx eax,dx
25a5f2f7 b9ffff0000 mov ecx,0FFFFh
25a5f2fc 69c0ff000000 imul eax,eax,0FFh
25a5f302 bfff000000 mov edi,0FFh
25a5f307 897d9c mov dword ptr [ebp-64h],edi
25a5f30a 99 cdq
25a5f30b f7f9 idiv eax,ecx
25a5f30d 8d559c lea edx,[ebp-64h]
25a5f310 3bc7 cmp eax,edi
25a5f312 894598 mov dword ptr [ebp-68h],eax
PoC
attached
Attachments:
OOBR[0x578]@0x5F2AD.tif
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/