Information

Out-of-bounds read due to a corrupted TIF being parsed in ImageConversion.api. The faulting instruction reads `[esi+ecx*8+0B8h]` with esi=19d08a88 and ecx=0x98 (see the register dump), which resolves to 0x19d09000 — the address the debugger shows as unreadable — so the index in `ecx` has walked past the end of the buffer at `esi`.

Crash Dump:

Stack

ImageConversion.api + 0x5F2AD (id: ab6, no function symbol available)
ImageConversion.api + 0x5E701 (id: 58c, no function symbol available)
ImageConversion.api + 0x4F251 (no function symbol available)
ImageConversion.api + 0x2799E (no function symbol available)
ImageConversion.api + 0x18498 (no function symbol available)
Acrobat.dll + 0x7BB44B (no function symbol available)
Acrobat.dll + 0x7BD6C1 (no function symbol available)
Acrobat.dll + 0x7BD642 (no function symbol available)
Acrobat.dll + 0xB8A43 (no function symbol available)
Acrobat.dll + 0xB73FD (no function symbol available)
Acrobat.dll + 0xB6919 (no function symbol available)
Acrobat.dll + 0xB4BB2 (no function symbol available)
Acrobat.dll + 0xB340F (no function symbol available)
Acrobat.dll + 0xB2CFC (no function symbol available)
Acrobat.dll + 0x2EFFA (no function symbol available)
Acrobat.dll + 0x2B36E (no function symbol available)
Acrobat.dll!AcroWinMain + 0x18
Acrobat.exe + 0x76EC (no function symbol available)
Acrobat.exe + 0x8711 (no function symbol available)
KERNEL32.DLL!BaseThreadInitThunk + 0x24
ntdll.dll!__RtlUserThreadStart + 0x2F
ntdll.dll!_RtlUserThreadStart + 0x1B

Registers

eax=00000001 ebx=00e1e004 ecx=00000098 edx=00000001 esi=19d08a88 edi=00000001
eip=25a5f2ad esp=00e1de20 ebp=00e1dea8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
fpcw=027F: rn 53 puozdi  fpsw=4021: top=0 cc=1000 --p----i  fptw=FFFF
fopcode=0000  fpip=0000:25a76680  fpdp=0000:00000000
st0= 0.000000000000000000000e+0000  st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000  st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000  st5= 1.600000000000000000000e+0001
st6= 0.000000000000000000000e+0000  st7= 4.100359375000000000000e+0003
mm0=0000000000000000  mm1=0000000000000000
mm2=0000000000000000  mm3=0000000000000000
mm4=0000000000000000  mm5=8000000000000000
mm6=0000000000000000  mm7=8022e00000000000
xmm0=0 0 1.875 0
xmm1=0 0 0 0
xmm2=0 0 1.875 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 0
xmm7=0 0 0 1.4013e-045
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
ImageConversion!png_write_sig+0x19b14:
25a5f2ad f20f1084ceb8000000 movsd xmm0,mmword ptr [esi+ecx*8+0B8h] ds:002b:19d09000=???????????????? 

Disassembly of stack frame 1 at ImageConversion.api + 0x5F2AD

25a5f1d8 8b45b0          mov     eax,dword ptr [ebp-50h]
25a5f1db 897df8          mov     dword ptr [ebp-8],edi
25a5f1de 6a08            push    8
25a5f1e0 5e              pop     esi
25a5f1e1 2bce            sub     ecx,esi
25a5f1e3 4a              dec     edx
25a5f1e4 894da8          mov     dword ptr [ebp-58h],ecx
25a5f1e7 8955a4          mov     dword ptr [ebp-5Ch],edx
25a5f1ea 75a1            jne     ImageConversion!png_write_sig+0x199f4 (25a5f18d)
25a5f1ec 8b5dd8          mov     ebx,dword ptr [ebp-28h]
25a5f1ef 8b75e0          mov     esi,dword ptr [ebp-20h]
25a5f1f2 8b7dc0          mov     edi,dword ptr [ebp-40h]
25a5f1f5 8b8684000000    mov     eax,dword ptr [esi+84h]
25a5f1fb 33d2            xor     edx,edx
25a5f1fd 895594          mov     dword ptr [ebp-6Ch],edx
25a5f200 2b467c          sub     eax,dword ptr [esi+7Ch]
25a5f203 0f848e030000    je      ImageConversion!png_write_sig+0x19dfe (25a5f597)
25a5f209 8b4df4          mov     ecx,dword ptr [ebp-0Ch]
25a5f20c 8bc2            mov     eax,edx
25a5f20e 33d2            xor     edx,edx
25a5f210 8945e0          mov     dword ptr [ebp-20h],eax
25a5f213 663b17          cmp     dx,word ptr [edi]
25a5f216 0f8322020000    jae     ImageConversion!png_write_sig+0x19ca5 (25a5f43e)
25a5f21c 663b860a010000  cmp     ax,word ptr [esi+10Ah]
25a5f223 0f8367010000    jae     ImageConversion!png_write_sig+0x19bf7 (25a5f390)
25a5f229 0fb7be04010000  movzx   edi,word ptr [esi+104h]
25a5f230 0fb7c8          movzx   ecx,ax
25a5f233 8bd7            mov     edx,edi
25a5f235 33c0            xor     eax,eax
25a5f237 388638010000    cmp     byte ptr [esi+138h],al
25a5f23d 6a20            push    20h
25a5f23f 0f45c1          cmovne  eax,ecx
25a5f242 8b4df0          mov     ecx,dword ptr [ebp-10h]
25a5f245 8b0481          mov     eax,dword ptr [ecx+eax*4]
25a5f248 8a4df4          mov     cl,byte ptr [ebp-0Ch]
25a5f24b d3e0            shl     eax,cl
25a5f24d 23049560cfb325  and     eax,dword ptr ImageConversion!GTIFProjToMapSys+0xbd0c0 (25b3cf60)[edx*4]
25a5f254 59              pop     ecx
25a5f255 2bca            sub     ecx,edx
25a5f257 d3e8            shr     eax,cl
25a5f259 6a08            push    8
25a5f25b 0fb7d0          movzx   edx,ax
25a5f25e 58              pop     eax
25a5f25f 663bf8          cmp     di,ax
25a5f262 760f            jbe     ImageConversion!png_write_sig+0x19ada (25a5f273)
25a5f264 6a10            push    10h
25a5f266 58              pop     eax
25a5f267 663bf8          cmp     di,ax
25a5f26a 7507            jne     ImageConversion!png_write_sig+0x19ada (25a5f273)
25a5f26c 66c1c208        rol     dx,8
25a5f270 0fb7d2          movzx   edx,dx
25a5f273 80bed800000000  cmp     byte ptr [esi+0D8h],0
25a5f27a 7451            je      ImageConversion!png_write_sig+0x19b34 (25a5f2cd)
25a5f27c 8b45e0          mov     eax,dword ptr [ebp-20h]
25a5f27f 0fb7c8          movzx   ecx,ax
25a5f282 0fb7c2          movzx   eax,dx
25a5f285 f20f108cce98000000 movsd xmm1,mmword ptr [esi+ecx*8+98h]
25a5f28e 660f6ed0        movd    xmm2,eax
25a5f292 0fb786f4000000  movzx   eax,word ptr [esi+0F4h]
25a5f299 f30fe6d2        cvtdq2pd xmm2,xmm2
25a5f29d 660f6ec0        movd    xmm0,eax
25a5f2a1 f30fe6c0        cvtdq2pd xmm0,xmm0
25a5f2a5 f20f5cd1        subsd   xmm2,xmm1
25a5f2a9 f20f59d0        mulsd   xmm2,xmm0
ImageConversion!png_write_sig+0x19b14:
25a5f2ad f20f1084ceb8000000 movsd xmm0,mmword ptr [esi+ecx*8+0B8h] // current instruction
25a5f2b6 f20f5cc1        subsd   xmm0,xmm1
25a5f2ba f20f5ed0        divsd   xmm2,xmm0
25a5f2be f20f5815a091ab25 addsd   xmm2,mmword ptr [ImageConversion!GTIFProjToMapSys+0x39300 (25ab91a0)]
25a5f2c6 f20f2cc2        cvttsd2si eax,xmm2
25a5f2ca 0fb7d0          movzx   edx,ax
25a5f2cd 6a03            push    3
25a5f2cf 58              pop     eax
25a5f2d0 394678          cmp     dword ptr [esi+78h],eax
25a5f2d3 740b            je      ImageConversion!png_write_sig+0x19b47 (25a5f2e0)
25a5f2d5 52              push    edx
25a5f2d6 8bcb            mov     ecx,ebx
25a5f2d8 e839f7ffff      call    ImageConversion!png_write_sig+0x1927d (25a5ea16)
25a5f2dd 0fb7d0          movzx   edx,ax
25a5f2e0 6a10            push    10h
25a5f2e2 58              pop     eax
25a5f2e3 663bf8          cmp     di,ax
25a5f2e6 7536            jne     ImageConversion!png_write_sig+0x19b85 (25a5f31e)
25a5f2e8 6a08            push    8
25a5f2ea 58              pop     eax
25a5f2eb 66398606010000  cmp     word ptr [esi+106h],ax
25a5f2f2 752a            jne     ImageConversion!png_write_sig+0x19b85 (25a5f31e)
25a5f2f4 0fb7c2          movzx   eax,dx
25a5f2f7 b9ffff0000      mov     ecx,0FFFFh
25a5f2fc 69c0ff000000    imul    eax,eax,0FFh
25a5f302 bfff000000      mov     edi,0FFh
25a5f307 897d9c          mov     dword ptr [ebp-64h],edi
25a5f30a 99              cdq
25a5f30b f7f9            idiv    eax,ecx
25a5f30d 8d559c          lea     edx,[ebp-64h]
25a5f310 3bc7            cmp     eax,edi
25a5f312 894598          mov     dword ptr [ebp-68h],eax 

PoC

attached


Attachments:
OOBR[0x578]@0x5F2AD.tif

References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/