CVE-2018-12869
Information
Out-of-bounds write caused by a malformed JBIG2 stream being parsed in Acrobat.dll. In the disassembly below, the faulting instruction stores a 16-bit value at edx+ecx*4, where ecx is 7× a table entry loaded from [ebp+8]+eax*4; within the shown frame that entry is only compared against esi (1 << cl) with a signed jge before use, and the resulting target address c6c81038 is unmapped, which is consistent with an index from the stream escaping the intended bounds.
Crash Dump:
Stack
Acrobat.dll + 0x65BF22 (id: 3f4, no function symbol available)
Acrobat.dll + 0x65BD9E (id: f53, no function symbol available)
Acrobat.dll + 0x660BE4 (no function symbol available)
Acrobat.dll + 0x62DE5C (no function symbol available)
Registers
eax=00000003 ebx=0916afe0 ecx=6f68800e edx=09261000 esi=00000001 edi=0000001b
eip=6065bf22 esp=00fffcf0 ebp=00fffcfc iopl=0 nv up ei pl nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010213
fpcw=027F: rn 53 puozdi fpsw=0021: top=0 cc=0000 --p----i fptw=FFFF
fopcode=0000 fpip=0000:741a28bb fpdp=0000:741ef398
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 0.000000000000000000000e+0000
st6= 1.000000000000000000000e+0000 st7= 1.107148717794090502970e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=0000000000000000
mm6=8000000000000000 mm7=8db70c975df22363
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=-0.188993 -4.87086e-027 1.30187e+035 -7.47602e-014
xmm7=0 0 0 1.4013e-045
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
Acrobat!CTJPEGWarningHandler::operator=+0x1a8d2:
6065bf22 6689348a mov word ptr [edx+ecx*4],si ds:002b:c6c81038=????
Disassembly of stack frame 1 at Acrobat.dll + 0x65BF22
6065be7d 8906 mov dword ptr [esi],eax
6065be7f 8a45fc mov al,byte ptr [ebp-4]
6065be82 57 push edi
6065be83 884604 mov byte ptr [esi+4],al
6065be86 e8f5229dff call Acrobat!AcroWinMain+0x3325 (6002e180)
6065be8b 83c418 add esp,18h
6065be8e 8bc6 mov eax,esi
6065be90 5f pop edi
6065be91 5b pop ebx
6065be92 5e pop esi
6065be93 8be5 mov esp,ebp
6065be95 5d pop ebp
6065be96 c3 ret
6065be97 33c0 xor eax,eax
6065be99 5f pop edi
6065be9a 5b pop ebx
6065be9b 5e pop esi
6065be9c 8be5 mov esp,ebp
6065be9e 5d pop ebp
6065be9f c3 ret
6065bea0 55 push ebp
6065bea1 8bec mov ebp,esp
6065bea3 8a4d10 mov cl,byte ptr [ebp+10h]
6065bea6 33c0 xor eax,eax
6065bea8 56 push esi
6065bea9 be01000000 mov esi,1
6065beae d3e6 shl esi,cl
6065beb0 897510 mov dword ptr [ebp+10h],esi
6065beb3 57 push edi
6065beb4 85f6 test esi,esi
6065beb6 7418 je Acrobat!CTJPEGWarningHandler::operator=+0x1a880 (6065bed0)
6065beb8 8b4d2c mov ecx,dword ptr [ebp+2Ch]
6065bebb 8bd6 mov edx,esi
6065bebd 8d4900 lea ecx,[ecx]
6065bec0 33ff xor edi,edi
6065bec2 8d491c lea ecx,[ecx+1Ch]
6065bec5 668979e4 mov word ptr [ecx-1Ch],di
6065bec9 668979f2 mov word ptr [ecx-0Eh],di
6065becd 4a dec edx
6065bece 75f0 jne Acrobat!CTJPEGWarningHandler::operator=+0x1a870 (6065bec0)
6065bed0 8b7d28 mov edi,dword ptr [ebp+28h]
6065bed3 ba01000000 mov edx,1
6065bed8 85ff test edi,edi
6065beda 0f8410010000 je Acrobat!CTJPEGWarningHandler::operator=+0x1a9a0 (6065bff0)
6065bee0 53 push ebx
6065bee1 8b5d0c mov ebx,dword ptr [ebp+0Ch]
6065bee4 803c1800 cmp byte ptr [eax+ebx],0
6065bee8 7511 jne Acrobat!CTJPEGWarningHandler::operator=+0x1a8ab (6065befb)
6065beea 8d9b00000000 lea ebx,[ebx]
6065bef0 3bc7 cmp eax,edi
6065bef2 7309 jae Acrobat!CTJPEGWarningHandler::operator=+0x1a8ad (6065befd)
6065bef4 40 inc eax
6065bef5 803c1800 cmp byte ptr [eax+ebx],0
6065bef9 74f5 je Acrobat!CTJPEGWarningHandler::operator=+0x1a8a0 (6065bef0)
6065befb 3bc7 cmp eax,edi
6065befd 0f84e7000000 je Acrobat!CTJPEGWarningHandler::operator=+0x1a99a (6065bfea)
6065bf03 8b5508 mov edx,dword ptr [ebp+8]
6065bf06 8b1482 mov edx,dword ptr [edx+eax*4]
6065bf09 3bd6 cmp edx,esi
6065bf0b 0f8d06010000 jge Acrobat!CTJPEGWarningHandler::operator=+0x1a9c7 (6065c017)
6065bf11 8d0cd500000000 lea ecx,[edx*8]
6065bf18 be01000000 mov esi,1
6065bf1d 2bca sub ecx,edx
6065bf1f 8b552c mov edx,dword ptr [ebp+2Ch]
Acrobat!CTJPEGWarningHandler::operator=+0x1a8d2:
6065bf22 6689348a mov word ptr [edx+ecx*4],si // current instruction
6065bf26 8b4d14 mov ecx,dword ptr [ebp+14h]
6065bf29 0fb63408 movzx esi,byte ptr [eax+ecx]
6065bf2d 8b4d08 mov ecx,dword ptr [ebp+8]
6065bf30 8b0c81 mov ecx,dword ptr [ecx+eax*4]
6065bf33 8d14cd00000000 lea edx,[ecx*8]
6065bf3a 2bd1 sub edx,ecx
6065bf3c 8b4d2c mov ecx,dword ptr [ebp+2Ch]
6065bf3f 89749104 mov dword ptr [ecx+edx*4+4],esi
6065bf43 8b4d08 mov ecx,dword ptr [ebp+8]
6065bf46 8b752c mov esi,dword ptr [ebp+2Ch]
6065bf49 8b0c81 mov ecx,dword ptr [ecx+eax*4]
6065bf4c 8d14cd00000000 lea edx,[ecx*8]
6065bf53 2bd1 sub edx,ecx
6065bf55 8b4d18 mov ecx,dword ptr [ebp+18h]
6065bf58 8b0c81 mov ecx,dword ptr [ecx+eax*4]
6065bf5b 894c9608 mov dword ptr [esi+edx*4+8],ecx
6065bf5f 8b4d08 mov ecx,dword ptr [ebp+8]
6065bf62 8b0c81 mov ecx,dword ptr [ecx+eax*4]
6065bf65 8d14cd00000000 lea edx,[ecx*8]
6065bf6c 2bd1 sub edx,ecx
6065bf6e 8b4d08 mov ecx,dword ptr [ebp+8]
6065bf71 89449610 mov dword ptr [esi+edx*4+10h],eax
6065bf75 8b0c81 mov ecx,dword ptr [ecx+eax*4]
6065bf78 8d14cd00000000 lea edx,[ecx*8]
6065bf7f 2bd1 sub edx,ecx
6065bf81 8b4d08 mov ecx,dword ptr [ebp+8]
6065bf84 89449614 mov dword ptr [esi+edx*4+14h],eax
6065bf88 8b0c81 mov ecx,dword ptr [ecx+eax*4]
6065bf8b 0fb63418 movzx esi,byte ptr [eax+ebx]
6065bf8f 8d14cd00000000 lea edx,[ecx*8]
6065bf96 2bd1 sub edx,ecx
PoC
attached
Attachments:
AVW@Reserved@0x65BF22.pdf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/