CVE-2018-12870
Information
Out-of-bounds read caused by a malformed JBIG2 stream being parsed in AcroRd32.dll. The crash dump below shows the faulting instruction reading a byte from eax=0x08386000, an address the debugger reports as unmapped (`??`), consistent with a read past the end of the parsed buffer.
Crash Dump:
Stack
Acrobat.dll + 0x6737BD (id: c33, no function symbol available)
Acrobat.dll + 0x65E002 (id: 8ec, no function symbol available)
Acrobat.dll + 0x65C57A (no function symbol available)
Registers
eax=08386000 ebx=004ffa60 ecx=08858046 edx=00000070 esi=00000001 edi=08385ff8
eip=606737bd esp=004ff8e0 ebp=004ff970 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
fpcw=027F: rn 53 puozdi fpsw=0021: top=0 cc=0000 --p----i fptw=FFFF
fopcode=0000 fpip=0000:741a28bb fpdp=0000:741ef398
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 0.000000000000000000000e+0000
st6= 1.000000000000000000000e+0000 st7= 1.107148717794090502970e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=0000000000000000
mm6=8000000000000000 mm7=8db70c975df22363
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=-4.46392e+012 1.84015e+006 -0.00602074 4.00967e-008
xmm7=0 0 0 1.4013e-045
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
Acrobat!CTJPEGWarningHandler::operator=+0x3216d:
606737bd 0fb608 movzx ecx,byte ptr [eax] ds:002b:08386000=??
Disassembly of stack frame 1 at Acrobat.dll + 0x6737BD
606736fd 85f6 test esi,esi
606736ff 782d js Acrobat!CTJPEGWarningHandler::operator=+0x320de (6067372e)
60673701 3b31 cmp esi,dword ptr [ecx]
60673703 7d29 jge Acrobat!CTJPEGWarningHandler::operator=+0x320de (6067372e)
60673705 8b4924 mov ecx,dword ptr [ecx+24h]
60673708 0fafc8 imul ecx,eax
6067370b 8bc6 mov eax,esi
6067370d c1f803 sar eax,3
60673710 83e607 and esi,7
60673713 03c8 add ecx,eax
60673715 8b430c mov eax,dword ptr [ebx+0Ch]
60673718 8b4010 mov eax,dword ptr [eax+10h]
6067371b 8a0401 mov al,byte ptr [ecx+eax]
6067371e 848650ca2c61 test byte ptr Acrobat!PDMediaQuerySetMediaType+0x22cef0 (612cca50)[esi],al
60673724 7408 je Acrobat!CTJPEGWarningHandler::operator=+0x320de (6067372e)
60673726 81ca00100000 or edx,1000h
6067372c eb06 jmp Acrobat!CTJPEGWarningHandler::operator=+0x320e4 (60673734)
6067372e 81e2ffef0000 and edx,0EFFFh
60673734 8b4594 mov eax,dword ptr [ebp-6Ch]
60673737 0fb7ca movzx ecx,dx
6067373a 03c1 add eax,ecx
6067373c 8955f8 mov dword ptr [ebp-8],edx
6067373f 50 push eax
60673740 8b4598 mov eax,dword ptr [ebp-68h]
60673743 03c1 add eax,ecx
60673745 8b4d08 mov ecx,dword ptr [ebp+8]
60673748 50 push eax
60673749 e802f8ffff call Acrobat!CTJPEGWarningHandler::operator=+0x31900 (60672f50)
6067374e 0fb7f0 movzx esi,ax
60673751 8b45d4 mov eax,dword ptr [ebp-2Ch]
60673754 8b55e0 mov edx,dword ptr [ebp-20h]
60673757 03c0 add eax,eax
60673759 0bc6 or eax,esi
6067375b 0fb7c0 movzx eax,ax
6067375e 8945d4 mov dword ptr [ebp-2Ch],eax
60673761 8945f8 mov dword ptr [ebp-8],eax
60673764 f6c20f test dl,0Fh
60673767 0f855a010000 jne Acrobat!CTJPEGWarningHandler::operator=+0x32277 (606738c7)
6067376d 8b4da0 mov ecx,dword ptr [ebp-60h]
60673770 c1e808 shr eax,8
60673773 8801 mov byte ptr [ecx],al
60673775 8a45f8 mov al,byte ptr [ebp-8]
60673778 884101 mov byte ptr [ecx+1],al
6067377b 33c0 xor eax,eax
6067377d 83c102 add ecx,2
60673780 8945d4 mov dword ptr [ebp-2Ch],eax
60673783 837db410 cmp dword ptr [ebp-4Ch],10h
60673787 894da0 mov dword ptr [ebp-60h],ecx
6067378a 8945f8 mov dword ptr [ebp-8],eax
6067378d 0f8da8000000 jge Acrobat!CTJPEGWarningHandler::operator=+0x321eb (6067383b)
60673793 8b45c0 mov eax,dword ptr [ebp-40h]
60673796 0fb608 movzx ecx,byte ptr [eax]
60673799 8b45f4 mov eax,dword ptr [ebp-0Ch]
6067379c c1e118 shl ecx,18h
6067379f 0fb7c0 movzx eax,ax
606737a2 0bc8 or ecx,eax
606737a4 894df4 mov dword ptr [ebp-0Ch],ecx
606737a7 8b4dc0 mov ecx,dword ptr [ebp-40h]
606737aa 0fb64101 movzx eax,byte ptr [ecx+1]
606737ae 83c102 add ecx,2
606737b1 c1e010 shl eax,10h
606737b4 0945f4 or dword ptr [ebp-0Ch],eax
606737b7 8b45b8 mov eax,dword ptr [ebp-48h]
606737ba 894dc0 mov dword ptr [ebp-40h],ecx
Acrobat!CTJPEGWarningHandler::operator=+0x3216d:
606737bd 0fb608 movzx ecx,byte ptr [eax] // current instruction
606737c0 8b45ec mov eax,dword ptr [ebp-14h]
606737c3 c1e118 shl ecx,18h
606737c6 0fb7c0 movzx eax,ax
606737c9 0bc8 or ecx,eax
606737cb 894dec mov dword ptr [ebp-14h],ecx
606737ce 8b4db8 mov ecx,dword ptr [ebp-48h]
606737d1 0fb64101 movzx eax,byte ptr [ecx+1]
606737d5 83c102 add ecx,2
606737d8 c1e010 shl eax,10h
606737db 0945ec or dword ptr [ebp-14h],eax
606737de 8b45d8 mov eax,dword ptr [ebp-28h]
606737e1 894db8 mov dword ptr [ebp-48h],ecx
606737e4 0fb608 movzx ecx,byte ptr [eax]
606737e7 8b45e8 mov eax,dword ptr [ebp-18h]
606737ea c1e118 shl ecx,18h
606737ed 0fb7c0 movzx eax,ax
606737f0 0bc8 or ecx,eax
606737f2 894de8 mov dword ptr [ebp-18h],ecx
606737f5 8b4dd8 mov ecx,dword ptr [ebp-28h]
606737f8 0fb64101 movzx eax,byte ptr [ecx+1]
606737fc 83c102 add ecx,2
606737ff c1e010 shl eax,10h
60673802 0945e8 or dword ptr [ebp-18h],eax
60673805 8b45b0 mov eax,dword ptr [ebp-50h]
60673808 894dd8 mov dword ptr [ebp-28h],ecx
6067380b 3945bc cmp dword ptr [ebp-44h],eax
6067380e 0f8310030000 jae Acrobat!CTJPEGWarningHandler::operator=+0x324d4 (60673b24)
60673814 8b45f0 mov eax,dword ptr [ebp-10h]
60673817 0fb60f movzx ecx,byte ptr [edi]
6067381a 0fb7c0 movzx eax,ax
6067381d c1e118 shl ecx,18h
PoC
The proof-of-concept file is attached (see Attachments below).
Attachments:
OOBR[0x1B]@0x6737BD.pdf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/