CVE-2018-12872
Information
Out-of-bounds read caused by a malformed JBIG2 stream being parsed in Acrobat.dll. In the dump below, the faulting `movzx eax, byte ptr [ecx]` dereferences the read cursor loaded from `[edi]` (the cursor is advanced by one after each byte is consumed), and the debugger reports the target address 08ae9000 as unreadable (`=??`).
Crash Dump:
Stack
Acrobat.dll + 0x672ADA (id: 2f9, no function symbol available)
Acrobat.dll + 0x67374E (id: 59f, no function symbol available)
Acrobat.dll + 0x677769 (no function symbol available)
Acrobat.dll + 0x65DEE7 (no function symbol available)
Acrobat.dll + 0x65C57A (no function symbol available)
Registers
eax=08ae9000 ebx=00000001 ecx=08ae9000 edx=08bd5000 esi=08bbefe0 edi=08bacff0
eip=60672ada esp=008dfb10 ebp=008dfb28 iopl=0 nv up ei pl nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207
fpcw=027F: rn 53 puozdi fpsw=0021: top=0 cc=0000 --p----i fptw=FFFF
fopcode=0000 fpip=0000:741a28bb fpdp=0000:741ef398
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 0.000000000000000000000e+0000
st6= 1.000000000000000000000e+0000 st7= 1.107148717794090502970e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=0000000000000000
mm6=8000000000000000 mm7=8db70c975df22363
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=-1.75547e-012 -1.01278e-006 1.55935e+029 -2.67506e+029
xmm7=0 0 0 1.4013e-045
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
Acrobat!CTJPEGWarningHandler::operator=+0x3148a:
60672ada 0fb601 movzx eax,byte ptr [ecx] ds:002b:08ae9000=??
Disassembly of stack frame 1 at Acrobat.dll + 0x672ADA
60672a40 894618 mov dword ptr [esi+18h],eax
60672a43 85c0 test eax,eax
60672a45 750a jne Acrobat!CTJPEGWarningHandler::operator=+0x31401 (60672a51)
60672a47 b803000000 mov eax,3
60672a4c 5e pop esi
60672a4d 5d pop ebp
60672a4e c20400 ret 4
60672a51 8a4d08 mov cl,byte ptr [ebp+8]
60672a54 57 push edi
60672a55 bf01000000 mov edi,1
60672a5a 884808 mov byte ptr [eax+8],cl
60672a5d d3e7 shl edi,cl
60672a5f 6a01 push 1
60672a61 57 push edi
60672a62 e8298c9cff call Acrobat!AcroWinMain+0x10835 (6003b690)
60672a67 8b4e18 mov ecx,dword ptr [esi+18h]
60672a6a 83c408 add esp,8
60672a6d 8901 mov dword ptr [ecx],eax
60672a6f 8b4618 mov eax,dword ptr [esi+18h]
60672a72 833800 cmp dword ptr [eax],0
60672a75 750b jne Acrobat!CTJPEGWarningHandler::operator=+0x31432 (60672a82)
60672a77 5f pop edi
60672a78 b803000000 mov eax,3
60672a7d 5e pop esi
60672a7e 5d pop ebp
60672a7f c20400 ret 4
60672a82 6a01 push 1
60672a84 57 push edi
60672a85 e8068c9cff call Acrobat!AcroWinMain+0x10835 (6003b690)
60672a8a 8b4e18 mov ecx,dword ptr [esi+18h]
60672a8d 83c408 add esp,8
60672a90 ba03000000 mov edx,3
60672a95 894104 mov dword ptr [ecx+4],eax
60672a98 33c0 xor eax,eax
60672a9a 8b4e18 mov ecx,dword ptr [esi+18h]
60672a9d 5f pop edi
60672a9e 5e pop esi
60672a9f 394104 cmp dword ptr [ecx+4],eax
60672aa2 0f44c2 cmove eax,edx
60672aa5 5d pop ebp
60672aa6 c20400 ret 4
60672aa9 cc int 3
60672aaa cc int 3
60672aab cc int 3
60672aac cc int 3
60672aad cc int 3
60672aae cc int 3
60672aaf cc int 3
60672ab0 56 push esi
60672ab1 8bf1 mov esi,ecx
60672ab3 57 push edi
60672ab4 8b7e14 mov edi,dword ptr [esi+14h]
60672ab7 8b07 mov eax,dword ptr [edi]
60672ab9 3b4704 cmp eax,dword ptr [edi+4]
60672abc 737e jae Acrobat!CTJPEGWarningHandler::operator=+0x314ec (60672b3c)
60672abe 807e0cff cmp byte ptr [esi+0Ch],0FFh
60672ac2 743a je Acrobat!CTJPEGWarningHandler::operator=+0x314ae (60672afe)
60672ac4 3b4704 cmp eax,dword ptr [edi+4]
60672ac7 720f jb Acrobat!CTJPEGWarningHandler::operator=+0x31488 (60672ad8)
60672ac9 68706a2361 push offset Acrobat!PDMediaQuerySetMediaType+0x196f10 (61236a70)
60672ace 6aff push 0FFFFFFFFh
60672ad0 e89bb5b9ff call Acrobat!CTJPEGDecoderReadNextTile+0x56520 (6020e070)
60672ad5 83c408 add esp,8
60672ad8 8b0f mov ecx,dword ptr [edi]
Acrobat!CTJPEGWarningHandler::operator=+0x3148a:
60672ada 0fb601 movzx eax,byte ptr [ecx] // current instruction
60672add 88470c mov byte ptr [edi+0Ch],al
60672ae0 8d4101 lea eax,[ecx+1]
60672ae3 8907 mov dword ptr [edi],eax
60672ae5 8a470c mov al,byte ptr [edi+0Ch]
60672ae8 88460c mov byte ptr [esi+0Ch],al
60672aeb 0fb6c0 movzx eax,al
60672aee c1e008 shl eax,8
60672af1 014604 add dword ptr [esi+4],eax
60672af4 5f pop edi
60672af5 c7461008000000 mov dword ptr [esi+10h],8
60672afc 5e pop esi
60672afd c3 ret
60672afe 3b4704 cmp eax,dword ptr [edi+4]
60672b01 720f jb Acrobat!CTJPEGWarningHandler::operator=+0x314c2 (60672b12)
60672b03 68706a2361 push offset Acrobat!PDMediaQuerySetMediaType+0x196f10 (61236a70)
60672b08 6aff push 0FFFFFFFFh
60672b0a e861b5b9ff call Acrobat!CTJPEGDecoderReadNextTile+0x56520 (6020e070)
60672b0f 83c408 add esp,8
60672b12 8b0f mov ecx,dword ptr [edi]
60672b14 0fb601 movzx eax,byte ptr [ecx]
60672b17 88470c mov byte ptr [edi+0Ch],al
60672b1a 8d4101 lea eax,[ecx+1]
60672b1d 8907 mov dword ptr [edi],eax
60672b1f 8a470c mov al,byte ptr [edi+0Ch]
60672b22 88460c mov byte ptr [esi+0Ch],al
60672b25 3c8f cmp al,8Fh
60672b27 7713 ja Acrobat!CTJPEGWarningHandler::operator=+0x314ec (60672b3c)
60672b29 0fb6c0 movzx eax,al
60672b2c c1e009 shl eax,9
60672b2f 014604 add dword ptr [esi+4],eax
60672b32 5f pop edi
PoC
attached
Attachments:
OOBR[0x67]@0x672ADA.pdf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/