CVE-2018-12873
Information
Out-of-bounds write in Acrobat.dll while parsing a malformed JBIG2 stream. The crash is a 4-byte store, `mov dword ptr [ecx+4],edx`, at Acrobat.dll+0x677F69 (AIDE::PixelPartInfo::PixelPartInfo+0x429); the target address 0x087f1000 (ecx=0x087f0ffc) is page-aligned and unmapped (`????????`), i.e. the store runs off the end of a heap buffer whose allocation ends at a page boundary — consistent with page heap being enabled for the repro. In the disassembly below, the in-loop stores at +0x3c4 and +0x3f0 are each gated by a bounds compare (+0x3b8 and +0x3e1, `jae` to the exit path) before the cursors at [ebp-20h]/[ebp-1Ch] are advanced, whereas the post-loop stores at +0x429..+0x435 write two dwords through those same advanced cursors with no such check; that trailing write looks like the most likely overflow site, but this should be confirmed against the attached PoC rather than inferred from the listing alone.
Crash Dump:
Stack
Acrobat.dll + 0x677F69 (id: 1d7, no function symbol available)
Acrobat.dll + 0x65E14D (id: b81, no function symbol available)
Acrobat.dll + 0x65C57A (no function symbol available)
Registers
eax=087ecffc ebx=08548fe8 ecx=087f0ffc edx=00000017 esi=00000001 edi=0000001a
eip=60677f69 esp=004ff68c ebp=004ff70c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
fpcw=027F: rn 53 puozdi fpsw=0021: top=0 cc=0000 --p----i fptw=FFFF
fopcode=0000 fpip=0000:73a528bb fpdp=0000:73a9f398
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 0.000000000000000000000e+0000
st6= 1.000000000000000000000e+0000 st7= 1.107148717794090502970e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=0000000000000000
mm6=8000000000000000 mm7=8db70c975df22363
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=-7.03653e-021 1.50002e-022 2.52709e+027 -6.68526e-022
xmm7=0 0 0 1.4013e-045
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x429:
60677f69 895104 mov dword ptr [ecx+4],edx ds:002b:087f1000=????????
Disassembly of stack frame 1 at Acrobat.dll + 0x677F69
60677e98 8b03 mov eax,dword ptr [ebx]
60677e9a 83e908 sub ecx,8
60677e9d 894dac mov dword ptr [ebp-54h],ecx
60677ea0 83ea08 sub edx,8
60677ea3 8bcb mov ecx,ebx
60677ea5 8955a8 mov dword ptr [ebp-58h],edx
60677ea8 89430c mov dword ptr [ebx+0Ch],eax
60677eab e8a0030000 call Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x710 (60678250)
60677eb0 83f809 cmp eax,9
60677eb3 0f878b000000 ja Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x404 (60677f44)
60677eb9 0fb68838826760 movzx ecx,byte ptr Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x6f8 (60678238)[eax]
60677ec0 ff248d28826760 jmp dword ptr Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x6e8 (60678228)[ecx*4]
60677ec7 66837de800 cmp word ptr [ebp-18h],0
60677ecc 7446 je Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x3d4 (60677f14)
60677ece 8b75ec mov esi,dword ptr [ebp-14h]
60677ed1 8bc7 mov eax,edi
60677ed3 2bc6 sub eax,esi
60677ed5 8bcb mov ecx,ebx
60677ed7 50 push eax
60677ed8 ff75d0 push dword ptr [ebp-30h]
60677edb 56 push esi
60677edc ff7508 push dword ptr [ebp+8]
60677edf e8dc050000 call Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x980 (606784c0)
60677ee4 85c0 test eax,eax
60677ee6 0f85bb000000 jne Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x467 (60677fa7)
60677eec 3845f3 cmp byte ptr [ebp-0Dh],al
60677eef 754d jne Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x3fe (60677f3e)
60677ef1 8b4ddc mov ecx,dword ptr [ebp-24h]
60677ef4 c645f301 mov byte ptr [ebp-0Dh],1
60677ef8 3b4dcc cmp ecx,dword ptr [ebp-34h]
60677efb 0f83ad020000 jae Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x66e (606781ae)
60677f01 8b45e0 mov eax,dword ptr [ebp-20h]
60677f04 8930 mov dword ptr [eax],esi
60677f06 83c004 add eax,4
60677f09 83c104 add ecx,4
60677f0c 8945e0 mov dword ptr [ebp-20h],eax
60677f0f 894ddc mov dword ptr [ebp-24h],ecx
60677f12 eb2a jmp Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x3fe (60677f3e)
60677f14 807df300 cmp byte ptr [ebp-0Dh],0
60677f18 7424 je Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x3fe (60677f3e)
60677f1a 8b4dd8 mov ecx,dword ptr [ebp-28h]
60677f1d c645f300 mov byte ptr [ebp-0Dh],0
60677f21 3b4dc8 cmp ecx,dword ptr [ebp-38h]
60677f24 0f8384020000 jae Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x66e (606781ae)
60677f2a 8b45e4 mov eax,dword ptr [ebp-1Ch]
60677f2d 8b75ec mov esi,dword ptr [ebp-14h]
60677f30 8930 mov dword ptr [eax],esi
60677f32 83c004 add eax,4
60677f35 83c104 add ecx,4
60677f38 8945e4 mov dword ptr [ebp-1Ch],eax
60677f3b 894dd8 mov dword ptr [ebp-28h],ecx
60677f3e 897dec mov dword ptr [ebp-14h],edi
60677f41 897dd4 mov dword ptr [ebp-2Ch],edi
60677f44 8b7dec mov edi,dword ptr [ebp-14h]
60677f47 8b45d4 mov eax,dword ptr [ebp-2Ch]
60677f4a 8b75e8 mov esi,dword ptr [ebp-18h]
60677f4d 8b4dac mov ecx,dword ptr [ebp-54h]
60677f50 8b55a8 mov edx,dword ptr [ebp-58h]
60677f53 3b45c0 cmp eax,dword ptr [ebp-40h]
60677f56 0f8cd4feffff jl Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x2f0 (60677e30)
60677f5c 8b45e4 mov eax,dword ptr [ebp-1Ch]
60677f5f 8b4de0 mov ecx,dword ptr [ebp-20h]
60677f62 8b55c0 mov edx,dword ptr [ebp-40h]
60677f65 807df200 cmp byte ptr [ebp-0Eh],0
Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x429:
60677f69 895104 mov dword ptr [ecx+4],edx // current instruction
60677f6c 0f9445f2 sete byte ptr [ebp-0Eh]
60677f70 8911 mov dword ptr [ecx],edx
60677f72 895004 mov dword ptr [eax+4],edx
60677f75 8910 mov dword ptr [eax],edx
60677f77 8b45d0 mov eax,dword ptr [ebp-30h]
60677f7a 40 inc eax
60677f7b 8945d0 mov dword ptr [ebp-30h],eax
60677f7e 3b45b0 cmp eax,dword ptr [ebp-50h]
60677f81 0f8c29feffff jl Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x270 (60677db0)
60677f87 66837d0c00 cmp word ptr [ebp+0Ch],0
60677f8c 0f8423020000 je Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x675 (606781b5)
60677f92 8b03 mov eax,dword ptr [ebx]
60677f94 8bcb mov ecx,ebx
60677f96 89430c mov dword ptr [ebx+0Ch],eax
60677f99 e8b2020000 call Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x710 (60678250)
60677f9e 83f809 cmp eax,9
60677fa1 0f840e020000 je Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x675 (606781b5)
60677fa7 be0d000000 mov esi,0Dh
60677fac e914020000 jmp Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x685 (606781c5)
60677fb1 8b75ec mov esi,dword ptr [ebp-14h]
60677fb4 33c0 xor eax,eax
60677fb6 8b7de8 mov edi,dword ptr [ebp-18h]
60677fb9 83feff cmp esi,0FFFFFFFFh
60677fbc 0f44f0 cmove esi,eax
60677fbf 8975d4 mov dword ptr [ebp-2Ch],esi
60677fc2 33f6 xor esi,esi
60677fc4 8bcb mov ecx,ebx
60677fc6 6685ff test di,di
60677fc9 7405 je Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x490 (60677fd0)
60677fcb 8b4308 mov eax,dword ptr [ebx+8]
60677fce eb03 jmp Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x493 (60677fd3)
PoC
attached
Attachments:
OOBW[0x6C]@0x677F69.pdf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/