CVE-2018-12875
Information
Stack-based buffer overflow while parsing malformed XSLT in AXSLE.dll.
Crash Dump:
Stack
AXSLE.dll + 0x518CA (id: a16, no function symbol available)
AXSLE.dll + 0x4E990 (id: 72d, no function symbol available)
AXSLE.dll + 0x23E69 (no function symbol available)
AXSLE.dll + 0x27779 (no function symbol available)
AXSLE.dll + 0x29752 (no function symbol available)
AXSLE.dll + 0x2FCF4 (no function symbol available)
AXSLE.dll + 0x2EC8A (no function symbol available)
AXSLE.dll + 0x2E9BD (no function symbol available)
AXSLE.dll + 0x2EA9D (no function symbol available)
AXSLE.dll + 0x2EC8A (no function symbol available)
AXSLE.dll + 0x2E9BD (no function symbol available)
AXSLE.dll + 0x2FB61 (no function symbol available)
AXSLE.dll + 0x1AA3B (no function symbol available)
AXSLE.dll + 0x1A9FB (no function symbol available)
AXSLE.dll + 0x1A9FB (no function symbol available)
AXSLE.dll + 0x1A9FB (no function symbol available)
AXSLE.dll + 0x2F011 (no function symbol available)
AXSLE.dll + 0x2EC8A (no function symbol available)
AXSLE.dll + 0x2E9BD (no function symbol available)
AXSLE.dll + 0x2EA9D (no function symbol available)
AXSLE.dll + 0x2EC8A (no function symbol available)
AXSLE.dll + 0x2E9BD (no function symbol available)
AXSLE.dll + 0x2EA9D (no function symbol available)
AXSLE.dll + 0x2EC8A (no function symbol available)
AXSLE.dll + 0x2E9BD (no function symbol available)
AXSLE.dll + 0x2FB61 (no function symbol available)
AXSLE.dll + 0x1AA3B (no function symbol available)
AXSLE.dll + 0x2FC73 (no function symbol available)
AXSLE.dll + 0x2EC8A (no function symbol available)
AXSLE.dll + 0x2E9BD (no function symbol available)
AXSLE.dll + 0x2EC38 (no function symbol available)
AXSLE.dll + 0x1C106 (no function symbol available)
AXSLE.dll + 0x17091 (no function symbol available)
AXSLE.dll + 0x131F5 (no function symbol available)
AXSLE.dll + 0xE807 (no function symbol available)
Registers
eax=00000001 ebx=07122e18 ecx=00000002 edx=000001e0 esi=00000000 edi=00000110
eip=6f2618ca esp=010fd5e8 ebp=010fd90c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
AXSLE!AXE_TransformerTerminate+0x4bbe4:
6f2618ca cd29 int 29h
Disassembly of stack frame 1 at AXSLE.dll + 0x518CA
6f261830 55 push ebp
6f261831 8bec mov ebp,esp
6f261833 56 push esi
6f261834 33c0 xor eax,eax
6f261836 50 push eax
6f261837 50 push eax
6f261838 50 push eax
6f261839 50 push eax
6f26183a 50 push eax
6f26183b 50 push eax
6f26183c 50 push eax
6f26183d 50 push eax
6f26183e 8b550c mov edx,dword ptr [ebp+0Ch]
6f261841 8d4900 lea ecx,[ecx]
6f261844 8a02 mov al,byte ptr [edx]
6f261846 0ac0 or al,al
6f261848 7409 je AXSLE!AXE_TransformerTerminate+0x4bb6d (6f261853)
6f26184a 83c201 add edx,1
6f26184d 0fab0424 bts dword ptr [esp],eax
6f261851 ebf1 jmp AXSLE!AXE_TransformerTerminate+0x4bb5e (6f261844)
6f261853 8b7508 mov esi,dword ptr [ebp+8]
6f261856 83c9ff or ecx,0FFFFFFFFh
6f261859 8d4900 lea ecx,[ecx]
6f26185c 83c101 add ecx,1
6f26185f 8a06 mov al,byte ptr [esi]
6f261861 0ac0 or al,al
6f261863 7409 je AXSLE!AXE_TransformerTerminate+0x4bb88 (6f26186e)
6f261865 83c601 add esi,1
6f261868 0fa30424 bt dword ptr [esp],eax
6f26186c 73ee jae AXSLE!AXE_TransformerTerminate+0x4bb76 (6f26185c)
6f26186e 8bc1 mov eax,ecx
6f261870 83c420 add esp,20h
6f261873 5e pop esi
6f261874 c9 leave
6f261875 c3 ret
6f261876 55 push ebp
6f261877 8bec mov ebp,esp
6f261879 ff1534a0276f call dword ptr [AXSLE!AXE_TransformerTerminate+0x6434e (6f27a034)]
6f26187f 6a01 push 1
6f261881 a37c112a6f mov dword ptr [AXSLE!AXE_TransformerTerminate+0x8b496 (6f2a117c)],eax
6f261886 e825730000 call AXSLE!AXE_TransformerTerminate+0x52eca (6f268bb0)
6f26188b ff7508 push dword ptr [ebp+8]
6f26188e e83f650000 call AXSLE!AXE_TransformerTerminate+0x520ec (6f267dd2)
6f261893 833d7c112a6f00 cmp dword ptr [AXSLE!AXE_TransformerTerminate+0x8b496 (6f2a117c)],0
6f26189a 59 pop ecx
6f26189b 59 pop ecx
6f26189c 7508 jne AXSLE!AXE_TransformerTerminate+0x4bbc0 (6f2618a6)
6f26189e 6a01 push 1
6f2618a0 e80b730000 call AXSLE!AXE_TransformerTerminate+0x52eca (6f268bb0)
6f2618a5 59 pop ecx
6f2618a6 68090400c0 push 0C0000409h // STATUS_STACK_BUFFER_OVERRUN: this is the /GS cookie-failure report path
6f2618ab e80d650000 call AXSLE!AXE_TransformerTerminate+0x520d7 (6f267dbd)
6f2618b0 59 pop ecx
6f2618b1 5d pop ebp
6f2618b2 c3 ret
6f2618b3 55 push ebp
6f2618b4 8bec mov ebp,esp
6f2618b6 81ec24030000 sub esp,324h
6f2618bc 6a17 push 17h // 17h = PF_FASTFAIL_AVAILABLE (23): checks whether __fastfail (int 29h) is available, the standard __report_gsfailure pattern
6f2618be e899180100 call AXSLE!AXE_TransformerTerminate+0x5d476 (6f27315c)
6f2618c3 85c0 test eax,eax
6f2618c5 7405 je AXSLE!AXE_TransformerTerminate+0x4bbe6 (6f2618cc)
6f2618c7 6a02 push 2
6f2618c9 59 pop ecx
AXSLE!AXE_TransformerTerminate+0x4bbe4:
6f2618ca cd29 int 29h // current instruction: __fastfail with ecx=2 (FAST_FAIL_STACK_COOKIE_CHECK_FAILURE); the stack cookie check caught the overrun before the corrupted frame returned
6f2618cc a3600f2a6f mov dword ptr [AXSLE!AXE_TransformerTerminate+0x8b27a (6f2a0f60)],eax
6f2618d1 890d5c0f2a6f mov dword ptr [AXSLE!AXE_TransformerTerminate+0x8b276 (6f2a0f5c)],ecx
6f2618d7 8915580f2a6f mov dword ptr [AXSLE!AXE_TransformerTerminate+0x8b272 (6f2a0f58)],edx
6f2618dd 891d540f2a6f mov dword ptr [AXSLE!AXE_TransformerTerminate+0x8b26e (6f2a0f54)],ebx
6f2618e3 8935500f2a6f mov dword ptr [AXSLE!AXE_TransformerTerminate+0x8b26a (6f2a0f50)],esi
6f2618e9 893d4c0f2a6f mov dword ptr [AXSLE!AXE_TransformerTerminate+0x8b266 (6f2a0f4c)],edi
6f2618ef 668c15780f2a6f mov word ptr [AXSLE!AXE_TransformerTerminate+0x8b292 (6f2a0f78)],ss
6f2618f6 668c0d6c0f2a6f mov word ptr [AXSLE!AXE_TransformerTerminate+0x8b286 (6f2a0f6c)],cs
6f2618fd 668c1d480f2a6f mov word ptr [AXSLE!AXE_TransformerTerminate+0x8b262 (6f2a0f48)],ds
6f261904 668c05440f2a6f mov word ptr [AXSLE!AXE_TransformerTerminate+0x8b25e (6f2a0f44)],es
6f26190b 668c25400f2a6f mov word ptr [AXSLE!AXE_TransformerTerminate+0x8b25a (6f2a0f40)],fs
6f261912 668c2d3c0f2a6f mov word ptr [AXSLE!AXE_TransformerTerminate+0x8b256 (6f2a0f3c)],gs
6f261919 9c pushfd
6f26191a 8f05700f2a6f pop dword ptr [AXSLE!AXE_TransformerTerminate+0x8b28a (6f2a0f70)]
6f261920 8b4500 mov eax,dword ptr [ebp]
6f261923 a3640f2a6f mov dword ptr [AXSLE!AXE_TransformerTerminate+0x8b27e (6f2a0f64)],eax
6f261928 8b4504 mov eax,dword ptr [ebp+4]
6f26192b a3680f2a6f mov dword ptr [AXSLE!AXE_TransformerTerminate+0x8b282 (6f2a0f68)],eax
6f261930 8d4508 lea eax,[ebp+8]
6f261933 a3740f2a6f mov dword ptr [AXSLE!AXE_TransformerTerminate+0x8b28e (6f2a0f74)],eax
6f261938 8b85dcfcffff mov eax,dword ptr [ebp-324h]
6f26193e c705b00e2a6f01000100 mov dword ptr [AXSLE!AXE_TransformerTerminate+0x8b1ca (6f2a0eb0)],10001h
6f261948 a1680f2a6f mov eax,dword ptr [AXSLE!AXE_TransformerTerminate+0x8b282 (6f2a0f68)]
PoC
attached
Attachments:
stacko@0x518ca.pdf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/