CVE-2018-15927
Information
Out-of-bounds read due to a corrupted TIF file being parsed in ImageConversion.api. The faulting instruction reads `byte ptr [edi+2]` with edi=1ac96ffe, i.e. the access crosses into the unmapped page at 1ac97000 (shown as `=??` in the dump).
Crash Dump:
Stack
ImageConversion.api + 0x6010C (id: 00b, no function symbol available)
ImageConversion.api + 0x5F626 (id: 69a, no function symbol available)
ImageConversion.api + 0x5E9A5 (no function symbol available)
ImageConversion.api + 0x4F251 (no function symbol available)
ImageConversion.api + 0x2799E (no function symbol available)
ImageConversion.api + 0x18498 (no function symbol available)
Acrobat.dll + 0x7BB44B (no function symbol available)
Acrobat.dll + 0x7BD6C1 (no function symbol available)
Acrobat.dll + 0x7BD642 (no function symbol available)
Acrobat.dll + 0xB8A43 (no function symbol available)
Acrobat.dll + 0xB73FD (no function symbol available)
Acrobat.dll + 0xB6919 (no function symbol available)
Acrobat.dll + 0xB4BB2 (no function symbol available)
Acrobat.dll + 0xB340F (no function symbol available)
Acrobat.dll + 0xB2CFC (no function symbol available)
Acrobat.dll + 0x2EFFA (no function symbol available)
Acrobat.dll + 0x2B36E (no function symbol available)
Acrobat.dll!AcroWinMain + 0x18
Acrobat.exe + 0x76EC (no function symbol available)
Acrobat.exe + 0x8711 (no function symbol available)
KERNEL32.DLL!BaseThreadInitThunk + 0x24
ntdll.dll!__RtlUserThreadStart + 0x2F
ntdll.dll!_RtlUserThreadStart + 0x1B
Registers
eax=16b38a88 ebx=16b38ac0 ecx=00000002 edx=000000ff esi=00afde3c edi=1ac96ffe
eip=25d4010c esp=00afdc14 ebp=00afdc3c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
fpcw=027F: rn 53 puozdi fpsw=4021: top=0 cc=1000 --p----i fptw=FFFF
fopcode=0000 fpip=0000:25d566ef fpdp=0000:00000000
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 1.600000000000000000000e+0001
st6= 0.000000000000000000000e+0000 st7= 7.200000000000000000000e+0001
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=8000000000000000
mm6=0000000000000000 mm7=9000000000000000
xmm0=0 0 7.886 -1.9354e-012
xmm1=0 0 6.68829 7.74946e-008
xmm2=0 0 7.21414 2.15338e+014
xmm3=0 0 1.75 0
xmm4=0 0 7.5 0
xmm5=0 0 1.9715 -1.9354e-012
xmm6=0 0 0 0
xmm7=0 0 0 1.4013e-045
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
ImageConversion!png_write_sig+0x1a973:
25d4010c 8a4f02 mov cl,byte ptr [edi+2] ds:002b:1ac97000=??
Disassembly of stack frame 1 at ImageConversion.api + 0x6010C
25d40048 ba00010000 mov edx,100h
25d4004d f20f2cc8 cvttsd2si ecx,xmm0
25d40051 8bda mov ebx,edx
25d40053 2b5df0 sub ebx,dword ptr [ebp-10h]
25d40056 c1e307 shl ebx,7
25d40059 8945f4 mov dword ptr [ebp-0Ch],eax
25d4005c 8bc2 mov eax,edx
25d4005e 2b55f8 sub edx,dword ptr [ebp-8]
25d40061 2bc1 sub eax,ecx
25d40063 c1e007 shl eax,7
25d40066 8945fc mov dword ptr [ebp-4],eax
25d40069 c1e207 shl edx,7
25d4006c 8b06 mov eax,dword ptr [esi]
25d4006e 8bca mov ecx,edx
25d40070 c1f910 sar ecx,10h
25d40073 0355f8 add edx,dword ptr [ebp-8]
25d40076 8b8068050000 mov eax,dword ptr [eax+568h]
25d4007c 8b4004 mov eax,dword ptr [eax+4]
25d4007f 890c07 mov dword ptr [edi+eax],ecx
25d40082 8b06 mov eax,dword ptr [esi]
25d40084 8b4dfc mov ecx,dword ptr [ebp-4]
25d40087 c1f910 sar ecx,10h
25d4008a 8b8068050000 mov eax,dword ptr [eax+568h]
25d40090 8b4008 mov eax,dword ptr [eax+8]
25d40093 890c07 mov dword ptr [edi+eax],ecx
25d40096 8b06 mov eax,dword ptr [esi]
25d40098 8b4df4 mov ecx,dword ptr [ebp-0Ch]
25d4009b 8b8068050000 mov eax,dword ptr [eax+568h]
25d400a1 8b400c mov eax,dword ptr [eax+0Ch]
25d400a4 890c07 mov dword ptr [edi+eax],ecx
25d400a7 8b06 mov eax,dword ptr [esi]
25d400a9 034de8 add ecx,dword ptr [ebp-18h]
25d400ac 894df4 mov dword ptr [ebp-0Ch],ecx
25d400af 8b8068050000 mov eax,dword ptr [eax+568h]
25d400b5 8b4010 mov eax,dword ptr [eax+10h]
25d400b8 891c07 mov dword ptr [edi+eax],ebx
25d400bb 83c704 add edi,4
25d400be 8b45ec mov eax,dword ptr [ebp-14h]
25d400c1 0145fc add dword ptr [ebp-4],eax
25d400c4 035df0 add ebx,dword ptr [ebp-10h]
25d400c7 81ff00040000 cmp edi,400h
25d400cd 7c9d jl ImageConversion!png_write_sig+0x1a8d3 (25d4006c)
25d400cf 8b06 mov eax,dword ptr [esi]
25d400d1 33c9 xor ecx,ecx
25d400d3 6a03 push 3
25d400d5 5a pop edx
25d400d6 0fb7800a010000 movzx eax,word ptr [eax+10Ah]
25d400dd 2bc2 sub eax,edx
25d400df 85c0 test eax,eax
25d400e1 0f4fc8 cmovg ecx,eax
25d400e4 8b4518 mov eax,dword ptr [ebp+18h]
25d400e7 03ca add ecx,edx
25d400e9 0fafc8 imul ecx,eax
25d400ec 49 dec ecx
25d400ed 3b4d14 cmp ecx,dword ptr [ebp+14h]
25d400f0 7608 jbe ImageConversion!png_write_sig+0x1a961 (25d400fa)
25d400f2 895510 mov dword ptr [ebp+10h],edx
25d400f5 e9fe000000 jmp ImageConversion!png_write_sig+0x1aa5f (25d401f8)
25d400fa 85c0 test eax,eax
25d400fc 0f84e6000000 je ImageConversion!png_write_sig+0x1aa4f (25d401e8)
25d40102 8b7d10 mov edi,dword ptr [ebp+10h]
25d40105 8b06 mov eax,dword ptr [esi]
25d40107 8a17 mov dl,byte ptr [edi]
25d40109 8a5f01 mov bl,byte ptr [edi+1]
ImageConversion!png_write_sig+0x1a973:
25d4010c 8a4f02 mov cl,byte ptr [edi+2] // current instruction
25d4010f 83c703 add edi,3
25d40112 8bb068050000 mov esi,dword ptr [eax+568h]
25d40118 897d10 mov dword ptr [ebp+10h],edi
25d4011b 0fb6f9 movzx edi,cl
25d4011e 0fb6ca movzx ecx,dl
25d40121 8b06 mov eax,dword ptr [esi]
25d40123 897514 mov dword ptr [ebp+14h],esi
25d40126 6a03 push 3
25d40128 0fb61401 movzx edx,byte ptr [ecx+eax]
25d4012c 8b4604 mov eax,dword ptr [esi+4]
25d4012f 8955e8 mov dword ptr [ebp-18h],edx
25d40132 0fb6f3 movzx esi,bl
25d40135 8b5d14 mov ebx,dword ptr [ebp+14h]
25d40138 8b0cb8 mov ecx,dword ptr [eax+edi*4]
25d4013b 03ca add ecx,edx
25d4013d baff000000 mov edx,0FFh
25d40142 3bca cmp ecx,edx
25d40144 0fb6c1 movzx eax,cl
25d40147 0f4fc2 cmovg eax,edx
25d4014a 33d2 xor edx,edx
25d4014c 85c9 test ecx,ecx
25d4014e 0fb6c0 movzx eax,al
25d40151 8b4b0c mov ecx,dword ptr [ebx+0Ch]
25d40154 0f48c2 cmovs eax,edx
25d40157 8945ec mov dword ptr [ebp-14h],eax
25d4015a 8b4310 mov eax,dword ptr [ebx+10h]
25d4015d 8b14b0 mov edx,dword ptr [eax+esi*4]
25d40160 0314b9 add edx,dword ptr [ecx+edi*4]
25d40163 b9ff000000 mov ecx,0FFh
25d40168 c1fa10 sar edx,10h
25d4016b 0355e8 add edx,dword ptr [ebp-18h]
PoC
attached
Attachments:
OOBR[0x10]@0x6010C.tif
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/