CVE-2018-15930
Information
Out-of-bounds read when a malformed GIF is parsed in 2d.x3d
Crash Dump:
Stack
2d.x3d + 0x3613 (id: 5d5, no function symbol available)
2d.x3d + 0x3F00 (id: d6d, no function symbol available)
2d.x3d + 0x28B2 (no function symbol available)
rt3d.dll + 0x1076DD (no function symbol available)
rt3d.dll + 0xCACC7 (no function symbol available)
rt3d.dll!GetPicture + 0x2E
Registers
eax=00002c00 ebx=00000000 ecx=00000002 edx=00002c00 esi=00000002 edi=010fb690
eip=6e203613 esp=010fa654 ebp=010fb664 iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297
fpcw=027F: rn 53 puozdi fpsw=4020: top=0 cc=1000 --p----- fptw=FFFF
fopcode=0000 fpip=0000:6e4e5d0c fpdp=0000:00000000
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 5.300000000000000000000e+0001
st4= 5.000000000000000000000e+0000 st5= 4.800000000000000000000e+0001
st6= 1.000000000000000000000e+0000 st7= 0.000000000000000000000e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=d400000000000000
mm4=a000000000000000 mm5=c000000000000000
mm6=8000000000000000 mm7=0000000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0.0213317 4.23622e-037 0.0252379 4.23622e-037
xmm7=0.0213317 4.23622e-037 0.0138976 7.51864e+029
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
2d!E3DLLFunc+0x1755:
6e203613 8a8497a0010000 mov al,byte ptr [edi+edx*4+1A0h] ds:002b:01106830=??
Disassembly of stack frame 1 at 2d.x3d + 0x3613
6e20354a 8d4101 lea eax,[ecx+1]
6e20354d 888294010000 mov byte ptr [edx+194h],al
6e203553 b800100000 mov eax,1000h
6e203558 668982a8410000 mov word ptr [edx+41A8h],ax
6e20355f 33c0 xor eax,eax
6e203561 40 inc eax
6e203562 66d3e0 shl ax,cl
6e203565 668982aa410000 mov word ptr [edx+41AAh],ax
6e20356c 40 inc eax
6e20356d 668982ac410000 mov word ptr [edx+41ACh],ax
6e203574 40 inc eax
6e203575 668982a0410000 mov word ptr [edx+41A0h],ax
6e20357c 33c9 xor ecx,ecx
6e20357e 0fb7c1 movzx eax,cx
6e203581 83ceff or esi,0FFFFFFFFh
6e203584 66898c82a0010000 mov word ptr [edx+eax*4+1A0h],cx
6e20358c 41 inc ecx
6e20358d 6689b482a2010000 mov word ptr [edx+eax*4+1A2h],si
6e203595 663b8aac410000 cmp cx,word ptr [edx+41ACh]
6e20359c 76e0 jbe 2d!E3DLLFunc+0x16c0 (6e20357e)
6e20359e 5e pop esi
6e20359f c3 ret
6e2035a0 83a1bc41000000 and dword ptr [ecx+41BCh],0
6e2035a7 33c0 xor eax,eax
6e2035a9 668981b8410000 mov word ptr [ecx+41B8h],ax
6e2035b0 e98cffffff jmp 2d!E3DLLFunc+0x1683 (6e203541)
6e2035b5 56 push esi
6e2035b6 8bf1 mov esi,ecx
6e2035b8 eb11 jmp 2d!E3DLLFunc+0x170d (6e2035cb)
6e2035ba 8b4e04 mov ecx,dword ptr [esi+4]
6e2035bd 6a01 push 1
6e2035bf 0fb6c0 movzx eax,al
6e2035c2 50 push eax
6e2035c3 8b11 mov edx,dword ptr [ecx]
6e2035c5 51 push ecx
6e2035c6 ff5228 call dword ptr [edx+28h]
6e2035c9 8bce mov ecx,esi
6e2035cb e809030000 call 2d!E3DLLFunc+0x1a1b (6e2038d9)
6e2035d0 84c0 test al,al
6e2035d2 75e6 jne 2d!E3DLLFunc+0x16fc (6e2035ba)
6e2035d4 5e pop esi
6e2035d5 c3 ret
6e2035d6 55 push ebp
6e2035d7 8bec mov ebp,esp
6e2035d9 b804100000 mov eax,1004h
6e2035de e83dfa0500 call 2d!zlibVersion+0x2210 (6e263020)
6e2035e3 a12436296e mov eax,dword ptr [2d!zlibVersion+0x32814 (6e293624)]
6e2035e8 33c5 xor eax,ebp
6e2035ea 8945fc mov dword ptr [ebp-4],eax
6e2035ed 53 push ebx
6e2035ee 8a5d0c mov bl,byte ptr [ebp+0Ch]
6e2035f1 660fbec3 movsx ax,bl
6e2035f5 56 push esi
6e2035f6 57 push edi
6e2035f7 0fb7f0 movzx esi,ax
6e2035fa 8bf9 mov edi,ecx
6e2035fc 8b4508 mov eax,dword ptr [ebp+8]
6e2035ff 0fb7c0 movzx eax,ax
6e203602 46 inc esi
6e203603 b9ff0f0000 mov ecx,0FFFh
6e203608 663bf1 cmp si,cx
6e20360b 7323 jae 2d!E3DLLFunc+0x1772 (6e203630)
6e20360d 0fbfd0 movsx edx,ax
6e203610 0fb7ce movzx ecx,si
2d!E3DLLFunc+0x1755:
6e203613 8a8497a0010000 mov al,byte ptr [edi+edx*4+1A0h] // current instruction
6e20361a 88840dfcefffff mov byte ptr [ebp+ecx-1004h],al
6e203621 0fb78497a2010000 movzx eax,word ptr [edi+edx*4+1A2h]
6e203629 6685c0 test ax,ax
6e20362c 79d4 jns 2d!E3DLLFunc+0x1744 (6e203602)
6e20362e eb06 jmp 2d!E3DLLFunc+0x1778 (6e203636)
6e203630 81c6ffff0000 add esi,0FFFFh
6e203636 0fb7c6 movzx eax,si
6e203639 8a9405fcefffff mov dl,byte ptr [ebp+eax-1004h]
6e203640 0fb787a0410000 movzx eax,word ptr [edi+41A0h]
6e203647 0fb6ca movzx ecx,dl
6e20364a 66898c87a0010000 mov word ptr [edi+eax*4+1A0h],cx
6e203652 0fb78fa0410000 movzx ecx,word ptr [edi+41A0h]
6e203659 668b87a8410000 mov ax,word ptr [edi+41A8h]
6e203660 6689848fa2010000 mov word ptr [edi+ecx*4+1A2h],ax
6e203668 66ff87a0410000 inc word ptr [edi+41A0h]
6e20366f 80fb01 cmp bl,1
6e203672 0fb68dfdefffff movzx ecx,byte ptr [ebp-1003h]
6e203679 0fb6c2 movzx eax,dl
6e20367c 0f44c8 cmove ecx,eax
6e20367f 888dfdefffff mov byte ptr [ebp-1003h],cl
6e203685 0fb7c6 movzx eax,si
6e203688 8bcf mov ecx,edi
6e20368a 0fb68405fcefffff movzx eax,byte ptr [ebp+eax-1004h]
6e203692 50 push eax
6e203693 e87f000000 call 2d!E3DLLFunc+0x1859 (6e203717)
PoC
attached
Attachments:
golden_boy.u3d
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/