CVE-2018-15931
Information
Out-of-bounds write caused by a malformed GIF being parsed in 2d.x3d
Crash Dump:
Stack
2d.x3d + 0x377A (id: 872, no function symbol available)
2d.x3d + 0x3698 (id: 477, no function symbol available)
2d.x3d + 0x3F00 (no function symbol available)
2d.x3d + 0x28B2 (no function symbol available)
rt3d.dll + 0x1076DD (no function symbol available)
rt3d.dll + 0xCACC7 (no function symbol available)
rt3d.dll!GetPicture + 0x2E
Registers
eax=00000000 ebx=00000000 ecx=00000007 edx=d0d0d0d0 esi=00000000 edi=003db118
eip=6e20377a esp=003da0c0 ebp=003da0d0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
fpcw=027F: rn 53 puozdi fpsw=4020: top=0 cc=1000 --p----- fptw=FFFF
fopcode=0000 fpip=0000:6e4e5d0c fpdp=0000:00000000
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 5.300000000000000000000e+0001
st4= 5.000000000000000000000e+0000 st5= 4.800000000000000000000e+0001
st6= 1.000000000000000000000e+0000 st7= 0.000000000000000000000e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=d400000000000000
mm4=a000000000000000 mm5=c000000000000000
mm6=8000000000000000 mm7=0000000000000000
xmm0=0 0 1.75 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0.0213317 4.23622e-037 0.0252379 4.23622e-037
xmm7=0.0213317 4.23622e-037 0.0138976 7.51864e+029
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
2d!E3DLLFunc+0x18bc:
6e20377a 300432 xor byte ptr [edx+esi],al ds:002b:d0d0d0d0=??
Disassembly of stack frame 1 at 2d.x3d + 0x377A
6e2036b8 83f808 cmp eax,8
6e2036bb 7441 je 2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036bd 83f810 cmp eax,10h
6e2036c0 743c je 2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036c2 83f820 cmp eax,20h
6e2036c5 7437 je 2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036c7 83f840 cmp eax,40h
6e2036ca 7432 je 2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036cc b980000000 mov ecx,80h
6e2036d1 663bc1 cmp ax,cx
6e2036d4 7428 je 2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036d6 b900010000 mov ecx,100h
6e2036db 663bc1 cmp ax,cx
6e2036de 741e je 2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036e0 b900020000 mov ecx,200h
6e2036e5 663bc1 cmp ax,cx
6e2036e8 7414 je 2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036ea b900040000 mov ecx,400h
6e2036ef 663bc1 cmp ax,cx
6e2036f2 740a je 2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036f4 b900080000 mov ecx,800h
6e2036f9 663bc1 cmp ax,cx
6e2036fc 7506 jne 2d!E3DLLFunc+0x1846 (6e203704)
6e2036fe fe8794010000 inc byte ptr [edi+194h]
6e203704 8b4dfc mov ecx,dword ptr [ebp-4]
6e203707 5f pop edi
6e203708 5e pop esi
6e203709 33cd xor ecx,ebp
6e20370b 5b pop ebx
6e20370c e847f80500 call 2d!zlibVersion+0x2148 (6e262f58)
6e203711 8be5 mov esp,ebp
6e203713 5d pop ebp
6e203714 c20800 ret 8
6e203717 55 push ebp
6e203718 8bec mov ebp,esp
6e20371a 53 push ebx
6e20371b 56 push esi
6e20371c 57 push edi
6e20371d 8bf9 mov edi,ecx
6e20371f 6a08 push 8
6e203721 5e pop esi
6e203722 8a9f93000000 mov bl,byte ptr [edi+93h]
6e203728 84db test bl,bl
6e20372a 750e jne 2d!E3DLLFunc+0x187c (6e20373a)
6e20372c 8a8792000000 mov al,byte ptr [edi+92h]
6e203732 888793000000 mov byte ptr [edi+93h],al
6e203738 eb14 jmp 2d!E3DLLFunc+0x1890 (6e20374e)
6e20373a 0fb68fa6410000 movzx ecx,byte ptr [edi+41A6h]
6e203741 8bc6 mov eax,esi
6e203743 99 cdq
6e203744 f7f9 idiv eax,ecx
6e203746 2ad8 sub bl,al
6e203748 889f93000000 mov byte ptr [edi+93h],bl
6e20374e 0fb787a4410000 movzx eax,word ptr [edi+41A4h]
6e203755 663b4754 cmp ax,word ptr [edi+54h]
6e203759 7723 ja 2d!E3DLLFunc+0x18c0 (6e20377e)
6e20375b 0fb7b7a2410000 movzx esi,word ptr [edi+41A2h]
6e203762 8bc8 mov ecx,eax
6e203764 8b8788000000 mov eax,dword ptr [edi+88h]
6e20376a 6a08 push 8
6e20376c 8b1488 mov edx,dword ptr [eax+ecx*4]
6e20376f 8a8f93000000 mov cl,byte ptr [edi+93h]
6e203775 8b4508 mov eax,dword ptr [ebp+8]
6e203778 d2e0 shl al,cl
2d!E3DLLFunc+0x18bc:
6e20377a 300432 xor byte ptr [edx+esi],al // current instruction
6e20377d 5e pop esi
6e20377e 80bf9300000000 cmp byte ptr [edi+93h],0
6e203785 7507 jne 2d!E3DLLFunc+0x18d0 (6e20378e)
6e203787 66ff87a2410000 inc word ptr [edi+41A2h]
6e20378e 668b0df836296e mov cx,word ptr [2d!zlibVersion+0x328e8 (6e2936f8)]
6e203795 0fb7c1 movzx eax,cx
6e203798 3b4750 cmp eax,dword ptr [edi+50h]
6e20379b 0f8cbc000000 jl 2d!E3DLLFunc+0x199f (6e20385d)
6e2037a1 33c0 xor eax,eax
6e2037a3 33db xor ebx,ebx
6e2037a5 668987a2410000 mov word ptr [edi+41A2h],ax
6e2037ac 40 inc eax
6e2037ad 66a3f836296e mov word ptr [2d!zlibVersion+0x328e8 (6e2936f8)],ax
6e2037b3 889f93000000 mov byte ptr [edi+93h],bl
6e2037b9 f605fc36296e40 test byte ptr [2d!zlibVersion+0x328ec (6e2936fc)],40h
6e2037c0 746e je 2d!E3DLLFunc+0x1972 (6e203830)
6e2037c2 8a8f94000000 mov cl,byte ptr [edi+94h]
6e2037c8 0fb6c1 movzx eax,cl
6e2037cb 48 dec eax
6e2037cc 7425 je 2d!E3DLLFunc+0x1935 (6e2037f3)
6e2037ce 48 dec eax
6e2037cf 7415 je 2d!E3DLLFunc+0x1928 (6e2037e6)
6e2037d1 48 dec eax
6e2037d2 48 dec eax
6e2037d3 7405 je 2d!E3DLLFunc+0x191c (6e2037da)
6e2037d5 83e804 sub eax,4
6e2037d8 7527 jne 2d!E3DLLFunc+0x1943 (6e203801)
6e2037da 668b87a4410000 mov ax,word ptr [edi+41A4h]
6e2037e1 662bc6 sub ax,si
6e2037e4 eb18 jmp 2d!E3DLLFunc+0x1940 (6e2037fe)
6e2037e6 668b87a4410000 mov ax,word ptr [edi+41A4h]
PoC
attached
Attachments:
golden_boy.u3d
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/