CVE-2018-15933
Information
Out-of-bounds write while a malformed GIF is parsed in 2d.x3d. The faulting instruction is mov byte ptr [edi],al at 2d.x3d + 0x7807, with edi pointing at unmapped memory (0x4bd72000); the attacker-controlled image header drives the destination address and loop bounds of the copy loop shown in the disassembly below.
Crash Dump:
Stack
2d.x3d + 0x7807 (id: 1a5, no function symbol available)
2d.x3d + 0x79C5 (id: b6a, no function symbol available)
2d.x3d + 0x2A32 (no function symbol available)
rt3d.dll + 0x1076DD (no function symbol available)
rt3d.dll + 0xCACC7 (no function symbol available)
rt3d.dll!GetPicture + 0x2E
Registers
eax=00000200 ebx=008ff500 ecx=0000027e edx=21fccb00 esi=00000042 edi=4bd72000
eip=6e207807 esp=008ff4c8 ebp=008ff4f0 iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297
2d!E3DLLFunc+0x5949:
6e207807 8807 mov byte ptr [edi],al ds:002b:4bd72000=??
Disassembly of stack frame 1 at 2d.x3d + 0x7807
6e20774d 8b4de8 mov ecx,dword ptr [ebp-18h]
6e207750 41 inc ecx
6e207751 894de8 mov dword ptr [ebp-18h],ecx
6e207754 663b4b14 cmp cx,word ptr [ebx+14h]
6e207758 0f8276ffffff jb 2d!E3DLLFunc+0x5816 (6e2076d4)
6e20775e 8b45e4 mov eax,dword ptr [ebp-1Ch]
6e207761 40 inc eax
6e207762 663b4316 cmp ax,word ptr [ebx+16h]
6e207766 8945e4 mov dword ptr [ebp-1Ch],eax
6e207769 0f824effffff jb 2d!E3DLLFunc+0x57ff (6e2076bd)
6e20776f 56 push esi
6e207770 e8f3b70500 call 2d!zlibVersion+0x2158 (6e262f68)
6e207775 ff75fc push dword ptr [ebp-4]
6e207778 e8ebb70500 call 2d!zlibVersion+0x2158 (6e262f68)
6e20777d ff75f8 push dword ptr [ebp-8]
6e207780 e8e3b70500 call 2d!zlibVersion+0x2158 (6e262f68)
6e207785 83c40c add esp,0Ch
6e207788 e935010000 jmp 2d!E3DLLFunc+0x5a04 (6e2078c2)
6e20778d 33c0 xor eax,eax
6e20778f e941010000 jmp 2d!E3DLLFunc+0x5a17 (6e2078d5)
6e207794 807b0f02 cmp byte ptr [ebx+0Fh],2
6e207798 0fb74312 movzx eax,word ptr [ebx+12h]
6e20779c 0f8594000000 jne 2d!E3DLLFunc+0x5978 (6e207836)
6e2077a2 33c9 xor ecx,ecx
6e2077a4 f7e6 mul eax,esi
6e2077a6 0f90c1 seto cl
6e2077a9 f7d9 neg ecx
6e2077ab 0bc8 or ecx,eax
6e2077ad 51 push ecx
6e2077ae e896b70500 call 2d!zlibVersion+0x2139 (6e262f49)
6e2077b3 8bf8 mov edi,eax
6e2077b5 33c0 xor eax,eax
6e2077b7 59 pop ecx
6e2077b8 33c9 xor ecx,ecx
6e2077ba 897df0 mov dword ptr [ebp-10h],edi
6e2077bd 894df4 mov dword ptr [ebp-0Ch],ecx
6e2077c0 663b4316 cmp ax,word ptr [ebx+16h]
6e2077c4 736a jae 2d!E3DLLFunc+0x5972 (6e207830)
6e2077c6 33c0 xor eax,eax
6e2077c8 33f6 xor esi,esi
6e2077ca 663b4314 cmp ax,word ptr [ebx+14h]
6e2077ce 7354 jae 2d!E3DLLFunc+0x5966 (6e207824)
6e2077d0 8b4b04 mov ecx,dword ptr [ebx+4]
6e2077d3 0fb74312 movzx eax,word ptr [ebx+12h]
6e2077d7 03c0 add eax,eax
6e2077d9 50 push eax
6e2077da 8b11 mov edx,dword ptr [ecx]
6e2077dc 57 push edi
6e2077dd 51 push ecx
6e2077de ff523c call dword ptr [edx+3Ch]
6e2077e1 56 push esi
6e2077e2 8bcb mov ecx,ebx
6e2077e4 e83efdffff call 2d!E3DLLFunc+0x5669 (6e207527)
6e2077e9 ff75f4 push dword ptr [ebp-0Ch]
6e2077ec 8bcb mov ecx,ebx
6e2077ee 8bf8 mov edi,eax
6e2077f0 e87efcffff call 2d!E3DLLFunc+0x55b5 (6e207473)
6e2077f5 03f8 add edi,eax
6e2077f7 33c9 xor ecx,ecx
6e2077f9 33c0 xor eax,eax
6e2077fb 663b4312 cmp ax,word ptr [ebx+12h]
6e2077ff 7314 jae 2d!E3DLLFunc+0x5957 (6e207815)
6e207801 8b55f0 mov edx,dword ptr [ebp-10h]
6e207804 8a044a mov al,byte ptr [edx+ecx*2]
2d!E3DLLFunc+0x5949:
6e207807 8807 mov byte ptr [edi],al // current instruction
6e207809 037b08 add edi,dword ptr [ebx+8]
6e20780c 41 inc ecx
6e20780d 0fb74312 movzx eax,word ptr [ebx+12h]
6e207811 3bc8 cmp ecx,eax
6e207813 7cef jl 2d!E3DLLFunc+0x5946 (6e207804)
6e207815 0fb74314 movzx eax,word ptr [ebx+14h]
6e207819 46 inc esi
6e20781a 8b7df0 mov edi,dword ptr [ebp-10h]
6e20781d 3bf0 cmp esi,eax
6e20781f 7caf jl 2d!E3DLLFunc+0x5912 (6e2077d0)
6e207821 8b4df4 mov ecx,dword ptr [ebp-0Ch]
6e207824 0fb74316 movzx eax,word ptr [ebx+16h]
6e207828 41 inc ecx
6e207829 894df4 mov dword ptr [ebp-0Ch],ecx
6e20782c 3bc8 cmp ecx,eax
6e20782e 7c96 jl 2d!E3DLLFunc+0x5908 (6e2077c6)
6e207830 57 push edi
6e207831 e986000000 jmp 2d!E3DLLFunc+0x59fe (6e2078bc)
6e207836 50 push eax
6e207837 e80db70500 call 2d!zlibVersion+0x2139 (6e262f49)
6e20783c 59 pop ecx
6e20783d 8bc8 mov ecx,eax
6e20783f 33ff xor edi,edi
6e207841 33c0 xor eax,eax
6e207843 894df0 mov dword ptr [ebp-10h],ecx
6e207846 897de4 mov dword ptr [ebp-1Ch],edi
6e207849 663b4316 cmp ax,word ptr [ebx+16h]
6e20784d 736c jae 2d!E3DLLFunc+0x59fd (6e2078bb)
6e20784f 33c0 xor eax,eax
6e207851 33f6 xor esi,esi
6e207853 663b4314 cmp ax,word ptr [ebx+14h]
PoC
attached
Attachments:
golden_boy.u3d
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/