CVE-2018-15934
Information
Out-of-bounds write in 2d.x3d (the 3D image module of Adobe Acrobat/Reader, reached here through rt3d.dll!GetPicture) while parsing a malformed GIF carried in a U3D file. The faulting instruction is the byte store `mov byte ptr [ecx],al` inside a pixel-copy loop whose destination pointer is advanced by a stride taken from [ebx+8] for a count taken from the 16-bit field at [ebx+12h]; these fields are presumably populated from the parsed image data (to be confirmed), and the visible code never checks the loop bounds against the size of the destination allocation, so the write pointer walks off the buffer onto an unmapped page (ecx=4d6ca000). Addressed by Adobe in APSB18-30.
Crash Dump:
Stack
2d.x3d + 0x7892 (id: 36b, no function symbol available)
2d.x3d + 0x79C5 (id: b6a, no function symbol available)
2d.x3d + 0x2A32 (no function symbol available)
rt3d.dll + 0x1076DD (no function symbol available)
rt3d.dll + 0xCACC7 (no function symbol available)
rt3d.dll!GetPicture + 0x2E
Registers
eax=00000100 ebx=00cff128 ecx=4d6ca000 edx=000001d9 esi=0000007e edi=35154e20
eip=6e207892 esp=00cff0f0 ebp=00cff118 iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297
fpcw=027F: rn 53 puozdi fpsw=4020: top=0 cc=1000 --p----- fptw=FFFF
fopcode=0000 fpip=0000:6e4e5d0c fpdp=0000:00000000
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 5.300000000000000000000e+0001
st4= 5.000000000000000000000e+0000 st5= 4.800000000000000000000e+0001
st6= 1.000000000000000000000e+0000 st7= 0.000000000000000000000e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=d400000000000000
mm4=a000000000000000 mm5=c000000000000000
mm6=8000000000000000 mm7=0000000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0.0213317 4.23622e-037 0.0252379 4.23622e-037
xmm7=0.0213317 4.23622e-037 0.0138976 7.51864e+029
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
2d!E3DLLFunc+0x59d4:
6e207892 8801 mov byte ptr [ecx],al ds:002b:4d6ca000=??
Disassembly of stack frame 1 at 2d.x3d + 0x7892 (2d!E3DLLFunc+0x59d4). The crashing store at 6e207892 is the inner loop 6e20788f–6e20789e: each iteration loads one source byte from [edi+edx] (edi = [ebp-10h]), stores it to [ecx], adds the stride [ebx+8] to ecx and increments edx until edx reaches the 16-bit count at [ebx+12h]. The enclosing loops at 6e2078a3 and 6e2078ac iterate over [ebx+14h] and [ebx+16h]. The destination base in ecx is built from the return values of the two calls at 6e20786d (E3DLLFunc+0x5669) and 6e207878 (E3DLLFunc+0x55b5) and is never compared against the loop bounds anywhere in this frame, so a large stride or count drives the pointer past the destination buffer: at the crash ecx=4d6ca000 is a page boundary with no mapping and edx=0x1d9. The earlier loop at 6e207804–6e207813 has the same shape with edi as the destination.
6e2077ee 8bf8 mov edi,eax
6e2077f0 e87efcffff call 2d!E3DLLFunc+0x55b5 (6e207473)
6e2077f5 03f8 add edi,eax
6e2077f7 33c9 xor ecx,ecx
6e2077f9 33c0 xor eax,eax
6e2077fb 663b4312 cmp ax,word ptr [ebx+12h]
6e2077ff 7314 jae 2d!E3DLLFunc+0x5957 (6e207815)
6e207801 8b55f0 mov edx,dword ptr [ebp-10h]
6e207804 8a044a mov al,byte ptr [edx+ecx*2]
6e207807 8807 mov byte ptr [edi],al
6e207809 037b08 add edi,dword ptr [ebx+8]
6e20780c 41 inc ecx
6e20780d 0fb74312 movzx eax,word ptr [ebx+12h]
6e207811 3bc8 cmp ecx,eax
6e207813 7cef jl 2d!E3DLLFunc+0x5946 (6e207804)
6e207815 0fb74314 movzx eax,word ptr [ebx+14h]
6e207819 46 inc esi
6e20781a 8b7df0 mov edi,dword ptr [ebp-10h]
6e20781d 3bf0 cmp esi,eax
6e20781f 7caf jl 2d!E3DLLFunc+0x5912 (6e2077d0)
6e207821 8b4df4 mov ecx,dword ptr [ebp-0Ch]
6e207824 0fb74316 movzx eax,word ptr [ebx+16h]
6e207828 41 inc ecx
6e207829 894df4 mov dword ptr [ebp-0Ch],ecx
6e20782c 3bc8 cmp ecx,eax
6e20782e 7c96 jl 2d!E3DLLFunc+0x5908 (6e2077c6)
6e207830 57 push edi
6e207831 e986000000 jmp 2d!E3DLLFunc+0x59fe (6e2078bc)
6e207836 50 push eax
6e207837 e80db70500 call 2d!zlibVersion+0x2139 (6e262f49)
6e20783c 59 pop ecx
6e20783d 8bc8 mov ecx,eax
6e20783f 33ff xor edi,edi
6e207841 33c0 xor eax,eax
6e207843 894df0 mov dword ptr [ebp-10h],ecx
6e207846 897de4 mov dword ptr [ebp-1Ch],edi
6e207849 663b4316 cmp ax,word ptr [ebx+16h]
6e20784d 736c jae 2d!E3DLLFunc+0x59fd (6e2078bb)
6e20784f 33c0 xor eax,eax
6e207851 33f6 xor esi,esi
6e207853 663b4314 cmp ax,word ptr [ebx+14h]
6e207857 7353 jae 2d!E3DLLFunc+0x59ee (6e2078ac)
6e207859 8b4b04 mov ecx,dword ptr [ebx+4]
6e20785c 0fb74312 movzx eax,word ptr [ebx+12h]
6e207860 50 push eax
6e207861 ff75f0 push dword ptr [ebp-10h]
6e207864 8b11 mov edx,dword ptr [ecx]
6e207866 51 push ecx
6e207867 ff523c call dword ptr [edx+3Ch]
6e20786a 56 push esi
6e20786b 8bcb mov ecx,ebx
6e20786d e8b5fcffff call 2d!E3DLLFunc+0x5669 (6e207527)
6e207872 57 push edi
6e207873 8bcb mov ecx,ebx
6e207875 8945e8 mov dword ptr [ebp-18h],eax
6e207878 e8f6fbffff call 2d!E3DLLFunc+0x55b5 (6e207473)
6e20787d 8b4de8 mov ecx,dword ptr [ebp-18h]
6e207880 33d2 xor edx,edx
6e207882 03c8 add ecx,eax
6e207884 33c0 xor eax,eax
6e207886 663b4312 cmp ax,word ptr [ebx+12h]
6e20788a 7317 jae 2d!E3DLLFunc+0x59e5 (6e2078a3)
6e20788c 8b7df0 mov edi,dword ptr [ebp-10h]
6e20788f 8a043a mov al,byte ptr [edx+edi]
2d!E3DLLFunc+0x59d4:
6e207892 8801 mov byte ptr [ecx],al // current instruction
6e207894 034b08 add ecx,dword ptr [ebx+8]
6e207897 42 inc edx
6e207898 0fb74312 movzx eax,word ptr [ebx+12h]
6e20789c 3bd0 cmp edx,eax
6e20789e 7cef jl 2d!E3DLLFunc+0x59d1 (6e20788f)
6e2078a0 8b7de4 mov edi,dword ptr [ebp-1Ch]
6e2078a3 0fb74314 movzx eax,word ptr [ebx+14h]
6e2078a7 46 inc esi
6e2078a8 3bf0 cmp esi,eax
6e2078aa 7cad jl 2d!E3DLLFunc+0x599b (6e207859)
6e2078ac 0fb74316 movzx eax,word ptr [ebx+16h]
6e2078b0 47 inc edi
6e2078b1 897de4 mov dword ptr [ebp-1Ch],edi
6e2078b4 3bf8 cmp edi,eax
6e2078b6 7c97 jl 2d!E3DLLFunc+0x5991 (6e20784f)
6e2078b8 8b4df0 mov ecx,dword ptr [ebp-10h]
6e2078bb 51 push ecx
6e2078bc e8a7b60500 call 2d!zlibVersion+0x2158 (6e262f68)
6e2078c1 59 pop ecx
6e2078c2 6a02 push 2
6e2078c4 58 pop eax
6e2078c5 66394316 cmp word ptr [ebx+16h],ax
6e2078c9 7507 jne 2d!E3DLLFunc+0x5a14 (6e2078d2)
6e2078cb 8bcb mov ecx,ebx
6e2078cd e868fcffff call 2d!E3DLLFunc+0x567c (6e20753a)
6e2078d2 33c0 xor eax,eax
6e2078d4 40 inc eax
6e2078d5 5f pop edi
6e2078d6 5e pop esi
6e2078d7 5b pop ebx
6e2078d8 8be5 mov esp,ebp
PoC
attached as golden_boy.u3d (see Attachments below); opening it in an affected Acrobat/Reader build reproduces the crash above.
Attachments:
golden_boy.u3d
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/