CVE-2018-15937
Information
Out-of-bounds read caused by a malformed PSD while it is being parsed in 2d.x3d
Crash Dump:
Stack
ntdll.dll!LdrpMapDllNtFileName + 0x12F (id: 159)
ntdll.dll!LdrpMapDllRetry + 0xA8 (id: 0fe)
ntdll.dll!LdrpProcessWork + 0x111
ntdll.dll!LdrpDrainWorkQueue + 0x14F
ntdll.dll!LdrpLoadDllInternal + 0xDC
ntdll.dll!LdrpLoadDll + 0x93
ntdll.dll!LdrLoadDll + 0x92
KERNELBASE.dll!LoadLibraryExW + 0x148
KERNELBASE.dll!LoadLibraryExA + 0x26
KERNELBASE.dll!LoadLibraryA + 0x32
Registers
eax=00000000 ebx=08864f84 ecx=77c11e4c edx=00000000 esi=00000000 edi=08864f78
eip=77d50511 esp=00eff618 ebp=00eff660 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
fpcw=027F: rn 53 puozdi fpsw=0000: top=0 cc=0000 -------- fptw=FFFF
fopcode=0000 fpip=0000:73d9bc44 fpdp=0000:73eece2c
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 0.000000000000000000000e+0000
st6= 0.000000000000000000000e+0000 st7=-1.000000000000000000000e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=0000000000000000
mm6=0000000000000000 mm7=8000000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=-2.01971e+023 -1.34634e+017 -1.70127e-024 -4.675e+014
xmm7=0 0 0 1.4013e-045
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
ntdll!LdrpMapDllNtFileName+0x12f:
77d50511 837f6000 cmp dword ptr [edi+60h],0 ds:002b:08864fd8=????????
Disassembly of stack frame 1 at ntdll.dll!LdrpMapDllNtFileName + 0x12F
77d50439 6a40 push 40h
77d5043b 8975d4 mov dword ptr [ebp-2Ch],esi
77d5043e 58 pop eax
77d5043f 7505 jne ntdll!LdrpMapDllNtFileName+0x64 (77d50446)
77d50441 b840080000 mov eax,840h
77d50446 8945dc mov dword ptr [ebp-24h],eax
77d50449 895dd8 mov dword ptr [ebp-28h],ebx
77d5044c 8975e0 mov dword ptr [ebp-20h],esi
77d5044f 8975e4 mov dword ptr [ebp-1Ch],esi
77d50452 e8f978ffff call ntdll!RtlGetCurrentServiceSessionId (77d47d50)
77d50457 85c0 test eax,eax
77d50459 0f8525480400 jne ntdll!LdrpMapDllNtFileName+0x448a2 (77d94c84)
77d5045f b88403fe7f mov eax,offset SharedUserData+0x384 (7ffe0384)
77d50464 803800 cmp byte ptr [eax],0
77d50467 0f852a480400 jne ntdll!LdrpMapDllNtFileName+0x448b5 (77d94c97)
77d5046d 8bde mov ebx,esi
77d5046f 6a60 push 60h
77d50471 6a05 push 5
77d50473 8d45c4 lea eax,[ebp-3Ch]
77d50476 50 push eax
77d50477 8d45d0 lea eax,[ebp-30h]
77d5047a 50 push eax
77d5047b 6821001000 push offset acrobat_rt3d_test01+0x21 (00100021)
77d50480 8d45f8 lea eax,[ebp-8]
77d50483 50 push eax
77d50484 e8a7930100 call ntdll!NtOpenFile (77d69830)
77d50489 8bf0 mov esi,eax
77d5048b 85f6 test esi,esi
77d5048d 0f8856480400 js ntdll!LdrpMapDllNtFileName+0x44907 (77d94ce9)
77d50493 8bc6 mov eax,esi
77d50495 f7d0 not eax
77d50497 85c0 test eax,eax
77d50499 0f8996000000 jns ntdll!LdrpMapDllNtFileName+0x153 (77d50535)
77d5049f 803d047ce17700 cmp byte ptr [ntdll!LdrpAuditIntegrityContinuity (77e17c04)],0
77d504a6 0f8580480400 jne ntdll!LdrpMapDllNtFileName+0x4494a (77d94d2c)
77d504ac ff75f8 push dword ptr [ebp-8]
77d504af 8d5f0c lea ebx,[edi+0Ch]
77d504b2 6800000001 push 1000000h
77d504b7 6a10 push 10h
77d504b9 6a00 push 0
77d504bb 6a00 push 0
77d504bd 6a0f push 0Fh
77d504bf 53 push ebx
77d504c0 e8db940100 call ntdll!NtCreateSection (77d699a0)
77d504c5 8bf0 mov esi,eax
77d504c7 85f6 test esi,esi
77d504c9 0f8884480400 js ntdll!LdrpMapDllNtFileName+0x44971 (77d94d53)
77d504cf e87c78ffff call ntdll!RtlGetCurrentServiceSessionId (77d47d50)
77d504d4 85c0 test eax,eax
77d504d6 0f85fc480400 jne ntdll!LdrpMapDllNtFileName+0x449f6 (77d94dd8)
77d504dc b88403fe7f mov eax,offset SharedUserData+0x384 (7ffe0384)
77d504e1 803800 cmp byte ptr [eax],0
77d504e4 0f8501490400 jne ntdll!LdrpMapDllNtFileName+0x44a09 (77d94deb)
77d504ea f7471000010000 test dword ptr [edi+10h],100h
77d504f1 750f jne ntdll!LdrpMapDllNtFileName+0x120 (77d50502)
77d504f3 833d0887e17700 cmp dword ptr [ntdll!LdrpAdvapi32DllHandle (77e18708)],0
77d504fa 0f853f490400 jne ntdll!LdrpMapDllNtFileName+0x44a5d (77d94e3f)
77d50500 33f6 xor esi,esi
77d50502 8bc6 mov eax,esi
77d50504 f7d0 not eax
77d50506 85c0 test eax,eax
77d50508 7913 jns ntdll!LdrpMapDllNtFileName+0x13b (77d5051d)
77d5050a 8bcf mov ecx,edi
77d5050c e8547afeff call ntdll!LdrpMapDllWithSectionHandle (77d37f65)
ntdll!LdrpMapDllNtFileName+0x12f:
77d50511 837f6000 cmp dword ptr [edi+60h],0 // current instruction
77d50515 8bf0 mov esi,eax
77d50517 0f855d490400 jne ntdll!LdrpMapDllNtFileName+0x44a98 (77d94e7a)
77d5051d ff33 push dword ptr [ebx]
77d5051f e8ac900100 call ntdll!NtClose (77d695d0)
77d50524 832300 and dword ptr [ebx],0
77d50527 837df8ff cmp dword ptr [ebp-8],0FFFFFFFFh
77d5052b 7408 je ntdll!LdrpMapDllNtFileName+0x153 (77d50535)
77d5052d ff75f8 push dword ptr [ebp-8]
77d50530 e89b900100 call ntdll!NtClose (77d695d0)
77d50535 8bc6 mov eax,esi
77d50537 8b4dfc mov ecx,dword ptr [ebp-4]
77d5053a 5f pop edi
77d5053b 5e pop esi
77d5053c 33cd xor ecx,ebp
77d5053e 5b pop ebx
77d5053f e8fcb00100 call ntdll!__security_check_cookie (77d6b640)
77d50544 8be5 mov esp,ebp
77d50546 5d pop ebp
77d50547 c3 ret
ntdll!LdrpCheckForRetryLoading:
77d50548 8bff mov edi,edi
77d5054a 55 push ebp
77d5054b 8bec mov ebp,esp
77d5054d 83ec14 sub esp,14h
77d50550 8bc1 mov eax,ecx
77d50552 8855ff mov byte ptr [ebp-1],dl
77d50555 53 push ebx
77d50556 33db xor ebx,ebx
77d50558 8945ec mov dword ptr [ebp-14h],eax
77d5055b 56 push esi
77d5055c 57 push edi
PoC
attached
Attachments:
golden_boy.u3d
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/