CVE-2018-15938
Information
Out-of-bounds write caused by a malformed PSD image being parsed in 2d.x3d. The faulting store at 6ad67219 (`mov byte ptr [ecx+1],al`) targets 0x48021000, which the dump shows as unmapped (`??`); the copy loop preceding it (6ad67202–6ad67228) advances ecx by the value at [esi] on every iteration and its only exit condition is edx reaching edi (0xFFDD here), with no check on ecx itself visible in that loop.
Crash Dump:
Stack
2d.x3d + 0x7219 (id: 5ba, no function symbol available)
2d.x3d + 0x73F4 (id: e8d, no function symbol available)
2d.x3d + 0x2A10 (no function symbol available)
rt3d.dll + 0x1076DD (no function symbol available)
rt3d.dll + 0xCACC7 (no function symbol available)
rt3d.dll!GetPicture + 0x2E
Registers
eax=00000000 ebx=4e32b040 ecx=48020fff edx=00001ffb esi=008ff448 edi=0000ffdd
eip=6ad67219 esp=008ff0c8 ebp=008ff434 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
fpcw=027F: rn 53 puozdi fpsw=4020: top=0 cc=1000 --p----- fptw=FFFF
fopcode=0000 fpip=0000:685a5d0c fpdp=0000:008fdb18
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 5.300000000000000000000e+0001
st4= 5.000000000000000000000e+0000 st5= 4.800000000000000000000e+0001
st6= 1.000000000000000000000e+0000 st7= 0.000000000000000000000e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=d400000000000000
mm4=a000000000000000 mm5=c000000000000000
mm6=8000000000000000 mm7=0000000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0.0213317 4.23622e-037 0.0252379 4.23622e-037
xmm7=0.0213317 4.23622e-037 0.0138976 7.51864e+029
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
2d!E3DLLFunc+0x535b:
6ad67219 884101 mov byte ptr [ecx+1],al ds:002b:48021000=??
Disassembly of stack frame 1 at 2d.x3d + 0x7219
6ad6715a 58 pop eax
6ad6715b 3bc8 cmp ecx,eax
6ad6715d 8995d8fcffff mov dword ptr [ebp-328h],edx
6ad67163 0f4fc8 cmovg ecx,eax
6ad67166 8bc3 mov eax,ebx
6ad67168 898de8fcffff mov dword ptr [ebp-318h],ecx
6ad6716e 8985ecfcffff mov dword ptr [ebp-314h],eax
6ad67174 85c9 test ecx,ecx
6ad67176 0f8ee8000000 jle 2d!E3DLLFunc+0x53a6 (6ad67264)
6ad6717c c785d0fcffff10000000 mov dword ptr [ebp-330h],10h
6ad67186 837e2200 cmp dword ptr [esi+22h],0
6ad6718a 899de4fcffff mov dword ptr [ebp-31Ch],ebx
6ad67190 0f86bc000000 jbe 2d!E3DLLFunc+0x5394 (6ad67252)
6ad67196 8b460c mov eax,dword ptr [esi+0Ch]
6ad67199 ffb5ccfcffff push dword ptr [ebp-334h]
6ad6719f 52 push edx
6ad671a0 8b08 mov ecx,dword ptr [eax]
6ad671a2 50 push eax
6ad671a3 ff513c call dword ptr [ecx+3Ch]
6ad671a6 8b4608 mov eax,dword ptr [esi+8]
6ad671a9 53 push ebx
6ad671aa 50 push eax
6ad671ab 8b08 mov ecx,dword ptr [eax]
6ad671ad ff515c call dword ptr [ecx+5Ch]
6ad671b0 6a02 push 2
6ad671b2 8bc8 mov ecx,eax
6ad671b4 58 pop eax
6ad671b5 3985e8fcffff cmp dword ptr [ebp-318h],eax
6ad671bb 7e37 jle 2d!E3DLLFunc+0x5336 (6ad671f4)
6ad671bd 33c0 xor eax,eax
6ad671bf 6a02 push 2
6ad671c1 8d5001 lea edx,[eax+1]
6ad671c4 8b85d0fcffff mov eax,dword ptr [ebp-330h]
6ad671ca 6639462a cmp word ptr [esi+2Ah],ax
6ad671ce 58 pop eax
6ad671cf 0f44d0 cmove edx,eax
6ad671d2 8b85ecfcffff mov eax,dword ptr [ebp-314h]
6ad671d8 83e800 sub eax,0
6ad671db 7414 je 2d!E3DLLFunc+0x5333 (6ad671f1)
6ad671dd 48 dec eax
6ad671de 740d je 2d!E3DLLFunc+0x532f (6ad671ed)
6ad671e0 48 dec eax
6ad671e1 7411 je 2d!E3DLLFunc+0x5336 (6ad671f4)
6ad671e3 48 dec eax
6ad671e4 750e jne 2d!E3DLLFunc+0x5336 (6ad671f4)
6ad671e6 6bc203 imul eax,edx,3
6ad671e9 03c8 add ecx,eax
6ad671eb eb07 jmp 2d!E3DLLFunc+0x5336 (6ad671f4)
6ad671ed 03ca add ecx,edx
6ad671ef eb03 jmp 2d!E3DLLFunc+0x5336 (6ad671f4)
6ad671f1 8d0c51 lea ecx,[ecx+edx*2]
6ad671f4 33c0 xor eax,eax
6ad671f6 8bd0 mov edx,eax
6ad671f8 85ff test edi,edi
6ad671fa 7e34 jle 2d!E3DLLFunc+0x5372 (6ad67230)
6ad671fc 8b9dd8fcffff mov ebx,dword ptr [ebp-328h]
6ad67202 0fb7462a movzx eax,word ptr [esi+2Ah]
6ad67206 83f808 cmp eax,8
6ad67209 7413 je 2d!E3DLLFunc+0x5360 (6ad6721e)
6ad6720b 83f810 cmp eax,10h
6ad6720e 7513 jne 2d!E3DLLFunc+0x5365 (6ad67223)
6ad67210 8a445301 mov al,byte ptr [ebx+edx*2+1]
6ad67214 8801 mov byte ptr [ecx],al
6ad67216 8a0453 mov al,byte ptr [ebx+edx*2]
2d!E3DLLFunc+0x535b:
6ad67219 884101 mov byte ptr [ecx+1],al // current instruction
6ad6721c eb05 jmp 2d!E3DLLFunc+0x5365 (6ad67223)
6ad6721e 8a041a mov al,byte ptr [edx+ebx]
6ad67221 8801 mov byte ptr [ecx],al
6ad67223 030e add ecx,dword ptr [esi]
6ad67225 42 inc edx
6ad67226 3bd7 cmp edx,edi
6ad67228 7cd8 jl 2d!E3DLLFunc+0x5344 (6ad67202)
6ad6722a 8b9de4fcffff mov ebx,dword ptr [ebp-31Ch]
6ad67230 8b95d8fcffff mov edx,dword ptr [ebp-328h]
6ad67236 43 inc ebx
6ad67237 899de4fcffff mov dword ptr [ebp-31Ch],ebx
6ad6723d 3b5e22 cmp ebx,dword ptr [esi+22h]
6ad67240 0f8250ffffff jb 2d!E3DLLFunc+0x52d8 (6ad67196)
6ad67246 8b85ecfcffff mov eax,dword ptr [ebp-314h]
6ad6724c 8b8de8fcffff mov ecx,dword ptr [ebp-318h]
6ad67252 40 inc eax
6ad67253 8985ecfcffff mov dword ptr [ebp-314h],eax
6ad67259 6a00 push 0
6ad6725b 5b pop ebx
6ad6725c 3bc1 cmp eax,ecx
6ad6725e 0f8c22ffffff jl 2d!E3DLLFunc+0x52c8 (6ad67186)
6ad67264 52 push edx
6ad67265 e8febc0500 call 2d!zlibVersion+0x2158 (6adc2f68)
6ad6726a 59 pop ecx
6ad6726b 33c0 xor eax,eax
6ad6726d 40 inc eax
6ad6726e e821bd0500 call 2d!zlibVersion+0x2184 (6adc2f94)
6ad67273 c3 ret
6ad67274 56 push esi
6ad67275 8bf1 mov esi,ecx
6ad67277 57 push edi
PoC
attached
Attachments:
golden_boy.u3d
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/