CVE-2018-15953
Information
Out-of-bounds write caused by a malformed PIC while it is being parsed in 2d.x3d
Crash Dump:
Stack
2d.x3d + 0x8349 (id: 67d, no function symbol available)
2d.x3d + 0x869F (id: 4c0, no function symbol available)
2d.x3d + 0x2974 (no function symbol available)
rt3d.dll + 0x1076DD (no function symbol available)
rt3d.dll + 0xCACC7 (no function symbol available)
rt3d.dll!GetPicture + 0x2E
Registers
eax=00000000 ebx=00000000 ecx=00000000 edx=00000003 esi=009cf2c0 edi=00000001
eip=70318349 esp=009cf220 ebp=009cf2a8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
fpcw=027F: rn 53 puozdi fpsw=4020: top=0 cc=1000 --p----- fptw=FFFF
fopcode=0000 fpip=0000:6f6d5d0c fpdp=0000:009cdabc
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 5.300000000000000000000e+0001
st4= 5.000000000000000000000e+0000 st5= 4.800000000000000000000e+0001
st6= 1.000000000000000000000e+0000 st7= 0.000000000000000000000e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=d400000000000000
mm4=a000000000000000 mm5=c000000000000000
mm6=8000000000000000 mm7=0000000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0.0213317 4.23622e-037 0.0252379 4.23622e-037
xmm7=0.0213317 4.23622e-037 0.0138976 7.51864e+029
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
2d!E3DLLFunc+0x648b:
70318349 8b08 mov ecx,dword ptr [eax] ds:002b:00000000=????????
Note: the faulting instruction is a read through eax, which holds 0 at the time of the crash (see Registers above); eax was loaded from [esi+294h] at 70318342 in the frame disassembly below, and the next instruction is an indirect call through the pointer read at [ecx+14h]. The captured crash is therefore a null-pointer read; the out-of-bounds write described above is not itself visible in this frame.
Disassembly of stack frame 1 at 2d.x3d + 0x8349
7031828f 59 pop ecx
70318290 663b45f2 cmp ax,word ptr [ebp-0Eh]
70318294 0f8395000000 jae 2d!E3DLLFunc+0x6471 (7031832f)
7031829a 53 push ebx
7031829b 8bce mov ecx,esi
7031829d e8d4040000 call 2d!E3DLLFunc+0x68b8 (70318776)
703182a2 83659000 and dword ptr [ebp-70h],0
703182a6 83be5c02000000 cmp dword ptr [esi+25Ch],0
703182ad 898668020000 mov dword ptr [esi+268h],eax
703182b3 7e6a jle 2d!E3DLLFunc+0x6461 (7031831f)
703182b5 8dbe6f020000 lea edi,[esi+26Fh]
703182bb 807fff02 cmp byte ptr [edi-1],2
703182bf 8a07 mov al,byte ptr [edi]
703182c1 7524 jne 2d!E3DLLFunc+0x6429 (703182e7)
703182c3 3c10 cmp al,10h
703182c5 7412 je 2d!E3DLLFunc+0x641b (703182d9)
703182c7 3ce0 cmp al,0E0h
703182c9 7568 jne 2d!E3DLLFunc+0x6475 (70318333)
703182cb 0fb745f0 movzx eax,word ptr [ebp-10h]
703182cf 8bce mov ecx,esi
703182d1 50 push eax
703182d2 e8a5010000 call 2d!E3DLLFunc+0x65be (7031847c)
703182d7 eb30 jmp 2d!E3DLLFunc+0x644b (70318309)
703182d9 0fb745f0 movzx eax,word ptr [ebp-10h]
703182dd 8bce mov ecx,esi
703182df 50 push eax
703182e0 e87f000000 call 2d!E3DLLFunc+0x64a6 (70318364)
703182e5 eb22 jmp 2d!E3DLLFunc+0x644b (70318309)
703182e7 3c10 cmp al,10h
703182e9 7412 je 2d!E3DLLFunc+0x643f (703182fd)
703182eb 3ce0 cmp al,0E0h
703182ed 7544 jne 2d!E3DLLFunc+0x6475 (70318333)
703182ef 0fb745f0 movzx eax,word ptr [ebp-10h]
703182f3 8bce mov ecx,esi
703182f5 50 push eax
703182f6 e810030000 call 2d!E3DLLFunc+0x674d (7031860b)
703182fb eb0c jmp 2d!E3DLLFunc+0x644b (70318309)
703182fd 0fb745f0 movzx eax,word ptr [ebp-10h]
70318301 8bce mov ecx,esi
70318303 50 push eax
70318304 e8af020000 call 2d!E3DLLFunc+0x66fa (703185b8)
70318309 85c0 test eax,eax
7031830b 7444 je 2d!E3DLLFunc+0x6493 (70318351)
7031830d 8b4590 mov eax,dword ptr [ebp-70h]
70318310 83c704 add edi,4
70318313 40 inc eax
70318314 894590 mov dword ptr [ebp-70h],eax
70318317 3b865c020000 cmp eax,dword ptr [esi+25Ch]
7031831d 7c9c jl 2d!E3DLLFunc+0x63fd (703182bb)
7031831f 0fb745f2 movzx eax,word ptr [ebp-0Eh]
70318323 43 inc ebx
70318324 3bd8 cmp ebx,eax
70318326 0f8c6effffff jl 2d!E3DLLFunc+0x63dc (7031829a)
7031832c 33ff xor edi,edi
7031832e 47 inc edi
7031832f 8bc7 mov eax,edi
70318331 eb20 jmp 2d!E3DLLFunc+0x6495 (70318353)
70318333 68f05c3770 push offset 2d!zlibVersion+0x4ee0 (70375cf0)
70318338 6a00 push 0
7031833a eb06 jmp 2d!E3DLLFunc+0x6484 (70318342)
7031833c 68705c3770 push offset 2d!zlibVersion+0x4e60 (70375c70)
70318341 53 push ebx
70318342 8b8694020000 mov eax,dword ptr [esi+294h]
70318348 50 push eax
2d!E3DLLFunc+0x648b:
70318349 8b08 mov ecx,dword ptr [eax] // current instruction
7031834b ff5114 call dword ptr [ecx+14h]
7031834e 83c40c add esp,0Ch
70318351 33c0 xor eax,eax
70318353 5f pop edi
70318354 5b pop ebx
70318355 8b4dfc mov ecx,dword ptr [ebp-4]
70318358 33cd xor ecx,ebp
7031835a 5e pop esi
7031835b e8f8ab0500 call 2d!zlibVersion+0x2148 (70372f58)
70318360 8be5 mov esp,ebp
70318362 5d pop ebp
70318363 c3 ret
70318364 55 push ebp
70318365 8bec mov ebp,esp
70318367 83ec10 sub esp,10h
7031836a 8365f800 and dword ptr [ebp-8],0
7031836e 53 push ebx
7031836f 56 push esi
70318370 33db xor ebx,ebx
70318372 57 push edi
70318373 8bf9 mov edi,ecx
70318375 395d08 cmp dword ptr [ebp+8],ebx
70318378 0f8eee000000 jle 2d!E3DLLFunc+0x65ae (7031846c)
7031837e 6a01 push 1
70318380 8d45fe lea eax,[ebp-2]
70318383 8bcf mov ecx,edi
70318385 50 push eax
70318386 e82d030000 call 2d!E3DLLFunc+0x67fa (703186b8)
7031838b 85c0 test eax,eax
7031838d 0f84e5000000 je 2d!E3DLLFunc+0x65ba (70318478)
70318393 8a45fe mov al,byte ptr [ebp-2]
PoC:
attached (see Attachments below)
Attachments:
golden_boy.u3d
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/