CVE-2018-15955
Information
Out-of-bounds write due to a malformed TIF being parsed in 2d.x3d
Crash Dump:
Stack
2d.x3d + 0xAA61 (id: 7a1, no function symbol available)
2d.x3d + 0xA49D (id: 130, no function symbol available)
2d.x3d + 0x2AA3 (no function symbol available)
rt3d.dll + 0x1076DD (no function symbol available)
rt3d.dll + 0xCACC7 (no function symbol available)
rt3d.dll!GetPicture + 0x2E
Registers
eax=4ca84e68 ebx=fffffffc ecx=0000003c edx=00000010 esi=4448afd0 edi=00000001
eip=6f50aa61 esp=0117f118 ebp=0117f144 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
fpcw=027F: rn 53 puozdi fpsw=4020: top=0 cc=1000 --p----- fptw=FFFF
fopcode=0000 fpip=0000:6f52ec6c fpdp=0000:2c5b0db0
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 5.300000000000000000000e+0001
st4= 5.000000000000000000000e+0000 st5= 4.800000000000000000000e+0001
st6= 1.000000000000000000000e+0000 st7= 9.999847412109375000000e-0001
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=d400000000000000
mm4=a000000000000000 mm5=c000000000000000
mm6=8000000000000000 mm7=ffff000000000000
xmm0=0 0 0 0
xmm1=0 0 0 17
xmm2=0 0 7.49957 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0.0213317 4.23622e-037 0.0252379 4.23622e-037
xmm7=0.0213317 4.23622e-037 0.0138976 7.51864e+029
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
2d!E3DLLFunc+0x8ba3:
6f50aa61 c6410300 mov byte ptr [ecx+3],0 ds:002b:0000003f=??
Disassembly of stack frame 1 at 2d.x3d + 0xAA61 (the faulting store at 6f50aa61 writes to ecx+3 with ecx=0x3c; with ebx=-4, edx=0x10 and edi=1 at the crash, this appears consistent with the edi==0 path at 6f50aa43–6f50aa4d having been taken with a zero base pointer loaded from [eax+74h], so the write lands at a small absolute address rather than past the end of a mapped buffer — to be confirmed)
6f50a999 33c9 xor ecx,ecx
6f50a99b c745f0ffff0000 mov dword ptr [ebp-10h],0FFFFh
6f50a9a2 8bdf mov ebx,edi
6f50a9a4 8b461c mov eax,dword ptr [esi+1Ch]
6f50a9a7 8b7874 mov edi,dword ptr [eax+74h]
6f50a9aa 8b45f8 mov eax,dword ptr [ebp-8]
6f50a9ad 0fb70448 movzx eax,word ptr [eax+ecx*2]
6f50a9b1 6685d2 test dx,dx
6f50a9b4 740d je 2d!E3DLLFunc+0x8b05 (6f50a9c3)
6f50a9b6 69c0ff000000 imul eax,eax,0FFh
6f50a9bc 99 cdq
6f50a9bd f77df0 idiv eax,dword ptr [ebp-10h]
6f50a9c0 8b55ec mov edx,dword ptr [ebp-14h]
6f50a9c3 88448f02 mov byte ptr [edi+ecx*4+2],al
6f50a9c7 8b45f4 mov eax,dword ptr [ebp-0Ch]
6f50a9ca 0fb70448 movzx eax,word ptr [eax+ecx*2]
6f50a9ce 6685d2 test dx,dx
6f50a9d1 740d je 2d!E3DLLFunc+0x8b22 (6f50a9e0)
6f50a9d3 69c0ff000000 imul eax,eax,0FFh
6f50a9d9 99 cdq
6f50a9da f77df0 idiv eax,dword ptr [ebp-10h]
6f50a9dd 8b55ec mov edx,dword ptr [ebp-14h]
6f50a9e0 88448f01 mov byte ptr [edi+ecx*4+1],al
6f50a9e4 8b45e8 mov eax,dword ptr [ebp-18h]
6f50a9e7 0fb70448 movzx eax,word ptr [eax+ecx*2]
6f50a9eb 6685d2 test dx,dx
6f50a9ee 740d je 2d!E3DLLFunc+0x8b3f (6f50a9fd)
6f50a9f0 69c0ff000000 imul eax,eax,0FFh
6f50a9f6 99 cdq
6f50a9f7 f77df0 idiv eax,dword ptr [ebp-10h]
6f50a9fa 8b55ec mov edx,dword ptr [ebp-14h]
6f50a9fd 88048f mov byte ptr [edi+ecx*4],al
6f50aa00 8b45e4 mov eax,dword ptr [ebp-1Ch]
6f50aa03 40 inc eax
6f50aa04 c6448f03ff mov byte ptr [edi+ecx*4+3],0FFh
6f50aa09 0fb7c8 movzx ecx,ax
6f50aa0c 8945e4 mov dword ptr [ebp-1Ch],eax
6f50aa0f 3bcb cmp ecx,ebx
6f50aa11 7c91 jl 2d!E3DLLFunc+0x8ae6 (6f50a9a4)
6f50aa13 eb66 jmp 2d!E3DLLFunc+0x8bbd (6f50aa7b)
6f50aa15 f30f100d585e566f movss xmm1,dword ptr [2d!zlibVersion+0x5048 (6f565e58)]
6f50aa1d 33d2 xor edx,edx
6f50aa1f 42 inc edx
6f50aa20 c745e404000000 mov dword ptr [ebp-1Ch],4
6f50aa27 8bcb mov ecx,ebx
6f50aa29 d3e2 shl edx,cl
6f50aa2b 8d42ff lea eax,[edx-1]
6f50aa2e 660f6ec0 movd xmm0,eax
6f50aa32 8b461c mov eax,dword ptr [esi+1Ch]
6f50aa35 0f5bc0 cvtdq2ps xmm0,xmm0
6f50aa38 8b4874 mov ecx,dword ptr [eax+74h]
6f50aa3b f30f5ec8 divss xmm1,xmm0
6f50aa3f 85ff test edi,edi
6f50aa41 750d jne 2d!E3DLLFunc+0x8b92 (6f50aa50)
6f50aa43 8d0c91 lea ecx,[ecx+edx*4]
6f50aa46 c745e4fcffffff mov dword ptr [ebp-1Ch],0FFFFFFFCh
6f50aa4d 83c1fc add ecx,0FFFFFFFCh
6f50aa50 33ff xor edi,edi
6f50aa52 85d2 test edx,edx
6f50aa54 7e28 jle 2d!E3DLLFunc+0x8bc0 (6f50aa7e)
6f50aa56 8b5de4 mov ebx,dword ptr [ebp-1Ch]
6f50aa59 660f6ec7 movd xmm0,edi
6f50aa5d 47 inc edi
6f50aa5e 0f5bc0 cvtdq2ps xmm0,xmm0
2d!E3DLLFunc+0x8ba3:
6f50aa61 c6410300 mov byte ptr [ecx+3],0 // current instruction
6f50aa65 f30f59c1 mulss xmm0,xmm1
6f50aa69 f30f2cc0 cvttss2si eax,xmm0
6f50aa6d 8801 mov byte ptr [ecx],al
6f50aa6f 884101 mov byte ptr [ecx+1],al
6f50aa72 884102 mov byte ptr [ecx+2],al
6f50aa75 03cb add ecx,ebx
6f50aa77 3bfa cmp edi,edx
6f50aa79 7cde jl 2d!E3DLLFunc+0x8b9b (6f50aa59)
6f50aa7b 8b5dfc mov ebx,dword ptr [ebp-4]
6f50aa7e 33ff xor edi,edi
6f50aa80 897de4 mov dword ptr [ebp-1Ch],edi
6f50aa83 397e18 cmp dword ptr [esi+18h],edi
6f50aa86 0f8efb000000 jle 2d!E3DLLFunc+0x8cc9 (6f50ab87)
6f50aa8c 8b461c mov eax,dword ptr [esi+1Ch]
6f50aa8f 57 push edi
6f50aa90 50 push eax
6f50aa91 8b08 mov ecx,dword ptr [eax]
6f50aa93 ff515c call dword ptr [ecx+5Ch]
6f50aa96 6a00 push 0
6f50aa98 57 push edi
6f50aa99 ff7624 push dword ptr [esi+24h]
6f50aa9c 8945f8 mov dword ptr [ebp-8],eax
6f50aa9f ff7608 push dword ptr [esi+8]
6f50aaa2 e88e6b0300 call 2d!png_set_filter_heuristics+0x2dfb4 (6f541635)
6f50aaa7 83c410 add esp,10h
6f50aaaa 85c0 test eax,eax
6f50aaac 0f88da000000 js 2d!E3DLLFunc+0x8cce (6f50ab8c)
6f50aab2 83fb01 cmp ebx,1
6f50aab5 7546 jne 2d!E3DLLFunc+0x8c3f (6f50aafd)
6f50aab7 8365e000 and dword ptr [ebp-20h],0
6f50aabb 837e1400 cmp dword ptr [esi+14h],0
PoC
attached
Attachments:
golden_boy.u3d
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/