CVE-2018-15956
Information
Out-of-bounds read due to a malformed TIF being parsed in 2d.x3d
Crash Dump:
Stack
2d.x3d + 0xA89B (id: 7dc, no function symbol available)
2d.x3d + 0xA478 (id: 851, no function symbol available)
2d.x3d + 0x2AA3 (no function symbol available)
rt3d.dll + 0x1076DD (no function symbol available)
rt3d.dll + 0xCACC7 (no function symbol available)
rt3d.dll!GetPicture + 0x2E
Registers
eax=437a5000 ebx=00000002 ecx=0000021f edx=fffffffe esi=38ac4fd0 edi=4fb50de0
eip=6f50a89b esp=006ff88c ebp=006ff8ac iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010293
fpcw=027F: rn 53 puozdi fpsw=4020: top=0 cc=1000 --p----- fptw=FFFF
fopcode=0000 fpip=0000:6f52ec6c fpdp=0000:2bb20db0
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 5.300000000000000000000e+0001
st4= 5.000000000000000000000e+0000 st5= 4.800000000000000000000e+0001
st6= 1.000000000000000000000e+0000 st7= 0.000000000000000000000e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=d400000000000000
mm4=a000000000000000 mm5=c000000000000000
mm6=8000000000000000 mm7=0000000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0.0213317 4.23622e-037 0.0252379 4.23622e-037
xmm7=0.0213317 4.23622e-037 0.0138976 7.51864e+029
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
2d!E3DLLFunc+0x89dd:
6f50a89b 8a10 mov dl,byte ptr [eax] ds:002b:437a5000=??
Disassembly of stack frame 1 at 2d.x3d + 0xA89B. The faulting instruction (6f50a89b) loads one byte through eax, which the register dump gives as 437a5000 and the debugger could not read (`=??`); eax is the advancing source pointer kept in [ebp-8] and initialised from [esi+24h]. The loop at 6f50a86e–6f50a8b0 fetches a fresh source byte whenever the bit counter in edx goes negative and exits only when the output index in ecx reaches [esi+14h], so the source pointer appears to be bounded by the output count rather than by the input length.
6f50a7f2 897df4 mov dword ptr [ebp-0Ch],edi
6f50a7f5 0fb7582c movzx ebx,word ptr [eax+2Ch]
6f50a7f9 b001 mov al,1
6f50a7fb 8bcb mov ecx,ebx
6f50a7fd d2e0 shl al,cl
6f50a7ff fec8 dec al
6f50a801 8845fe mov byte ptr [ebp-2],al
6f50a804 397e18 cmp dword ptr [esi+18h],edi
6f50a807 0f8ec4000000 jle 2d!E3DLLFunc+0x8a13 (6f50a8d1)
6f50a80d 6a00 push 0
6f50a80f 57 push edi
6f50a810 ff7624 push dword ptr [esi+24h]
6f50a813 ff7608 push dword ptr [esi+8]
6f50a816 e81a6e0300 call 2d!png_set_filter_heuristics+0x2dfb4 (6f541635)
6f50a81b 83c410 add esp,10h
6f50a81e 85c0 test eax,eax
6f50a820 0f88b5000000 js 2d!E3DLLFunc+0x8a1d (6f50a8db)
6f50a826 8b461c mov eax,dword ptr [esi+1Ch]
6f50a829 57 push edi
6f50a82a 50 push eax
6f50a82b 8b08 mov ecx,dword ptr [eax]
6f50a82d ff515c call dword ptr [ecx+5Ch]
6f50a830 8945ec mov dword ptr [ebp-14h],eax
6f50a833 83fb04 cmp ebx,4
6f50a836 7420 je 2d!E3DLLFunc+0x899a (6f50a858)
6f50a838 83fb02 cmp ebx,2
6f50a83b 741b je 2d!E3DLLFunc+0x899a (6f50a858)
6f50a83d 83fb01 cmp ebx,1
6f50a840 7416 je 2d!E3DLLFunc+0x899a (6f50a858)
6f50a842 83fb08 cmp ebx,8
6f50a845 756e jne 2d!E3DLLFunc+0x89f7 (6f50a8b5)
6f50a847 ff7614 push dword ptr [esi+14h]
6f50a84a ff7624 push dword ptr [esi+24h]
6f50a84d 50 push eax
6f50a84e e81b870500 call 2d!zlibVersion+0x215e (6f562f6e)
6f50a853 83c40c add esp,0Ch
6f50a856 eb5d jmp 2d!E3DLLFunc+0x89f7 (6f50a8b5)
6f50a858 8365f000 and dword ptr [ebp-10h],0
6f50a85c 83caff or edx,0FFFFFFFFh
6f50a85f 837e1400 cmp dword ptr [esi+14h],0
6f50a863 8b4624 mov eax,dword ptr [esi+24h]
6f50a866 8945f8 mov dword ptr [ebp-8],eax
6f50a869 7e4a jle 2d!E3DLLFunc+0x89f7 (6f50a8b5)
6f50a86b 8b7dec mov edi,dword ptr [ebp-14h]
6f50a86e 85d2 test edx,edx
6f50a870 7910 jns 2d!E3DLLFunc+0x89c4 (6f50a882)
6f50a872 8a08 mov cl,byte ptr [eax]
6f50a874 40 inc eax
6f50a875 6a08 push 8
6f50a877 5a pop edx
6f50a878 884dff mov byte ptr [ebp-1],cl
6f50a87b 2bd3 sub edx,ebx
6f50a87d 8945f8 mov dword ptr [ebp-8],eax
6f50a880 eb03 jmp 2d!E3DLLFunc+0x89c7 (6f50a885)
6f50a882 8a4dff mov cl,byte ptr [ebp-1]
6f50a885 8ac1 mov al,cl
6f50a887 8aca mov cl,dl
6f50a889 d2e8 shr al,cl
6f50a88b 8b4df0 mov ecx,dword ptr [ebp-10h]
6f50a88e 2245fe and al,byte ptr [ebp-2]
6f50a891 2bd3 sub edx,ebx
6f50a893 880439 mov byte ptr [ecx+edi],al
6f50a896 8b45f8 mov eax,dword ptr [ebp-8]
6f50a899 790e jns 2d!E3DLLFunc+0x89eb (6f50a8a9)
2d!E3DLLFunc+0x89dd:
6f50a89b 8a10 mov dl,byte ptr [eax] // current instruction
6f50a89d 40 inc eax
6f50a89e 8855ff mov byte ptr [ebp-1],dl
6f50a8a1 6a08 push 8
6f50a8a3 5a pop edx
6f50a8a4 8945f8 mov dword ptr [ebp-8],eax
6f50a8a7 2bd3 sub edx,ebx
6f50a8a9 41 inc ecx
6f50a8aa 894df0 mov dword ptr [ebp-10h],ecx
6f50a8ad 3b4e14 cmp ecx,dword ptr [esi+14h]
6f50a8b0 7cbc jl 2d!E3DLLFunc+0x89b0 (6f50a86e)
6f50a8b2 8b7df4 mov edi,dword ptr [ebp-0Ch]
6f50a8b5 8b4604 mov eax,dword ptr [esi+4]
6f50a8b8 6a00 push 0
6f50a8ba ff7618 push dword ptr [esi+18h]
6f50a8bd 8b08 mov ecx,dword ptr [eax]
6f50a8bf 57 push edi
6f50a8c0 50 push eax
6f50a8c1 ff510c call dword ptr [ecx+0Ch]
6f50a8c4 47 inc edi
6f50a8c5 897df4 mov dword ptr [ebp-0Ch],edi
6f50a8c8 3b7e18 cmp edi,dword ptr [esi+18h]
6f50a8cb 0f8c3cffffff jl 2d!E3DLLFunc+0x894f (6f50a80d)
6f50a8d1 33c0 xor eax,eax
6f50a8d3 40 inc eax
6f50a8d4 5f pop edi
6f50a8d5 5e pop esi
6f50a8d6 5b pop ebx
6f50a8d7 8be5 mov esp,ebp
6f50a8d9 5d pop ebp
6f50a8da c3 ret
6f50a8db 85ff test edi,edi
PoC
attached
Attachments:
golden_boy.u3d
OOBR[0x88]+0 7dc.851 @ asdfqwerasdfqwer.exe!2d.x3d+0xA89B.html
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/