CVE-2018-8464
Information
Out-of-bounds read in the Windows.Data.Pdf.dll module, reached through the JPX decoder path (JPXDecoder::Decode → CCodeStreamDecoder::Decode → CTile::Decode → CTile::_DecodePacket, see the stack below). Note that the faulting instruction at eip, `mov dword ptr [ecx+edx*4],eax`, is a store to the inaccessible address 0x00023500 (shown as `????????` in the dump), and the attachment name carries the AVW prefix, so the access that actually faults is a write; the edx index is advanced in the inner loop (`inc edx`) without a visible bound on the destination buffer.
Crash Dump:
Stack
Windows.Data.Pdf.dll!CTile::_DecodePacket + 0x20C (id: 032)
Windows.Data.Pdf.dll!CTile::Decode + 0x77F (id: 6f5)
Windows.Data.Pdf.dll!CCodeStreamDecoder::Decode + 0x1AB
Windows.Data.Pdf.dll!JPXDecoder::Decode + 0x110
Windows.Data.Pdf.dll!PDF::CJPXDecoderByteStream::_Decode + 0xDF
Windows.Data.Pdf.dll!PDF::CJPXDecoderByteStream::DecodeData + 0x11
Registers
eax=00000000 ebx=07c62ee0 ecx=00000000 edx=00008d40 esi=0b456f90 edi=00000000
eip=6f065f2a esp=005ef210 ebp=005ef26c iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010283
fpcw=027F: rn 53 puozdi fpsw=0120: top=0 cc=0001 --p----- fptw=FFFF
fopcode=0000 fpip=0000:74f7aa37 fpdp=0000:005ef260
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 0.000000000000000000000e+0000
st6= 1.000000000000000000000e+0000 st7= 0.000000000000000000000e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=0000000000000000
mm6=8000000000000000 mm7=0000000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=2.09937e-013 -1.23136e+020 6.64739e-009 -6.21747e-012
xmm7=0 0 0 1.4013e-045
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
Windows_Data_Pdf!CTile::_DecodePacket+0x20c:
6f065f2a 890491 mov dword ptr [ecx+edx*4],eax ds:002b:00023500=????????
Disassembly of stack frame 1 at Windows.Data.Pdf.dll!CTile::_DecodePacket + 0x20C
6f065e62 ff7514 push dword ptr [ebp+14h]
6f065e65 8bcb mov ecx,ebx
6f065e67 50 push eax
6f065e68 ff7510 push dword ptr [ebp+10h]
6f065e6b 57 push edi
6f065e6c e846030000 call Windows_Data_Pdf!CTile::_GetTagTreeData (6f0661b7)
6f065e71 8bf8 mov edi,eax
6f065e73 897dc8 mov dword ptr [ebp-38h],edi
6f065e76 807f2000 cmp byte ptr [edi+20h],0
6f065e7a 0f8419010000 je Windows_Data_Pdf!CTile::_DecodePacket+0x27b (6f065f99)
6f065e80 33c0 xor eax,eax
6f065e82 33c9 xor ecx,ecx
6f065e84 894de8 mov dword ptr [ebp-18h],ecx
6f065e87 8945d8 mov dword ptr [ebp-28h],eax
6f065e8a 39471c cmp dword ptr [edi+1Ch],eax
6f065e8d 0f8606010000 jbe Windows_Data_Pdf!CTile::_DecodePacket+0x27b (6f065f99)
6f065e93 33f6 xor esi,esi
6f065e95 8975ec mov dword ptr [ebp-14h],esi
6f065e98 397718 cmp dword ptr [edi+18h],esi
6f065e9b 0f86e8000000 jbe Windows_Data_Pdf!CTile::_DecodePacket+0x26b (6f065f89)
6f065ea1 8b4724 mov eax,dword ptr [edi+24h]
6f065ea4 8bd1 mov edx,ecx
6f065ea6 c1e202 shl edx,2
6f065ea9 03c2 add eax,edx
6f065eab 8955c4 mov dword ptr [ebp-3Ch],edx
6f065eae 8945dc mov dword ptr [ebp-24h],eax
6f065eb1 833800 cmp dword ptr [eax],0
6f065eb4 0f84bb000000 je Windows_Data_Pdf!CTile::_DecodePacket+0x257 (6f065f75)
6f065eba 8b08 mov ecx,dword ptr [eax]
6f065ebc e8614a0000 call Windows_Data_Pdf!CCodeBlock::Decode (6f06a922)
6f065ec1 8b45dc mov eax,dword ptr [ebp-24h]
6f065ec4 8b9300010000 mov edx,dword ptr [ebx+100h]
6f065eca 8b08 mov ecx,dword ptr [eax]
6f065ecc 894de0 mov dword ptr [ebp-20h],ecx
6f065ecf 8b4110 mov eax,dword ptr [ecx+10h]
6f065ed2 0faf5104 imul edx,dword ptr [ecx+4]
6f065ed6 8945dc mov dword ptr [ebp-24h],eax
6f065ed9 6b45100c imul eax,dword ptr [ebp+10h],0Ch
6f065edd 0311 add edx,dword ptr [ecx]
6f065edf 33c9 xor ecx,ecx
6f065ee1 214dd0 and dword ptr [ebp-30h],ecx
6f065ee4 038308010000 add eax,dword ptr [ebx+108h]
6f065eea 8945cc mov dword ptr [ebp-34h],eax
6f065eed 8b45e0 mov eax,dword ptr [ebp-20h]
6f065ef0 894df0 mov dword ptr [ebp-10h],ecx
6f065ef3 8b7028 mov esi,dword ptr [eax+28h]
6f065ef6 8b402c mov eax,dword ptr [eax+2Ch]
6f065ef9 2bc6 sub eax,esi
6f065efb 8b75ec mov esi,dword ptr [ebp-14h]
6f065efe c1f802 sar eax,2
6f065f01 85c0 test eax,eax
6f065f03 7444 je Windows_Data_Pdf!CTile::_DecodePacket+0x22b (6f065f49)
6f065f05 8b7dd0 mov edi,dword ptr [ebp-30h]
6f065f08 8b75e0 mov esi,dword ptr [ebp-20h]
6f065f0b 3b4ddc cmp ecx,dword ptr [ebp-24h]
6f065f0e 750f jne Windows_Data_Pdf!CTile::_DecodePacket+0x201 (6f065f1f)
6f065f10 8b8300010000 mov eax,dword ptr [ebx+100h]
6f065f16 2b45dc sub eax,dword ptr [ebp-24h]
6f065f19 03d0 add edx,eax
6f065f1b 8365f000 and dword ptr [ebp-10h],0
6f065f1f 8b45cc mov eax,dword ptr [ebp-34h]
6f065f22 8b08 mov ecx,dword ptr [eax]
6f065f24 8b4628 mov eax,dword ptr [esi+28h]
6f065f27 8b04b8 mov eax,dword ptr [eax+edi*4]
Windows_Data_Pdf!CTile::_DecodePacket+0x20c:
6f065f2a 890491 mov dword ptr [ecx+edx*4],eax // current instruction
6f065f2d 42 inc edx
6f065f2e 8b462c mov eax,dword ptr [esi+2Ch]
6f065f31 47 inc edi
6f065f32 2b4628 sub eax,dword ptr [esi+28h]
6f065f35 8b4df0 mov ecx,dword ptr [ebp-10h]
6f065f38 41 inc ecx
6f065f39 c1f802 sar eax,2
6f065f3c 894df0 mov dword ptr [ebp-10h],ecx
6f065f3f 3bf8 cmp edi,eax
6f065f41 72c8 jb Windows_Data_Pdf!CTile::_DecodePacket+0x1ed (6f065f0b)
6f065f43 8b7dc8 mov edi,dword ptr [ebp-38h]
6f065f46 8b75ec mov esi,dword ptr [ebp-14h]
6f065f49 8b4724 mov eax,dword ptr [edi+24h]
6f065f4c 0345c4 add eax,dword ptr [ebp-3Ch]
6f065f4f 8945cc mov dword ptr [ebp-34h],eax
6f065f52 8b00 mov eax,dword ptr [eax]
6f065f54 8945c4 mov dword ptr [ebp-3Ch],eax
6f065f57 85c0 test eax,eax
6f065f59 7417 je Windows_Data_Pdf!CTile::_DecodePacket+0x254 (6f065f72)
6f065f5b 8bc8 mov ecx,eax
6f065f5d e8b772ffff call Windows_Data_Pdf!CCodeBlock::~CCodeBlock (6f05d219)
6f065f62 ff75c4 push dword ptr [ebp-3Ch]
6f065f65 ff15e477206f call dword ptr [Windows_Data_Pdf!_imp_??3YAXPAXZ (6f2077e4)]
6f065f6b 8b45cc mov eax,dword ptr [ebp-34h]
6f065f6e 59 pop ecx
6f065f6f 832000 and dword ptr [eax],0
6f065f72 8b4de8 mov ecx,dword ptr [ebp-18h]
6f065f75 46 inc esi
6f065f76 41 inc ecx
6f065f77 8975ec mov dword ptr [ebp-14h],esi
6f065f7a 894de8 mov dword ptr [ebp-18h],ecx
PoC
attached
Attachments:
AVW@0x00023500@CTile_DecodePacket1.pdf
References:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8464