We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

--- cut ---
(36ec.3210): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=fffff987 ebx=f8519200 ecx=290cc000 edx=290c8fbc esi=28f43098 edi=fffff851
eip=645412f9 esp=1390d9e4 ebp=00000014 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
AGM!AGMInitialize+0x584c9:
645412f9 8911            mov     dword ptr [ecx],edx  ds:002b:290cc000=????????

0:023> !heap -p -a ecx-8
    address 290cbff8 found in
    _DPH_HEAP_ROOT @ bc51000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                bc53d9c:         28c10090           4bbf70 -         28c10000           4bd000
    66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
    77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
    7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
    7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
    7725ccee ntdll!RtlAllocateHeap+0x0000003e
    66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
    74a2f1f6 ucrtbase!_malloc_base+0x00000026
    0e75fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
    64531c72 AGM!AGMInitialize+0x00048e42

0:023> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 1390da28 77240a31 07bb5958 64540190 1390daac AGM!AGMInitialize+0x584c9
01 1390da9c 74a2f1f6 f238e0c0 07bb5958 0dc0fc40 ntdll!RtlCaptureStackBackTrace+0x41
02 1390dab8 0e75fcd9 004bbf70 0e75fcc0 6451f0bd ucrtbase!_malloc_base+0x26
03 1390db54 6451e588 12b91f98 0000047b 00000001 AcroRd32!AcroWinMainSandbox+0x3ed9
04 1390db58 12b91f98 0000047b 00000001 00000000 AGM!AGMInitialize+0x35758
05 1390db5c 00000000 00000001 00000000 17191e14 0x12b91f98
--- cut ---

Notes:

- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled. Without PageHeap, the crash may also be triggered in ntdll!RtlReportCriticalFailure, if the system allocator detects a corrupted chunk.
- The crash is caused by a heap-based buffer overflow and occurs immediately after opening the PDF document (poc1.pdf), or with a bit of interaction (scrolling to other pages, zooming in and out) for poc2.pdf and poc3.pdf.
- We classify the bug as a potential RCE.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47272.zip
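The reason PageHeap makes this crash deterministic is visible in the log: the busy DPH block ends at UserAddr + UserSize = 28c10090 + 4bbf70 = 290cc000, which is exactly the address the faulting `mov dword ptr [ecx],edx` writes to, i.e. the first byte of the no-access guard page that full PageHeap places after every allocation. Without PageHeap that same store silently corrupts the next chunk's metadata, and the process only dies later when the allocator notices (the RtlReportCriticalFailure variant mentioned in the notes). The following triage helper is an added example, not part of the advisory: it parses the `DPH_HEAP_BLOCK` line from `!heap -p -a`, takes the faulting address and access width, and reports where the access lands relative to the block. The sample line and addresses are copied from the log above; the layout assumption (the trailing guard range is [UserAddr + UserSize, VirtAddr + VirtSize)) is how full PageHeap lays out a block, and the function and type names are this example's own.

```c
/* Added triage helper (not part of the advisory): check a PageHeap (DPH)
 * block record against the faulting access to confirm that the write
 * lands just past the end of the allocation, the signature PageHeap
 * produces for a heap-based buffer overflow. Sample values are taken
 * from the crash log above. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

struct dph_block {
    uint32_t user_addr, user_size;  /* the buffer the program asked for */
    uint32_t virt_addr, virt_size;  /* whole reserved range; guard page at the end */
};

struct access {
    uint32_t addr;   /* address the faulting instruction touched */
    uint32_t width;  /* bytes accessed: "mov dword ptr [ecx],edx" -> 4 */
};

enum where {
    INSIDE_BLOCK,       /* entirely within the user buffer */
    STRADDLES_END,      /* starts inside the buffer, runs past its end */
    PAST_END_IN_GUARD,  /* starts at or after the end, inside the guard range */
    OUTSIDE_RANGE       /* before the buffer (underflow) or beyond the reserved range */
};

/* Parse the DPH_HEAP_BLOCK line printed by "!heap -p -a", e.g.
 *   "bc53d9c: 28c10090 4bbf70 - 28c10000 4bd000"
 * Returns 0 on success, -1 if the line does not have that shape. */
int parse_dph_block(const char *line, struct dph_block *b)
{
    uint32_t hdr;  /* address of the DPH_HEAP_BLOCK header itself, not needed */
    int n = sscanf(line, " %" SCNx32 ": %" SCNx32 " %" SCNx32 " - %" SCNx32 " %" SCNx32,
                   &hdr, &b->user_addr, &b->user_size, &b->virt_addr, &b->virt_size);
    return n == 5 ? 0 : -1;
}

uint32_t block_user_end(const struct dph_block *b) { return b->user_addr + b->user_size; }
uint32_t block_virt_end(const struct dph_block *b) { return b->virt_addr + b->virt_size; }

/* Classify the access relative to the block. *oob receives the number of
 * accessed bytes that fall outside [user_addr, user_addr + user_size). */
enum where classify_access(const struct dph_block *b, const struct access *a, uint32_t *oob)
{
    uint32_t user_end = block_user_end(b);
    uint32_t virt_end = block_virt_end(b);
    uint32_t acc_end = a->addr + a->width;

    if (a->addr >= b->user_addr && acc_end <= user_end) {
        *oob = 0;
        return INSIDE_BLOCK;
    }
    if (a->addr >= b->user_addr && a->addr < user_end) {
        *oob = acc_end - user_end;   /* only the tail spills out */
        return STRADDLES_END;
    }
    if (a->addr >= user_end && a->addr < virt_end) {
        *oob = a->width;             /* every byte hits the guard range */
        return PAST_END_IN_GUARD;
    }
    *oob = a->width;
    return OUTSIDE_RANGE;
}

int main(void)
{
    /* Constructed from the log: the busy DPH block and the dword store at ecx. */
    const char *dph_line = "bc53d9c: 28c10090 4bbf70 - 28c10000 4bd000";
    struct dph_block b;
    if (parse_dph_block(dph_line, &b) != 0) {
        fputs("could not parse DPH_HEAP_BLOCK line\n", stderr);
        return 1;
    }
    struct access a = { 0x290cc000u, 4 };  /* ecx=290cc000, "mov dword ptr [ecx],edx" */
    uint32_t oob;
    enum where w = classify_access(&b, &a, &oob);

    printf("user block [%08" PRIx32 ", %08" PRIx32 ")  guard range [%08" PRIx32 ", %08" PRIx32 ")\n",
           b.user_addr, block_user_end(&b), block_user_end(&b), block_virt_end(&b));
    printf("access %08" PRIx32 "+%" PRIu32 ": %s, %" PRIu32 " byte(s) out of bounds\n",
           a.addr, a.width,
           w == PAST_END_IN_GUARD ? "past end of block, in guard range" :
           w == STRADDLES_END     ? "straddles end of block" :
           w == INSIDE_BLOCK      ? "inside block" : "outside reserved range",
           oob);
    return w == INSIDE_BLOCK ? 1 : 0;
}
```

For this crash the helper reports a 4-byte write starting 0 bytes past the end of a 0x4bbf70-byte block, which is what you want to see before calling a PageHeap fault a heap overflow: if the access had instead classified as OUTSIDE_RANGE with no nearby block, the more likely explanation would be a wild or uninitialised pointer rather than an overrun of this allocation.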