Adobe Acrobat Reader DC for Windows – Heap-Based Memory Corruption due to Malformed TTF Font

  • Author: Google Security Research
  • Date: 2019-08-15
  • Source: https://www.exploit-db.com/exploits/47276/
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

--- cut ---
(4c84.1e3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=13842768 ebx=14b6d730 ecx=1383e108 edx=13832820 esi=13832850 edi=14b6d92c
eip=1062a82e esp=1383def0 ebp=1383def8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
CoolType!CTInit+0x37aa7:
1062a82e 8902            mov     dword ptr [edx],eax  ds:002b:13832820=????????

0:022> u @eip-14
CoolType!CTInit+0x37a93:
1062a81a 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
1062a81d 8b571c          mov     edx,dword ptr [edi+1Ch]
1062a820 8b7720          mov     esi,dword ptr [edi+20h]
1062a823 035508          add     edx,dword ptr [ebp+8]
1062a826 8b4724          mov     eax,dword ptr [edi+24h]
1062a829 037508          add     esi,dword ptr [ebp+8]
1062a82c 03c6            add     eax,esi
1062a82e 8902            mov     dword ptr [edx],eax

0:022> ? poi(edi+1c)
Evaluate expression: -56136 = ffff24b8

0:022> ? poi(ebp+8)
Evaluate expression: 327418728 = 13840368

0:022> !heap -p -a 13840368
    address 13840368 found in
    _DPH_HEAP_ROOT @ bd61000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 bd639c0:         13840368           190c94 -         13840000           192000
    unknown!fillpattern
    66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
    77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
    7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
    7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
    7725ccee ntdll!RtlAllocateHeap+0x0000003e
    66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
    74a2f1f6 ucrtbase!_malloc_base+0x00000026
    0e96fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
    105f74d4 CoolType!CTInit+0x0000474d
    105f8888 CoolType!CTInit+0x00005b01
    106270cf CoolType!CTInit+0x00034348
    10626c61 CoolType!CTInit+0x00033eda
    106265a2 CoolType!CTInit+0x0003381b
    10623c6f CoolType!CTInit+0x00030ee8
    10621d55 CoolType!CTInit+0x0002efce
    106210e9 CoolType!CTInit+0x0002e362
    1062096c CoolType!CTInit+0x0002dbe5
    10620893 CoolType!CTInit+0x0002db0c
    645138e1 AGM!AGMInitialize+0x0002aab1

0:022> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 1383def8 1062a372 13840368 14b6d92c 13840368 CoolType!CTInit+0x37aa7
01 1383df6c 1062a296 1383e104 1383e034 00000001 CoolType!CTInit+0x375eb
02 1383df84 1062a277 1383e104 1383e034 16977160 CoolType!CTInit+0x3750f
03 1383df98 10629d00 1383e104 1383e034 16977160 CoolType!CTInit+0x374f0
04 1383dfb8 10629a71 1383e328 16977160 00000000 CoolType!CTInit+0x36f79
05 1383e158 10628ea7 16977160 108a00a0 1383e328 CoolType!CTInit+0x36cea
06 1383e3b4 10623e89 1383e6a8 1383e430 00000000 CoolType!CTInit+0x36120
07 1383e6d0 10621d55 00000001 00000000 00000000 CoolType!CTInit+0x31102
08 1383e7a0 106210e9 16d43ec0 00000009 1383e834 CoolType!CTInit+0x2efce
09 1383efb8 1062096c 188f40ec 1383efd0 188f40c8 CoolType!CTInit+0x2e362
0a 1383f038 10620893 188f40ec 188f40d4 393d9f99 CoolType!CTInit+0x2dbe5
0b 1383f070 645138e1 14c73e6c 188f40ec 10882280 CoolType!CTInit+0x2db0c
0c 1383f084 644ffb1e 188f40d4 644ffab0 1737c5f0 AGM!AGMInitialize+0x2aab1
0d 1383f098 644fe8e7 1737c5fc 649a09f8 00000001 AGM!AGMInitialize+0x16cee
0e 1383f0d0 6451041c 30146add 13db5c78 00000000 AGM!AGMInitialize+0x15ab7
0f 1383f17c 772fcd28 0ad60000 1383f1b0 66d6922c AGM!AGMInitialize+0x275ec
10 1383f190 00000000 66d69238 772fcd10 0ad64d80 ntdll!RtlReleaseStackTrace+0x18
--- cut ---

Notes:

- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though).

- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data at a negative offset relative to a heap allocation (-56136 in the above case).

- Attached samples: poc.pdf (crashing file), original.pdf (original file).
    
- We have minimized the difference between the original and mutated files down to three bytes at offsets 0x2bd4c, 0x2bd4d and 0x2d5b8 (0x00 => 0xff in all cases). These bytes reside inside of a TrueType font stream.
    
    
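The faulting instruction sequence in the disassembly computes the destination pointer as [edi+1Ch] + [ebp+8]: a 32-bit offset taken from the font data is added to the base of a heap allocation with no check that the result stays inside that allocation. The C program below is an added illustration, not Adobe's CoolType code and not part of the original report. It replays that arithmetic with the exact values from the WinDbg session (base 0x13840368, offset 0xffff24b8, UserSize 0x190c94), confirming that the wrapped add lands on the edx seen in the register dump, and then shows the bounds check a font parser should apply before dereferencing a font-supplied offset. The helper names and the checked-store function are assumptions; the report does not identify which TrueType structure the offset is read from.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed from the WinDbg session in the report (added illustration,
 * not Adobe's code):
 *   poi(edi+1c) = 0xffff24b8 (-56136)  offset taken from the font stream
 *   poi(ebp+8)  = 0x13840368           UserAddr of the heap allocation
 *   UserSize    = 0x190c94             size reported by !heap -p -a
 */
#define POC_OFFSET_RAW  0xffff24b8u
#define POC_BASE        0x13840368u
#define POC_ALLOC_SIZE  0x190c94u

/* The unchecked arithmetic from the disassembly: edx = [edi+1Ch] + [ebp+8].
 * The 32-bit add wraps, so an offset with the top bit set lands below the
 * allocation base. Returns the address the final "mov [edx],eax" targets. */
uint32_t unchecked_target(uint32_t base, uint32_t raw_offset)
{
    return base + raw_offset;
}

/* The same offset read as a signed 32-bit value, which is how the report
 * describes it (-56136). */
int32_t offset_as_signed(uint32_t raw_offset)
{
    return (int32_t)raw_offset;
}

/* Hardened check: a font-supplied offset is untrusted input. Accept it only
 * if the whole write [offset, offset + write_len) lies inside an allocation
 * of alloc_size bytes. Negative offsets are rejected outright and the end
 * is computed in 64 bits so it cannot wrap. */
bool offset_in_bounds(uint32_t raw_offset, size_t alloc_size, size_t write_len)
{
    int32_t off = (int32_t)raw_offset;
    if (off < 0)
        return false;
    uint64_t end = (uint64_t)(uint32_t)off + (uint64_t)write_len;
    return end <= (uint64_t)alloc_size;
}

/* Hypothetical checked store standing in for the unchecked "mov [edx],eax":
 * write a 32-bit value into buf at the font-supplied offset only after the
 * bounds check passes; otherwise write nothing and report failure. */
bool store_checked(uint8_t *buf, size_t alloc_size, uint32_t raw_offset, uint32_t value)
{
    if (!offset_in_bounds(raw_offset, alloc_size, sizeof value))
        return false;
    memcpy(buf + raw_offset, &value, sizeof value);
    return true;
}

int main(void)
{
    /* Replays the crash arithmetic: the result equals the edx in the register
     * dump (13832820), which is 56136 bytes before the allocation starts. */
    printf("target   = %08x (edx in the crash)\n",
           (unsigned)unchecked_target(POC_BASE, POC_OFFSET_RAW));
    printf("offset   = %d\n", (int)offset_as_signed(POC_OFFSET_RAW));
    printf("in range = %s\n",
           offset_in_bounds(POC_OFFSET_RAW, POC_ALLOC_SIZE, 4) ? "yes" : "no");

    /* Constructed 16-byte buffer: the checked store accepts an in-range
     * offset and refuses a negative one. */
    uint8_t buf[16] = {0};
    printf("store 12 = %d\n", store_checked(buf, sizeof buf, 12, 0x41424344u));
    printf("store -4 = %d\n", store_checked(buf, sizeof buf, 0xfffffffcu, 1u));
    return 0;
}
```

The check rejects the crashing offset because its sign bit is set, and it also rejects positive offsets whose write would run past UserSize; the same pattern applies to the second pointer built at 1062a829 from [edi+20h], which the page shows being added to the same base without a check.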
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47276.zip