Adobe Acrobat Reader DC for Windows – Heap-Based Buffer Overflow While Processing Malformed PDF

• Exploit Database
• 12 阅读

• 作者： Google Security Research
  日期： 2019-08-15
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/47272/

• We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
  
  --- cut ---
  (36ec.3210): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=fffff987 ebx=f8519200 ecx=290cc000 edx=290c8fbc esi=28f43098 edi=fffff851
  eip=645412f9 esp=1390d9e4 ebp=00000014 iopl=0 nv up ei ng nz na pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010286
  AGM!AGMInitialize+0x584c9:
  645412f9 8911mov dword ptr [ecx],edxds:002b:290cc000=????????
  
  0:023> !heap -p -a ecx-8
  address 290cbff8 found in
  _DPH_HEAP_ROOT @ bc51000
  in busy allocation (DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
   bc53d9c: 28c10090 4bbf70 - 28c10000 4bd000
  66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
  77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
  7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
  7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
  7725ccee ntdll!RtlAllocateHeap+0x0000003e
  66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
  74a2f1f6 ucrtbase!_malloc_base+0x00000026
  0e75fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
  64531c72 AGM!AGMInitialize+0x00048e42
   
  0:023> kb
   # ChildEBP RetAddrArgs to Child
  WARNING: Stack unwind information not available. Following frames may be wrong.
  00 1390da28 77240a31 07bb5958 64540190 1390daac AGM!AGMInitialize+0x584c9
  01 1390da9c 74a2f1f6 f238e0c0 07bb5958 0dc0fc40 ntdll!RtlCaptureStackBackTrace+0x41
  02 1390dab8 0e75fcd9 004bbf70 0e75fcc0 6451f0bd ucrtbase!_malloc_base+0x26
  03 1390db54 6451e588 12b91f98 0000047b 00000001 AcroRd32!AcroWinMainSandbox+0x3ed9
  04 1390db58 12b91f98 0000047b 00000001 00000000 AGM!AGMInitialize+0x35758
  05 1390db5c 00000000 00000001 00000000 17191e14 0x12b91f98
  --- cut ---
  
  Notes:
  
  - Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled. Without PageHeap, the crash may also be triggered in ntdll!RtlReportCriticalFailure, if the system allocator detects a corrupted chunk.
  
  - The crash is caused by a heap-based buffer overflow and occurs immediately after opening the PDF document (poc1.pdf), or with a bit of interaction (scrolling to other pages, zooming in and out) for poc2.pdf and poc3.pdf.
  
  - We classify the bug as a potential RCE.
  
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47272.zip