Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow While Processing Malformed PDF

15 Aug 2019 | Reported by: Google Security Research | Type: exploitdb | Source: www.exploit-db.com

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

--- cut ---
(36ec.3210): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=fffff987 ebx=f8519200 ecx=290cc000 edx=290c8fbc esi=28f43098 edi=fffff851
eip=645412f9 esp=1390d9e4 ebp=00000014 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
AGM!AGMInitialize+0x584c9:
645412f9 8911            mov     dword ptr [ecx],edx  ds:002b:290cc000=????????

0:023> !heap -p -a ecx-8
    address 290cbff8 found in
    _DPH_HEAP_ROOT @ bc51000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 bc53d9c:         28c10090           4bbf70 -         28c10000           4bd000
    66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
    77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
    7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
    7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
    7725ccee ntdll!RtlAllocateHeap+0x0000003e
    66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
    74a2f1f6 ucrtbase!_malloc_base+0x00000026
    0e75fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
    64531c72 AGM!AGMInitialize+0x00048e42
 
0:023> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 1390da28 77240a31 07bb5958 64540190 1390daac AGM!AGMInitialize+0x584c9
01 1390da9c 74a2f1f6 f238e0c0 07bb5958 0dc0fc40 ntdll!RtlCaptureStackBackTrace+0x41
02 1390dab8 0e75fcd9 004bbf70 0e75fcc0 6451f0bd ucrtbase!_malloc_base+0x26
03 1390db54 6451e588 12b91f98 0000047b 00000001 AcroRd32!AcroWinMainSandbox+0x3ed9
04 1390db58 12b91f98 0000047b 00000001 00000000 AGM!AGMInitialize+0x35758
05 1390db5c 00000000 00000001 00000000 17191e14 0x12b91f98
--- cut ---

Notes:

- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled. Without PageHeap, the crash may also be triggered in ntdll!RtlReportCriticalFailure, if the system allocator detects a corrupted chunk.

- The crash is caused by a heap-based buffer overflow and occurs immediately after opening the PDF document (poc1.pdf), or with a bit of interaction (scrolling to other pages, zooming in and out) for poc2.pdf and poc3.pdf.

- We classify the bug as a potential RCE.
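
As an added triage illustration (not part of the original report), the following Python sketch parses an excerpt of the debugger output above and checks the faulting write address against the bounds of the page heap block. The function names are hypothetical, and the guard-page layout is an assumption about full PageHeap.

```python
import re

# Excerpt of the WinDbg output quoted in the report above (values copied from the page).
CRASH_LOG = """\
eax=fffff987 ebx=f8519200 ecx=290cc000 edx=290c8fbc esi=28f43098 edi=fffff851
645412f9 8911            mov     dword ptr [ecx],edx  ds:002b:290cc000=????????
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 bc53d9c:         28c10090           4bbf70 -         28c10000           4bd000
"""

def parse_registers(log):
    """Map 32-bit register names to values from a WinDbg register dump."""
    return {r: int(v, 16) for r, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", log)}

def parse_pageheap_block(log):
    """Extract the DPH_HEAP_BLOCK row printed by '!heap -p -a'."""
    row = re.search(r"^[ \t]*([0-9a-f]+):[ \t]+([0-9a-f]+)[ \t]+([0-9a-f]+)[ \t]+-"
                    r"[ \t]+([0-9a-f]+)[ \t]+([0-9a-f]+)[ \t]*$", log, re.M)
    if row is None:
        raise ValueError("no page heap block row found")
    keys = ("block", "user_addr", "user_size", "virt_addr", "virt_size")
    return dict(zip(keys, (int(g, 16) for g in row.groups())))

def classify_fault(log):
    """Relate the faulting store address to the allocation's bounds."""
    regs, blk = parse_registers(log), parse_pageheap_block(log)
    store = re.search(r"mov\s+dword ptr \[(e[a-z]{2})\],", log)  # memory destination = write
    if store is None:
        raise ValueError("no faulting store instruction found")
    fault = regs[store.group(1)]
    user_end = blk["user_addr"] + blk["user_size"]
    virt_end = blk["virt_addr"] + blk["virt_size"]
    return {
        "fault_addr": fault,
        "bytes_past_end": fault - user_end,  # 0 means first byte after the buffer
        # Assumption: with full PageHeap the range [user_end, virt_end) is the
        # inaccessible guard page placed directly behind the user buffer.
        "in_guard_page": user_end <= fault < virt_end,
    }

if __name__ == "__main__":
    for key, value in classify_fault(CRASH_LOG).items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

For this log the write lands exactly at UserAddr + UserSize (0x28c10090 + 0x4bbf70 = 0x290cc000), the first byte past the allocation, which is consistent with the heap-based buffer overflow named in the notes.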


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47272.zip
