Steven Seeley of Source InciteSRC-2017-0007SRC-2017-0007 : Adobe Acrobat Pro DC ImageConversion EMF parsing EMR_EXTTEXTOUTA Array Indexing Remote Code Execution Vulnerability
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.022 Low
EPSS
Percentile
89.3%
Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of EMF files. The issue results from the lack of proper validation of user-supplied data in the EMR_EXTTEXTOUTA record, which can result in a out-of-bounds read memory access during array indexing. An attacker can leverage this vulnerability to execute code under the context of the current process.
Upon parsing the crafted EMF file, the following access violation occurs:
(fbc.d4c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=487cc578 ebx=0015d1f0 ecx=48b0eb3c edx=00006544 esi=0007d400 edi=48ac2c00
eip=6286a2ac esp=0015d144 ebp=0015d1d0 iopl=0 nv up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210287
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Acrobat DC\Acrobat\MPS.dll -
MPS+0xa2ac:
6286a2ac 668b0450 mov ax,word ptr [eax+edx*2] ds:0023:487d9000=????
The vulnerability occurs in sub_1000A050 within MPS.dll:
.text:1000A2A0 loc_1000A2A0:
.text:1000A2A0 mov dword ptr [ecx], 0
.text:1000A2A6 lea ecx, [ecx+0Ch]
.text:1000A2A9 mov eax, [ebx+4]
.text:1000A2AC mov ax, [eax+edx*2] ; out-of-bounds read
.text:1000A2B0 inc edx
.text:1000A2B1 mov [ecx-0Ch], ax
.text:1000A2B5 cmp edx, [ebp+var_44]
.text:1000A2B8 jb short loc_1000A2A0
The index is influenced and controlled at offset 0x215 and can be leveraged to read and write out of bounds.
Affected Vendors:
Adobe
Affected Products:
Acrobat Pro DC
Vendor Response:
Adobe has issued an update to correct these vulnerabilities. More details can be found at:
<https://helpx.adobe.com/security/products/acrobat/apsb17-24.html>
Proof of Concept:
<https://github.com/sourceincite/poc/blob/master/SRC-2017-0007.emf>
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.022 Low
EPSS
Percentile
89.3%