Talos Intelligence - TALOS-2017-0361

Adobe Acrobat Reader DC AcroForm PDFDocEncoding Remote Code Execution Vulnerability

2017-08-08 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.022 Low
Percentile: 89.3%

Summary

An exploitable case of parser confusion can lead to invalid pointer arithmetic in the part of the code responsible for parsing AcroForm forms in Adobe Acrobat Reader DC 2017.009.20044. A specially crafted PDF file can abuse this unchecked pointer arithmetic to access and overwrite arbitrary memory in the process, ultimately leading to arbitrary code execution. In order to trigger this vulnerability, a victim would need to open the malicious file or access a malicious web page.

Tested Versions

Adobe Acrobat Reader DC 2017.009.20044

Product URLs

https://get.adobe.com/reader/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-823: Use of Out-of-range Pointer Offset

Details

Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a large user base, is usually the default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability.

AcroForm elements of a PDF define interactive forms that the user can fill in with additional data. As part of the AcroForm resource dictionary, various objects can be specified for use by the form, such as fonts, encodings and so on. One of these encodings can be PDFDocEncoding, which is used for specially encoded strings.

Usually, a PDFDocEncoding object consists of a Differences array, which lists how this specific encoding deviates from the declared or implicit base encoding. In Adobe Reader, if the PDFDocEncoding object has its base encoding defined as WinAnsiEncoding (which should never be the case in regular files), the parser can be tricked into using a raw Differences offset value directly as a pointer offset, creating an out-of-bounds memory access condition. For example:

5 0 obj
<<
/DR <<
  /Encoding <<
    /PDFDocEncoding 6 0 R
  >>
>>
>>
endobj
6 0 obj
<<
/Type /Encoding
/BaseEncoding /WinAnsiEncoding
/Differences [ -247381695 /a
  ]
>>
endobj

In the above excerpt from our PoC for this issue, object 5 is of AcroForm type and its resource dictionary refers to object 6 as the PDFDocEncoding object. Object 6 in turn defines the base encoding and the malformed Differences array. The value -247381695 (0xf1414141 in hex) ends up being used as a pointer offset in a memory write instruction. This can be observed directly in the following crash information:

(1998.211c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api - 
eax=21100061 ebx=00000000 ecx=21105cc0 edx=0a2d4ff8 esi=00000001 edi=f1414141
eip=20a77eeb esp=0012e614 ebp=0012e654 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
AcroForm!DllUnregisterServer+0x316be:
20a77eeb 66890479        mov     word ptr [ecx+edi*2],ax  ds:0023:0392df42=????

Note that at the time of the crash, ecx points to valid memory, but edi contains the specified value. The value being written (in register ax) is also under our control and is 0x0061 in this case (ASCII for 'a').

Finally, by adding more entries to the Differences array, the out-of-bounds write can be repeated arbitrarily many times.

By abusing this effectively arbitrary write-anywhere primitive, the process can be manipulated into achieving arbitrary code execution.
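To make the missing range check concrete, the following is an added C model (not Adobe's code and not the Talos PoC) of an encoding table with one 16-bit entry per character code, mirroring the scaled write in the crash above. unchecked_write_offset shows how far the PoC's code -247381695 would land from the table, and apply_differences is the hardened form that rejects any code outside 0..255 before writing; the token format, table layout and glyph stand-in are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (not Adobe's code) of an encoding table with one 16-bit entry
 * per code, mirroring the crash's mov word ptr [ecx+edi*2],ax (ecx base, edi code, ax glyph). */
#define ENC_CODES 256
typedef struct { uint16_t glyph[ENC_CODES]; } enc_table_t;

/* Byte offset an unchecked table->glyph[code] store would reach. Computed only,
 * never dereferenced; the advisory's -247381695 lands far outside the table. */
long long unchecked_write_offset(long long code) {
    return code * (long long)sizeof(uint16_t);
}

/* Hardened application of a /Differences array given as tokens, e.g. "[ 97 /a /b 100 /d ]":
 * an integer sets the current code, each /Name assigns a glyph there and advances.
 * Returns entries written, or -1 if any code falls outside 0..255, the range check
 * the vulnerable parser lacks. Glyph value = the name's first byte (stand-in). */
int apply_differences(enc_table_t *t, const char *tokens) {
    char buf[256];
    snprintf(buf, sizeof buf, "%s", tokens);   /* private copy for strtok */
    long long code = -1; int written = 0;
    for (char *tok = strtok(buf, " []"); tok; tok = strtok(NULL, " []")) {
        if (tok[0] == '/') {
            if (code < 0 || code >= ENC_CODES) return -1;  /* check before the write */
            t->glyph[code++] = (uint16_t)(unsigned char)tok[1];
            written++;
        } else {
            char *end;
            code = strtoll(tok, &end, 10);
            if (*end != '\0' || code < 0 || code >= ENC_CODES) return -1;
        }
    }
    return written;
}

/* Apply tokens to a zeroed table; return the glyph at `code`, or 0xFFFF if rejected. */
unsigned glyph_after(const char *tokens, int code) {
    enc_table_t t;
    memset(&t, 0, sizeof t);
    return apply_differences(&t, tokens) < 0 ? 0xFFFFu : t.glyph[code];
}
int main(void) {
    printf("offset for code -247381695: %lld bytes\n", unchecked_write_offset(-247381695LL));
    printf("PoC array rejected: %s\n", glyph_after("[ -247381695 /a ]", 0) == 0xFFFF ? "yes" : "no");
    printf("glyph at 97 after [ 97 /a ]: 0x%04x\n", glyph_after("[ 97 /a ]", 97));
    return 0;
}
```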

Timeline

2017-06-09 - Vendor Disclosure
2017-08-08 - Public Release
