Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtGoogle Security Research1337DAY-ID-33646
HistoryDec 11, 2019 - 12:00 a.m.

Adobe Acrobat Reader DC - Heap-Based Memory Corruption due to Malformed TTF Font Exploit

2019-12-1100:00:00
Google Security Research
0day.today
516

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.359 Low

EPSS

Percentile

97.1%

JSON
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

--- cut ---
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=707779e0 ebx=25876c38 ecx=052faab8 edx=707703a4 esi=707703d4 edi=25876e34
eip=10e6c29e esp=052fa89c ebp=052fa8a4 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210212
CoolType!CTInit+0x3913e:
10e6c29e 8902            mov     dword ptr [edx],eax  ds:002b:707703a4=31a03194

0:000> u @eip-14
CoolType!CTInit+0x3912a:
10e6c28a 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
10e6c28d 8b571c          mov     edx,dword ptr [edi+1Ch]
10e6c290 8b7720          mov     esi,dword ptr [edi+20h]
10e6c293 035508          add     edx,dword ptr [ebp+8]
10e6c296 8b4724          mov     eax,dword ptr [edi+24h]
10e6c299 037508          add     esi,dword ptr [ebp+8]
10e6c29c 03c6            add     eax,esi
10e6c29e 8902            mov     dword ptr [edx],eax

0:000> ? poi(edi+1c)
Evaluate expression: -690332 = fff57764

0:000> ? poi(ebp+8)
Evaluate expression: 1887538240 = 70818c40

0:000> !heap -p -a 70818c40
    address 70818c40 found in
    _DPH_HEAP_ROOT @ bfc1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                723d3b94:         70818c40            173c0 -         70818000            19000
          unknown!fillpattern
    0f32a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
    77f24b26 ntdll!RtlDebugAllocateHeap+0x0000003c
    77e7e3e6 ntdll!RtlpAllocateHeap+0x000000f6
    77e7cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
    77e7ccee ntdll!RtlAllocateHeap+0x0000003e
    0f48aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
    77c2f1f6 ucrtbase!_malloc_base+0x00000026
    5fbefc39 AcroRd32!AcroWinMainSandbox+0x00003ec9
    10e37991 CoolType!CTInit+0x00004831
    10e38e1b CoolType!CTInit+0x00005cbb
    10e68870 CoolType!CTInit+0x00035710
    10e683dc CoolType!CTInit+0x0003527c
    10e67d25 CoolType!CTInit+0x00034bc5
    10e65902 CoolType!CTInit+0x000327a2
    10e633f2 CoolType!CTInit+0x00030292
    10e62719 CoolType!CTInit+0x0002f5b9
    10e620e8 CoolType!CTInit+0x0002ef88
    10e62000 CoolType!CTInit+0x0002eea0
    108f36f1 AGM!AGMInitialize+0x0002a881

 
0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 052fa8a4 10e6bde2 70818c40 25876e34 70818c40 CoolType!CTInit+0x3913e
01 052fa918 10e6bd06 052faab4 052fa9e4 00000001 CoolType!CTInit+0x38c82
02 052fa930 10e6bce7 052faab4 052fa9e4 73330f68 CoolType!CTInit+0x38ba6
03 052fa944 10e6bb4f 052faab4 052fa9e4 73330f68 CoolType!CTInit+0x38b87
04 052fa968 10e6b8b0 052facd8 73330f68 110f7080 CoolType!CTInit+0x389ef
05 052fab08 10e6abf9 73330f68 110f7080 052facd8 CoolType!CTInit+0x38750
06 052fad64 10e65b0c 052fb054 052faddc 00000000 CoolType!CTInit+0x37a99
07 052fb07c 10e633f2 000007c6 00000000 00000000 CoolType!CTInit+0x329ac
08 052fb14c 10e62719 65babff0 00000001 052fb1dc CoolType!CTInit+0x30292
09 052fb964 10e620e8 6aa0a9b4 052fb97c 6aa0a990 CoolType!CTInit+0x2f5b9
0a 052fb9e4 10e62000 6aa0a9b4 6aa0a99c 73fdc4da CoolType!CTInit+0x2ef88
0b 052fba24 108f36f1 7155bd90 6aa0a9b4 6aa0a99c CoolType!CTInit+0x2eea0
0c 052fba38 108e023e 6aa0a99c 108e01d0 331cbd80 AGM!AGMInitialize+0x2a881
0d 052fba4c 108df007 331cbd8c 10d84a18 00000001 AGM!AGMInitialize+0x173ce
0e 052fba84 108f0bcc c1574612 1733a7d0 00000000 AGM!AGMInitialize+0x16197
0f 052fbb4c 0f327c7a 0bfc16cc 052fbb78 0f3291ab AGM!AGMInitialize+0x27d5c
--- cut ---

Notes:

- The crash looks very similar to the one reported in Issue #1891 in June 2019, and fixed in August 2019 as CVE-2019-8042. The stack trace and context are nearly identical. It is possible that this is an unfixed variant of the previous vulnerability.

- Reproduces on Adobe Acrobat Reader DC (2019.012.20040) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though).

- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data at a negative offset relative to a heap allocation (-690332 in the above case).

- Attached samples: poc[1-4].pdf (crashing files).


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47769.zip

Related

checkpoint_advisories 2
cve 2
symantec 1
prion 2
exploitpack 1
zdi 1
exploitdb 1
googleprojectzero 1
threatpost 1
nessus 8
openvas 24
adobe 2
kaspersky 1
checkpoint_advisories
checkpoint_advisories
Adobe Acrobat and Reader Heap Overflow (APSB19-55: CVE-2019-16451)
2019-12-10 00:00:00
Adobe Acrobat and Reader Heap Overflow (APSB19-41: CVE-2019-8042)
2019-08-13 00:00:00
cve
cve
CVE-2019-16451
2019-12-19 15:15:00
CVE-2019-8042
2019-08-20 20:15:00
symantec
symantec
Adobe Acrobat and Reader CVE-2019-16451 Heap Buffer Overflow Vulnerability
2019-12-10 00:00:00
prion
prion
Heap overflow
2019-08-20 20:15:00
Heap overflow
2019-12-19 15:15:00
exploitpack
exploitpack
Adobe Acrobat Reader DC - Heap-Based Memory Corruption due to Malformed TTF Font
2019-12-11 00:00:00
zdi
zdi
Adobe Acrobat Pro DC TTF Font Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
2020-02-03 00:00:00
exploitdb
exploitdb
Adobe Acrobat Reader DC - Heap-Based Memory Corruption due to Malformed TTF Font
2019-12-11 00:00:00
googleprojectzero
googleprojectzero
Part II: Returning to Adobe Reader symbols on macOS
2020-01-30 00:00:00
threatpost
threatpost
Adobe Fixes 17 Critical Acrobat, Photoshop and Brackets Flaws
2019-12-10 16:37:03
nessus
nessus
Adobe Reader <= 2015.006.30505 / 2017.011.30152 / 2019.021.20056 Multiple Vulnerabilities (APSB19-55) (macOS)
2019-12-13 00:00:00
Adobe Acrobat <= 2015.006.30505 / 2017.011.30155 / 2019.021.20056 Multiple Vulnerabilities (APSB19-55) (macOS)
2019-12-13 00:00:00
Adobe Reader <= 2015.006.30505 / 2017.011.30152 / 2019.021.20056 Multiple Vulnerabilities (APSB19-55)
2019-12-13 00:00:00
openvas
openvas
Adobe Acrobat DC 2015 Security Updates (APSB19-55) - Mac OS X
2019-12-12 00:00:00
Adobe Acrobat DC (Continuous) Security Updates (APSB19-55) - Mac OS X
2019-12-12 00:00:00
Adobe Reader 2017 Security Updates (APSB19-55) - Mac OS X
2019-12-12 00:00:00
adobe
adobe
APSB19-55 - Security update available for Adobe Acrobat and Reader
2019-12-10 00:00:00
APSB19-41 Security update available for Adobe Acrobat and Reader
2019-08-13 00:00:00
kaspersky
kaspersky
KLA11531 Multiple vulnerabilities in Adobe Acrobat and Adobe Acrobat Reader
2019-08-14 00:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.359 Low

EPSS

Percentile

97.1%

JSON
Related for 1337DAY-ID-33646
checkpoint_advisories2cve2symantec1prion2exploitpack1zdi1exploitdb1googleprojectzero1threatpost1nessus8openvas24adobe2kaspersky1