Adobe Reader & amp; #39; CoolType. dll & amp; #39; TTF font Overflow

By Nicolas Joly

Riusksk (quange: http://riusksk.blogbus.com)

 

This article is intended to share with you some technical details about the recent Adobe Acrobat/Reader 0-Day exploit (CVE-2010-2883. In the VUPEN organization, we have analyzed a large number of vulnerabilities and 0-day vulnerabilities, and compiled well-developed exploit code for various programs and operating systems. In recent months, we have compiled a lot of code to exploit the Adobe Reader vulnerability and can bypass DEP protection.

Why is this 0-day exploit so interesting that we still need an article? This is rare because it uses some memorable odd tricks and some extraordinary means to bypass DEP and ASLR protection. Some people may already know that, in this vulnerability, the unsecure function strcat () in "CoolType. dll" can be exploited to create an overflow vulnerability. This vulnerability can be triggered when the PDF file is embedded in a specific tabulation segment.

 

. Text: 0803DCF9 push ebp
. Text: 0803 DCFA sub esp, 104 h
. Text: 0803DD00 lea ebp, [esp-4]
. Text: 0803DD04 mov eax, dword_8230FB8
. Text: 0803DD09 xor eax, ebp
. Text: 0803DD0B mov [ebp + 108 h + var_4], eax
. Text: 0803DD11 push 4Ch
. Text: 0803DD13 mov eax, offset loc_8184A54
. Text: 0803DD18 call _ EH_prolog3_catch // set up an SE handler
. Text: 0803DD1D mov eax, [ebp + 108 h + arg_C]
. Text: 0803DD23 mov edi, [ebp + 108 h + arg_0]
. Text: 0803DD29 mov ebx, [ebp + 108 h + arg_4]
. Text: 0803DD2F mov [ebp + 108 h + var_130], edi
. Text: 0803DD32 mov [ebp + 108 h + var_138], eax

 

When the SING table segment in the font file is found, the program executes the following commands:

 

. Text: 0803DD74 push offset aSing; "SING"
. Text: 0803DD79 push edi; int
. Text: 0803DD7A lea ecx, [ebp + 108 h + var_12C]
. Text: 0803DD7D call sub_8021B06
...
. Text: 0803DD9F loc_803DD9F:
. Text: 0803DD9F add eax, 10 h
. Text: 0803DDA2 push eax // long string following the SING table
. Text: 0803DDA3 lea eax, [ebp + 108 h + Dest]
. Text: 0803DDA6 push eax //~ 256 bytes stack buffer
. Text: 0803DDA7 mov [ebp + 108 h + Dest], 0
. Text: 0803 DDAB call strcat // insecure!

 

To exploit this vulnerability, hackers usually overwrite the return address or SE handler, but it may not work here. Because it has a stack cookie to prevent the return address from being exploited, when a function with an exception handling routine is entered, the stack situation is as follows:

 

| SE |
| Next se |
| DEST | <-- vulnerable buffer
|... |
| COOKIE |
| EBP |
| Ret add |

 

As shown above, if you overwrite the return address, the cookie will be rewritten to prevent malicious code from running. If you continue overwriting until an exception is triggered, you can step through the cookie and hand the control to SE handler for processing. Obviously, there is nothing special about this solution. Another method is to overwrite the parameters or variables in the function. Here, attackers also use this method. When He overwrites the stack space, the first exception occurs in BIB. dll, because the next call function uses this overwrite parameter:

 

. Text: 0803DDB0 pop ecx
. Text: 0803DDB1 pop ecx
. Text: 0803DDB2 lea eax, [ebp + 108 h + Dest]
. Text: 0803DDB5 push eax
. Text: 0803DDB6 mov ecx, ebx // ebx actually points to arg_4, which is overwritten
. Text: 0803DDB8 call sub_8001243

 

Then:

 

. Text: 070013F7 lea eax, [ecx + 1Ch] // ecx = [arg_4]
. Text: 070013FA mov [ebp + var_8], eax
. Text: 070013FD mov eax, [ebp + var_8]
. Text: 07001400 lock dec dword ptr [eax] // first crash here

 

If it points to an Invalid Address, the first exception will be triggered at 0x07001400 address, and then execute SE handler, resulting in Adobe Acrobat/Reader crash. Therefore, a valid pointer must be set to at least allow the program to drop any dword byte in the memory, which is also valid (such as the CVE-2008-4812 ). Even so, it is difficult to compile an exploit that can bypass DEP and ASLR. However, sub_8016BDE brings us hope that it pushes two pointers into the stack as parameters:

 

. Text: 0803DEA9 loc_803DEA9:
. Text: 0803DEA9
. Text: 0803DEA9 lea eax, [ebp + 108 h + var_124]
. Text: 0803 DEAC push eax
. Text: 0803 DEAD push ebx
. Text: 0803 DEAE push edi // ebx and edi point to arg_4 and arg_0
. Text: 0803 DEAF call sub_8016BDE

 

The above Code uses arg_0 as the parameter to call sub_8016BDE, while sub_8016BDE returns 0 or a pointer. If 0 is returned, the program will jump to the address 0x080172CE and exit the function. However, if a pointer is returned, sub_801BB21 (using arg_0 as one of the parameters) will be called.

 

. Text: 08016C2B push edi
. Text: 08016C2C mov [ebp + 664 h + var_668], ebx
. Text: 08016C2F mov [ebp + 664 h + var_694], ebx
. Text: 08016C32 mov [ebp + 664 h + var_678], ebx
. Text: 08016C35 call sub_801BB1C // return 0 or a pointer
. Text: 08016C3A cmp eax, ebx
. Text: 08016C3C pop ecx
. Text: 08016C3D mov [ebp + 664 h + var_67C], eax
. Text: 08016C40 jz loc_80172CE
. Text: 08016C46 push 1
. Text: 08016C48 push ebx
. Text: 08016C49 push ebx
. Text: 08016C4A lea eax, [ebp + 664 h + var_678]
. Text: 08016C4D push eax
. Text: 08016C4E lea eax, [ebp + 664 h + var_694]
. Text: 08016C51 push eax
. Text: 08016C52 push edi
. Text: 08016C53 push [ebp + 664 h + var_67C]
. Text: 08016C56 call sub_801BB21 // this call must be reached

 

After the sub_801BB1C function is executed:

 

. Text: 0801BA57 mov eax, dword_823A728
. Text: 0801BA5C test eax, eax // the attacker does not control this pointer
. Text: 0801BA5E jz short locret_801BA73
. Text: 0801BA60 mov ecx, [esp + arg_0] // however ecx may point to a controlled dword
. Text: 0801BA64 mov ecx, [ecx + 4]
. Text: 0801BA67
. Text: 0801BA67 loc_801BA67:
. Text: 0801BA67 cmp ecx, [eax + 4]
. Text: 0801BA6A jz short locret_801BA73
. Text: 0801BA6C mov eax, [eax + 8]
. Text: 0801BA6F test eax, eax
. Text: 0801BA71 jnz short loc_801BA67
. Text: 0801BA73
. Text: 0801BA73 locret_801BA73:
. Text: 0801BA73
. Text: 0801BA73 retn

 

Here, ECX must be equal to [eax + 4] so that the function can return values other than NULL. Which value must eax + 4 point?

 

0x0000006c
0x0000006b
Zero x 00000070
0x0000006f
0x0000006d

 

Because strcat is to be used, null bytes cannot be used! This causes arg_0 + 4 to point to 0x0000006D, which means this value cannot be changed at will, so as to limit the number of bytes that need to be merged into the stack. This is exactly why the author of exploit did not cover the entire stack space, but only part of the space. Finally, enter sub_801BB21 and sub_808B116:

 

. Text: 0808B2E3 mov eax, [edi + 3Ch] // edi = arg_0, but edi + 3Ch points to a stack pointer,
// Itself pointing to a controlled value
. Text: 0808B2E6 cmp eax, ebx
. Text: 0