[CNNVD] Adobe Reader and Acrobat Memory Corruption Vulnerability (cnnvd-201308-479)
Adobe Reader and Acrobat are both products of the US company Adobe. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool.
A security vulnerability exists in Adobe Reader and Acrobat. An attacker could exploit it to execute arbitrary code or cause a denial of service (memory corruption). The following versions are affected: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03.
The test environment is Adobe Reader 11 on Windows 7. With the debugger attached, the program exits unexpectedly after opening the PoC but never breaks in the debugger; Task Manager shows two Adobe Reader processes, so child-process debugging is enabled and the PoC reloaded, at which point the debugger breaks with the following information.
eax=00000001 ebx=00000001 ecx=64f7f4ea edx=04bb1078 esi=3ef2cc90 edi=00000000
eip=64f7e84b esp=0016e540 ebp=0016e564 iopl=0         nv up ei pl nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210213
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.dll -
AcroRd32!DllCanUnloadNow+0x150524:
64f7e84b 8b06            mov     eax,dword ptr [esi]  ds:0023:3ef2cc90=????????
Looking back up the code, ESI comes from ECX, and since ECX is the this pointer, ESI is presumably an object pointer. Looking further down, there is a call dword ptr [eax+364h], an indirect call through the table whose address was just loaded from the object. With heap allocation recording (page heap) enabled, reload and inspect the block, as follows.
1:007> !heap -p -a esi
    address 3eaeac90 found in
    _DPH_HEAP_ROOT @ 4451000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    3136171c:         3eaea000
    778890b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77775674 ntdll!RtlDebugFreeHeap+0x0000002f
    77737aca ntdll!RtlpFreeHeap+0x0000005d
    77702d68 ntdll!RtlFreeHeap+0x00000142
    768af1ac kernel32!HeapFree+0x00000014
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\msvcr100.dll -
    6b41016a msvcr100!free+0x0000001c
    627e1325 AcroRd32!CTJPEGLibInit+0x0000f6d5
    6290c2af AcroRd32!DllCanUnloadNow+0x0010df88
    628b3381 AcroRd32!DllCanUnloadNow+0x000b505a
    6294723b AcroRd32!DllCanUnloadNow+0x00148f14
    628980b1 AcroRd32!DllCanUnloadNow+0x00099d8a
    62e54bbf AcroRd32!CTJPEGRotateOptions::operator=+0x001b0aa3
    628980b1 AcroRd32!DllCanUnloadNow+0x00099d8a
    62cfabca AcroRd32!CTJPEGRotateOptions::operator=+0x00056aae
    62cfb275 AcroRd32!CTJPEGRotateOptions::operator=+0x00057159
    62cf93be AcroRd32!CTJPEGRotateOptions::operator=+0x000552a2
    62da391e AcroRd32!CTJPEGRotateOptions::operator=+0x000ff802
    62da3b7c AcroRd32!CTJPEGRotateOptions::operator=+0x000ffa60
    62da3eca AcroRd32!CTJPEGRotateOptions::operator=+0x000ffdae
    *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\Annots.api
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\Annots.api -
    64989a3a Annots!PlugInMain+0x00078015
    6498a692 Annots!PlugInMain+0x00078c6d
    6498af61 Annots!PlugInMain+0x0007953c
    *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\EScript.api
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\EScript.api -
    66e2a8e8 EScript!PlugInMain+0x000392b6
    66dfff65 EScript!PlugInMain+0x0000e933
    66e19749 EScript!PlugInMain+0x00028117
    66e157ec EScript!PlugInMain+0x000241ba
    66e378e6 EScript!PlugInMain+0x000462b4
    66e3786c EScript!PlugInMain+0x0004623a
    66e36951 EScript!PlugInMain+0x0004531f
    66e3626c EScript!PlugInMain+0x00044c3a
    66e342da EScript!PlugInMain+0x00042ca8
    64989e26 Annots!PlugInMain+0x00078401
Clearly this is a memory block that has already been freed, so let's see where it was allocated. Breaking in the allocation function on the next run yields the allocation record for this memory.
1:011> !heap -p -a 04878de8
    address 04878de8 found in
    _DPH_HEAP_ROOT @ 45f1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 f05e4:          4878de8              214 -          4878000
    77888e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77774ea6 ntdll!RtlDebugAllocateHeap+0x00000030
    77737d96 ntdll!RtlpAllocateHeap+0x000000c4
    777034ca ntdll!RtlAllocateHeap+0x0000023a
    6b7709ee msvcr100!unlock+0x000000ba
    6b771e32 msvcr100!calloc_crt+0x00000016
    6b771d93 msvcr100!mbtowc_l+0x000001be
    6b771e16 msvcr100!mbtowc_l+0x00000241
    7770af24 ntdll!LdrpCallInitRoutine+0x00000014
    7770b511 ntdll!LdrpInitializeThread+0x0000015b
    7770b298 ntdll!_LdrpInitialize+0x000001ad
    7770b2c5 ntdll!LdrInitializeThunk+0x00000010
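The free-ed record and the busy record above share one format, and in triage it pays to parse it rather than read it by eye. The following is an added example, not code from this page or from Adobe: it parses a "!heap -p -a" record, classifies the fault as a use-after-free when page heap reports the block as free-ed, and returns the first frame outside the allocator and CRT, i.e. the application code that freed the block. The sample record is constructed from the output quoted above; its VirtSize value is made up.

```python
import re

# Constructed sample condensed from the free-ed "!heap -p -a" record quoted on this page;
# the VirtSize column, lost in the page's extraction, is made up here.
FREED_SAMPLE = """\
    address 3eaeac90 found in
    _DPH_HEAP_ROOT @ 4451000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    3136171c:         3eaea000             2000
    778890b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77702d68 ntdll!RtlFreeHeap+0x00000142
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for msvcr100.dll -
    6b41016a msvcr100!free+0x0000001c
    627e1325 AcroRd32!CTJPEGLibInit+0x0000f6d5
    66e2a8e8 EScript!PlugInMain+0x000392b6
"""

ALLOCATOR_MODULES = {"verifier", "ntdll", "kernel32", "msvcr100"}  # frames below the app's own call
FRAME_RE = re.compile(r"^\s*([0-9a-f]{8})\s+(\S+!\S+)\s*$", re.I)
ADDR_RE = re.compile(r"address\s+([0-9a-f]+)\s+found in", re.I)
ROOT_RE = re.compile(r"_DPH_HEAP_ROOT\s+@\s+([0-9a-f]+)", re.I)
STATE_RE = re.compile(r"in\s+(free-ed|busy)\s+allocation", re.I)


def parse_page_heap(text):
    """Parse one '!heap -p -a' record into {address, heap_root, state, frames}."""
    rec = {"address": None, "heap_root": None, "state": None, "frames": []}
    for line in text.splitlines():
        if m := ADDR_RE.search(line):
            rec["address"] = int(m.group(1), 16)
        elif m := ROOT_RE.search(line):
            rec["heap_root"] = int(m.group(1), 16)
        elif m := STATE_RE.search(line):
            rec["state"] = m.group(1).lower()   # "free-ed" or "busy"
        elif m := FRAME_RE.match(line):         # "***" symbol warnings never match
            rec["frames"].append((int(m.group(1), 16), m.group(2)))
    if None in (rec["address"], rec["heap_root"], rec["state"]):
        raise ValueError("incomplete !heap -p -a record")
    return rec


def classify(rec):
    """A fault on a block that page heap reports as free-ed is a use-after-free."""
    return "use-after-free" if rec["state"] == "free-ed" else "live allocation"


def first_app_frame(rec):
    """First frame outside allocator/CRT modules: where the app itself freed (or allocated) it."""
    for _, sym in rec["frames"]:
        if sym.split("!", 1)[0].lower() not in ALLOCATOR_MODULES:
            return sym
    return None
```

For the record above this gives "use-after-free" with the free performed from AcroRd32!CTJPEGLibInit+0x0000f6d5, which is the frame to start reversing from.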
Finally, let's look at the call stack at the point where the freed memory is reused.
1:007> kp
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
001fe028 64f7e0d2 AcroRd32!DllCanUnloadNow+0x150524
001fe04c 64f7f3e3 AcroRd32!DllCanUnloadNow+0x14fdab
001fe054 64f7d996 AcroRd32!DllCanUnloadNow+0x1510bc
001fe0a0 64f7c68c AcroRd32!DllCanUnloadNow+0x14f66f
001fe0d0 64f7c50e AcroRd32!DllCanUnloadNow+0x14e365
001fe160 64f7c206 AcroRd32!DllCanUnloadNow+0x14e1e7
001fe170 64f7c1a1 AcroRd32!DllCanUnloadNow+0x14dedf
001fe17c 64ed712e AcroRd32!DllCanUnloadNow+0x14de7a
001fe1a8 64f7ae0e AcroRd32!DllCanUnloadNow+0xa8e07
001fe1d8 64f76d1d AcroRd32!DllCanUnloadNow+0x14cae7
001fe1fc 64f76bf1 AcroRd32!DllCanUnloadNow+0x1489f6
001fe214 64f7434c AcroRd32!DllCanUnloadNow+0x1488ca
001fe2ac 64e2e440 AcroRd32!DllCanUnloadNow+0x146025
001fe2d8 64f73a64 AcroRd32!DllCanUnloadNow+0x119
001fe300 653d38ef AcroRd32!DllCanUnloadNow+0x14573d
001fe37c 653d3b7c AcroRd32!CTJPEGRotateOptions::operator=+0xff7d3
001fe390 653d3eca AcroRd32!CTJPEGRotateOptions::operator=+0xffa60
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\Annots.api
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\Annots.api -
001fe39c 63009a3a AcroRd32!CTJPEGRotateOptions::operator=+0xffdae
001fe3b0 6300a692 Annots!PlugInMain+0x78015
001fe3c8 6300af61 Annots!PlugInMain+0x78c6d
CVE-2013-3346 Adobe Reader and Acrobat Memory Corruption Vulnerability analysis