An exploitable case of parser confusion can lead to invalid pointer arithmetic in part of code responsible for parsing AcroForm forms in the Adobe Acrobat Reader DC 2017.009.20044. A specially crafted PDF file can abuse this unchecked pointer arithmetic to access and overwrite arbitrary memory in the process ultimately leading to arbitrary code execution. In order to trigger this vulnerability, a victim would need to open the malicious file or access a malicious web page.
Adobe Acrobat Reader DC 2017.009.20044
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-823: Use of Out-of-range Pointer Offset
Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability.
AcroForm elements of the PDF are used to define interactive forms that the user can use to input additional data. As part of AcroForm resource dictionary, various objects can be specified to be used by the form, such as fonts, encodings and so on. One of the encodings can be
PDFDocEncoding which is used for specifically encoded strings.
Usually, PDFDocEncoding object will consist of an array of
Differences which define differences of this specific encoding from the defined or implicit base encoding. In Adobe Reader, if
PDFDocEncoding object has it’s base encoding defined as
WinAnsiEncoding (which shouldn’t ever be the case in regular files), a parser can be tricked into using a direct differences offset value as an offset to a pointer creating an out of bounds memory access condition. For example:
5 0 obj /DR /Encoding /PDFDocEncoding 6 0 R >> >>
endobj 6 0 obj /Type /Encoding /BaseEncoding /WinAnsiEncoding /Differences [ -247381695 /a ] endobj
In the above excerpt from our PoC for this issue, object 5 is of
AcroForm type and its resource dictionary refers to object 6 as
PDFDocEncoding object. Object 6 in turn defines base encoding and malformed differences. The value -247381695 (or 0xf1414141 hex) will end up being used as a pointer offset in a memory write instruction. This can be simply observed in the following crash information:
(1998.211c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. WARNING: Unable to verify checksum for C:\Program Files\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api - eax=21100061 ebx=00000000 ecx=21105cc0 edx=0a2d4ff8 esi=00000001 edi=f1414141 eip=20a77eeb esp=0012e614 ebp=0012e654 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 AcroForm!DllUnregisterServer+0x316be: 20a77eeb 66890479 mov word ptr [ecx+edi*2],ax ds:0023:0392df42=????
Note that at the time of the crash,
ecx points to valid memory, but
edi contains the specified value. A value being written (in register
ax) is also under our control and is 0x0061 in this case (ASCII for
Finally, by adding more differences entries in the
Differences array, the out of bound write can be repeated arbitrary many times.
By abusing this, effectively arbitrary, write anywhere primitive, process can be manipulated into achieving arbitrary code execution.
2017-06-09 - Vendor Disclosure
2017-08-08 - Public Release
Discovered by Aleksandar Nikolic of Cisco Talos.