Talos Vulnerability Report

TALOS-2023-1905

Adobe Acrobat Reader Font CPAL numColorRecords out-of-bounds read vulnerability

February 15, 2024
CVE NUMBER

CVE-2024-20735

SUMMARY

An out-of-bounds read vulnerability exists in the font file processing functionality of Adobe Acrobat Reader 2023.006.20380. A specially crafted font file embedded into a PDF can trigger this vulnerability, which can lead to disclosure of sensitive information. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Adobe Acrobat Reader 2023.006.20380

PRODUCT URLS

Acrobat Reader - https://acrobat.adobe.com/us/en/acrobat/pdf-reader.html

CVSSv3 SCORE

6.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-125 - Out-of-bounds Read

DETAILS

Adobe Acrobat Reader is one of the most popular and feature-rich PDF readers on the market. It has a large user base and is often the default PDF reader on a system. It also integrates into web browsers as a plugin for rendering PDFs.

Adobe Acrobat supports parsing of font files embedded in a PDF. This vulnerability is related to the OpenType font format. An OpenType font file starts with a table directory (TableDirectory) followed by one or more table record (TableRecord) entries. The structure of the TableDirectory is as follows:

Offset Size   Name
------ ----- --------------------------------------
0x00    0x04  sfntVersion (0x00010000 or 0x4F54544F)
0x04    0x02  numTables
0x06    0x02  searchRange
0x08    0x02  entrySelector
0x0c    0x02  rangeShift

If the value of the sfntVersion field is 0x00010000, the font contains TrueType data. If the value of sfntVersion is 0x4F54544F ('OTTO'), the font contains CFF data. The numTables field specifies the number of TableRecord entries present in the font file. The structure of a TableRecord entry is as follows:

Offset Size   Name
------ ----- ----------------------------------
0x00    0x04  tableTag
0x04    0x04  tableChecksum
0x08    0x04  tableOffset
0x0C    0x04  tablelength

tableTag is the name of the table the record describes. The tableOffset field specifies the offset of the table from the beginning of the file, and tablelength indicates the length of the table. The structure of each table depends on its type, which is defined by the tableTag. This vulnerability occurs when the value of the tableTag field is the string CPAL, which indicates that the table is the Color Palette Table (CPAL).

CPAL is an optional table that defines a palette of colors for use with color fonts. The CPAL table starts with a header. The structure of the CPAL table header is as follows:

Offset Size         Name
------ --------    --------------------------------------
0x00    0x02        cpalVersion
0x02    0x02        numPaletteEntries
0x04    0x02        numPalettes (np)
0x06    0x02        numColorRecords
0x08    0x04        colorRecordsArrayOffset
0x0C    0x02 * np   colorRecordIndices[numPalettes]

cpalVersion indicates the version of the header. The numPaletteEntries field defines the number of palette entries in each palette. The numPalettes field indicates the number of palettes in the table. The numColorRecords field specifies the number of color records. colorRecordIndices is an array of numPalettes elements; each element, colorRecordIndex, is a uint16 giving the index into the color records at which that palette's entries start. In the application, the following code is responsible for processing a CPAL table:

Breakpoint 0 hit
eax=61554fe8 ebx=6cd409d4 ecx=00000000 edx=61554fe8 esi=5cb68fb0 edi=61554fe8
eip=6cafe424 esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
CoolType!CTCleanup+0x4e014:
6cafe424 6a00            push    0                   
0:000> p
eax=61554fe8 ebx=6cd409d4 ecx=00000000 edx=61554fe8 esi=5cb68fb0 edi=61554fe8
eip=6cafe426 esp=052fd334 ebp=052fd37c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
CoolType!CTCleanup+0x4e016:
6cafe426 ff750c          push    dword ptr [ebp+0Ch]  ss:002b:052fd388=052fd3c8

0:000> dd 5cb68fb0              
5cb68fb0  6ca41cf0 6cc35c30 6cc35ac0 6ca44f10
5cb68fc0  6cc35a60 6cc35b40 6ca44fd0 6cc35aa0
5cb68fd0  6ca414e0 6ca41cb0 00000000 6cc359d0
5cb68fe0  6cc35a10 00000000 00000000 00000000
5cb68ff0  6cd409d4 545c2fa0 0000005a 00000000
5cb69000  ???????? ???????? ???????? ????????
5cb69010  ???????? ???????? ???????? ????????
5cb69020  ???????? ???????? ???????? ????????
0:000> db 545c2fa0                                                                  ;<--------------- (1)
545c2fa0  02 01 01 08 17 0f 1e 0b-2d 1c 24 10 16 27 08 01  ........-.$..'..
545c2fb0  04 05 04 03 02 05 0d 19-26 1c 1d 37 23 2b 1d 15  ........&..7#+..
545c2fc0  15 03 04 04 e7 02 30 39-10 02 0e 29 27 1b 00 00  ......09...)'...
545c2fd0  00 02 00 11 ff fc 00 df-01 88 00 00 00 3e 00 00  .............>..
545c2fe0  37 07 1e 01 37 36 33 36-37 3e 01 37 3e 01 37 36  7...76367>.7>.76
545c2ff0  26 23 22 06 07 06 07 06-26 37 d0 d0 d0 d0 d0 d0  &#".....&7......
545c3000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
545c3010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

[...] 
0:000> p
eax=5cb68fb0 ebx=6cd409d4 ecx=0000000f edx=00000004 esi=6ca44f10 edi=61554fe8
eip=6cafe481 esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
CoolType!CTCleanup+0x4e071:
6cafe481 6a06            push    6
0:000> pc
eax=5cb68fb0 ebx=6cd409d4 ecx=6ca44f10 edx=00000004 esi=6ca44f10 edi=61554fe8
eip=6cafe48c esp=052fd32c ebp=052fd37c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
CoolType!CTCleanup+0x4e07c:
6cafe48c ff1530e6c66c    call    dword ptr [CoolType!CTGetVersion+0x1529a0 (6cc6e630)] ds:002b:6cc6e630={ntdll!LdrpValidateUserCallTarget (77a988f0)}
0:000> pc
eax=0d9489e2 ebx=6cd409d4 ecx=6ca44f10 edx=04000005 esi=6ca44f10 edi=61554fe8
eip=6cafe492 esp=052fd32c ebp=052fd37c iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000247
CoolType!CTCleanup+0x4e082:
6cafe492 ffd6            call    esi {CoolType!CTInit+0x218b0 (6ca44f10)}           ; <---------------- (2)
0:000> p
eax=00001e0b ebx=6cd409d4 ecx=0000000b edx=00000006 esi=6ca44f10 edi=61554fe8
eip=6cafe494 esp=052fd32c ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e084:
6cafe494 83c40c          add     esp,0Ch
0:000> p
eax=00001e0b ebx=6cd409d4 ecx=0000000b edx=00000006 esi=6ca44f10 edi=61554fe8
eip=6cafe497 esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
CoolType!CTCleanup+0x4e087:
6cafe497 0fb7c0          movzx   eax,ax
0:000> p
eax=00001e0b ebx=6cd409d4 ecx=0000000b edx=00000006 esi=6ca44f10 edi=61554fe8
eip=6cafe49a esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
CoolType!CTCleanup+0x4e08a:
6cafe49a 8945dc          mov     dword ptr [ebp-24h],eax ss:002b:052fd358=00000050
[...]

0:000> p
eax=00001e0b ebx=6cd409d4 ecx=00001e0b edx=0017c778 esi=6ca44fd0 edi=61554fe8
eip=6cafe4e7 esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e0d7:
6cafe4e7 0f848c010000    je      CoolType!CTCleanup+0x4e269 (6cafe679)   [br=0]
0:000> p
eax=00001e0b ebx=6cd409d4 ecx=00001e0b edx=0017c778 esi=6ca44fd0 edi=61554fe8
eip=6cafe4ed esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e0dd:
6cafe4ed 8b33            mov     esi,dword ptr [ebx]  ds:002b:6cd409d4=6ca41480
0:000> p
eax=00001e0b ebx=6cd409d4 ecx=00001e0b edx=0017c778 esi=6ca41480 edi=61554fe8
eip=6cafe4ef esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e0df:
6cafe4ef 8bce            mov     ecx,esi
0:000> p
eax=00001e0b ebx=6cd409d4 ecx=6ca41480 edx=0017c778 esi=6ca41480 edi=61554fe8
eip=6cafe4f1 esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e0e1:
6cafe4f1 c1e002          shl     eax,2                                         ; <--------------------- (3)
0:000> p
eax=0000782c ebx=6cd409d4 ecx=6ca41480 edx=0017c778 esi=6ca41480 edi=61554fe8
eip=6cafe4f4 esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e0e4:
6cafe4f4 50              push    eax                                            ; <--------------------- (4)
0:000> p
eax=0000782c ebx=6cd409d4 ecx=6ca41480 edx=0017c778 esi=6ca41480 edi=61554fe8
eip=6cafe4f5 esp=052fd334 ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e0e5:
6cafe4f5 53              push    ebx
0:000> p
eax=0000782c ebx=6cd409d4 ecx=6ca41480 edx=0017c778 esi=6ca41480 edi=61554fe8
eip=6cafe4f6 esp=052fd330 ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e0e6:
6cafe4f6 ff1530e6c66c    call    dword ptr [CoolType!CTGetVersion+0x1529a0 (6cc6e630)] ds:002b:6cc6e630={ntdll!LdrpValidateUserCallTarget (77a988f0)}
0:000> p
eax=0d948290 ebx=6cd409d4 ecx=6ca41480 edx=10010400 esi=6ca41480 edi=61554fe8
eip=6cafe4fc esp=052fd330 ebp=052fd37c iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000247
CoolType!CTCleanup+0x4e0ec:
6cafe4fc ffd6            call    esi {CoolType!CTInit+0x1de20 (6ca41480)}    ; <--------------------- (5)
0:000> p
eax=5aeca7d0 ebx=6cd409d4 ecx=0000782c edx=00000000 esi=6ca41480 edi=61554fe8
eip=6cafe4fe esp=052fd330 ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e0ee:
6cafe4fe 837df400        cmp     dword ptr [ebp-0Ch],0 ss:002b:052fd370=00001e0b
0:000> dd 5aeca7d0                                                           <--------------------- (6)
5aeca7d0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
5aeca7e0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
5aeca7f0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
5aeca800  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
5aeca810  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
5aeca820  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
5aeca830  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
5aeca840  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0

At (1) we can observe the content of the CPAL table. The method called at (2) reads the numColorRecords field of the CPAL table (0x1e0b in this run). At (3), the size of the vulnerable buffer, which we call colorRecordBuf, is calculated as 4 * numColorRecords (a shift left by 2, giving 0x782c). The malloc function is called at (5), and its size argument is the eax value pushed at (4). At (6), we examine colorRecordBuf after the call to malloc.

0:000> g
Breakpoint 1 hit
eax=5aeca7d0 ebx=6cd409d4 ecx=d22f7c40 edx=5aeca7d1 esi=2d1c2413 edi=5cb68fb0
eip=6cafe521 esp=052fd338 ebp=052fd37c iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
CoolType!CTCleanup+0x4e111:
6cafe521 8bd9            mov     ebx,ecx
0:000> p
eax=5aeca7d0 ebx=d22f7c40 ecx=d22f7c40 edx=5aeca7d1 esi=2d1c2413 edi=5cb68fb0
eip=6cafe523 esp=052fd338 ebp=052fd37c iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
CoolType!CTCleanup+0x4e113:
6cafe523 8d46fd          lea     eax,[esi-3]                                          <--------------------- (7)
0:000> p
eax=2d1c2410 ebx=d22f7c40 ecx=d22f7c40 edx=5aeca7d1 esi=2d1c2413 edi=5cb68fb0
eip=6cafe526 esp=052fd338 ebp=052fd37c iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
CoolType!CTCleanup+0x4e116:
6cafe526 8b7708          mov     esi,dword ptr [edi+8] ds:002b:5cb68fb8=6cc35ac0
0:000> u 6cafe526 L40
CoolType!CTCleanup+0x4e116:
6cafe526 8b7708          mov     esi,dword ptr [edi+8]
6cafe529 50              push    eax
6cafe52a ff750c          push    dword ptr [ebp+0Ch]
6cafe52d 8bce            mov     ecx,esi
6cafe52f 57              push    edi
6cafe530 ff1530e6c66c    call    dword ptr [CoolType!CTGetVersion+0x1529a0 (6cc6e630)]
6cafe536 ffd6            call    esi
6cafe538 8b4dfc          mov     ecx,dword ptr [ebp-4]
6cafe53b 83c40c          add     esp,0Ch
6cafe53e 8841ff          mov     byte ptr [ecx-1],al
6cafe541 8d040b          lea     eax,[ebx+ecx]
6cafe544 8b7708          mov     esi,dword ptr [edi+8]
6cafe547 8bce            mov     ecx,esi
6cafe549 50              push    eax
6cafe54a ff750c          push    dword ptr [ebp+0Ch]
6cafe54d 57              push    edi
6cafe54e ff1530e6c66c    call    dword ptr [CoolType!CTGetVersion+0x1529a0 (6cc6e630)]
6cafe554 ffd6            call    esi
6cafe556 8b4dfc          mov     ecx,dword ptr [ebp-4]
6cafe559 83c40c          add     esp,0Ch
6cafe55c 8801            mov     byte ptr [ecx],al
6cafe55e 8b45f8          mov     eax,dword ptr [ebp-8]
6cafe561 8b7708          mov     esi,dword ptr [edi+8]
6cafe564 48              dec     eax
6cafe565 50              push    eax
6cafe566 ff750c          push    dword ptr [ebp+0Ch]
6cafe569 8bce            mov     ecx,esi
6cafe56b 57              push    edi
6cafe56c ff1530e6c66c    call    dword ptr [CoolType!CTGetVersion+0x1529a0 (6cc6e630)]
6cafe572 ffd6            call    esi
6cafe574 8b4dfc          mov     ecx,dword ptr [ebp-4]
6cafe577 83c40c          add     esp,0Ch
6cafe57a ff75f8          push    dword ptr [ebp-8]
6cafe57d 884101          mov     byte ptr [ecx+1],al
6cafe580 ff750c          push    dword ptr [ebp+0Ch]
6cafe583 8b7708          mov     esi,dword ptr [edi+8]
6cafe586 8bce            mov     ecx,esi
6cafe588 57              push    edi
6cafe589 ff1530e6c66c    call    dword ptr [CoolType!CTGetVersion+0x1529a0 (6cc6e630)]
6cafe58f ffd6            call    esi
6cafe591 8b4dfc          mov     ecx,dword ptr [ebp-4]
6cafe594 83c40c          add     esp,0Ch
6cafe597 8b75f8          mov     esi,dword ptr [ebp-8]
6cafe59a 83c604          add     esi,4
6cafe59d 8975f8          mov     dword ptr [ebp-8],esi
6cafe5a0 884102          mov     byte ptr [ecx+2],al
6cafe5a3 83c104          add     ecx,4
6cafe5a6 836df401        sub     dword ptr [ebp-0Ch],1
6cafe5aa 894dfc          mov     dword ptr [ebp-4],ecx
6cafe5ad 0f8570ffffff    jne     CoolType!CTCleanup+0x4e113 (6cafe523)
[...]
0:000> p
eax=00000000 ebx=d22f7c40 ecx=5aeca7d5 edx=11511004 esi=2d1c2417 edi=5cb68fb0
eip=6cafe5aa esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e19a:
6cafe5aa 894dfc          mov     dword ptr [ebp-4],ecx ss:002b:052fd378=5aeca7d1
0:000> p
eax=00000000 ebx=d22f7c40 ecx=5aeca7d5 edx=11511004 esi=2d1c2417 edi=5cb68fb0
eip=6cafe5ad esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e19d:
6cafe5ad 0f8570ffffff    jne     CoolType!CTCleanup+0x4e113 (6cafe523)   [br=1]  <-------------------- (8)

0:000> dd 5aeca7d0 
5aeca7d0  00000000 c0c0c0c0 c0c0c0c0 c0c0c0c0
5aeca7e0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
5aeca7f0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
5aeca800  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
5aeca810  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
5aeca820  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
5aeca830  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
5aeca840  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
0:000> bp 6CAFE5B3 
breakpoint 2 redefined
0:000> g
Breakpoint 2 hit
eax=00000000 ebx=d22f7c40 ecx=5aed1ffd edx=11511004 esi=2d1c9c3f edi=5cb68fb0
eip=6cafe5b3 esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4e1a3:
6cafe5b3 8b7de8          mov     edi,dword ptr [ebp-18h] ss:002b:052fd364=61554fe8
0:000> dd 5aeca7d0 
5aeca7d0  00000000 00000000 00000000 00000000
5aeca7e0  00000000 00000000 00000000 00000000
5aeca7f0  00000000 00000000 00000000 00000000
5aeca800  00000000 00000000 00000000 00000000
5aeca810  00000000 00000000 00000000 00000000
5aeca820  00000000 00000000 00000000 00000000
5aeca830  00000000 00000000 00000000 00000000
5aeca840  00000000 00000000 00000000 00000000

In the code above, a loop runs from (7) to (8); each iteration writes one 4-byte color record, so it fills colorRecordBuf with 4 * numColorRecords bytes in total.

eax=56e70220 ebx=6cd409d4 ecx=0000170f edx=00000108 esi=6ca41480 edi=5cb68fb0
eip=6cafe5e3 esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e1d3:
6cafe5e3 6a0c            push    0Ch
0:000> p
eax=56e70220 ebx=6cd409d4 ecx=0000170f edx=00000108 esi=6ca41480 edi=5cb68fb0
eip=6cafe5e5 esp=052fd334 ebp=052fd37c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e1d5:
6cafe5e5 58              pop     eax
0:000> p
eax=0000000c ebx=6cd409d4 ecx=0000170f edx=00000108 esi=6ca41480 edi=5cb68fb0
eip=6cafe5e6 esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e1d6:
6cafe5e6 8945f4          mov     dword ptr [ebp-0Ch],eax ss:002b:052fd370=00000000
0:000> p
eax=0000000c ebx=6cd409d4 ecx=0000170f edx=00000108 esi=6ca41480 edi=5cb68fb0
eip=6cafe5e9 esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e1d9:
6cafe5e9 33db            xor     ebx,ebx
0:000> p
eax=0000000c ebx=00000000 ecx=0000170f edx=00000108 esi=6ca41480 edi=5cb68fb0
eip=6cafe5eb esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4e1db:
6cafe5eb 85d2            test    edx,edx
0:000> p
eax=0000000c ebx=00000000 ecx=0000170f edx=00000108 esi=6ca41480 edi=5cb68fb0
eip=6cafe5ed esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e1dd:
6cafe5ed 7439            je      CoolType!CTCleanup+0x4e218 (6cafe628)   [br=0]
0:000> p
eax=0000000c ebx=00000000 ecx=0000170f edx=00000108 esi=6ca41480 edi=5cb68fb0
eip=6cafe5ef esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e1df:
6cafe5ef 8b770c          mov     esi,dword ptr [edi+0Ch] ds:002b:5cb68fbc=6ca44f10  ;<-------------------------- (9)
0:000> p
eax=0000000c ebx=00000000 ecx=0000170f edx=00000108 esi=6ca44f10 edi=5cb68fb0
eip=6cafe5f2 esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e1e2:
6cafe5f2 8bce            mov     ecx,esi
0:000> p
eax=0000000c ebx=00000000 ecx=6ca44f10 edx=00000108 esi=6ca44f10 edi=5cb68fb0
eip=6cafe5f4 esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e1e4:
6cafe5f4 50              push    eax
0:000> p
eax=0000000c ebx=00000000 ecx=6ca44f10 edx=00000108 esi=6ca44f10 edi=5cb68fb0
eip=6cafe5f5 esp=052fd334 ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e1e5:
6cafe5f5 ff750c          push    dword ptr [ebp+0Ch]  ss:002b:052fd388=052fd3c8
0:000> p
eax=0000000c ebx=00000000 ecx=6ca44f10 edx=00000108 esi=6ca44f10 edi=5cb68fb0
eip=6cafe5f8 esp=052fd330 ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e1e8:
6cafe5f8 57              push    edi
0:000> p
eax=0000000c ebx=00000000 ecx=6ca44f10 edx=00000108 esi=6ca44f10 edi=5cb68fb0
eip=6cafe5f9 esp=052fd32c ebp=052fd37c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e1e9:
6cafe5f9 ff1530e6c66c    call    dword ptr [CoolType!CTGetVersion+0x1529a0 (6cc6e630)] ds:002b:6cc6e630={ntdll!LdrpValidateUserCallTarget (77a988f0)}
0:000> p
eax=0d9489e2 ebx=00000000 ecx=6ca44f10 edx=04000005 esi=6ca44f10 edi=5cb68fb0
eip=6cafe5ff esp=052fd32c ebp=052fd37c iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000247
CoolType!CTCleanup+0x4e1ef:
6cafe5ff ffd6            call    esi {CoolType!CTInit+0x218b0 (6ca44f10)}       ;<-------------------------- (10)  
0:000> p
eax=00001627 ebx=00000000 ecx=00000027 edx=0000000c esi=6ca44f10 edi=5cb68fb0
eip=6cafe601 esp=052fd32c ebp=052fd37c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e1f1:
6cafe601 8b4dd4          mov     ecx,dword ptr [ebp-2Ch] ss:002b:052fd350=5aeca7d0
0:000> p
eax=00001627 ebx=00000000 ecx=5aeca7d0 edx=0000000c esi=6ca44f10 edi=5cb68fb0
eip=6cafe604 esp=052fd32c ebp=052fd37c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e1f4:
6cafe604 03c3            add     eax,ebx                                        ;<----------------------------- (11)
0:000> p
eax=00001627 ebx=00000000 ecx=5aeca7d0 edx=0000000c esi=6ca44f10 edi=5cb68fb0
eip=6cafe606 esp=052fd32c ebp=052fd37c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e1f6:
6cafe606 8b55cc          mov     edx,dword ptr [ebp-34h] ss:002b:052fd348=56e70220
0:000> p
eax=00001627 ebx=00000000 ecx=5aeca7d0 edx=56e70220 esi=6ca44f10 edi=5cb68fb0
eip=6cafe609 esp=052fd32c ebp=052fd37c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e1f9:
6cafe609 83c40c          add     esp,0Ch
0:000> p
eax=00001627 ebx=00000000 ecx=5aeca7d0 edx=56e70220 esi=6ca44f10 edi=5cb68fb0
eip=6cafe60c esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
CoolType!CTCleanup+0x4e1fc:
6cafe60c 8b0481          mov     eax,dword ptr [ecx+eax*4] ds:002b:5aed006c=00000000   <------------------- (12)
0:000> u
CoolType!CTCleanup+0x4e1fc:
6cafe60c 8b0481          mov     eax,dword ptr [ecx+eax*4]
6cafe60f 8b4df8          mov     ecx,dword ptr [ebp-8]
6cafe612 89048a          mov     dword ptr [edx+ecx*4],eax
6cafe615 41              inc     ecx
6cafe616 8b45f4          mov     eax,dword ptr [ebp-0Ch]
6cafe619 43              inc     ebx
6cafe61a 894df8          mov     dword ptr [ebp-8],ecx
6cafe61d 3b5df0          cmp     ebx,dword ptr [ebp-10h]                      ;<------------------------ (13)

In the code above, a loop iterates over the colorRecordIndices array. The call at (10) reads an element of the array (0x1627 in this run). The index is calculated at (11) by adding eax and ebx, where eax is that element and ebx is a counter that does not exceed numPaletteEntries; at (13), the value of ebx is compared against numPaletteEntries. At (12), the calculated index is used to read a 4-byte entry of colorRecordBuf ([ecx+eax*4]) without any validation against numColorRecords.

This vulnerability occurs when the value of max(colorRecordIndices) + numPaletteEntries, where max(colorRecordIndices) is the largest element in the array, is greater than numColorRecords: the read at (12) then lands past the end of the 4 * numColorRecords byte buffer. This can be observed in a debugger at the time of the crash:

(23c0.14dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000261c ebx=00000000 ecx=5aeca7d0 edx=56e70220 esi=6ca44f10 edi=5cb68fb0
eip=6cafe60c esp=052fd338 ebp=052fd37c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
CoolType!CTCleanup+0x4e1fc:
6cafe60c 8b0481          mov     eax,dword ptr [ecx+eax*4] ds:002b:5aed4040=????????
0:000> u
CoolType!CTCleanup+0x4e1fc:
6cafe60c 8b0481          mov     eax,dword ptr [ecx+eax*4]
6cafe60f 8b4df8          mov     ecx,dword ptr [ebp-8]
6cafe612 89048a          mov     dword ptr [edx+ecx*4],eax
6cafe615 41              inc     ecx
6cafe616 8b45f4          mov     eax,dword ptr [ebp-0Ch]
6cafe619 43              inc     ebx
6cafe61a 894df8          mov     dword ptr [ebp-8],ecx
6cafe61d 3b5df0          cmp     ebx,dword ptr [ebp-10h]
0:000> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 052fd37c 6caf72f9     6cd409d4 052fd3c8 5cb68fb0 CoolType!CTCleanup+0x4e1fc
01 052fd3dc 6caf70d5     00000000 afffd717 45850bd8 CoolType!CTCleanup+0x46ee9
02 052fd430 6caf52b1     00000000 00000000 5bbbafd0 CoolType!CTCleanup+0x46cc5
03 052fd444 6cb15778     00000000 052fd494 6cc1be24 CoolType!CTCleanup+0x44ea1
04 052fd450 6cc1be24     00000000 afffd7b3 3c86eda8 CoolType!CTCleanup+0x65368
05 052fd494 6cf12907     45850bd8 00000000 052fd4d4 CoolType!CTGetVersion+0x100194
06 052fd4f4 6cde0f97     5bf768d8 052fd718 171e88bb AGM!AGMGetVersion+0xc1257
07 052fdad0 6cddef64     42374954 54398f70 5bf768d8 AGM!AGMInitialize+0x37997
08 052fdc94 6cddcd22     42374954 54398f70 171e8ebf AGM!AGMInitialize+0x35964
09 052fdcd4 6cdfb44b     42374954 54398f70 5a904ff0 AGM!AGMInitialize+0x33722
0a 052fdcf8 6cddbc10     00000301 6cdfb005 54398f70 AGM!AGMInitialize+0x51e4b
0b 052fdd00 6cdfb005     54398f70 45f13d00 45f13d18 AGM!AGMInitialize+0x32610
0c 052fdd20 6ce0b2bf     54398f70 171e8fe7 45f13d18 AGM!AGMInitialize+0x51a05
0d 052fdd8c 6cdfaa84     54398f70 171e8faf 52eeaf58 AGM!AGMInitialize+0x61cbf
0e 052fddc4 6d6bc7f2     5aa72d90 5aa72e94 052fdddc AGM!AGMInitialize+0x51484
0f 052fdde0 6d6babec     52eeaf84 909142a4 00000000 AcroRd32!CTJPEGReader::operator=+0xa6f52
10 052fde40 6d6cb022     90914260 00000000 52eeaf58 AcroRd32!CTJPEGReader::operator=+0xa534c
11 052fde84 6d6b8fa0     90914230 555caf78 52eeaf58 AcroRd32!CTJPEGReader::operator=+0xb5782
12 052fded4 6d6b8e48     909143f8 555caf78 052fdfc4 AcroRd32!CTJPEGReader::operator=+0xa3700
13 052fdf1c 6d6b8d23     052fdf38 9091436c 52edaff8 AcroRd32!CTJPEGReader::operator=+0xa35a8
14 052fdf88 6d6b8b77     052fdfc4 53cdcff0 3fc38e00 AcroRd32!CTJPEGReader::operator=+0xa3483
15 052fdfe8 6d6b6b02     53cdcff0 6d6bca30 52edaff8 AcroRd32!CTJPEGReader::operator=+0xa32d7
16 052fe0e0 6d6b5c82     52edaff8 90917d6c 5bf60d88 AcroRd32!CTJPEGReader::operator=+0xa1262
17 052fe188 6d6b3fd3     52edaff8 052fe34c 909178e4 AcroRd32!CTJPEGReader::operator=+0xa03e2
18 052fe400 6d6b3d5e     00000002 56ae51fa 909178b8 AcroRd32!CTJPEGReader::operator=+0x9e733
19 052fe45c 6d66a500     00000002 56ae51fa 90917bf8 AcroRd32!CTJPEGReader::operator=+0x9e4be
1a 052fe71c 6d6692a8     54b4bef0 052fe7b0 052fe800 AcroRd32!CTJPEGReader::operator=+0x54c60
1b 052fe820 6d66841f     54b4bef0 052fe94c 00000000 AcroRd32!CTJPEGReader::operator=+0x53a08
1c 052fe970 6d6674ba     54b4bef0 052feac8 00000000 AcroRd32!CTJPEGReader::operator=+0x52b7f
1d 052fe9d0 6d667220     54b4bef0 052feac8 00000000 AcroRd32!CTJPEGReader::operator=+0x51c1a
1e 052fea54 6d665580     54b4bef0 052feac8 00000000 AcroRd32!CTJPEGReader::operator=+0x51980
1f 052feb2c 6d664f54     00000001 00000000 9091776c AcroRd32!CTJPEGReader::operator=+0x4fce0
20 052feb88 6d664d05     5c6f3ef0 00000001 90917708 AcroRd32!CTJPEGReader::operator=+0x4f6b4
21 052febec 6d664aaf     052fece0 909171e4 60fbcf88 AcroRd32!CTJPEGReader::operator=+0x4f465
22 052fed00 6d4f1897     0000000f 6d4f17c0 60fbcf88 AcroRd32!CTJPEGReader::operator=+0x4f20f
23 052fed18 6d4f1720     0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0x36c77
24 052fed38 75fb0eab     00080104 0000000f 00000000 AcroRd32!DllCanUnloadNow+0x36b00
25 052fed64 75fa7e5a     6d4f1650 00080104 0000000f USER32!_InternalCallWinProc+0x2b
26 052fee48 75fa7a5a     6d4f1650 00000000 0000000f USER32!UserCallWinProcCheckWow+0x33a
27 052feeac 75fab61f     0aedb690 00000000 0000000f USER32!DispatchClientMessage+0xea
28 052feee8 77a8508d     052fef04 00000020 052fef70 USER32!__fnDWORD+0x3f
29 052fef20 7675136c     75fa5b61 052fefc0 83d07ccb ntdll!KiUserCallbackDispatcher+0x4d
2a 052fef24 75fa5b61     052fefc0 83d07ccb 1d37dda8 win32u!NtUserDispatchMessage+0xc
2b 052fef80 75fa5990     0000000f 052fefa4 6d504773 USER32!DispatchMessageWorker+0x1c1
2c 052fef8c 6d504773     052fefc0 1d37dda8 1d37dda8 USER32!DispatchMessageW+0x10
2d 052fefa4 6d50445e     052fefc0 90916cfc 1d37dda8 AcroRd32!DllCanUnloadNow+0x49b53
2e 052ff018 6d504289     90916cb4 1d37dda8 00000000 AcroRd32!DllCanUnloadNow+0x4983e
2f 052ff050 6d483043     90916c20 0d44aff8 00000000 AcroRd32!DllCanUnloadNow+0x49669
30 052ff0c4 6d482a5f     6d2e0000 00af0000 0d44aff8 AcroRd32!AcroWinMainSandbox+0x773
31 052ff4e8 00cd59d0     6d2e0000 00af0000 0d44aff8 AcroRd32!AcroWinMainSandbox+0x18f
32 052ff89c 00d21efa     00af0000 00000000 08be0050 AcroRd32_exe!IsSandboxedProcess+0x126030
33 052ff8e8 76eefcc9     0512a000 76eefcb0 052ff954 AcroRd32_exe!AcroRd32IsBrokerProcess+0x1d54a
34 052ff8f8 77a77c6e     0512a000 43d13409 00000000 KERNEL32!BaseThreadInitThunk+0x19
35 052ff954 77a77c3e     ffffffff 77a98c39 00000000 ntdll!__RtlUserThreadStart+0x2f
36 052ff964 00000000     00cd1640 0512a000 00000000 ntdll!_RtlUserThreadStart+0x1b

In the debugger output above, the crash occurs because the calculated index (0x261c) is greater than numColorRecords, so the read at (12) is resolved to an unmapped address beyond colorRecordBuf. Using this vulnerability, it is possible to read arbitrary memory of the process. Because of complex interactions between the PDF reader and its font subcomponents, especially in the presence of a JavaScript engine, it is possible that sensitive contents of arbitrary memory could be disclosed, which could aid in further exploitation and exploit mitigation bypass.
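The header layout and the trigger condition above are enough to write the check that the application lacks. The following C code is an added example, not Adobe's code or part of the original report: it parses a CPAL header and its colorRecordIndices from a byte buffer, rejects any table in which a colorRecordIndex plus numPaletteEntries exceeds numColorRecords before any color record is indexed, and builds two constructed sample tables to exercise both outcomes. All function, struct and enum names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Status codes used by this example (names are ours, not Adobe's or the spec's). */
enum cpal_status { CPAL_OK = 0, CPAL_ERR_TRUNCATED, CPAL_ERR_RECORDS_OUTSIDE,
                   CPAL_ERR_INDEX_OVERFLOW, CPAL_ERR_BAD_ARGUMENT };

typedef struct { uint16_t cpalVersion, numPaletteEntries, numPalettes, numColorRecords;
                 uint32_t colorRecordsArrayOffset; } cpal_header;

/* OpenType integers are big-endian. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* Parse the CPAL header plus colorRecordIndices[numPalettes] and reject any table
 * whose indices could read past the 4 * numColorRecords byte colour record buffer. */
int cpal_validate(const uint8_t *tbl, size_t len, cpal_header *out)
{
    cpal_header h;
    if (len < 12) return CPAL_ERR_TRUNCATED;
    h.cpalVersion = be16(tbl);      h.numPaletteEntries = be16(tbl + 2);
    h.numPalettes = be16(tbl + 4);  h.numColorRecords   = be16(tbl + 6);
    h.colorRecordsArrayOffset = be32(tbl + 8);
    if (12 + (size_t)h.numPalettes * 2 > len) return CPAL_ERR_TRUNCATED;
    /* 64-bit arithmetic so a huge offset cannot wrap the comparison on 32-bit builds. */
    if ((uint64_t)h.colorRecordsArrayOffset + (uint64_t)h.numColorRecords * 4 > len)
        return CPAL_ERR_RECORDS_OUTSIDE;
    /* The check the report shows missing: a palette reads numPaletteEntries consecutive
     * records starting at its colorRecordIndex, so that whole window must fit. */
    for (uint16_t i = 0; i < h.numPalettes; i++) {
        uint32_t idx = be16(tbl + 12 + (size_t)i * 2);
        if (idx + h.numPaletteEntries > h.numColorRecords) return CPAL_ERR_INDEX_OVERFLOW;
    }
    if (out) *out = h;
    return CPAL_OK;
}

/* Fetch entry `entry` of palette `palette`. The record index is formed as at steps
 * (11)/(12) of the report (colorRecordIndex + counter, scaled by 4), but only after
 * validation has bounded it. Copies the 4-byte BGRA record into `bgra`. */
int cpal_get_color(const uint8_t *tbl, size_t len, uint16_t palette, uint16_t entry, uint8_t bgra[4])
{
    cpal_header h; int st = cpal_validate(tbl, len, &h);
    if (st != CPAL_OK) return st;
    if (palette >= h.numPalettes || entry >= h.numPaletteEntries) return CPAL_ERR_BAD_ARGUMENT;
    uint32_t idx = (uint32_t)be16(tbl + 12 + (size_t)palette * 2) + entry; /* < numColorRecords */
    memcpy(bgra, tbl + h.colorRecordsArrayOffset + (size_t)idx * 4, 4);
    return CPAL_OK;
}

/* Build a constructed CPAL version 0 table (sample data, not from any real font) with the
 * given counts and colorRecordIndices; record r holds bytes r,r,r,0xff so a lookup is easy
 * to verify. Returns the table length, or 0 if `cap` is too small. */
size_t cpal_build(uint8_t *buf, size_t cap, uint16_t entries, uint16_t palettes, uint16_t records,
                  const uint16_t *indices)
{
    size_t rec_off = 12 + (size_t)palettes * 2, total = rec_off + (size_t)records * 4;
    if (total > cap) return 0;
    memset(buf, 0, total);
    put16(buf + 2, entries); put16(buf + 4, palettes); put16(buf + 6, records);
    put32(buf + 8, (uint32_t)rec_off);
    for (uint16_t i = 0; i < palettes; i++) put16(buf + 12 + (size_t)i * 2, indices[i]);
    for (uint16_t r = 0; r < records; r++) {
        uint8_t *rec = buf + rec_off + (size_t)r * 4;
        rec[0] = rec[1] = rec[2] = (uint8_t)r; rec[3] = 0xff;
    }
    return total;
}

/* Two palettes of two entries over four records, indices {0, 2}: both windows fit.
 * Palette 1, entry 1 is record 2 + 1 = 3, so the first byte read back is 3. */
int demo_lookup_byte(void)
{
    const uint16_t idx[2] = { 0, 2 }; uint8_t buf[64], c[4];
    size_t len = cpal_build(buf, sizeof buf, 2, 2, 4, idx);
    return cpal_get_color(buf, len, 1, 1, c) == CPAL_OK ? c[0] : -1;
}

/* Same layout with indices {0, 3}: 3 + 2 > 4 is exactly the report's trigger condition
 * (max(colorRecordIndices) + numPaletteEntries > numColorRecords), so the table is
 * rejected instead of being indexed past the end of the buffer. */
int demo_trigger_condition(void)
{
    const uint16_t idx[2] = { 0, 3 }; uint8_t buf[64];
    size_t len = cpal_build(buf, sizeof buf, 2, 2, 4, idx);
    return cpal_validate(buf, len, NULL);
}

/* Prints the looked-up byte (3) and the status of the malformed table (CPAL_ERR_INDEX_OVERFLOW). */
int main(void) { printf("byte %d, status %d\n", demo_lookup_byte(), demo_trigger_condition()); return 0; }
```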

VENDOR RESPONSE

The vendor released a security bulletin at https://helpx.adobe.com/security/products/acrobat/apsb24-07.html. Patches can be found linked from this site.

TIMELINE

2023-12-19 - Vendor Disclosure
2024-02-13 - Vendor Patch Release
2024-02-15 - Public Release

CREDIT

Discovered by KPC of Cisco Talos.