The following access violation was observed in Adobe Reader X and XI for Windows:
(14e0.1488): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1cfbefcc ebx=00000000 ecx=c0c0c0c0 edx=1dcd2968 esi=1a8fb280 edi=65fcf1dc
eip=658c20d9 esp=0021e124 ebp=0021e14c iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
AcroForm+0x20d9:
658c20d9 ff4904 dec dword ptr [ecx+4] ds:0023:c0c0c0c4=????????
0:000> u @$scopeip-6
AcroForm+0x20d3:
658c20d3 8b0e mov ecx,dword ptr [esi]
658c20d5 85c9 test ecx,ecx
658c20d7 740b je AcroForm+0x20e4 (658c20e4)
658c20d9 ff4904 dec dword ptr [ecx+4]
658c20dc 7506 jne AcroForm+0x20e4 (658c20e4)
658c20de 8b01 mov eax,dword ptr [ecx]
658c20e0 6a01 push 1
658c20e2 ff10 call dword ptr [eax]
0:000> dd esi
1a8fb280 c0c0c0c0 00000000 00000000 00000000
1a8fb290 00000000 65ec9008 1632d9dc 00000000
1a8fb2a0 c0c0c0c0 65ec9008 1632d9dc c0c0729e
1a8fb2b0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
1a8fb2c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
1a8fb2d0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
1a8fb2e0 c0c0c0c0 c0c0c0c0 1a8fb380 c0c0c0c0
1a8fb2f0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
0:000> ? esi
Evaluate expression: 445624960 = 1a8fb280
0:000> !heap -p -a esi
address 1a8fb280 found in
_DPH_HEAP_ROOT @ 4a91000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1a743d00: 1a8f0328 ccd8 - 1a8f0000 e000
6bcd8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77085ede ntdll!RtlDebugAllocateHeap+0x00000030
7704a40a ntdll!RtlpAllocateHeap+0x000000c4
77015ae0 ntdll!RtlAllocateHeap+0x0000023a
7313a792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
71473db8 MSVCR90!malloc+0x00000079
658d16c9 AcroForm!PlugInMain+0x0000b5d3
658d1782 AcroForm!PlugInMain+0x0000b68c
658d185e AcroForm!PlugInMain+0x0000b768
658d1260 AcroForm!PlugInMain+0x0000b16a
658d13d5 AcroForm!PlugInMain+0x0000b2df
65bb8bbe AcroForm!DllUnregisterServer+0x0027a076
65bb8c93 AcroForm!DllUnregisterServer+0x0027a14b
65d8e64a AcroForm!DllUnregisterServer+0x0044fb02
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0021e14c 65bd00a6 AcroForm+0x20d9
0021e174 65d49566 AcroForm!DllUnregisterServer+0x29155e
0021e194 65c2b91f AcroForm!DllUnregisterServer+0x40aa1e
00000000 00000000 AcroForm!DllUnregisterServer+0x2ecdd7
Notes:
- Reproduces on Adobe Reader X (10.1.12) and Adobe Reader XI (11.0.09) for Windows, on Windows 7, with Application Verifier enabled.
- The ESI register points into a busy heap allocation which is partially filled with 0xc0 bytes, the fill pattern Application Verifier's page heap writes into freshly allocated, uninitialized memory.
- The type of the crash and the memory context suggest that this is a use-after-free vulnerability: object fields and methods are accessed from memory which has been freed and assigned to some other allocation.
- In some cases, the application crashes inside a virtual method belonging to another class. This implies that another (incompatible) object is allocated in the memory in question after the "free" but before the "use", which illustrates the degree to which this vulnerability is exploitable.
- Attached samples: signal_sigsegv_f4716324_2848_2913.pdf (crashing file), 2913.pdf (original file).
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
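The following C program is an added illustration, not part of the original report or of Adobe's code. It renders the instruction sequence at AcroForm+0x20d3..0x20e2 as a reference-count release routine (pointer loaded from the structure ESI points at, refcount at offset 4 decremented, vtable slot 0 called with argument 1 when it reaches zero), and replays the note above: the structure is freed, the block is handed to another allocation and refilled with 0xc0, and the stale pointer then reads the fill pattern instead of a real object pointer. All names (Holder, RefObj, sim_alloc, FILL_ALLOC, checked_release) are hypothetical, the single-block allocator is a stand-in for the page heap so that no genuinely freed memory is ever touched, and the 0xC0 fill is assumed to be the page-heap allocation fill that produced ecx=c0c0c0c0 in the dump. The checked_release variant shows the defensive side: a field that still carries the allocator fill pattern is reported as a use-after-free instead of being dereferenced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated page heap: a single reusable block that is filled with FILL_ALLOC
 * on every allocation, standing in for Application Verifier's page heap
 * (assumed fill 0xC0, matching the c0c0c0c0 words in the report). */
#define FILL_ALLOC 0xC0
#define BLOCK_SIZE 64

static union { uint8_t bytes[BLOCK_SIZE]; uintptr_t align; } sim_block;
static int sim_busy;

static void *sim_alloc(size_t n) {
    if (sim_busy || n > BLOCK_SIZE) return NULL;
    sim_busy = 1;
    memset(sim_block.bytes, FILL_ALLOC, BLOCK_SIZE);  /* fresh, uninitialised */
    return sim_block.bytes;
}

static void sim_free(void *p) {
    if (p == sim_block.bytes) sim_busy = 0;   /* block becomes reusable */
}

/* Object layout implied by the 32-bit disassembly: vtable at +0, refcount at +4
 * (on a 64-bit build the refcount offset differs, the logic does not). */
typedef struct RefObj RefObj;
typedef void (*dtor_fn)(RefObj *self, int delete_self);
struct RefObj {
    dtor_fn *vtable;    /* mov eax,[ecx]; call [eax]  -> slot 0 */
    int32_t  refcount;  /* dec dword ptr [ecx+4] */
};

/* The structure ESI points at; its first field is the RefObj pointer. */
typedef struct { RefObj *obj; } Holder;

static int dtor_calls;
static void refobj_dtor(RefObj *self, int delete_self) {
    (void)self; (void)delete_self;
    dtor_calls++;
}
static dtor_fn refobj_vtable[] = { refobj_dtor };

enum { REL_NULL = 0, REL_ALIVE = 1, REL_DESTROYED = 2, REL_UAF_DETECTED = -1 };

/* C rendering of AcroForm+0x20d3..0x20e2 (hypothetical name). */
static int release(Holder *h) {
    RefObj *obj = h->obj;               /* mov ecx,dword ptr [esi] */
    if (obj == NULL) return REL_NULL;   /* test ecx,ecx / je */
    if (--obj->refcount != 0)           /* dec dword ptr [ecx+4] / jne */
        return REL_ALIVE;
    obj->vtable[0](obj, 1);             /* mov eax,[ecx]; push 1; call [eax] */
    return REL_DESTROYED;
}

/* The value an uninitialised pointer field reads as after the page-heap fill. */
uintptr_t poison_word(void) {
    uintptr_t w;
    memset(&w, FILL_ALLOC, sizeof w);
    return w;
}

/* Defensive variant: refuse to dereference a field that still carries the
 * allocator fill pattern. This is exactly what the debugger showed (ecx=c0c0c0c0). */
static int checked_release(Holder *h) {
    if ((uintptr_t)h->obj == poison_word()) return REL_UAF_DETECTED;
    return release(h);
}

/* Normal lifetime: the last release reaches zero and runs the destructor. */
int destroy_path(void) {
    RefObj target = { refobj_vtable, 1 };
    Holder h = { &target };
    return release(&h);                  /* REL_DESTROYED, dtor_calls incremented */
}

/* Replays the report's notes: free, reuse by another allocation, then use. */
int run_scenario(void) {
    RefObj target = { refobj_vtable, 2 };        /* two owners */
    Holder *h = sim_alloc(sizeof *h);
    if (h == NULL) return 100;
    h->obj = &target;
    if (release(h) != REL_ALIVE) return 101;     /* refcount 2 -> 1, object lives */
    Holder *stale = h;                           /* the modelled bug: pointer kept past free */
    sim_free(h);
    uint8_t *other = sim_alloc(32);              /* "assigned to some other allocation" */
    if (other == NULL) return 102;
    int rc = checked_release(stale);             /* [esi] now reads the 0xC0 fill */
    sim_free(other);
    return rc;                                   /* REL_UAF_DETECTED */
}

int main(void) {
    printf("destroy path: %d, stale-release path: %d\n", destroy_path(), run_scenario());
    return 0;
}
```

The unchecked release() on the stale holder is what the crashing build does: it would dereference the fill value and fault, which is the first-chance access violation at the dec instruction. Application Verifier's page heap makes the bug diagnosable precisely because the reused block is refilled with a recognisable pattern rather than left with the old object's contents.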
Attachment: signal_sigsegv_f4716324_2848_2913.pdf (260 KB)