Status: Fixed
Closed: May 2015
Adobe Reader X and XI for Windows out-of-bounds write in CoolType.dll
Project Member Reported by mjurczyk@google.com, Oct 30 2014
The following access violation was observed in Adobe Reader X and XI for Windows:

(1640.1544): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c668000 ebx=00000000 ecx=0c668000 edx=00000000 esi=7fffee47 edi=0c668000
eip=6a861038 esp=002bc038 ebp=002bc060 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
CoolType+0x1038:
6a861038 832000          and     dword ptr [eax],0    ds:0023:0c668000=????????
0:000> !heap -p -a eax
    address 0c668000 found in
    _DPH_HEAP_ROOT @ 50a1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 c4f0c30:          c6581d8             fe28 -          c658000            11000
    73128e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77085ede ntdll!RtlDebugAllocateHeap+0x00000030
    7704a40a ntdll!RtlpAllocateHeap+0x000000c4
    77015ae0 ntdll!RtlAllocateHeap+0x0000023a
    730fa792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
    71473db8 MSVCR90!malloc+0x00000079
0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
002bc060 6a920de3 CoolType+0x1038
002bc088 6a910fd7 CoolType!CTGetVersion+0x19f63
002bc0b8 6a8ec0c0 CoolType!CTGetVersion+0xa157
002bc160 6a86e7f9 CoolType!CTInit+0x37db2
002bc178 6a86fc3f CoolType+0xe7f9
00000000 00000000 CoolType+0xfc3f

Notes:

- Reproduces on Adobe Reader X (10.1.12) and Adobe Reader XI (11.0.09) for Windows, on Windows 7, with Application Verifier enabled.

- The crash occurs after navigating to the ~6th page of the POC document.

- The “EAX” register points at the end boundary of a heap allocation.

- Based on the type of memory reference of the crashing instruction, we can assume this is a heap-based buffer overflow.

- Attached samples: signal_sigsegv_f753bec6_7517_6052.pdf (crashing file), 6052.pdf (original file).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

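Added triage check, not part of the original report: the script below takes the DPH_HEAP_BLOCK row and the faulting instruction from the WinDbg output above and computes where the 4-byte write lands relative to the page-heap allocation, which is the arithmetic behind the note that EAX sits at the end boundary. The excerpted lines are copied from the report; the function names are my own.

```python
import re

# Lines excerpted from the WinDbg session in the report above.
CRASH_INSN = "6a861038 832000          and     dword ptr [eax],0    ds:0023:0c668000=????????"
HEAP_BLOCK = "                                 c4f0c30:          c6581d8             fe28 -          c658000            11000"

ACCESS_WIDTH = {"byte": 1, "word": 2, "dword": 4, "qword": 8}

def parse_fault_address(insn_line):
    """Return (effective address, access width in bytes) from the disassembly line."""
    m = re.search(r"(byte|word|dword|qword) ptr .*?:([0-9a-f]{8})=", insn_line)
    return int(m.group(2), 16), ACCESS_WIDTH[m.group(1)]

def parse_dph_block(line):
    """Return (UserAddr, UserSize) from a DPH_HEAP_BLOCK row printed by '!heap -p -a'."""
    m = re.match(r"\s*[0-9a-f]+:\s+([0-9a-f]+)\s+([0-9a-f]+)\s+-", line)
    return int(m.group(1), 16), int(m.group(2), 16)

def classify_access(addr, width, user_addr, user_size):
    """Locate an access of `width` bytes relative to the allocation [user_addr, user_addr+user_size).

    Returns (kind, offset): offset is relative to the allocation start; kind is
    'in-bounds', 'overflow' (touches bytes at or past the end) or 'underflow' (before the start).
    """
    offset = addr - user_addr
    if offset < 0:
        return "underflow", offset
    if offset + width > user_size:
        return "overflow", offset
    return "in-bounds", offset

def triage(insn=CRASH_INSN, block=HEAP_BLOCK):
    """Combine the faulting instruction and the page-heap block into a triage summary."""
    addr, width = parse_fault_address(insn)
    user_addr, user_size = parse_dph_block(block)
    kind, offset = classify_access(addr, width, user_addr, user_size)
    return {"fault_addr": addr, "width": width, "user_addr": user_addr,
            "user_size": user_size, "kind": kind, "offset": offset,
            "bytes_past_end": max(0, offset + width - user_size)}

if __name__ == "__main__":
    r = triage()
    print(f"{r['kind']}: {r['width']}-byte write at +0x{r['offset']:x} of a "
          f"0x{r['user_size']:x}-byte allocation ({r['bytes_past_end']} bytes past the end)")
```

For this report the write starts exactly at UserAddr + UserSize, so the whole 4-byte store lands past the end of the 0xfe28-byte buffer, which is why page heap faults on it immediately.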
Project Member Comment 1 by mjurczyk@google.com, Oct 30 2014
Attachments: 6052.zip (1.9 MB), signal_sigsegv_f753bec6_7517_6052.zip (2.0 MB)
Project Member Comment 2 by mjurczyk@google.com, Oct 30 2014
Owner: mjurczyk@google.com
Project Member Comment 3 by mjurczyk@google.com, Oct 31 2014
Labels: Id-3109
Project Member Comment 4 by mjurczyk@google.com, Dec 10 2014
Labels: CVE-2014-9160
Project Member Comment 5 by mjurczyk@google.com, Jan 27 2015
The vendor communication timeline is as follows:

10/30/14 Vulnerability is reported to Adobe PSIRT.
10/31/14 Adobe PSIRT confirms reception of the reports and assigns internal case ID (PSIRT-3109).
12/05/14 Adobe PSIRT informs us that the vulnerability would be fixed in next Tuesday's Acrobat and Reader security bulletins, and assigns CVE-2014-9160 for the issue.
12/08/14 Adobe PSIRT sends an update claiming that the issue is fixed for Windows, but the vendor has been unable to introduce a fix in the update for Mac, so the case is kept open until an update is released for Mac.
01/27/15 We send a heads-up to Adobe that the 90 day deadline elapses on the next day and we will remove the view restriction.

We have reproduced the crash on a fully updated Adobe Reader for Mac. We are currently not aware of any mitigations for the vulnerability.
Project Member Comment 6 by mjurczyk@google.com, Jan 29 2015
Labels: -Restrict-View-Commit
Deadline exceeded - automatically derestricting
Comment 7 by cevans@google.com, Feb 9 2015
Labels: Deadline-Exceeded
Comment 8 Deleted
Comment 9 by cevans@google.com, May 12 2015
Labels: Fixed-2015-May-12
Status: Fixed
https://helpx.adobe.com/security/products/reader/apsb15-10.html
Comment 10 Deleted