The following access violation was observed in Adobe Reader X for Windows:
(ec4.654): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000000ff ebx=18160385 ecx=179d5000 edx=00000000 esi=00049230 edi=6514eb86
eip=652f7ad7 esp=0012ed58 ebp=0012ed84 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
AcroRd32_64fe0000!CTJPEGRotateOptions::operator=+0xf7e27:
652f7ad7 8801 mov byte ptr [ecx],al ds:0023:179d5000=??
0:000> !heap -p -a ecx
address 179d5000 found in
_DPH_HEAP_ROOT @ 4a61000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
17a40bfc: 1799e240 36dc0 - 1799e000 38000
70448e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77085ede ntdll!RtlDebugAllocateHeap+0x00000030
7704a40a ntdll!RtlpAllocateHeap+0x000000c4
77015ae0 ntdll!RtlAllocateHeap+0x0000023a
7328a792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
71473db8 MSVCR90!malloc+0x00000079
65001e92 AcroRd32_64fe0000!AVAcroALM_Destroy+0x000137c4
65310f64 AcroRd32_64fe0000!CTJPEGRotateOptions::operator=+0x001112b4
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ed84 652fd1fa AcroRd32_64fe0000!CTJPEGRotateOptions::operator=+0xf7e27
0012ee2c 65310f64 AcroRd32_64fe0000!CTJPEGRotateOptions::operator=+0xfd54a
0012ef2c 64ffdacf AcroRd32_64fe0000!CTJPEGRotateOptions::operator=+0x1112b4
0012ef40 6531211c AcroRd32_64fe0000!AVAcroALM_Destroy+0xf401
0012f344 6557bd45 AcroRd32_64fe0000!CTJPEGRotateOptions::operator=+0x11246c
0012f5c8 650f6046 AcroRd32_64fe0000!PDFLTerm+0x183ac5
00000000 00000000 AcroRd32_64fe0000!DllCanUnloadNow+0xd82a
Notes:
- Reproduces on Adobe Reader X (10.1.12) for Windows, on Windows 7, with Application Verifier enabled. We are unable to reproduce on Adobe Reader XI (11.0.09) in the same configuration.
- The crash occurs when the user opens the “Thumbnails” dialog on the left of the main window.
- The “ECX” register (0x179d5000) points exactly at the end boundary of the busy heap allocation reported by !heap: UserAddr 0x1799e240 + UserSize 0x36dc0 = 0x179d5000, which under full Page Heap is the first byte of the guard page following the block. The faulting instruction stores the byte in AL (0xff) at that address.
- Based on the nature of the crash (a write one byte past the end of a live allocation, caught by the Page Heap guard page), we can assume it is caused by a heap-based buffer overflow condition.
- Attached samples: signal_sigsegv_f6529e93_5762_4873.pdf (crashing file), 4873.pdf (original file).
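As an added triage example (not part of the original report), the script below parses the register line, the faulting instruction and the `!heap -p -a` block line from the WinDbg output above and reports where the store lands relative to the Page Heap block. The sample text is copied from the dump; the 0x1000 page size, the assumption that the DPH guard page is the last page of the reservation, and all function names are mine.

```python
"""Classify a full-page-heap access violation from WinDbg output.

Added example, not code from the original report.  Assumptions: x86 page
size 0x1000 and the Application Verifier layout in which the guard page is
the last page of the DPH reservation (VirtAddr + VirtSize - PAGE).
"""
import re

PAGE = 0x1000  # assumption: x86 page size

# Constructed sample: the relevant lines of the crash dump quoted above.
DUMP = """\
eax=000000ff ebx=18160385 ecx=179d5000 edx=00000000 esi=00049230 edi=6514eb86
652f7ad7 8801 mov byte ptr [ecx],al ds:0023:179d5000=??
0:000> !heap -p -a ecx
address 179d5000 found in
_DPH_HEAP_ROOT @ 4a61000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
17a40bfc: 1799e240 36dc0 - 1799e000 38000
"""

REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})\b")
# "<width> ptr [<reg>],<src> ds:SSSS:<addr>=??" as printed for a faulting store
INSN_RE = re.compile(r"(byte|word|dword) ptr \[(\w+)\],(\w+)\s+ds:[0-9a-f]{4}:([0-9a-f]{8})=\?\?")
# "<hdr>: UserAddr UserSize - VirtAddr VirtSize" line from !heap -p -a
BLOCK_RE = re.compile(r"^\s*[0-9a-f]+:\s+([0-9a-f]+)\s+([0-9a-f]+)\s+-\s+([0-9a-f]+)\s+([0-9a-f]+)\s*$")
WIDTH = {"byte": 1, "word": 2, "dword": 4}


def parse_dump(text):
    """Extract registers, the faulting store and the DPH block description."""
    regs, fault, block = {}, None, None
    for line in text.splitlines():
        for name, val in REG_RE.findall(line):
            regs[name] = int(val, 16)
        m = INSN_RE.search(line)
        if m:
            fault = {"width": WIDTH[m.group(1)], "addr_reg": m.group(2),
                     "src_reg": m.group(3), "addr": int(m.group(4), 16)}
        m = BLOCK_RE.match(line)
        if m:
            ua, us, va, vs = (int(x, 16) for x in m.groups())
            block = {"user_addr": ua, "user_size": us, "virt_addr": va, "virt_size": vs}
    if fault is None or block is None:
        raise ValueError("dump lacks the faulting instruction or the DPH block line")
    return regs, fault, block


def written_value(regs, src_reg):
    """Value the faulting store writes, reconstructed from the register dump."""
    if src_reg in regs:
        return regs[src_reg]
    if len(src_reg) == 2 and src_reg[1] == "l":      # al, bl, cl, dl
        return regs["e" + src_reg[0] + "x"] & 0xff
    if len(src_reg) == 2 and src_reg[1] == "x":      # ax, bx, cx, dx
        return regs["e" + src_reg] & 0xffff
    raise KeyError(src_reg)


def classify(fault_addr, width, block):
    """Locate the accessed bytes [fault_addr, fault_addr+width) relative to the block."""
    first, last = fault_addr, fault_addr + width - 1
    user_end = block["user_addr"] + block["user_size"]
    virt_end = block["virt_addr"] + block["virt_size"]
    guard_start = virt_end - PAGE  # assumed: guard page is the last page of the reservation
    if first < block["virt_addr"] or last >= virt_end:
        return {"kind": "outside-reservation"}
    if first < block["user_addr"]:
        return {"kind": "heap-underflow", "bytes_before_start": block["user_addr"] - first}
    if last >= user_end:
        return {"kind": "heap-overflow", "bytes_past_end": last - user_end + 1,
                "in_guard_page": last >= guard_start, "guard_page": guard_start}
    return {"kind": "in-bounds", "offset": first - block["user_addr"]}


def triage(text):
    """Cross-check the register dump against the fault address and classify the store."""
    regs, fault, block = parse_dump(text)
    if regs.get(fault["addr_reg"]) != fault["addr"]:
        raise ValueError("register dump and faulting address disagree")
    verdict = classify(fault["addr"], fault["width"], block)
    verdict["width"] = fault["width"]
    verdict["value"] = written_value(regs, fault["src_reg"])
    return verdict


if __name__ == "__main__":
    for k, v in triage(DUMP).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

For the dump in this report the verdict is a 1-byte heap overflow writing 0xff at UserAddr + UserSize, inside the guard page at 0x179d5000, which is exactly what the notes state; the same script flags a store whose first byte is still inside the block but whose last byte crosses the end.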
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Attachment: signal_sigsegv_f6529e93_5762_4873.pdf (1.2 MB)