Aug 25, 2010
Adobe Acrobat Reader All version Memory Corruption
Title: Adobe Acrobat Reader Memory Corruption PoC
Advisory URL: http://itsecteam.com/en/vulnerabilities/vulnerability62.htm
poc: http://itsecteam.com/files/adb_poc.zip
Date published: 2010-08-25

System Affected:

Adobe Acrobat Reader 7.x

Adobe Acrobat Reader 8.x

Adobe Acrobat Reader 9.x


Tested version:

Adobe Acrobat 8.1

Adobe Acrobat 9.2

Adobe Acrobat 9.3

Adobe Acrobat 9.3.4

Program Description:

Acrobat Reader is a desktop publishing software product from Adobe that uses PDF as a standard format for storing and transferring documents. It was the first software to support the portable PDF format. Adobe Acrobat, which now exists in several different versions, can open, read, edit and produce PDF files. A free copy, called Adobe Reader, can be downloaded from Adobe's website and can read and print PDF files. Acrobat Reader is used as a solution for displaying text files in a special layout that resembles printed text.

Vulnerability Description:

The vulnerability was found in all versions of the program. To reproduce it, we open Acrobat Reader normally, attach the windbg debugger to AcroRd32.exe, and then open our PoC file from the File menu. When the program loads the AcroForm.api plug-in, it hits the error shown below.

 

Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000001 ecx=02ae1314 edx=020c4bc8 esi=02adb470 edi=0012f4b4
eip=20946b4a esp=0012f414 ebp=0012f470 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api -
AcroForm!DllUnregisterServer+0x130993:
20946b4a 8b00            mov     eax,dword ptr [eax]  ds:0023:00000000=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:000> u
AcroForm!DllUnregisterServer+0x130993:
20946b4a 8b00            mov     eax,dword ptr [eax]
20946b4c c3              ret
20946b4d 56              push    esi
20946b4e 8b742408        mov     esi,dword ptr [esp+8]
20946b52 57              push    edi
20946b53 33ff            xor     edi,edi
20946b55 393e            cmp     dword ptr [esi],edi
20946b57 7e1a            jle     AcroForm!DllUnregisterServer+0x1309bc (20946b73)

Here we see that the program raises an access violation at mov eax, dword ptr [eax]: eax is 0, so the instruction reads through a NULL pointer.
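As an added example (not part of the ITSecTeam advisory), the following Python script parses the windbg first-chance exception output above and performs the first-pass triage a defender would do on such a crash: which instruction faulted, whether the faulting access is a read or a write, and whether the faulting address lies in the NULL page. The embedded crash text is copied from the advisory's output; the read/write rule is a heuristic for x86 windbg syntax.

```python
import re

# Sample input copied from the advisory's windbg output above ("u" listing omitted).
CRASH_LOG = """\
Access violation - code c0000005 (first chance)
eax=00000000 ebx=00000001 ecx=02ae1314 edx=020c4bc8 esi=02adb470 edi=0012f4b4
eip=20946b4a esp=0012f414 ebp=0012f470 iopl=0         nv up ei pl zr na pe nc
AcroForm!DllUnregisterServer+0x130993:
20946b4a 8b00            mov     eax,dword ptr [eax]  ds:0023:00000000=????????
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})")
# "<addr> <bytes> <mnemonic> <operands> [<seg>:<sel>:<effective addr>=<value>]"
INSN_RE = re.compile(
    r"^(?P<addr>[0-9a-f]{8}) [0-9a-f]+\s+(?P<mnem>\w+)\s+(?P<ops>.*?)"
    r"(?:\s+[cdefgs]s:[0-9a-f]{4}:(?P<ea>[0-9a-f]{8})=\S+)?$"
)
# Mnemonics whose memory operand is only read even when it is the first operand.
READ_ONLY = {"cmp", "test", "push", "jmp", "call"}

def parse_crash(text):
    """Extract exception code, registers and the instruction at eip."""
    code = re.search(r"code ([0-9a-f]{8})", text)
    regs = {r: int(v, 16) for r, v in REG_RE.findall(text)}
    insn = None
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m and int(m["addr"], 16) == regs.get("eip"):
            insn = m
            break
    return {
        "code": code.group(1) if code else None,
        "regs": regs,
        "mnem": insn["mnem"] if insn else None,
        "ops": insn["ops"].strip() if insn else None,
        "ea": int(insn["ea"], 16) if insn and insn["ea"] else None,
    }

def triage(info):
    """First-pass classification of the fault (heuristic, x86 only)."""
    if info["code"] != "c0000005":
        return "not an access violation"
    dst = (info["ops"] or "").partition(",")[0]
    access = "write" if "[" in dst and info["mnem"] not in READ_ONLY else "read"
    ea = info["ea"]
    if ea is not None and ea < 0x10000:
        return f"{access} from NULL page (address 0x{ea:08x})"
    return f"{access} access violation" + (f" at 0x{ea:08x}" if ea is not None else "")
```

For the advisory's crash, triage(parse_crash(CRASH_LOG)) reports a read from the NULL page, which matches the eax=00000000 register dump and the page's own conclusion that the crash could not be turned into an exploit.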


The memory corruption occurs when special characters are injected into the file. However, because the registers cannot be controlled and the crash location cannot be changed through the injected string, no way to exploit this vulnerability has been found at present. The plug-in above exports the following three functions, listed with their addresses and disassembly.

 

acroform_PlugInMain          20802202
acroform_DllRegisterServer   20816190
acroform_DllUnregisterServer 208161B7

AcroForm.api:20802202 acroform_PlugInMain:
AcroForm.api:20802202 push    ebp
AcroForm.api:20802203 mov     ebp, esp
AcroForm.api:20802205 mov     eax, [ebp+14h]
AcroForm.api:20802208 mov     ecx, [eax]
AcroForm.api:2080220A mov     dword_21197F78, ecx
AcroForm.api:20802210 mov     eax, [eax+4]
AcroForm.api:20802213 mov     off_21197F80, eax
AcroForm.api:20802218 mov     eax, offset unk_20000
AcroForm.api:2080221D cmp     [ebp+8], eax
AcroForm.api:20802220 jnb     short loc_20802225
AcroForm.api:20802222 mov     eax, [ebp+8]
AcroForm.api:20802225
AcroForm.api:20802225 loc_20802225:                           ; CODE XREF: AcroForm.api:20802220j
AcroForm.api:20802225 mov     ecx, [ebp+0Ch]
AcroForm.api:20802228 mov     [ecx], eax
AcroForm.api:2080222A mov     eax, [ebp+10h]
AcroForm.api:2080222D mov     dword ptr [eax], offset unk_2080223B
AcroForm.api:20802233 mov     ax, 1
AcroForm.api:20802237 pop     ebp
AcroForm.api:20802238 retn    10h

AcroForm.api:20816190 acroform_DllRegisterServer:
AcroForm.api:20816190 push    esi
AcroForm.api:20816191 push    0
AcroForm.api:20816193 push    off_21197F80
AcroForm.api:20816199 mov     esi, offset aN                  ; "___ $"
AcroForm.api:2081619E push    offset unk_20E86000
AcroForm.api:208161A3 mov     ecx, esi
AcroForm.api:208161A5 call    near ptr unk_20803DB2
AcroForm.api:208161AA push    0
AcroForm.api:208161AC push    1
AcroForm.api:208161AE mov     ecx, esi
AcroForm.api:208161B0 call    near ptr unk_208160B2
AcroForm.api:208161B5 pop     esi
AcroForm.api:208161B6 retn

AcroForm.api:208161B7 acroform_DllUnregisterServer:
AcroForm.api:208161B7 push    esi
AcroForm.api:208161B8 push    0
AcroForm.api:208161BA push    off_21197F80
AcroForm.api:208161C0 mov     esi, offset aN                  ; "___ $"
AcroForm.api:208161C5 push    offset unk_20E86000
AcroForm.api:208161CA mov     ecx, esi
AcroForm.api:208161CC call    near ptr unk_20803DB2
AcroForm.api:208161D1 push    0
AcroForm.api:208161D3 push    1
AcroForm.api:208161D5 mov     ecx, esi
AcroForm.api:208161D7 call    near ptr unk_20816121
AcroForm.api:208161DC pop     esi
AcroForm.api:208161DD retn

All rights reserved to ITSecTeam Security Research.