Temptationx / google-security-research

Automatically exported from code.google.com/p/google-security-research

Adobe Reader X for Windows out-of-bounds read/write in CoolType.dll #140

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following access violation was observed in Adobe Reader X for Windows:

(1354.17ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0bf736f0 ebx=00000004 ecx=0bf82000 edx=00000013 esi=0bf73684 edi=00003a44
eip=6a4ee64b esp=002cc130 ebp=002cc1a8 iopl=0         ov up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010a87
CoolType!CTGetVersion+0x177cb:
6a4ee64b 8b01            mov     eax,dword ptr [ecx]  ds:0023:0bf82000=????????
0:000> u
CoolType!CTGetVersion+0x177cb:
6a4ee64b 8b01            mov     eax,dword ptr [ecx]
6a4ee64d 03c3            add     eax,ebx
6a4ee64f 8bd0            mov     edx,eax
6a4ee651 c1fa18          sar     edx,18h
6a4ee654 8811            mov     byte ptr [ecx],dl
6a4ee656 41              inc     ecx
6a4ee657 8bd0            mov     edx,eax
6a4ee659 c1fa10          sar     edx,10h
0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
002cc1a8 0bf73684 CoolType!CTGetVersion+0x177cb
002cc238 6a4ed2c1 0xbf73684
002cc264 6a4ef942 CoolType!CTGetVersion+0x16441
002cc28c 6a4cfe8d CoolType!CTGetVersion+0x18ac2
002cc2bc 6a4e9f6c CoolType!CTInit+0x4bb7f
002cc474 6a45cc11 CoolType!CTGetVersion+0x130ec
002cc47c 71484673 CoolType+0x2cc11

Notes:

- Reproduces on Adobe Reader X (10.1.12) for Windows, on Windows 7, with Application Verifier enabled. We are unable to reproduce on Adobe Reader XI (11.0.09) in the same configuration.

- The crash occurs after navigating to the 3rd page of the POC document.

- The “ECX” register points into the end of a heap region of size 0x10000.

- Based on the type of memory reference following the crashing instruction, we can assume this is a heap-based buffer overflow.

- Attached samples: signal_sigsegv_f742dfef_7517_6052.pdf (crashing file), 6052.pdf (original file).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 30 Oct 2014 at 1:10
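Added illustration (not part of the report, and not CoolType's code): a constructed C model of the read-modify-write the disassembly shows (load a dword at [ecx], add ebx, write the four bytes back most significant first), paired with the bounds check that refuses the access once the pointer reaches the end of its region. The region size 0x10000 comes from the report's note; the function names and the delta value are made up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the faulting sequence, not CoolType's own code:
 * the disassembly loads a dword at [ecx], adds ebx, and stores the result
 * back at [ecx..ecx+3] one byte at a time, most significant byte first.
 * Once ecx has reached the end of its 0x10000-byte region, both the load
 * and the four stores touch memory outside the allocation. */

/* Precondition for a 4-byte read-modify-write at `off` in a `len`-byte
 * buffer; written as len - off so that off + 4 can never wrap around. */
static bool dword_in_bounds(size_t len, size_t off)
{
    return off < len && len - off >= 4;
}

/* Checked version: returns false and touches nothing when the access
 * would leave the buffer. */
static bool patch_dword_checked(uint8_t *buf, size_t len, size_t off,
                                uint32_t delta)
{
    if (!dword_in_bounds(len, off))
        return false;
    uint32_t v;
    memcpy(&v, buf + off, sizeof v);   /* mov eax, dword ptr [ecx] */
    v += delta;                        /* add eax, ebx */
    buf[off]     = (uint8_t)(v >> 24); /* sar edx,18h ; mov [ecx], dl */
    buf[off + 1] = (uint8_t)(v >> 16); /* inc ecx ; sar edx,10h ; ... */
    buf[off + 2] = (uint8_t)(v >> 8);
    buf[off + 3] = (uint8_t)v;
    return true;
}

/* Exercise the positions that matter for the report: the last dword fully
 * inside a 0x10000-byte region, a dword starting at its very end (the
 * "ECX points into the end of a heap region" situation), and one that
 * straddles the end. Returns 0 on the expected outcome, else a step code. */
int demo_region_end(void)
{
    const size_t len = 0x10000;
    uint8_t *region = calloc(len, 1);  /* zero-filled constructed region */
    if (!region) return 1;
    int rc = 0;
    if (!patch_dword_checked(region, len, len - 4, 4)) rc = 2;     /* accepted */
    else if (region[len - 1] != 4) rc = 3;                         /* LSB last */
    else if (patch_dword_checked(region, len, len, 4)) rc = 4;     /* refused */
    else if (patch_dword_checked(region, len, len - 2, 4)) rc = 5; /* refused */
    free(region);
    return rc;
}
```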


GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 30 Oct 2014 at 5:23

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 31 Oct 2014 at 10:24