Adobe Reader X and XI for Windows out-of-bounds write in CoolType.dll

[GoogleCodeExporter]

The following access violation was observed in Adobe Reader X and XI for 
Windows:

(1640.1544): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c668000 ebx=00000000 ecx=0c668000 edx=00000000 esi=7fffee47 edi=0c668000
eip=6a861038 esp=002bc038 ebp=002bc060 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
CoolType+0x1038:
6a861038 832000          and     dword ptr [eax],0    ds:0023:0c668000=????????
0:000> !heap -p -a eax
    address 0c668000 found in
    _DPH_HEAP_ROOT @ 50a1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 c4f0c30:          c6581d8             fe28 -          c658000            11000
    73128e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77085ede ntdll!RtlDebugAllocateHeap+0x00000030
    7704a40a ntdll!RtlpAllocateHeap+0x000000c4
    77015ae0 ntdll!RtlAllocateHeap+0x0000023a
    730fa792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
    71473db8 MSVCR90!malloc+0x00000079
0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
002bc060 6a920de3 CoolType+0x1038
002bc088 6a910fd7 CoolType!CTGetVersion+0x19f63
002bc0b8 6a8ec0c0 CoolType!CTGetVersion+0xa157
002bc160 6a86e7f9 CoolType!CTInit+0x37db2
002bc178 6a86fc3f CoolType+0xe7f9
00000000 00000000 CoolType+0xfc3f

Notes:

- Reproduces on Adobe Reader X (10.1.12) and Adobe Reader XI (11.0.09) for 
Windows, on Windows 7, with Application Verifier enabled.

- The crash occurs after navigating to the ~6th page of the POC document.

- The “EAX” register points at the end boundary of a heap allocation.

- Based on the type of memory reference of the crashing instruction, we can 
assume this is a heap-based buffer overflow.

- Attached samples: signal_sigsegv_f753bec6_7517_6052.pdf (crashing file), 
6052.pdf (original file).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 30 Oct 2014 at 1:52

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 30 Oct 2014 at 1:54

Attachments:

• signal_sigsegv_f753bec6_7517_6052.zip
• 6052.zip

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 30 Oct 2014 at 5:22

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 31 Oct 2014 at 10:19

• Added labels: Id-3109

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 10 Dec 2014 at 12:57

• Added labels: CVE-2014-9160

[GoogleCodeExporter]

The vendor communication timeline is as follows:

10/30/14 Vulnerability is reported to Adobe PSIRT.
10/31/14 Adobe PSIRT confirms reception of the reports and assigns internal 
case ID (PSIRT-3109).
12/05/14 Adobe PSIRT informs us that the vulnerability would be fixed in next 
Tuesday's Acrobat and Reader security bulletins, and assigns CVE-2014-9160 for 
the issue.
12/08/14 Adobe PSIRT sends and update claiming that the issue is fixed for 
Windows, but the vendor has been unable to introduce a fix in the update for 
Mac, so the case is kept open until an update is released for Mac.
01/27/15 We send a heads-up to Adobe that the 90 day deadline elapses on the 
next day and we will remove the view restriction.

We have reproduced the crash on a fully updated Adobe Reader for Mac. We are 
currently not aware of any mitigations for the vulnerability.

Original comment by mjurc...@google.com on 27 Jan 2015 at 9:45

[GoogleCodeExporter]

Deadline exceeded - automatically derestricting

Original comment by mjurc...@google.com on 29 Jan 2015 at 12:10

• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Original comment by cev...@google.com on 9 Feb 2015 at 3:33

• Added labels: Deadline-Exceeded