v4ng3l1s / google-security-research

Automatically exported from code.google.com/p/google-security-research

Adobe Reader X and XI for Windows object use-after-free in AcroForm.api #141

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following access violation was observed in Adobe Reader X and XI for 
Windows:

(14e0.1488): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1cfbefcc ebx=00000000 ecx=c0c0c0c0 edx=1dcd2968 esi=1a8fb280 edi=65fcf1dc
eip=658c20d9 esp=0021e124 ebp=0021e14c iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
AcroForm+0x20d9:
658c20d9 ff4904          dec     dword ptr [ecx+4]    ds:0023:c0c0c0c4=????????
0:000> u @$scopeip-6
AcroForm+0x20d3:
658c20d3 8b0e            mov     ecx,dword ptr [esi]
658c20d5 85c9            test    ecx,ecx
658c20d7 740b            je      AcroForm+0x20e4 (658c20e4)
658c20d9 ff4904          dec     dword ptr [ecx+4]
658c20dc 7506            jne     AcroForm+0x20e4 (658c20e4)
658c20de 8b01            mov     eax,dword ptr [ecx]
658c20e0 6a01            push    1
658c20e2 ff10            call    dword ptr [eax]
0:000> dd esi
1a8fb280  c0c0c0c0 00000000 00000000 00000000
1a8fb290  00000000 65ec9008 1632d9dc 00000000
1a8fb2a0  c0c0c0c0 65ec9008 1632d9dc c0c0729e
1a8fb2b0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
1a8fb2c0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
1a8fb2d0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
1a8fb2e0  c0c0c0c0 c0c0c0c0 1a8fb380 c0c0c0c0
1a8fb2f0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
0:000> ? esi
Evaluate expression: 445624960 = 1a8fb280
0:000> !heap -p -a esi
    address 1a8fb280 found in
    _DPH_HEAP_ROOT @ 4a91000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                1a743d00:         1a8f0328             ccd8 -         1a8f0000             e000
    6bcd8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77085ede ntdll!RtlDebugAllocateHeap+0x00000030
    7704a40a ntdll!RtlpAllocateHeap+0x000000c4
    77015ae0 ntdll!RtlAllocateHeap+0x0000023a
    7313a792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
    71473db8 MSVCR90!malloc+0x00000079
    658d16c9 AcroForm!PlugInMain+0x0000b5d3
    658d1782 AcroForm!PlugInMain+0x0000b68c
    658d185e AcroForm!PlugInMain+0x0000b768
    658d1260 AcroForm!PlugInMain+0x0000b16a
    658d13d5 AcroForm!PlugInMain+0x0000b2df
    65bb8bbe AcroForm!DllUnregisterServer+0x0027a076
    65bb8c93 AcroForm!DllUnregisterServer+0x0027a14b
    65d8e64a AcroForm!DllUnregisterServer+0x0044fb02
0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0021e14c 65bd00a6 AcroForm+0x20d9
0021e174 65d49566 AcroForm!DllUnregisterServer+0x29155e
0021e194 65c2b91f AcroForm!DllUnregisterServer+0x40aa1e
00000000 00000000 AcroForm!DllUnregisterServer+0x2ecdd7

Notes:

- Reproduces on Adobe Reader X (10.1.12) and Adobe Reader XI (11.0.09) for 
Windows, on Windows 7, with Application Verifier enabled.

- The “ESI” register points into a busy heap region, which is partially 
filled with 0xc0 bytes because Application Verifier is enabled.

- The type of the crash and the memory context suggest that this is a 
use-after-free vulnerability: object fields and methods are accessed from 
memory which has been freed and assigned to some other allocation.

- In some cases, the application crashes inside of a virtual method belonging 
to another class. This implies that another (incompatible) object is allocated 
in the memory in question after the "free", but before the "use", thus 
illustrating the exploitability degree of this vulnerability.

- Attached samples: signal_sigsegv_f4716324_2848_2913.pdf (crashing file), 
2913.pdf (original file).

This bug is subject to a 90-day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 30 Oct 2014 at 1:21
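
Added example, not part of the original report or of any Google or Adobe tooling: a small Python triage helper that applies the reasoning from the notes above to WinDbg output, checking whether the faulting pointer is a page heap fill pattern and how much of the dumped region still holds it. The names `FILLS`, `fill_byte` and `triage` are hypothetical, and the 0xe0 and 0xf0 fill bytes are taken from Microsoft's page heap documentation rather than from this report.

```python
import re

# Page heap fill bytes. 0xc0 is the value named in the report; 0xe0 and 0xf0
# are the other allocated/freed fills Microsoft documents for page heap.
FILLS = {0xC0: "allocated, never written (full page heap)",
         0xE0: "allocated, never written (light page heap)",
         0xF0: "freed (light page heap)"}

# Sample input: lines copied from the WinDbg output in the report above.
LOG = """\
eax=1cfbefcc ebx=00000000 ecx=c0c0c0c0 edx=1dcd2968 esi=1a8fb280 edi=65fcf1dc
658c20d9 ff4904          dec     dword ptr [ecx+4]    ds:0023:c0c0c0c4=????????
1a8fb280  c0c0c0c0 00000000 00000000 00000000
1a8fb290  00000000 65ec9008 1632d9dc 00000000
1a8fb2a0  c0c0c0c0 65ec9008 1632d9dc c0c0729e
1a8fb2b0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
"""

def fill_byte(value):
    """Return the fill byte if a dword is one known fill byte repeated 4 times."""
    b = value & 0xFF
    return b if b in FILLS and value == b * 0x01010101 else None

def triage(log):
    """Check whether the faulting pointer is a page heap fill pattern."""
    regs = {r: int(v, 16) for r, v in
            re.findall(r"\b(e(?:[abcd]x|[sd]i|[sb]p|ip))=([0-9a-f]{8})", log)}
    # Faulting operand: "[reg+disp]" followed by an unreadable "seg:sel:addr=????".
    m = re.search(r"ptr \[(\w+)(?:([+-])([0-9a-f]+))?\]\s+\w\w:[0-9a-f]{4}:"
                  r"([0-9a-f]{8})=\?+", log)
    if not m or m.group(1) not in regs:
        return None  # no unreadable memory operand with a known base register
    base, sign, disp, addr = m.groups()
    offset = int(disp or "0", 16) * (-1 if sign == "-" else 1)
    # Rows of a "dd" dump: address, two spaces, four dwords.
    dwords = [int(d, 16) for row in
              re.findall(r"^[0-9a-f]{8}  ((?:[0-9a-f]{8} ?){4})$", log, re.M)
              for d in row.split()]
    fill = fill_byte(regs[base])
    return {"base": base, "fill": fill,
            "address_consistent": (regs[base] + offset) & 0xFFFFFFFF == int(addr, 16),
            "filled_dwords": sum(fill_byte(d) == fill for d in dwords) if fill else 0,
            "total_dwords": len(dwords)}

if __name__ == "__main__":
    print(triage(LOG))
```

A non-`None` `fill` combined with a region that is only partly filled matches the pattern the notes describe: the object pointer was read from memory that now belongs to a different, partially initialized allocation.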


GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 30 Oct 2014 at 5:23

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 31 Oct 2014 at 10:23

GoogleCodeExporter commented 9 years ago
http://helpx.adobe.com/security/products/reader/apsb14-28.html

Original comment by mjurc...@google.com on 10 Dec 2014 at 1:01