Adobe Reader All Versions Memory Corruption - APSB11-16 (CVE-2011-2098)

Document created by Robert Dell'Immagine (Employee) on May 7, 2012. Last modified by Robert Dell'Immagine (Employee) on May 8, 2012.

INTRODUCTION
According to Adobe, "Adobe Reader software is the global standard for electronic document sharing. It is the only PDF file viewer that can open and interact with all PDF documents. Use Adobe Reader to view, search, digitally sign, verify, print, and collaborate on Adobe PDF files."
 
Adobe Reader does not properly parse a PDF file that contains a JPEG 2000 (jp2) image element. Opening a malformed file of this kind corrupts memory inside the module JP2KLib.dll, Reader's JPEG 2000 decoding library.
 
The problem was confirmed on the following combinations of Adobe Reader and Windows, but other versions may also be affected:
 
Adobe Reader X on WinXP SP3
Adobe Reader 9 on WinXP SP3

Adobe addressed the vulnerability in security bulletin APSB11-16 (http://www.adobe.com/support/security/bulletins/apsb11-16.html).


CVSS SCORING SYSTEM
 
The overall CVSS v2 score is 9.0:
      Base Score: 10.0
      Temporal Score: 9.0
We used the following vectors to calculate the scores:
      Base vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
      Temporal vector: E:POC/RL:U/RC:C
 
TRIGGERING THE PROBLEM
  To trigger the problem, a PoC file (poc.pdf) is available to interested parties on request.  
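The PoC itself is not published here, and the advisory describes the trigger only as a PDF carrying a jp2 element. The triage script below is an added example (not part of the original advisory and not Qualys' PoC) for flagging which files in a sample set reach JP2KLib at all. It assumes the JPEG 2000 data is embedded the way the PDF specification defines it, as an image XObject stream whose /Filter is /JPXDecode, and reports for each such stream whether the data is a JP2 container (signature box) or a bare J2K codestream (SOC/SIZ markers). The one-page PDF it scans by default is constructed inline.

```python
import bisect
import re

# JP2 signature box (12 bytes) that opens a JPEG 2000 .jp2 container.
JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"
# A raw JPEG 2000 codestream starts with the SOC marker followed by SIZ.
J2K_SOC_SIZ = b"\xff\x4f\xff\x51"

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def find_jpx_streams(pdf_bytes):
    """Return one record per stream object whose dictionary selects /JPXDecode.

    Each record gives the object number and generation, the stream length and
    whether the data is a JP2 container, a bare J2K codestream, or neither.
    Limitations of this triage pass: object streams and incremental updates
    are not inflated, and /Length is not honoured; a stream is delimited by
    the endstream keyword. Files that come back empty may still need a real
    PDF parser before they are ruled out.
    """
    headers = [(m.start(), int(m.group(1)), int(m.group(2)))
               for m in OBJ_RE.finditer(pdf_bytes)]
    offsets = [h[0] for h in headers]
    found = []
    for sm in STREAM_RE.finditer(pdf_bytes):
        i = bisect.bisect_right(offsets, sm.start()) - 1
        if i < 0:
            continue                       # stream keyword outside any object
        start, objnum, gen = headers[i]
        dictionary = pdf_bytes[start:sm.start()]   # "N G obj << ... >>" text
        if b"/JPXDecode" not in dictionary:
            continue
        data = sm.group(1)
        if data.startswith(JP2_SIGNATURE):
            kind = "jp2"
        elif data.startswith(J2K_SOC_SIZ):
            kind = "j2k-codestream"
        else:
            kind = "unknown"               # declared JPX but no JPEG 2000 header: look closer
        found.append({"obj": objnum, "gen": gen, "length": len(data), "kind": kind})
    return found


def build_test_pdf(image_data, image_filter=b"/JPXDecode"):
    """Constructed minimal one-page PDF (no xref table) used as sample input."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >>",
        b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /Filter " + image_filter
        + b" /Length " + str(len(image_data)).encode() + b" >>\nstream\n"
        + image_data + b"\nendstream",
        b"<< /Length 3 >>\nstream\nabc\nendstream",   # unrelated stream, must be ignored
    ]
    out = b"%PDF-1.5\n"
    for n, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            hits = find_jpx_streams(fh.read())
    else:
        hits = find_jpx_streams(build_test_pdf(JP2_SIGNATURE + b"\x00\x00\x00\x14ftypjp2 "))
    for h in hits:
        print("obj %d %d: %s, %d bytes" % (h["obj"], h["gen"], h["kind"], h["length"]))
```

Run it as `python jpx_triage.py suspect.pdf`; with no argument it scans the constructed sample. A hit does not mean a file is malicious, only that Reader will hand its data to JP2KLib, which is the surface this advisory concerns; a stream declared /JPXDecode whose data carries neither JPEG 2000 header is exactly the kind of malformed input worth opening in a debugger.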
 
DETAILS
  (c5c.c64): Access violation - code c0000005 (!!! second chance !!!)
  eax=8197c6e1 ebx=00000003 ecx=0012dd8c edx=02184761 esi=00000040 edi=01162e64
  eip=1000aa3c esp=0012dcf4 ebp=0012dd8c iopl=0         ov up ei pl nz na po cy
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000a03
  *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 10.0\Reader\JP2KLib.dll -
  JP2KLib!JP2KCodeStm::operator=+0x984c:
  1000aa3c 8a40ff          mov     al,byte ptr [eax-1]        ds:0023:8197c6e0=??
  Missing image name, possible paged-out or corrupt data.
  Missing image name, possible paged-out or corrupt data.
  0:000> !exploitable
  *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 10.0\Reader\AGM.dll -
  Exploitability Classification: UNKNOWN
  Recommended Bug Title: Data from Faulting Address may be used as a return value starting at JP2KLib!JP2KCodeStm::operator=+0x000000000000984c (Hash=0x7150245a.0x4e1b0c34)
 
!exploitable cannot classify the crash because the faulting read goes through a pointer it cannot trace back: eax holds 0x8197c6e1, and on a default 32-bit Windows XP install addresses at or above 0x80000000 belong to the kernel and are not accessible from user mode, so `mov al, byte ptr [eax-1]` raises an access violation. The byte that would have been read is stored at [ecx+0Ch] and the function returns immediately afterwards (`ret 8`) with that byte in al, the low byte of the return register, which is why the tool reports that data from the faulting address may be used as a return value. Whether the bad pointer derives from attacker-controlled file content is not something the crash dump alone establishes.
 
  0:000> u
  JP2KLib!JP2KCodeStm::operator=+0x984c:
  1000aa3c 8a40ff          mov     al,byte ptr [eax-1]
  1000aa3f 88410c          mov     byte ptr [ecx+0Ch],al
  1000aa42 c20800          ret     8
  1000aa45 55              push    ebp
  1000aa46 8bec            mov     ebp,esp
  1000aa48 51              push    ecx
  1000aa49 56              push    esi
  1000aa4a 33f6            xor     esi,esi
 
  0:000> k
  ChildEBP RetAddr 
  WARNING: Stack unwind information not available. Following frames may be wrong.
  0012dd8c 02184761 JP2KLib!JP2KCodeStm::operator=+0x984c
  0012de0c 1004cd7a AcroRd32_12a0000!parallelTaskManagerBuilder+0x4709ed
  0012de40 100500df JP2KLib!JP2KCopyRect+0x1156d
  0012de6c 100515d7 JP2KLib!JP2KCopyRect+0x148d2
  0012deec 1005291d JP2KLib!JP2KCopyRect+0x15dca
  0012df58 1000acf9 JP2KLib!JP2KCopyRect+0x17110
  0012e030 100471e7 JP2KLib!JP2KCodeStm::operator=+0x9b09
  0012e070 1004878c JP2KLib!JP2KCopyRect+0xb9da
  0012e094 1005b26b JP2KLib!JP2KCopyRect+0xcf7f
  0012e0f4 01643ebc JP2KLib!JP2KImageDecodeTileInterleaved+0x2a
  0012e168 01618a04 AcroRd32_12a0000!AVAcroALM_IsFeatureEnabled+0x17d8ed
  0012e1dc 0604e4f9 AcroRd32_12a0000!AVAcroALM_IsFeatureEnabled+0x152435
  0012e27c 06086073 AGM!AGMInitialize+0x43d35
  0012e2f4 06086297 AGM!AGMTerminate+0x15777
  0012e32c 0633ea19 AGM!AGMTerminate+0x1599b
  0012e340 0604bfbd AGM!AGMTerminate+0x2ce11d
  00000000 00000000 AGM!AGMInitialize+0x417f9
 
CREDITS
This vulnerability was discovered by Rodrigo Rubira Branco (https://twitter.com/bsdaemon), Qualys Director of Vulnerability and Malware Research.
