Adobe Reader Remote Heap Memory Corruption - Subroutine Pointer Overwrite by Piotr Bania http://www.piotrbania.com Orginal url: http://www.piotrbania.com/all/adv/adobe-acrobat-adv.txt Severity: Critical - Possible remote code execution. CVE ID: CVE-2006-5857 Time line: 03/09/2006 - Advisory sent to ADOBE PSIRT 03/09/2006 - Initial Vendor Response 11/09/2006 - Vendor confirms the vulnerability. 09/01/2007 - Security Bulletin ready, advisory released. Software affected: Adobe Reader 7.0.8 and earlier - all platforms. Tested on: * Adobe Reader 7.0.8 and 7.0.3 (Windows) * Adobe Reader 7.0.8 on (LINUX ) I. BACKGROUND Adobe Reader is the most popular program for viewing documents in Adobe Portable Document Format (PDF). More information at: http://www.adobe.com/products/acrobat/. II. DESCRIPTION The problem exists when the Adobe product is trying to render a specially crafted PDF file. Take a look a this code snipet: ----// SNIP SNIP //------------------------------------------------- 0:000> u 08009d3f CoolType+0x9d3f: 08009d3f 83e904 sub ecx,0x4 08009d42 890da07a1d08 mov [CoolType!CTCleanup+0xb393b (081d7aa0)],ecx 08009d48 ffb49070feffff push dword ptr [eax+edx*4-0x190] 08009d4f 8b09 mov ecx,[ecx] 08009d51 51 push ecx 08009d52 ff506c call dword ptr [eax+0x6c] ; (*) 08009d55 59 pop ecx 08009d56 59 pop ecx ----// SNIP SNIP //------------------------------------------------- Instruction at 0x08009d52 call the location which address is stored at [eax+0x6c]. Value of the eax points somewhere inside the allocated heap memory block, as shown here: ----// SNIP SNIP //------------------------------------------------- ... K: 199 -> [*] HeapAlloc(0x3E0000,0x0,0x4(4))=0x16F6FF8 end at: 0x16F6FFC K: 200 -> [*] HeapAlloc(0x3E0000,0x0,0x4F4(1268))=0x16F6958 end at: 0x16F6E4C K: 201 -> [*] HeapAlloc(0x3E0000,0x0,0xFE30(65072))=0x16F6E58 end at: 0x1706C88 K: 202 -> [*] HeapAlloc(0x3E0000,0x0,0x304(772))=0x1706C90 end at: 0x1706F94 K: 203 -> [*] HeapAlloc(0x3E0000,0x0,0xFE24(65060))=0x1706FA0 end at: 0x1716DC4 <- THIS ONE ----// SNIP SNIP //------------------------------------------------- [EAX+0x6c] points to 0x222C offset from begining of the last heap memory block. When specially badly created PDF file is being render, there exist a possibility to cause a memory corruption, which leads to the overwrite of the subroutine address stored at [eax+0x6c]. Here's the debugger snipet, after calling overwritten [eax+0x6c] (note the heap base block is different then previously mentioned, its just another independent session): ----// SNIP SNIP //------------------------------------------------- (25a0.2170): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=016f4320 ebx=00000000 ecx=baadf00d edx=00000069 esi=016f4ab9 edi=016f14b4 eip=baadf00d esp=0012deec ebp=0012df80 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010202 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Acrobat 7.0\Reader\CoolType.dll - baadf00d ?? ??? ----// SNIP SNIP //------------------------------------------------- The attacker can control EIP register, this may lead to a potencial code exection in context of current user. III. IMPACT Successful exploitation may allow the attacker to run arbitrary code in context of user running Adobe Reader. IV. VENDOR RESPONSE All pathes are available, via auto-update or http://www.adobe.com/go/getreader/ V. POC CODE Due to severity of this vulnerability i will not disclose any POC codes.