iViZ Security

Security Advisories

Adobe Acrobat Reader Memory Corruption Vulnerability

Technical Details

Adobe acrobat reader initializes large memory based on specific values read from the PDF file itself. Mostly this results in access violation but code execution may be possible due to heap corruption. The technical details tested on Acrobat Reader 9.0.0 are as follows: There are two cases for the application to crash. In case A, the function @0177C1AB returns a large value which is copied in ESI register. In case B, the function @0177CAAB returns a large value in EAX register. The values returned by this call instruction are not predictable with the offset at 0x2024. 

    0177C1AB    E8 700D0100     CALL AcroRd_1.0178CF20
    0177C1B0    8BD6            MOV EDX,ESI  ; Case A: ESI is large
    0177C1B2    03F0            ADD ESI,EAX  ; Case B: EAX is large
    0177C1B4    3BD6            CMP EDX,ESI
    0177C1B6    73 2B           JNB SHORT AcroRd_1.0177C1E3
    0177C1B8    8B4424 20       MOV EAX,DWORD PTR SS:[ESP+20]
    0177C1BC    8D3C50          LEA EDI,DWORD PTR DS:[EAX+EDX*2]
    0177C1BF    8B4424 1C       MOV EAX,DWORD PTR SS:[ESP+1C] ; EAX holds the value to be initialized
    0177C1C3    8BCE            MOV ECX,ESI                   ; ECX holds the count; copied from ESI
    0177C1C5    2BCA            SUB ECX,EDX
    0177C1C7    8B5C24 30       MOV EBX,DWORD PTR SS:[ESP+30]
    0177C1CB    66:8BD0         MOV DX,AX
    0177C1CE    C1E2 10         SHL EDX,10
    0177C1D1    66:8BD0         MOV DX,AX
    0177C1D4    D1E9            SHR ECX,1
    0177C1D6    8BC2            MOV EAX,EDX
    0177C1D8    F3:AB           REP STOS DWORD PTR ES:[EDI]   ; EDI points to the target memory and 
 									        ; results in access violation for larger 
										  ; ECX values
A vulnerability like this can possibly be exploited through techniques like heap spray, particularly since Adobe Reader supports embedded javascripts, however this possibility is currently unverified.

Affected Software

Adobe Acrobat Reader 9.0.0
Adobe Acrobat Reader 8.1.3 and earlier
Other versions may also be affected
(The vulnerability affects both Windows and Linux version of Acrobat Reader)

Impact

  • Application Crash
  • Possibly remote code execution

Vendor Response

http://www.adobe.com/support/security/bulletins/apsb09-04.html

Credits

This vulnerability was discovered by Security Researcher Jonathan Brossard from iViZ Techno Solutions Pvt. Ltd.

Disclosure Timeline

* 25/03/2009: Public Disclosure
* 28/02/2009: Vendor acknowledged receipt of vulnerability details
* 26/02/2009: Vendor replied providing PGP keys
* 25/02/2009: Contacted vendor asking for PGP keys



Back to Security Advisories