Threat Research

Analysis of CVE-2016-4203 - Adobe Acrobat and Reader CoolType Handling Heap Overflow Vulnerability

By Kai Lu | July 20, 2016

Summary

Recently, Adobe patched some security vulnerabilities in Adobe Acrobat and Reader. One of them is a heap buffer overflow vulnerability (CVE-2016-4203) I recently discovered. In this blog, we want to share our analysis of this vulnerability.

Proof of Concept

This vulnerability can be reproduced by opening the PoC file “poc_minimized.pdf” with Adobe Reader DC. When opened, AcroRd32.exe crashes, and the crash information is shown below:

(8de0.6bc4): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=097eeeed ebx=00000015 ecx=097ef6e0 edx=0000cc6c esi=2952d000 edi=00000024

eip=0959a23c esp=2911e5f8 ebp=2911e608 iopl=0         nv up ei pl nz na po nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202

CoolType!CTInit+0x45ef1:

0959a23c 0fb606          movzx   eax,byte ptr [esi]         ds:002b:2952d000=??

 

0:022> kb

 # ChildEBP RetAddr  Args to Child             

WARNING: Stack unwind information not available. Following frames may be wrong.

00 2911e608 09598db1 097eee15 097ef564 097ef44c CoolType!CTInit+0x45ef1

01 2911e674 095939a0 17e9cc38 17e9cd98 17e9cd58 CoolType!CTInit+0x44a66

02 2911e6d0 095935c3 17e9cc38 17e9cd98 17e9cd58 CoolType!CTInit+0x3f655

03 2911e720 0958d9a3 17e9cc38 17e9cd98 17e9cd58 CoolType!CTInit+0x3f278

04 2911e784 0958d79c 00000001 2911e7d8 00000001 CoolType!CTInit+0x39658

05 2911e79c 095a6cb0 2911e8a8 2911e7d8 1a99cf68 CoolType!CTInit+0x39451

06 2911e8fc 095a6996 1a99cf68 097f61a8 2911ea88 CoolType!CTInit+0x52965

07 2911eac4 095a614e 2911ecb8 00000000 097f6480 CoolType!CTInit+0x5264b

08 2911eb90 095a506f 773dfa00 00000000 00000001 CoolType!CTInit+0x51e03

09 2911ef58 095a468a 00000025 20f02fec 00001088 CoolType!CTInit+0x50d24

0a 2911ef98 095a3691 20f02fe0 00000002 2911f028 CoolType!CTInit+0x5033f

0b 2911f100 095a32c7 2911f518 2911f8ac 0000044a CoolType!CTInit+0x4f346

0c 2911f150 0908a44c 145aae2c 2911f518 2911f8ac CoolType!CTInit+0x4ef7c

0d 2911f258 0906bab0 2911f34c 00000000 21d6629c AGM!AGMInitialize+0x51bf0

0e 2911f268 0906b98f 00000000 f7510c27 20d6cf70 AGM!AGMInitialize+0x33254

0f 2911f280 0906ba9c 00000081 21cb6d00 21cb6d00 AGM!AGMInitialize+0x33133

10 2911f9ac 0906182e 090004ca 00001fa0 2911fa01 AGM!AGMInitialize+0x33240

11 2911f9bc 09080a4d 21d76fe8 00000053 00000000 AGM!AGMInitialize+0x28fd2

12 2911fa01 00000000 c8000000 5021ca6f 0027c3d2 AGM!AGMInitialize+0x481f1

 

0:022> !heap -p -a esi

    address 2952d000 found in

    _DPH_HEAP_ROOT @ 3d01000

    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)

                                                       293c3924:         2952cf40               c0 -         2952c000             2000

    6a749abc verifier!AVrfDebugPageHeapAllocate+0x0000023c

    7749d836 ntdll!RtlDebugAllocateHeap+0x0000003c

    773ffb40 ntdll!RtlpAllocateHeap+0x000000f0

    773fdecb ntdll!RtlpAllocateHeapInternal+0x0000027b

    773fdc2e ntdll!RtlAllocateHeap+0x0000002e

    6854ed63 MSVCR120!malloc+0x00000049 [f:\dd\vctools\crt\crtw32\heap\malloc.c @ 92]

    095550fc CoolType!CTInit+0x00000db1

    095589db CoolType!CTInit+0x00004690

    …

 

Analysis

This vulnerability is an instance of a heap buffer overflow vulnerability. Let’s look into this specially crafted PDF file first. The comparison between the normal PDF file and the minimized PoC file is shown below.

Figure 1. The PoC File vs The Original PDF File

Figure 2. Parsing of The PoC File with 010 Editor

From Figures 1 and 2 we can see the only difference between the original PDF file and the PoC file is a single byte at offset 0x30e3, located in obj 17. The object structure is shown below.

17 0 obj

<

/Length 14790

/Filter [/FlateDecode]

/DecodeParms [null]

>> 

stream

endstream

endobj

 

The question is, what type of data does this object store? We found that the following object in the PDF file references obj 17:

8 0 obj

<

/FontFile2 17 0 R

/FontName /AAAAAA+ComicSansMS

/Flags 32

/ItalicAngle 0

/Ascent 1102

/Descent -312

/CapHeight 0

/StemV 0

/Type /FontDescriptor

/CIDSet 19 0 R

>> 

endobj

 

From the field “/FontFile2 17 0 R”, we know that obj 17 stores a font file.  The data of the font file is encoded with FlateDecode in obj 17. For more information on deflate, please refer to https://tools.ietf.org/html/rfc1951.

 

Zlib is a C library which implements the deflate algorithm. We can use it to decompress the data in obj 17. The decompressed data of obj 17 in the PoC file is stored in the file output.dat, which has a length of 0x4650. The decompressed data of obj 17 in the original PDF file is stored in the file output_original.dat which also has a length of 0x4650. The following is the comparison between output.dat and output_original.dat:

Figure 3. The PoC Font File (output.dat) vs The Original Font File (output_original.dat)

We can see that about one hundred bytes are different.  The next question, then, is to figure out what data triggers this vulnerability. Some debugging skills are needed. Let’s go back to Windbg first.

0:022> r

eax=097eeeed ebx=00000015 ecx=097ef6e0 edx=0000cc6c esi=2952d000 edi=00000024

eip=0959a23c esp=2911e5f8 ebp=2911e608 iopl=0         nv up ei pl nz na po nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202

CoolType!CTInit+0x45ef1:

0959a23c 0fb606          movzx   eax,byte ptr [esi]         ds:002b:2952d000=??

 

0:022> !heap -p -a esi

    address 2952d000 found in

    _DPH_HEAP_ROOT @ 3d01000

    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)

                                                       293c3924:         2952cf40               c0 -         2952c000             2000

    6a749abc verifier!AVrfDebugPageHeapAllocate+0x0000023c

    7749d836 ntdll!RtlDebugAllocateHeap+0x0000003c

    773ffb40 ntdll!RtlpAllocateHeap+0x000000f0

    773fdecb ntdll!RtlpAllocateHeapInternal+0x0000027b

    773fdc2e ntdll!RtlAllocateHeap+0x0000002e

    6854ed63 MSVCR120!malloc+0x00000049 [f:\dd\vctools\crt\crtw32\heap\malloc.c @ 92]

    095550fc CoolType!CTInit+0x00000db1

    095589db CoolType!CTInit+0x00004690

    …

 

0:022> db 2952cf40 Lc0

2952cf40  00 02 00 b3 ff fb 01 bf-05 da 00 0b 00 23 00 55  .............#.U

2952cf50  40 36 06 38 00 1e 12 1e-06 20 25 30 25 50 25 c0  @6.8..... %0%P%.

2952cf60  25 04 80 25 90 25 a0 25-03 09 38 03 18 15 1b 18  %..%.%.%..8.....

2952cf70  38 0f 21 1f 25 2f 25 3f-25 7f 25 04 1f 0c bf 0c  8.!.%/%?%.%.....

2952cf80  02 50 0c 7f 0c 02 0c 25-10 d6 5d 71 5d 7d c4 c4  .P.....%..]q]}..

2952cf90  18 fd 7d c4 c4 18 10 7d-d4 18 ed 5d 71 00 3f 2f  ..}....}...]q.?/

2952cfa0  10 d6 ed 31 30 01 22 26-35 34 36 33 32 1f 00 ed  ...10."&54632...

2952cfb0  02 03 14 16 00 ed 06 23-22 26 35 34 26 35 34 12  .......#"&54&54.

2952cfc0  35 34 36 33 32 1f 00 ed-02 01 4a 30 46 46 30 30  54632.....J0FF00

2952cfd0  45 45 03 07 36 2c 2b 37-07 14 37 2b 2b 37 14 04  EE..6,+7..7++7..

2952cfe0  f2 44 30 30 44 44 30 30-44 fc d4 3c ef 3c 2c 38  .D00DD00D..<.<,8

2952cff0  38 2c 3c ef 3c 5e 01 19-5e 2d 38 38 2d 5e fe e7  8,<.<^..^-88-^..

 

From the above output, an out of bounds memory access is triggered when handling a heap buffer with size 0xc0 and starting at 0x2952cf40.  Next, we search some data from this heap buffer, like |00 02 00 b3| in output.dat.

Figure 4. The Result of Data Searching in output.dat

We find it at offset 0x2d0b, and it only appears once. We then use TTFTemplate.bt in 010 Editor to parse the font file, and find |00 02 00 B3| is in the ‘glyp’ table. Next, we extract the data with size 0xc0 in the ‘glyp’ table from output.dat and output_original.dat respectively, and save them as glyph_poc.dat and glyph_original.dat. The following is the comparison between them.

Figure 5. The Comparison Between glyph_poc.dat And glyph_original.dat

As you can see, there are three differences between them. The 'glyf' table contains the data that defines the appearance of the glyphs in the font. This includes specification of the points that describe the contours that make up a glyph outline, and the instructions that grid-fit that glyph. The 'glyf' table supports the definition of simple glyphs and compound glyphs, that is, glyphs that are made up of other glyphs. The number of glyphs in the font is restricted only by the value stated in the 'head' table. The order in which glyphs are placed in a font is arbitrary.

Each glyph begins with the following header:

Obviously, glyph_poc.dat stores a simple glyph because the first two bytes 0x0002 is greater than zero.

The structure of a simple glyph is shown below:

Based on the specification of the ‘glyph’ table above, we try to parse it by marking different colors as follows.

Figure 6. Parsing of The Simple glyph

Then we trace how Adobe Reader handles the simple glyph. We set the following breakpoint in Windbg.

bu CoolType!CTInit+0x44a61 " .if((poi(poi(poi(esp+0xc))) & 0x0`ffffffff) = 0x0`b3000200) { .printf \"hit:\\n\";} .else {gc}"

 

When the breakpoint is hit, we get the following debug information:

0:021> g

(8de0.6bc4): C++ EH exception - code e06d7363 (first chance)

hit:

eax=097ef6e0 ebx=097ef6d0 ecx=097eeda0 edx=2911e6fc esi=097ef758 edi=097ef756

eip=09598dac esp=2911e610 ebp=2911e674 iopl=0         nv up ei pl zr na pe nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246

CoolType!CTInit+0x44a61:

09598dac e8f1110000      call    CoolType!CTInit+0x45c57 (09599fa2)

 

0:022> dds esp

2911e610  097eee00 CoolType!CTGetVersion+0x1dd1c8    -->param1

2911e614  097ef510 CoolType!CTGetVersion+0x1dd8d8    -->param2

2911e618  097ef3bc CoolType!CTGetVersion+0x1dd784    -->param3

2911e61c  097ef6e0 CoolType!CTGetVersion+0x1ddaa8    -->param4

2911e620  17e9cd98                                                                  -->param5

2911e624  00000001                                                                -->param6

2911e628  00000002                                                                  -->param7

2911e62c  097eee58 CoolType!CTGetVersion+0x1dd220

2911e630  097eee60 CoolType!CTGetVersion+0x1dd228

2911e634  097ef756 CoolType!CTGetVersion+0x1ddb1e

2911e638  097ef758 CoolType!CTGetVersion+0x1ddb20

2911e63c  2911e6c4

2911e640  2911e6c8

2911e644  097ef6d0 CoolType!CTGetVersion+0x1dda98

2911e648  17e9cdc4

2911e64c  17e9cf84

2911e650  00000015

 

0:022> dd 097ef6e0 L4

097ef6e0  2952cf40 2952cf4a 2952d000 00000000

 

0:022> db 2952cf40  lc0

2952cf40  00 02 00 b3 ff fb 01 bf-05 da 00 0b 00 23 00 55  .............#.U

2952cf50  40 36 06 38 00 1e 12 1e-06 20 25 30 25 50 25 c0  @6.8..... %0%P%.

2952cf60  25 04 80 25 90 25 a0 25-03 09 38 03 18 15 1b 18  %..%.%.%..8.....

2952cf70  38 0f 21 1f 25 2f 25 3f-25 7f 25 04 1f 0c bf 0c  8.!.%/%?%.%.....

2952cf80  02 50 0c 7f 0c 02 0c 25-10 d6 5d 71 5d 7d c4 c4  .P.....%..]q]}..

2952cf90  18 fd 7d c4 c4 18 10 7d-d4 18 ed 5d 71 00 3f 2f  ..}....}...]q.?/

2952cfa0  10 d6 ed 31 30 01 22 26-35 34 36 33 32 1f 00 ed  ...10."&54632...

2952cfb0  02 03 14 16 00 ed 06 23-22 26 35 34 26 35 34 12  .......#"&54&54.

2952cfc0  35 34 36 33 32 1f 00 ed-02 01 4a 30 46 46 30 30  54632.....J0FF00

2952cfd0  45 45 03 07 36 2c 2b 37-07 14 37 2b 2b 37 14 04  EE..6,+7..7++7..

2952cfe0  f2 44 30 30 44 44 30 30-44 fc d4 3c ef 3c 2c 38  .D00DD00D..<.<,8

2952cff0  38 2c 3c ef 3c 5e 01 19-5e 2d 38 38 2d 5e fe e7  8,<.<^..^-88-^..

 

0:022> !heap -p -a 2952cf40 

    address 2952cf40 found in

    _DPH_HEAP_ROOT @ 3d01000

    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)

                                                       293c3924:         2952cf40               c0 -         2952c000             2000

    6a749abc verifier!AVrfDebugPageHeapAllocate+0x0000023c

    7749d836 ntdll!RtlDebugAllocateHeap+0x0000003c

    773ffb40 ntdll!RtlpAllocateHeap+0x000000f0

    773fdecb ntdll!RtlpAllocateHeapInternal+0x0000027b

    773fdc2e ntdll!RtlAllocateHeap+0x0000002e

    6854ed63 MSVCR120!malloc+0x00000049 [f:\dd\vctools\crt\crtw32\heap\malloc.c @ 92]

    095550fc CoolType!CTInit+0x00000db1

    095589db CoolType!CTInit+0x00004690

    ...

 

From the above output, the heap buffer at address 0x2952cf40 with size 0xc0 stores the simple glyph. It matches the data in glyph_poc.dat. The address 0x2952cf4a points to endPtsOfContours[2], and the address 0x2952d000 points to the end of the simple glyph.

The following are the values of some fields in the simple glyph.

endPtsOfContours [0]:   00 0b  

endPtsOfContours [1]:  00 23

instructionLength: 00 55 

instructions[n]:   40 36 06 38 00 1e 12 1e-06 20 25 30 25 50 25 c0 

                              25 04 80 25 90 25 a0 25-03 09 38 03 18 15 1b 18

                              38 0f 21 1f 25 2f 25 3f-25 7f 25 04 1f 0c bf 0c

                             02 50 0c 7f 0c 02 0c 25-10 d6 5d 71 5d 7d c4 c4 

                            18 fd 7d c4 c4 18 10 7d-d4 18 ed 5d 71 00 3f 2f 

                            10 d6 ed 31 30

Flags[]: ……
xCoordinates[ ]
: …….
yCoordinates[ ]: …….

 

We continued to trace how the ‘flags’ field in the simple glyph are handled. In IDA Pro, the following is the code branch of handling the ‘flags’ field. Its length is 0x24(endPtsOfContours [1] + 1=0x23+0x1=0x24).

Figure 7. The Branch of Handling the ‘flags’ Field

In Windbg, we get the following debug info:

0:022> bu 0959a132

 

0:022> g

Breakpoint 1 hit

eax=0000004d ebx=097eee00 ecx=00000000 edx=00000024 esi=2952cfa5 edi=00000000

eip=0959a132 esp=2911e5f8 ebp=2911e608 iopl=0         nv up ei ng nz ac pe cy

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297

CoolType!CTInit+0x45de7:

0959a132 8bca            mov     ecx,edx

 

0:022> db esi

2952cfa5  01 22 26 35 34 36 33 32-1f 00 ed 02 03 14 16 00  ."&54632........

2952cfb5  ed 06 23 22 26 35 34 26-35 34 12 35 34 36 33 32  ..#"&54&54.54632

2952cfc5  1f 00 ed 02 01 4a 30 46-46 30 30 45 45 03 07 36  .....J0FF00EE..6

2952cfd5  2c 2b 37 07 14 37 2b 2b-37 14 04 f2 44 30 30 44  ,+7..7++7...D00D

2952cfe5  44 30 30 44 fc d4 3c ef-3c 2c 38 38 2c 3c ef 3c  D00D..<.<,88,<.<

2952cff5  5e 01 19 5e 2d 38 38 2d-5e fe e7 ?? ?? ?? ?? ??  ^..^-88-^..?????

2952d005  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

2952d015  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

 

0:022> db ebx

097eee00  01 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

097eee10  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

097eee20  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

097eee30  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

097eee40  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

097eee50  00 00 00 00 00 00 00 00-00 00 0c 00 00 00 00 00  ................

097eee60  0b 00 23 00 00 00 00 00-00 00 00 00 00 00 00 00  ..#.............

097eee70  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

 

The buffer at address 0x097eee00 is used to store the result of parsing the ‘flags’ field.

The following C code in function sub_8049FA2 from IDA Pro is used to handle the ‘flags’ field:

//parse the Flags field which length is 0x24, the result is stored in param a1.  v20 points to the offset of data in the glyph object.

do 

      {

        if ( v14 )

        {

          v28 -= v14;

          v54 = v28;

          if ( v28 < 0 )

            return 5133;

          if ( v14 )

          {

            LOBYTE(v50) = *(v27 - 1);

            memset(v27, v50, v14);

            v27 += v14;

            do

              --v14;

            while ( v14 );

            v28 = v54;

          }

        }

        else

        {

          v29 = *(_BYTE *)v20;

          *v27 = *(_BYTE *)v20;

          if ( v29 & 8 )

          {

            if ( ++v20 > *(_DWORD *)(a4 + 8) )

              return 5133;

            v14 = *(_BYTE *)v20;

          }

          ++v20;

          ++v27;

          --v28;

          if ( v20 > *(_DWORD *)(a4 + 8) )

            return 5133;

        }

      }

      while ( v28 > 0 );

      if ( v14 )

        return 5121;

      v30 = v55;

      v31 = 0;

      v32 = (char *)a1;  // a1 stores the result of parsing Flags field. |01 22 26 35 34 36 33 32 1f ed ed ed 03 14 16 00 ed ed ed ed ed ed ed 23 22 26 35 34 26 35 34 12 35 34 36 33|

      v33 = 0;

      v51 = a1;

      v48 = 0;

 

After the parsing of the ‘flags’ field is finished, we see the following debug info:

0:022> t

eax=097ef6e0 ebx=097eee24 ecx=00000000 edx=00000006 esi=2952cfc4 edi=00060000

eip=0959a1ab esp=2911e5f8 ebp=2911e608 iopl=0         nv up ei pl zr na pe nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246

CoolType!CTInit+0x45e60:

0959a1ab 8b7d30          mov     edi,dword ptr [ebp+30h] ss:002b:2911e638=00000024                       

 

0:022> db ebx-24 L30

097eee00  01 22 26 35 34 36 33 32-1f ed ed ed 03 14 16 00  ."&54632........

097eee10  ed ed ed ed ed ed ed 23-22 26 35 34 26 35 34 12  .......#"&54&54.

097eee20  35 34 36 33 00 00 00 00-00 00 00 00 00 00 00 00  5463............               

 

0:022> db esi

2952cfc4  32 1f 00 ed 02 01 4a 30-46 46 30 30 45 45 03 07  2.....J0FF00EE..

2952cfd4  36 2c 2b 37 07 14 37 2b-2b 37 14 04 f2 44 30 30  6,+7..7++7...D00

2952cfe4  44 44 30 30 44 fc d4 3c-ef 3c 2c 38 38 2c 3c ef  DD00D..<.<,88,<.

2952cff4  3c 5e 01 19 5e 2d 38 38-2d 5e fe e7 ?? ?? ?? ??  <^..^-88-^..????

2952d004  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

2952d014  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

2952d024  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

2952d034  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

 

From Figure 5, we can see that three different bytes are located in the ‘flags’ field.  This leads to a very different result. 

The result is stored in a buffer at address 0x097eee00, and its size is 0x24. Then the buffer is used to parse the xCoordinates[ ] and yCoordinates[ ] fields.  The following C code in function sub_8049FA2 from IDA Pro is used to handle the xCoordinates[ ] field:

v48 = 0;

      if ( v55 > 0 )  //handling xCoordinates, the result is stored in param a3. 

        {

        v34 = 0;

        do

        {

          v35 = *v32;

          if ( v35 & 2 )

          {

            v36 = (v35 & 0x10) == 0;

            v37 = *(_BYTE *)v20;

            if ( v36 )

              v34 -= v37;

            else

              v34 += v37;

            ++v20;

          }

          else if ( !(v35 & 0x10) )

          {

            v38 = *(_BYTE *)(v20 + 1);

            v34 += _byteswap_ushort(*(_WORD *)v20);

            v33 = v48;

            v20 += 2;

          }

          *(_DWORD *)a3 = v34;

          a3 += 4;

          v32 = (char *)v51 + 1;

          v51 = (char *)v51 + 1;

          v30 = v55;

          if ( v20 > *(_DWORD *)(a4 + 8) )

            return 5133;

          v48 = ++v33;

        }

        while ( v33 < v55 );

      }

 

After handling ‘xCoordinates’ is finished, we find the following debug info:

0:022> t

eax=097eee24 ebx=00000000 ecx=00000024 edx=0000efeb esi=2952cfeb edi=00000024

eip=0959a224 esp=2911e5f8 ebp=2911e608 iopl=0         nv up ei pl zr na pe nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246

CoolType!CTInit+0x45ed9:

0959a224 895d28          mov     dword ptr [ebp+28h],ebx ss:002b:2911e630=097eee24

 

0:022> db esi

2952cfeb  3c ef 3c 2c 38 38 2c 3c-ef 3c 5e 01 19 5e 2d 38  <.<,88,<.<^..^-8

2952cffb  38 2d 5e fe e7 ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  8-^..???????????

2952d00b  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

2952d01b  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

 

0:022> dd 097ef3bc L40

097ef3bc  0000321f 0000321f 00003132 00003132

097ef3cc  00003132 00003134 00003135 0000317f

097ef3dc  000031af 000077f5 ffffa825 ffffed6a

097ef3ec  ffffed67 ffffed67 ffffed6e 0000239a

097ef3fc  00004ed1 000055e5 ffff8d10 ffffb847

097ef40c  ffffcc4b ffffbe8f ffffeebf ffffee7b

097ef41c  ffffee37 ffffee07 ffffee07 ffffee07

097ef42c  ffffedd7 ffffedd7 ffffedd7 ffffee1b

097ef43c  ffffee1b ffffee1b ffffef17 ffffefeb

097ef44c  00000000 00000000 00000000 00000000

097ef45c  00000000 00000000 00000000 00000000

097ef46c  00000000 00000000 00000000 00000000

097ef47c  00000000 00000000 00000000 00000000

097ef48c  00000000 00000000 00000000 00000000

097ef49c  00000000 00000000 00000000 00000000

097ef4ac  00000000 00000000 00000000 00000000

 

Next, the following C code in function sub_8049FA2 from IDA Pro is used to handle the yCoordinates[ ] field:

if ( v30 > 0 )   // handle yCoordinates, the result is stored in param a2. 

      {    //v20 points to the following buffer.

                  2952cfeb  3c ef 3c 2c 38 38 2c 3c-ef 3c 5e 01 19 5e 2d 38  <.<,88,<.<^..^-8

                  2952cffb  38 2d 5e fe e7 ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  8-^..???????????

 

        v39 = (char *)a1; // a1 stores the result of parsing the Flags field. |01 22 26 35 34 36 33 32 1f ed ed ed 03 14 16 00 ed ed ed ed ed ed ed 23 22 26 35 34 26 35 34 12 35 34 36 33|

 

        v40 = 0;

        v41 = a4;

        do

        {

          v42 = *v39;

          if ( v42 & 4 )

          {

            v36 = (v42 & 0x20) == 0;

            v43 = *(_BYTE *)v20;   //crash here!

            if ( v36 )

              v40 -= v43;

            else

              v40 += v43;

            ++v20;

          }

          else if ( !(v42 & 0x20) )

          {

            v44 = *(_BYTE *)(v20 + 1);

            v40 += _byteswap_ushort(*(_WORD *)v20);

            v41 = a4;

            v20 += 2;

          }

          v45 = (_DWORD *)a2;

          a2 += 4;

          *v45 = v40;

          *(_BYTE *)a1 &= 1u;

          v39 = (char *)a1 + 1;

          a1 = (char *)a1 + 1;

          if ( v20 > *(_DWORD *)(v41 + 8) )

            return 5133;

        }

        while ( ++v31 < v55 );  //v55 is 0x24

      }

 

When the crash occurs, we see the following debug info, shown below:

0:022> t

eax=097eeeed ebx=00000015 ecx=097ef6e0 edx=0000cc6c esi=2952d000 edi=00000024

eip=0959a23c esp=2911e5f8 ebp=2911e608 iopl=0         nv up ei pl nz na po nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202

CoolType!CTInit+0x45ef1:

0959a23c 0fb606          movzx   eax,byte ptr [esi]         ds:002b:2952d000=??

 

0:022> t

(8de0.6bc4): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=097eeeed ebx=00000015 ecx=097ef6e0 edx=0000cc6c esi=2952d000 edi=00000024

eip=0959a23c esp=2911e5f8 ebp=2911e608 iopl=0         nv up ei pl nz na po nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202

CoolType!CTInit+0x45ef1:

0959a23c 0fb606          movzx   eax,byte ptr [esi]         ds:002b:2952d000=??

 

0:022> dd 097ef510

097ef510  00003cef 00003cef 00003d2b 00003d57

097ef520  00003d8f 00003dc7 00003dc7 00003dc7

097ef530  00003d9b 00003dd7 00003ec6 00003f02

097ef540  ffff9d03 ffff9cea ffff9c8c ffffc9c4

097ef550  ffffc9fc ffffca29 ffffca87 ffffcb85

097ef560  ffffcc6c 00000000 00000000 00000000

097ef570  00000000 00000000 00000000 00000000

097ef580  00000000 00000000 00000000 00000000

 

0:022> db esi L10

2952d000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

 

Because ebx is smaller than edi, the loop condition is still true and the program continues to parse the yCoordinates[ ] field. While esi points to the end of the simple glyph, it causes an out of bounds memory access.

In summary, this vulnerability is a typical heap buffer overflow vulnerability. In particular, the vulnerability is caused by a crafted PDF file which includes an invalid font file. It causes an out of bounds memory access, due to improper bounds checking when manipulating an array pointer. Attackers can exploit the vulnerability by using the out of bounds access for unintended reads, writes, or frees – potentially leading to code corruption, control-flow hijack, or information leak attack.

Mitigation

All users of Adobe Acrobat and Reader are encouraged to upgrade to the latest version of these software. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the signature Adobe.Acrobat.Reader.CoolType.TTF.Memory.Corruption.