SRC-2017-0007 : Adobe Acrobat Pro DC ImageConversion EMF parsing EMR_EXTTEXTOUTA Array Indexing Remote Code Execution Vulnerability

CVE ID:

CVE-2017-11262

CVSS Score:

6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Vendors:

Adobe

Affected Products:

Adobe Acrobat Pro DC

Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of EMF files. The issue results from the lack of proper validation of user-supplied data in the EMR_EXTTEXTOUTA record, which can result in a out-of-bounds read memory access during array indexing. An attacker can leverage this vulnerability to execute code under the context of the current process.

Upon parsing the crafted EMF file, the following access violation occurs:

(fbc.d4c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=487cc578 ebx=0015d1f0 ecx=48b0eb3c edx=00006544 esi=0007d400 edi=48ac2c00
eip=6286a2ac esp=0015d144 ebp=0015d1d0 iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210287
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Acrobat DC\Acrobat\MPS.dll - 
MPS+0xa2ac:
6286a2ac 668b0450        mov     ax,word ptr [eax+edx*2]  ds:0023:487d9000=????

The vulnerability occurs in sub_1000A050 within MPS.dll:

.text:1000A2A0 loc_1000A2A0:
.text:1000A2A0                 mov     dword ptr [ecx], 0
.text:1000A2A6                 lea     ecx, [ecx+0Ch]
.text:1000A2A9                 mov     eax, [ebx+4]
.text:1000A2AC                 mov     ax, [eax+edx*2]            ; out-of-bounds read
.text:1000A2B0                 inc     edx
.text:1000A2B1                 mov     [ecx-0Ch], ax
.text:1000A2B5                 cmp     edx, [ebp+var_44]
.text:1000A2B8                 jb      short loc_1000A2A0

The index is influenced and controlled at offset 0x215 and can be leveraged to read and write out of bounds.

Vendor Response:

Adobe has issued an update to correct these vulnerabilities. More details can be found at:
https://helpx.adobe.com/security/products/acrobat/apsb17-24.html

Disclosure Timeline:

  • 2016-06-07 – Verified and sent to Adobe PSIRT
  • 2017-08-08 – Coordinated public release of advisory

Proof of Concept:

https://github.com/sourceincite/poc/blob/master/SRC-2017-0007.emf

Credit:

This vulnerability was discovered by Steven Seeley of Source Incite