SRC-2017-0007 : Adobe Acrobat Pro DC ImageConversion EMF parsing EMR_EXTTEXTOUTA Array Indexing Remote Code Execution Vulnerability
Acrobat Pro DC
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of EMF files. The issue results from the lack of proper validation of user-supplied data in the EMR_EXTTEXTOUTA record, which can result in a out-of-bounds read memory access during array indexing. An attacker can leverage this vulnerability to execute code under the context of the current process.
Upon parsing the crafted EMF file, the following access violation occurs:
(fbc.d4c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=487cc578 ebx=0015d1f0 ecx=48b0eb3c edx=00006544 esi=0007d400 edi=48ac2c00 eip=6286a2ac esp=0015d144 ebp=0015d1d0 iopl=0 nv up ei ng nz na pe cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210287 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Acrobat DC\Acrobat\MPS.dll - MPS+0xa2ac: 6286a2ac 668b0450 mov ax,word ptr [eax+edx*2] ds:0023:487d9000=????
The vulnerability occurs in sub_1000A050 within MPS.dll:
.text:1000A2A0 loc_1000A2A0: .text:1000A2A0 mov dword ptr [ecx], 0 .text:1000A2A6 lea ecx, [ecx+0Ch] .text:1000A2A9 mov eax, [ebx+4] .text:1000A2AC mov ax, [eax+edx*2] ; out-of-bounds read .text:1000A2B0 inc edx .text:1000A2B1 mov [ecx-0Ch], ax .text:1000A2B5 cmp edx, [ebp+var_44] .text:1000A2B8 jb short loc_1000A2A0
The index is influenced and controlled at offset 0x215 and can be leveraged to read and write out of bounds.
Adobe has issued an update to correct these vulnerabilities. More details can be found at:
- 2016-06-07 – Verified and sent to Adobe PSIRT
- 2017-08-08 – Coordinated public release of advisory
Proof of Concept:
This vulnerability was discovered by Steven Seeley of Source Incite