Talos Vulnerability Report

TALOS-2023-1906

Adobe Acrobat Reader Font CPAL integer overflow vulnerability

February 15, 2024
CVE Number

CVE-2024-20730

SUMMARY

An integer overflow vulnerability exists in the font file processing functionality of Adobe Acrobat Reader 2023.006.20380. A specially crafted font file embedded into a PDF can trigger this vulnerability, which can lead to a buffer overflow and could result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Adobe Acrobat Reader 2023.006.20380

PRODUCT URLS

Acrobat Reader - https://acrobat.adobe.com/us/en/acrobat/pdf-reader.html

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-680 - Integer Overflow to Buffer Overflow

DETAILS

Adobe Acrobat Reader is one of the most popular and feature-rich PDF readers on the market. It has a large user base and is usually a default PDF reader on systems. It also integrates into web browsers as a plugin for rendering PDFs.

Adobe Acrobat supports parsing of font files embedded in a PDF. This vulnerability is related to the OpenType font format. An OpenType font file starts with a table directory (TableDirectory) followed by one or more table record (TableRecord) entries. The structure of TableDirectory is as follows:

Offset Size   Name
------ ----- --------------------------------------
0x00    0x04  sfntVersion (0x00010000 or 0x4F54544F  )
0x04    0x02  numTables
0x06    0x02  searchRange
0x08    0x02  entrySelector
0x0c    0x02  rangeShift

If the value of the sfntVersion field is 0x00010000, the font contains TrueType data. CFF data is present if the value of sfntVersion is 0x4F54544F ('OTTO'). The numTables field specifies the number of TableRecord entries present in the font file. The structure of a TableRecord entry is as follows:

Offset Size   Name
------ ----- ----------------------------------
0x00    0x04  tableTag
0x04    0x04  tableChecksum
0x08    0x04  tableOffset
0x0C    0x04  tableLength

tableTag identifies the table that the TableRecord describes. The tableOffset field specifies the offset of the table from the beginning of the file, and tableLength is the length of the table in bytes. The layout of the table itself depends on its type, which is defined by the tableTag. This vulnerability occurs when the value of the tableTag field is the string CPAL, which indicates the table type is Color Palette Table (CPAL).

CPAL is an optional table that defines palettes of colors for use with color fonts. The CPAL table starts with a header. The structure of the CPAL table header is as follows:

Offset Size        Name
------ ----------- --------------------------------------
0x00   0x02        cpalVersion
0x02   0x02        numPaletteEntries
0x04   0x02        numPalettes (np)
0x06   0x02        numColorRecords
0x08   0x04        colorRecordsArrayOffset
0x0C   0x02 * np   colorRecordIndices[numPalettes]

cpalVersion indicates the version of the header. The numPaletteEntries field defines the number of palette entries in each palette. The numPalettes field indicates the number of palettes in the table. The numColorRecords field specifies the number of color records. In the application, the code responsible for processing a CPAL table can be followed in the debugger as shown below:

Breakpoint 0 hit
eax=ae876fe8 ebx=6cd309d4 ecx=00000000 edx=ae876fe8 esi=a2e06fb0 edi=ae876fe8
eip=6caee424 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e014:
6caee424 6a00            push    0
0:021> p
eax=ae876fe8 ebx=6cd309d4 ecx=00000000 edx=ae876fe8 esi=a2e06fb0 edi=ae876fe8
eip=6caee426 esp=58d9f2a8 ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e016:
6caee426 ff750c          push    dword ptr [ebp+0Ch]  ss:002b:58d9f2fc=58d9f33c
0:021> p
eax=ae876fe8 ebx=6cd309d4 ecx=00000000 edx=ae876fe8 esi=a2e06fb0 edi=ae876fe8
eip=6caee429 esp=58d9f2a4 ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e019:
6caee429 56              push    esi

0:021> dd esi
a2e06fb0  6ca31cf0 6cc25c30 6cc25ac0 6ca34f10
a2e06fc0  6cc25a60 6cc25b40 6ca34fd0 6cc25aa0
a2e06fd0  6ca314e0 6ca31cb0 00000000 6cc259d0
a2e06fe0  6cc25a10 00000000 00000000 00000000
a2e06ff0  6cd309d4 adcb6fa0 0000005a 00000000
a2e07000  ???????? ???????? ???????? ????????
a2e07010  ???????? ???????? ???????? ????????
a2e07020  ???????? ???????? ???????? ????????
0:021> db adcb6fa0                                                                      <------------------- (1)
adcb6fa0  00 00 80 00 80 00 00 13-00 00 00 0e 00 00 00 00  ................
adcb6fb0  00 ff 80 80 80 ff c0 c0-c0 ff ff ff ff ff 00 00  ................
adcb6fc0  ff ff 00 7b ff ff 38 d4-ff ff 00 f0 ff ff 00 ff  ...{..8.........
adcb6fd0  08 ff 00 ff 99 ff 3d f2-b2 ff f0 ff 00 ff ff dd  ......=.........
adcb6fe0  00 ff f0 f5 a7 ff ff 40-00 ff ff 88 00 ff ff 00  .......@........
adcb6ff0  bb ff 88 00 ff ff b2 67-ff ff d0 d0 d0 d0 d0 d0  .......g........
adcb7000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
adcb7010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:021> p
eax=ae876fe8 ebx=6cd309d4 ecx=00000000 edx=ae876fe8 esi=a2e06fb0 edi=ae876fe8
eip=6caee42a esp=58d9f2a0 ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e01a:
6caee42a 8b760c          mov     esi,dword ptr [esi+0Ch] ds:002b:a2e06fbc=6ca34f10
0:021> p
eax=ae876fe8 ebx=6cd309d4 ecx=00000000 edx=ae876fe8 esi=6ca34f10 edi=ae876fe8
eip=6caee42d esp=58d9f2a0 ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e01d:
6caee42d 8bce            mov     ecx,esi
0:021> p
eax=ae876fe8 ebx=6cd309d4 ecx=6ca34f10 edx=ae876fe8 esi=6ca34f10 edi=ae876fe8
eip=6caee42f esp=58d9f2a0 ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e01f:
6caee42f ff1530e6c56c    call    dword ptr [CoolType!CTGetVersion+0x1529a0 (6cc5e630)] ds:002b:6cc5e630={ntdll!LdrpValidateUserCallTarget (77a988f0)}
0:021> p
eax=0d9469e2 ebx=6cd309d4 ecx=6ca34f10 edx=04000005 esi=6ca34f10 edi=ae876fe8
eip=6caee435 esp=58d9f2a0 ebp=58d9f2f0 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000247
CoolType!CTCleanup+0x4e025:
6caee435 ffd6            call    esi {CoolType!CTInit+0x218b0 (6ca34f10)}
0:021> p
eax=00000000 ebx=6cd309d4 ecx=00000000 edx=00000000 esi=6ca34f10 edi=ae876fe8
eip=6caee437 esp=58d9f2a0 ebp=58d9f2f0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4e027:
6caee437 83c40c          add     esp,0Ch
0:021> p
eax=00000000 ebx=6cd309d4 ecx=00000000 edx=00000000 esi=6ca34f10 edi=ae876fe8
eip=6caee43a esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e02a:
6caee43a 0fb7c0          movzx   eax,ax
0:021> p
eax=00000000 ebx=6cd309d4 ecx=00000000 edx=00000000 esi=6ca34f10 edi=ae876fe8
eip=6caee43d esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e02d:
6caee43d 8945c8          mov     dword ptr [ebp-38h],eax ss:002b:58d9f2b8=58d9f344
0:021> p
eax=00000000 ebx=6cd309d4 ecx=00000000 edx=00000000 esi=6ca34f10 edi=ae876fe8
eip=6caee440 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e030:
6caee440 8b4510          mov     eax,dword ptr [ebp+10h] ss:002b:58d9f300=a2e06fb0
0:021> p
eax=a2e06fb0 ebx=6cd309d4 ecx=00000000 edx=00000000 esi=6ca34f10 edi=ae876fe8
eip=6caee443 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e033:
6caee443 6a02            push    2
0:021> pc
eax=a2e06fb0 ebx=6cd309d4 ecx=6ca34f10 edx=00000000 esi=6ca34f10 edi=ae876fe8
eip=6caee44e esp=58d9f2a0 ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e03e:
6caee44e ff1530e6c56c    call    dword ptr [CoolType!CTGetVersion+0x1529a0 (6cc5e630)] ds:002b:6cc5e630={ntdll!LdrpValidateUserCallTarget (77a988f0)}
0:021> p
eax=0d9469e2 ebx=6cd309d4 ecx=6ca34f10 edx=04000005 esi=6ca34f10 edi=ae876fe8
eip=6caee454 esp=58d9f2a0 ebp=58d9f2f0 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000247
CoolType!CTCleanup+0x4e044:
6caee454 ffd6            call    esi {CoolType!CTInit+0x218b0 (6ca34f10)}     ;<---------------------------------- (2)
0:021> p
eax=00008000 ebx=6cd309d4 ecx=00000000 edx=00000002 esi=6ca34f10 edi=ae876fe8
eip=6caee456 esp=58d9f2a0 ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e046:
6caee456 83c40c          add     esp,0Ch
0:021> p
eax=00008000 ebx=6cd309d4 ecx=00000000 edx=00000002 esi=6ca34f10 edi=ae876fe8
eip=6caee459 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e049:
6caee459 0fb7c0          movzx   eax,ax
0:021> p
eax=00008000 ebx=6cd309d4 ecx=00000000 edx=00000002 esi=6ca34f10 edi=ae876fe8
eip=6caee45c esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e04c:
6caee45c 8945e4          mov     dword ptr [ebp-1Ch],eax ss:002b:58d9f2d4=6ca31385 ;<-------------------------- (3)
0:021> p
eax=00008000 ebx=6cd309d4 ecx=00000000 edx=00000002 esi=6ca34f10 edi=ae876fe8
eip=6caee45f esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e04f:
6caee45f 8b4510          mov     eax,dword ptr [ebp+10h] ss:002b:58d9f300=a2e06fb0
0:021> p
eax=a2e06fb0 ebx=6cd309d4 ecx=00000000 edx=00000002 esi=6ca34f10 edi=ae876fe8
eip=6caee462 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e052:
6caee462 6a04            push    4
0:021> p
eax=a2e06fb0 ebx=6cd309d4 ecx=00000000 edx=00000002 esi=6ca34f10 edi=ae876fe8
eip=6caee464 esp=58d9f2a8 ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e054:
6caee464 ff750c          push    dword ptr [ebp+0Ch]  ss:002b:58d9f2fc=58d9f33c
0:021> p
eax=a2e06fb0 ebx=6cd309d4 ecx=00000000 edx=00000002 esi=6ca34f10 edi=ae876fe8
eip=6caee467 esp=58d9f2a4 ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e057:
6caee467 8b700c          mov     esi,dword ptr [eax+0Ch] ds:002b:a2e06fbc=6ca34f10
0:021> p
eax=a2e06fb0 ebx=6cd309d4 ecx=00000000 edx=00000002 esi=6ca34f10 edi=ae876fe8
eip=6caee46a esp=58d9f2a4 ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e05a:
6caee46a 8bce            mov     ecx,esi
0:021> p
eax=a2e06fb0 ebx=6cd309d4 ecx=6ca34f10 edx=00000002 esi=6ca34f10 edi=ae876fe8
eip=6caee46c esp=58d9f2a4 ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e05c:
6caee46c 50              push    eax
0:021> p
eax=a2e06fb0 ebx=6cd309d4 ecx=6ca34f10 edx=00000002 esi=6ca34f10 edi=ae876fe8
eip=6caee46d esp=58d9f2a0 ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e05d:
6caee46d ff1530e6c56c    call    dword ptr [CoolType!CTGetVersion+0x1529a0 (6cc5e630)] ds:002b:6cc5e630={ntdll!LdrpValidateUserCallTarget (77a988f0)}
0:021> p
eax=0d9469e2 ebx=6cd309d4 ecx=6ca34f10 edx=04000005 esi=6ca34f10 edi=ae876fe8
eip=6caee473 esp=58d9f2a0 ebp=58d9f2f0 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000247
CoolType!CTCleanup+0x4e063:
6caee473 ffd6            call    esi {CoolType!CTInit+0x218b0 (6ca34f10)}      ;<---------------------------------- (4)
0:021> p
eax=00008000 ebx=6cd309d4 ecx=00000000 edx=00000004 esi=6ca34f10 edi=ae876fe8
eip=6caee475 esp=58d9f2a0 ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e065:
6caee475 83c40c          add     esp,0Ch
0:021> p
eax=00008000 ebx=6cd309d4 ecx=00000000 edx=00000004 esi=6ca34f10 edi=ae876fe8
eip=6caee478 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e068:
6caee478 0fb7c0          movzx   eax,ax
0:021> p
eax=00008000 ebx=6cd309d4 ecx=00000000 edx=00000004 esi=6ca34f10 edi=ae876fe8
eip=6caee47b esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e06b:
6caee47b 8945e0          mov     dword ptr [ebp-20h],eax ss:002b:58d9f2d0=58d9f2ec ;<---------------------------------- (5)
0:021> p
eax=00008000 ebx=6cd309d4 ecx=00000000 edx=00000004 esi=6ca34f10 edi=ae876fe8
eip=6caee47e esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e06e:
6caee47e 8b4510          mov     eax,dword ptr [ebp+10h] ss:002b:58d9f300=a2e06fb0
[...]
0:021> p
eax=0000000e ebx=6cd309d4 ecx=0000000e edx=adcb6fa0 esi=6ca34fd0 edi=ae876fe8
eip=6caee4b3 esp=58d9f2a0 ebp=58d9f2f0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e0a3:
6caee4b3 8b4de4          mov     ecx,dword ptr [ebp-1Ch] ss:002b:58d9f2d4=00008000
0:021> p
eax=0000000e ebx=6cd309d4 ecx=00008000 edx=adcb6fa0 esi=6ca34fd0 edi=ae876fe8
eip=6caee4b6 esp=58d9f2a0 ebp=58d9f2f0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4e0a6:
6caee4b6 83c40c          add     esp,0Ch
0:021> p
eax=0000000e ebx=6cd309d4 ecx=00008000 edx=adcb6fa0 esi=6ca34fd0 edi=ae876fe8
eip=6caee4b9 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e0a9:
6caee4b9 8945d8          mov     dword ptr [ebp-28h],eax ss:002b:58d9f2c8=6ca3148b
0:021> p
eax=0000000e ebx=6cd309d4 ecx=00008000 edx=adcb6fa0 esi=6ca34fd0 edi=ae876fe8
eip=6caee4bc esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e0ac:
6caee4bc 8b45e0          mov     eax,dword ptr [ebp-20h] ss:002b:58d9f2d0=00008000
0:021> p
eax=00008000 ebx=6cd309d4 ecx=00008000 edx=adcb6fa0 esi=6ca34fd0 edi=ae876fe8
eip=6caee4bf esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e0af:
6caee4bf 0fb7c9          movzx   ecx,cx
0:021> p
eax=00008000 ebx=6cd309d4 ecx=00008000 edx=adcb6fa0 esi=6ca34fd0 edi=ae876fe8
eip=6caee4c2 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e0b2:
6caee4c2 0fb7c0          movzx   eax,ax
0:021> p
eax=00008000 ebx=6cd309d4 ecx=00008000 edx=adcb6fa0 esi=6ca34fd0 edi=ae876fe8
eip=6caee4c5 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e0b5:
6caee4c5 8bd1            mov     edx,ecx
0:021> p
eax=00008000 ebx=6cd309d4 ecx=00008000 edx=00008000 esi=6ca34fd0 edi=ae876fe8
eip=6caee4c7 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e0b7:
6caee4c7 0fafd0          imul    edx,eax                                      ; <--------------------------------- (6)
0:021> p
eax=00008000 ebx=6cd309d4 ecx=00008000 edx=40000000 esi=6ca34fd0 edi=ae876fe8
eip=6caee4ca esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e0ba:
6caee4ca 894df0          mov     dword ptr [ebp-10h],ecx ss:002b:58d9f2e0=00000001
:021> p
eax=00008000 ebx=6cd309d4 ecx=00008000 edx=40000000 esi=6ca34fd0 edi=ae876fe8
eip=6caee4cd esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e0bd:
6caee4cd 8b4ddc          mov     ecx,dword ptr [ebp-24h] ss:002b:58d9f2cc=00000013
0:021> 
eax=00008000 ebx=6cd309d4 ecx=00000013 edx=40000000 esi=6ca34fd0 edi=ae876fe8
eip=6caee4d0 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e0c0:
6caee4d0 8945ec          mov     dword ptr [ebp-14h],eax ss:002b:58d9f2dc=00000050
0:021> 
eax=00008000 ebx=6cd309d4 ecx=00000013 edx=40000000 esi=6ca34fd0 edi=ae876fe8
eip=6caee4d3 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e0c3:
6caee4d3 0fb7c1          movzx   eax,cx
0:021> 
eax=00000013 ebx=6cd309d4 ecx=00000013 edx=40000000 esi=6ca34fd0 edi=ae876fe8
eip=6caee4d6 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e0c6:
6caee4d6 8955cc          mov     dword ptr [ebp-34h],edx ss:002b:58d9f2bc=6cc31385
0:021> 
eax=00000013 ebx=6cd309d4 ecx=00000013 edx=40000000 esi=6ca34fd0 edi=ae876fe8
eip=6caee4d9 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4e0c9:
6caee4d9 8945f4          mov     dword ptr [ebp-0Ch],eax ss:002b:58d9f2e4=b26f6fd0

At (1), we can observe the content of the CPAL table. The method called at (2) returns the value of the numPaletteEntries field of the CPAL table. The register eax contains numPaletteEntries, and its value can be observed at (3). The method called at (4) reads numPalettes from the CPAL table. We can examine its value, contained in eax, at (5). At (6), a totalPalette variable is calculated by multiplying numPaletteEntries and numPalettes. Later on, the totalPalette variable is used to calculate a buffer size without any validation. We can observe the following in the debugger:

0:021> g
Breakpoint 1 hit
eax=ffffffff ebx=6cd309d4 ecx=a0946ffd edx=11511004 esi=0000005d edi=ae876fe8
eip=6caee5b9 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4e1a9:
6caee5b9 8b45cc          mov     eax,dword ptr [ebp-34h] ss:002b:58d9f2bc=40000000  ; <--------------------------------- (7)
0:021> p
eax=40000000 ebx=6cd309d4 ecx=a0946ffd edx=11511004 esi=0000005d edi=ae876fe8
eip=6caee5bc esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4e1ac:
6caee5bc 8b33            mov     esi,dword ptr [ebx]  ds:002b:6cd309d4=6ca31480
0:021> p
eax=40000000 ebx=6cd309d4 ecx=a0946ffd edx=11511004 esi=6ca31480 edi=ae876fe8
eip=6caee5be esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4e1ae:
6caee5be 8bce            mov     ecx,esi
0:021> p
eax=40000000 ebx=6cd309d4 ecx=6ca31480 edx=11511004 esi=6ca31480 edi=ae876fe8
eip=6caee5c0 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4e1b0:
6caee5c0 c1e002          shl     eax,2                                         ; <--------------------------------- (8)
0:021> p
eax=00000000 ebx=6cd309d4 ecx=6ca31480 edx=11511004 esi=6ca31480 edi=ae876fe8
eip=6caee5c3 esp=58d9f2ac ebp=58d9f2f0 iopl=0         ov up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000a47
CoolType!CTCleanup+0x4e1b3:
6caee5c3 50              push    eax
0:021> p
eax=00000000 ebx=6cd309d4 ecx=6ca31480 edx=11511004 esi=6ca31480 edi=ae876fe8
eip=6caee5c4 esp=58d9f2a8 ebp=58d9f2f0 iopl=0         ov up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000a47
CoolType!CTCleanup+0x4e1b4:
6caee5c4 53              push    ebx
0:021> p
eax=00000000 ebx=6cd309d4 ecx=6ca31480 edx=11511004 esi=6ca31480 edi=ae876fe8
eip=6caee5c5 esp=58d9f2a4 ebp=58d9f2f0 iopl=0         ov up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000a47
CoolType!CTCleanup+0x4e1b5:
6caee5c5 ff1530e6c56c    call    dword ptr [CoolType!CTGetVersion+0x1529a0 (6cc5e630)] ds:002b:6cc5e630={ntdll!LdrpValidateUserCallTarget (77a988f0)}
0:021> p
eax=0d946290 ebx=6cd309d4 ecx=6ca31480 edx=10010400 esi=6ca31480 edi=ae876fe8
eip=6caee5cb esp=58d9f2a4 ebp=58d9f2f0 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000247
CoolType!CTCleanup+0x4e1bb:
6caee5cb ffd6            call    esi {CoolType!CTInit+0x1de20 (6ca31480)}        ; <--------------------------------- (9)
0:021> p
eax=9dc06ff8 ebx=6cd309d4 ecx=00000000 edx=00000000 esi=6ca31480 edi=ae876fe8
eip=6caee5cd esp=58d9f2a4 ebp=58d9f2f0 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
CoolType!CTCleanup+0x4e1bd:
6caee5cd 8365f800        and     dword ptr [ebp-8],0  ss:002b:58d9f2e8=0000005d
0:021> dd eax                                                                   ; <--------------------------------- (10)
9dc06ff8  d0d0d0c0 d0d0d0d0 ???????? ????????
9dc07008  ???????? ???????? ???????? ????????
9dc07018  ???????? ???????? ???????? ????????
9dc07028  ???????? ???????? ???????? ????????
9dc07038  ???????? ???????? ???????? ????????
9dc07048  ???????? ???????? ???????? ????????
9dc07058  ???????? ???????? ???????? ????????
9dc07068  ???????? ???????? ???????? ????????

In the above code, the totalPalette variable is read at (7). The vulnerable buffer size is calculated at (8) by multiplying totalPalette by 4 (a left shift by two in a 32-bit register). malloc is called with that size at (9).

This vulnerability occurs when the value of the product (4 * numPaletteEntries * numPalettes) is greater than 0xFFFFFFFF. Because the size is held in a 32-bit register, a value that exceeds 0xFFFFFFFF wraps around and becomes a very small number. In our case, numPaletteEntries and numPalettes are both 0x8000, so totalPalette is 0x40000000 and the shift at (8) overflows to 0, causing malloc to be called with this invalid size. The vulnerable buffer with the invalid size allocated by malloc can be observed at (10). The crash occurs when a loop tries to write (4 * numPaletteEntries * numPalettes) bytes to the buffer. This can be observed in a debugger at the time of the crash:

0:021> g
(1d4.156c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffc0c0c0 ebx=00000002 ecx=00000002 edx=9dc06ff8 esi=6ca34f10 edi=a2e06fb0
eip=6caee612 esp=58d9f2ac ebp=58d9f2f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
CoolType!CTCleanup+0x4e202:
6caee612 89048a          mov     dword ptr [edx+ecx*4],eax ds:002b:9dc07000=????????  <------------------------- (11)
0:021> dd edx
9dc06ff8  ff000000 ff808080 ???????? ????????
9dc07008  ???????? ???????? ???????? ????????
9dc07018  ???????? ???????? ???????? ????????
9dc07028  ???????? ???????? ???????? ????????
9dc07038  ???????? ???????? ???????? ????????
9dc07048  ???????? ???????? ???????? ????????
9dc07058  ???????? ???????? ???????? ????????
9dc07068  ???????? ???????? ???????? ????????
0:021> u
CoolType!CTCleanup+0x4e202:
6caee612 89048a          mov     dword ptr [edx+ecx*4],eax
6caee615 41              inc     ecx
6caee616 8b45f4          mov     eax,dword ptr [ebp-0Ch]
6caee619 43              inc     ebx
6caee61a 894df8          mov     dword ptr [ebp-8],ecx
6caee61d 3b5df0          cmp     ebx,dword ptr [ebp-10h]
6caee620 7ccd            jl      CoolType!CTCleanup+0x4e1df (6caee5ef)
6caee622 8b4dec          mov     ecx,dword ptr [ebp-14h]
0:021> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 58d9f2f0 6cae72f9     6cd309d4 58d9f33c a2e06fb0 CoolType!CTCleanup+0x4e202
01 58d9f350 6cae70d5     00000000 6cada4d5 b3d46bd8 CoolType!CTCleanup+0x46ee9
02 58d9f3a4 6cae52b1     00000000 00000000 b26f6fd0 CoolType!CTCleanup+0x46cc5
03 58d9f3b8 6cb05778     00000000 58d9f408 6cc0be24 CoolType!CTCleanup+0x44ea1
04 58d9f3c4 6cc0be24     00000000 6cada379 79f96da8 CoolType!CTCleanup+0x65368
05 58d9f408 6cee2907     b3d46bd8 00000000 58d9f448 CoolType!CTGetVersion+0x100194
06 58d9f468 6cdb0f97     a67c2b00 58d9f68c f4427e0d AGM!AGMGetVersion+0xc1257
07 58d9fa44 6cdaef64     3ed3bae4 96952f70 a67c2b00 AGM!AGMInitialize+0x37997
08 58d9fc08 6cdacd22     3ed3bae4 96952f70 f4427801 AGM!AGMInitialize+0x35964
09 58d9fc48 6cdcb44b     3ed3bae4 96952f70 9c35aff0 AGM!AGMInitialize+0x33722
0a 58d9fc6c 6cdabc10     00000301 6cdcb005 96952f70 AGM!AGMInitialize+0x51e4b
0b 58d9fc74 6cdcb005     96952f70 9aefad00 9aefad18 AGM!AGMInitialize+0x32610
0c 58d9fc94 6cddb2bf     96952f70 f4427949 9aefad18 AGM!AGMInitialize+0x51a05
0d 58d9fcc4 6cdc9e01     f44278b1 58d9fd98 6cdc9d60 AGM!AGMInitialize+0x61cbf
0e 58d9fd00 6cdcaa84     96952f70 f4427971 a237cf58 AGM!AGMInitialize+0x50801
0f 58d9fd18 6d67c0e2     8d49d96d 9aefad18 58d9fd0c AGM!AGMInitialize+0x51484
10 58d9fd38 6d68c7f2     9b2e4f30 9b2e4ec8 58d9fd50 AcroRd32!CTJPEGReader::operator=+0x96842
11 58d9fd54 6d68abec     a237cf84 8d49d9e5 8d00ef90 AcroRd32!CTJPEGReader::operator=+0xa6f52
12 58d9fdb4 6d69d440     8d49da45 3d534fb8 595b6ff8 AcroRd32!CTJPEGReader::operator=+0xa534c
13 58d9fe14 6d69c99e     8d49da6d 6d69c470 4ad56ff8 AcroRd32!CTJPEGReader::operator=+0xb7ba0
14 58d9fe3c 6d69c481     1cacfc50 6d69c470 58d9fe5c AcroRd32!CTJPEGReader::operator=+0xb70fe
15 58d9fe4c 76eefcc9     4ad56ff8 76eefcb0 58d9feb8 AcroRd32!CTJPEGReader::operator=+0xb6be1
16 58d9fe5c 77a77c6e     4ad56ff8 01a5ba23 00000000 KERNEL32!BaseThreadInitThunk+0x19
17 58d9feb8 77a77c3e     ffffffff 77a98c0f 00000000 ntdll!__RtlUserThreadStart+0x2f
18 58d9fec8 00000000     6d69c470 4ad56ff8 00000000 ntdll!_RtlUserThreadStart+0x1b

At (11), the debugger output shows a crash due to an access violation with PageHeap enabled. The access violation is caused by an attempted write to out-of-bounds memory. Exploiting this vulnerability allows attackers to write arbitrary data adjacent to heap memory, which can lead to further memory corruption and arbitrary code execution.

VENDOR RESPONSE

The vendor released a security bulletin at: https://helpx.adobe.com/security/products/acrobat/apsb24-07.html. Patches can be found linked from this site.

TIMELINE

2023-12-19 - Vendor Disclosure
2024-02-13 - Vendor Patch Release
2024-02-15 - Public Release

Credit

Discovered by KPC of Cisco Talos.