adobe acrobat reader dc for windows double free due to malformed jp2 stream

▸▸▸ Exploit & Vulnerability >>   dos exploit & windows vulnerability




Online Vulnerability Scanner Tools
adobe acrobat reader dc for windows double free due to malformed jp2 stream Code Code... 
				
We have observed the following crash in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

--- cut ---
=======================================
VERIFIER STOP 00000007: pid 0x2C1C: Heap block already freed. 

	0C441000 : Heap handle for the heap owning the block.
	147E6638 : Heap block being freed again.
	00000010 : Size of the heap block.
	00000000 : Not used


=======================================
This verifier stop is not continuable. Process will be terminated 
when you use the `go' debugger command.

=======================================

(2c1c.491c): Break instruction exception - code 80000003 (first chance)
eax=66e603a0 ebx=00000000 ecx=000001a1 edx=0536c661 esi=66e5dd88 edi=0c441000
eip=66e53ae6 esp=0536c948 ebp=0536cb5c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
vrfcore!VerifierStopMessageEx+0x5b6:
66e53ae6 cc              int     3

0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 0536cb5c 66e58038 66e5d258 00000007 0c441000 vrfcore!VerifierStopMessageEx+0x5b6
01 0536cb80 66d6da5e 00000007 66d61cbc 0c441000 vrfcore!VfCoreRedirectedStopMessage+0x88
02 0536cbd8 66d6b8a8 00000007 66d61cbc 0c441000 verifier!VerifierStopMessage+0x8e
03 0536cc44 66d6bdea 0c441000 00000004 147e6638 verifier!AVrfpDphReportCorruptedBlock+0x1b8
04 0536cca0 66d6c302 0c441000 147e6638 00000004 verifier!AVrfpDphCheckNormalHeapBlock+0x11a
05 0536ccc0 66d6ab43 0c441000 0c640000 01000002 verifier!AVrfpDphNormalHeapFree+0x22
06 0536cce4 77305359 0c440000 01000002 147e6638 verifier!AVrfDebugPageHeapFree+0xe3
07 0536cd54 7725ad86 147e6638 ab70558b 00000000 ntdll!RtlDebugFreeHeap+0x3c
08 0536ceb0 7725ac3d 00000000 147e6638 00000000 ntdll!RtlpFreeHeap+0xd6
09 0536cf04 66e5aad0 0c440000 00000000 147e6638 ntdll!RtlFreeHeap+0x7cd
0a 0536cf20 74a2db1b 0c440000 00000000 147e6638 vrfcore!VfCoreRtlFreeHeap+0x20
0b 0536cf34 74a2dae8 147e6638 00000000 0536cf54 ucrtbase!_free_base+0x1b
0c 0536cf44 0f012849 147e6638 16fd32f8 0536d068 ucrtbase!free+0x18
WARNING: Stack unwind information not available. Following frames may be wrong.
0d 0536cf54 0f6d6441 147e6638 31577737 0536d0b8 AcroRd32!AcroWinMainSandbox+0x6a49
0e 0536d068 0f6c20a4 0536d0d8 00000001 00000b20 AcroRd32!CTJPEGTiledContentWriter::operator=+0x18bb1
0f 0536d230 0f6bf15d 00000000 00000000 00000000 AcroRd32!CTJPEGTiledContentWriter::operator=+0x4814
10 0536d264 0f6b209f 1771f6b4 1771f6b4 194f9078 AcroRd32!CTJPEGTiledContentWriter::operator=+0x18cd
11 0536d278 0f6a5007 194f9078 000033f8 2037a088 AcroRd32!AX_PDXlateToHostEx+0x34404f
12 0536d32c 0f0a57c9 1771f6b4 19053d28 0f0a5730 AcroRd32!AX_PDXlateToHostEx+0x336fb7
13 0536d350 0f0a56c3 1cb80970 00000001 0013d690 AcroRd32!DllCanUnloadNow+0x4c809
14 0536d370 0f02e7e1 0536d390 1cb80970 0013d690 AcroRd32!DllCanUnloadNow+0x4c703
15 0536d398 0f02e78d 1cb80970 00000001 0013d690 AcroRd32!AcroWinMainSandbox+0x229e1
16 0536d3ac 0f0e8a5b 1cb80970 00000001 0013d690 AcroRd32!AcroWinMainSandbox+0x2298d
17 0536d3c8 0f1f4315 1cb80970 00000001 0013d690 AcroRd32!DllCanUnloadNow+0x8fa9b
18 0536d42c 0f6568a8 00000000 00000e44 205378ac AcroRd32!CTJPEGDecoderHasMoreTiles+0x1a15
19 0536d4ac 0f56ae8d 0536d4cc 0536d4dc 315773af AcroRd32!AX_PDXlateToHostEx+0x2e8858
1a 0536d4f0 10d5da8c 17b908d0 0536d55c bb3e57b9 AcroRd32!AX_PDXlateToHostEx+0x1fce3d
1b 0536d56c 10d5e053 0536d5b8 bb3e5771 00000000 AGM!AGMGetVersion+0x16e3c
1c 0536d5a4 10fffb4c 193d706c 0536d5b8 fffffff9 AGM!AGMGetVersion+0x17403
1d 0536d5bc 10cd9a32 0536d650 bb3e5855 17c76ff8 AGM!AGMGetVersion+0x2b8efc
1e 0536da80 10cd75d6 0536df90 17c76ff8 0536df04 AGM!AGMInitialize+0x40c02
1f 0536df24 10cd4133 0536df90 17c76ff8 0536e124 AGM!AGMInitialize+0x3e7a6
20 0536e144 10cd2370 19891678 18f911e8 17c616f8 AGM!AGMInitialize+0x3b303
21 0536e320 10cd0dec 19891678 18f911e8 bb3e61b9 AGM!AGMInitialize+0x39540
22 0536e36c 10cfffbf 19891678 18f911e8 17150de0 AGM!AGMInitialize+0x37fbc
23 0536e398 10cffb7f 18f911e8 bb3e66d1 17150de0 AGM!AGMInitialize+0x6718f
24 00000000 00000000 00000000 00000000 00000000 AGM!AGMInitialize+0x66d4f

0:000> !heap -p -a 147E6638 
    address 147e6638 found in
    _HEAP @ c640000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        147e6610 0009 0000  [00]   147e6638    00010 - (free DelayedFree)
        66d6c396 verifier!AVrfpDphNormalHeapFree+0x000000b6
        66d6ab43 verifier!AVrfDebugPageHeapFree+0x000000e3
        77305359 ntdll!RtlDebugFreeHeap+0x0000003c
        7725ad86 ntdll!RtlpFreeHeap+0x000000d6
        7725ac3d ntdll!RtlFreeHeap+0x000007cd
        66e5aad0 vrfcore!VfCoreRtlFreeHeap+0x00000020
        74a2db1b ucrtbase!_free_base+0x0000001b
        74a2dae8 ucrtbase!free+0x00000018
        f012849 AcroRd32!AcroWinMainSandbox+0x00006a49
        f6d6430 AcroRd32!CTJPEGTiledContentWriter::operator=+0x00018ba0
        f6c20a4 AcroRd32!CTJPEGTiledContentWriter::operator=+0x00004814
        f6bf15d AcroRd32!CTJPEGTiledContentWriter::operator=+0x000018cd
        f6b209f AcroRd32!AX_PDXlateToHostEx+0x0034404f
        f6a5007 AcroRd32!AX_PDXlateToHostEx+0x00336fb7
        f0a57c9 AcroRd32!DllCanUnloadNow+0x0004c809
        f0a56c3 AcroRd32!DllCanUnloadNow+0x0004c703
        f02e7e1 AcroRd32!AcroWinMainSandbox+0x000229e1
        f02e78d AcroRd32!AcroWinMainSandbox+0x0002298d
        f0e8a5b AcroRd32!DllCanUnloadNow+0x0008fa9b
        f1f4315 AcroRd32!CTJPEGDecoderHasMoreTiles+0x00001a15
        f6568a8 AcroRd32!AX_PDXlateToHostEx+0x002e8858
        f56ae8d AcroRd32!AX_PDXlateToHostEx+0x001fce3d
        10d5da8c AGM!AGMGetVersion+0x00016e3c
        10d5e053 AGM!AGMGetVersion+0x00017403
        10fffb4c AGM!AGMGetVersion+0x002b8efc
        10cd9a32 AGM!AGMInitialize+0x00040c02
        10cd75d6 AGM!AGMInitialize+0x0003e7a6
        10cd4133 AGM!AGMInitialize+0x0003b303
        10cd2370 AGM!AGMInitialize+0x00039540
        10cd0dec AGM!AGMInitialize+0x00037fbc
        10cfffbf AGM!AGMInitialize+0x0006718f
--- cut ---

Notes:

- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with the PageHeap option enabled in Application Verifier.

- The crash occurs immediately after opening the PDF document.

- Attached samples: poc.pdf (crashing file), original.pdf (original file).

- We have minimized the difference between the original and mutated files down to a single byte at offset 0x172b4, which appears to reside inside a binary JP2 image stream. It was modified from 0x1C to 0xFF.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47279.zip

Adobe acrobat reader dc for windows double free due to malformed jp2 stream Vulnerability / Exploit Source : Adobe acrobat reader dc for windows double free due to malformed jp2 stream



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.