
How to analyze the PDF vulnerability CVE-2018-12794

2025-01-28 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

This article walks through the root-cause analysis of CVE-2018-12794, a type confusion vulnerability in the XFA (XML Forms Architecture) implementation of Adobe Reader: from the public PoC, through a WinDbg session under page heap, to the mismatched object sizes that explain the crash.

Brief introduction of vulnerabilities

CVE-2018-12794 is a type confusion vulnerability. By building an XML Data Package (XDP) template and performing certain JavaScript operations on XML Forms Architecture (XFA) objects, an attacker can make Adobe Reader read data beyond the bounds of a Template object.

Adobe released the patch for this vulnerability in July 2018.

Basic information about vulnerabilities

Vulnerability ID: CVE-2018-12794

Vulnerability name: PDF type confusion vulnerability

Impact: remote code execution

Threat type: type confusion

Affected versions: 2018.011.20040 and earlier

Vulnerability testing

System environment: Windows 7 (32-bit)

Adobe Reader: 2018.011.20040

PoC: https://github.com/thezdi/PoC/tree/master/CVE-2018-12794

PoC analysis

XML Data Package (XDP) is an XML file format created by Adobe Systems. It allows PDF content or Adobe XML Forms Architecture (XFA) resources to be packaged in an XML container. XDP conforms to the XML 1.0 specification and can be carried either as a stand-alone document or inside a PDF document. It provides a mechanism for packaging form components in an XML container, and an XDP can also package PDF files together with XML form and template data.

The XFA (XML Forms Architecture) object in the first object stream carries JavaScript that manipulates two subform nodes, sub1 and sub2: sub1 is created as an xfa.template object, sub2 as an xfa.form object, and sub2 is then attached to sub1.

Finally, the script sets the presence property of sub2 to "inactive", which hides the node and excludes it from event handling. The crash is triggered when this operation is performed.

Debugging and analysis

After enabling page heap for the Reader process with gflags, attach WinDbg to Adobe Acrobat DC and open the PoC file. The debugger breaks at the point where the crash occurs.

From the debugging output, the exception occurs in the AcroForm.api module, and the crash is caused by dereferencing the value held in ecx. Stack backtracing locates the caller of the crashing function, AcroForm!PlugInMain+0x979f1; disassembling that function shows how ecx is computed (its value is passed directly into the crashing function).

The disassembly shows that ecx is loaded from [eax+esi*8], where esi is only an index and is 0 here, so ecx depends on eax, which in turn is loaded from [edi+1d4h]. The memory at that address contains string data, so the likely explanation is that string bytes are being used as a pointer, causing the crash.

Across repeated debugging runs, the value at [edi+1d4h] differs each time and is not a meaningful pointer, as shown in the following figure (not reproduced here).

Inspecting edi with the !heap command shows that the allocation it points to is only 140h bytes. This suggests edi is an object pointer (or some other requested block of memory), and [edi+1d4h] is clearly outside that allocation.

The surrounding code shows that this is an XFA object. Its type ID can be recovered by disassembling the third virtual function: uf poi(poi(object address)+8).

That function returns the type 7C00h, confirming that the heap block holds an XFA object.

Cross-referencing the virtual table leads to XFATemplateModelImpl, and cross-referencing its constructor gives the object size of 140h bytes.

In XFATemplateModelFactoryImpl::newModel, 140h bytes are allocated; from the function name, this is where a Template object of size 140h is created with new.

Cross-referencing from the virtual table in the same way locates the code that initializes the Form object, which is allocated with 270h bytes. The field at [edi+1d4h] is therefore a field of the Form object, while the Template object is only 140h bytes long. The root cause of the vulnerability is that Form-object code is used to handle a Template object, a type confusion that reads past the end of the smaller object.
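To make the root cause concrete, the following C model is an added example written for this article; it is not code from Adobe Reader or from the ZDI PoC. It reuses only the facts recovered above: a Template object of 0x140 bytes, a Form object of 0x270 bytes, a pointer field at offset 0x1d4 that exists only in the Form object, and a type ID of 0x7C00 returned through the third vtable slot. The Form type ID (0x7C01), the vtable slot order and the meaning of the field at 0x1d4 are assumptions made for the example. The Template is placed at the start of a larger arena filled with constructed 0x41 bytes so that the out-of-bounds read stays in defined memory and can be observed instead of crashing.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes and offset recovered in the WinDbg session described above. */
#define TEMPLATE_SIZE 0x140u   /* XFATemplateModelImpl allocation */
#define FORM_SIZE     0x270u   /* Form model allocation */
#define NAME_PTR_OFF  0x1d4u   /* [edi+1d4h]: pointer field present only in a Form object */

/* 0x7C00 was the type ID the third vtable slot returned for the Template model.
 * The Form model ID is an assumed placeholder for this example. */
#define TYPE_ID_TEMPLATE 0x7C00u
#define TYPE_ID_FORM     0x7C01u

struct xfa_object;

/* Minimal vtable (assumed slot order). On 32-bit the third slot sits at
 * vtable+8, which is what uf poi(poi(object)+8) disassembled above. */
struct xfa_vtable {
    void     (*release)(struct xfa_object *self);
    size_t   (*size)(struct xfa_object *self);
    uint32_t (*type_id)(struct xfa_object *self);
};

/* Header shared by both model objects; the body that follows differs in size. */
struct xfa_object {
    const struct xfa_vtable *vt;
    uint32_t type_id;
};

static void     obj_release(struct xfa_object *o) { (void)o; }
static size_t   obj_size(struct xfa_object *o)    { return o->type_id == TYPE_ID_FORM ? FORM_SIZE : TEMPLATE_SIZE; }
static uint32_t obj_type_id(struct xfa_object *o) { return o->type_id; }

static const struct xfa_vtable xfa_vt = { obj_release, obj_size, obj_type_id };

/* A Form object: FORM_SIZE bytes, with a string pointer stored at NAME_PTR_OFF. */
struct xfa_object *form_new(const char *name) {
    unsigned char *buf = calloc(1, FORM_SIZE);
    if (!buf) abort();
    struct xfa_object *o = (struct xfa_object *)buf;
    o->vt = &xfa_vt;
    o->type_id = TYPE_ID_FORM;
    memcpy(buf + NAME_PTR_OFF, &name, sizeof name);
    return o;
}

/* Arena holding a Template object followed by constructed filler bytes that
 * stand in for whatever neighbours it on the real heap. */
struct arena {
    _Alignas(max_align_t) unsigned char bytes[FORM_SIZE];
};

struct xfa_object *template_new_in(struct arena *a) {
    memset(a->bytes, 0x41, sizeof a->bytes);   /* constructed "neighbour" bytes */
    memset(a->bytes, 0, TEMPLATE_SIZE);         /* the 0x140-byte Template body proper */
    struct xfa_object *o = (struct xfa_object *)a->bytes;
    o->vt = &xfa_vt;
    o->type_id = TYPE_ID_TEMPLATE;
    return o;
}

/* Vulnerable pattern: Form-model code applied to whatever object it is handed.
 * Returns the raw value it would go on to dereference (the ecx of the crash).
 * On a Template this reads 0x94 bytes past the end of the object. */
uintptr_t form_name_ptr_unchecked(const struct xfa_object *o) {
    uintptr_t p;
    memcpy(&p, (const unsigned char *)o + NAME_PTR_OFF, sizeof p);
    return p;
}

/* Hardened pattern: confirm the dynamic type through the vtable before
 * touching any field that only the larger Form object has. Returns -1 and
 * sets *out to NULL when the object is not a Form. */
int form_name_checked(struct xfa_object *o, const char **out) {
    if (o->vt->type_id(o) != TYPE_ID_FORM) {
        *out = NULL;
        return -1;
    }
    *out = (const char *)form_name_ptr_unchecked(o);
    return 0;
}

int main(void) {
    struct arena a;
    struct xfa_object *tmpl = template_new_in(&a);
    struct xfa_object *form = form_new("sub2");
    const char *name;

    printf("Form handler on a Form:     %s\n", form_name_checked(form, &name) == 0 ? name : "(rejected)");
    printf("Form handler on a Template: %s\n", form_name_checked(tmpl, &name) == 0 ? name : "(rejected)");
    printf("Unchecked read at Template+0x%x: 0x%" PRIxPTR " (would be used as a pointer)\n",
           NAME_PTR_OFF, form_name_ptr_unchecked(tmpl));
    free(form);
    return 0;
}
```

The unchecked read on the Template returns the filler bytes (0x4141...) as a pointer value, which is the same symptom seen in the debugger: [edi+1d4h] holds unrelated data that changes from run to run. The checked variant rejects the Template outright, which is the shape of fix a type confusion like this needs: the handler must verify the dynamic type before reading a field that only the larger object layout contains.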
