SSD Secure Disclosure

Disclosing vulnerabilities responsibly since 2007

SSD Advisory – Adobe Acrobat Reader DC Use After Free

Vulnerability Summary
A use-after-free vulnerability exists in Adobe Acrobat Reader DC, which allows attackers to execute arbitrary code with the privileges of the current user.
CVE
CVE-2019-7805
Credit
An independent security researcher has reported this vulnerability to the SSD Secure Disclosure program.
Affected systems

| Product | Track | Affected Versions | Platform |
|---|---|---|---|
| Acrobat DC | Continuous | 2019.010.20100 and earlier versions | Windows and macOS |
| Acrobat Reader DC | Continuous | 2019.010.20099 and earlier versions | Windows and macOS |
| Acrobat 2017 | Classic 2017 | 2017.011.30140 and earlier version | Windows and macOS |
| Acrobat Reader 2017 | Classic 2017 | 2017.011.30138 and earlier version | Windows and macOS |
| Acrobat DC | Classic 2015 | 2015.006.30495 and earlier versions | Windows and macOS |
| Acrobat Reader DC | Classic 2015 | 2015.006.30493 and earlier versions | Windows and macOS |

Vendor Response
Adobe fixed this vulnerability and released a public security advisory on May 14, 2019 (Adobe Advisory).

Vulnerability Details
How to reproduce:
1. Set Page Heap on for “AcroRd32.exe”.
2. Open the attached “poc.pdf”, and you will see the crash.

Using WinDbg, we see the following crash analysis. The test was done on Windows 10. Don’t forget to set Page Heap on for “AcroRd32.exe”.

Crash info

The ECX register points to freed memory, which makes it clear that this is a use-after-free condition.

Analyzing “poc.pdf” shows that several conditions must be met in order to reproduce this crash.

1. A PDF embeds another PDF, and opening the main PDF opens the embedded PDF.
2. The embedded PDF must contain JavaScript. Any JavaScript is enough to trigger the crash.

It seems that as long as the above conditions are met, the PoC will succeed.

An attacker can run JavaScript code in the embedded PDF in order to exploit this use-after-free vulnerability.
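The two conditions above can be checked on incoming files before they reach a vulnerable reader. The following triage script is an added example, not part of the original advisory or SSD's tooling: it inflates Flate streams, looks for an embedded PDF, and reports whether that embedded PDF contains JavaScript names. The function names, the auto-action keyword list and the sample bytes are assumptions constructed for illustration.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
JS_RE = re.compile(rb"/(?:JavaScript|JS)\b")
# Assumption: keywords PDF triage tools commonly flag for automatic actions.
AUTO_RE = re.compile(rb"/(?:OpenAction|GoToE)\b")


def unescape_names(data: bytes) -> bytes:
    """Undo #xx escapes in PDF names so /J#53 is read as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def streams(data: bytes):
    """Yield every stream body, inflated when it is Flate-compressed."""
    for m in STREAM_RE.finditer(data):
        raw = m.group(1)
        try:
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            yield raw  # not Flate data: keep the raw bytes


def has_js(pdf: bytes) -> bool:
    """Look for JavaScript names in a PDF body and in its own streams."""
    return any(JS_RE.search(unescape_names(part))
               for part in [pdf, *streams(pdf)])


def triage(data: bytes) -> dict:
    """Check the advisory's two conditions: embedded PDF, and JS inside it."""
    embedded = [s for s in streams(data) if s.lstrip().startswith(b"%PDF-")]
    return {
        "embedded_pdfs": len(embedded),
        "embedded_js": any(has_js(e) for e in embedded),
        "auto_action": bool(AUTO_RE.search(unescape_names(data))),
    }


def wrap(inner: bytes) -> bytes:
    """Constructed sample: object fragments only, not an openable PDF."""
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode >>\n"
            b"stream\n" + zlib.compress(inner) + b"\nendstream\nendobj\n"
            b"2 0 obj\n<< /OpenAction 3 0 R >>\nendobj\n")


FLAGGED = wrap(b"%PDF-1.7\n1 0 obj\n<< /S /JavaScript /J#53 (var x = 1;) >>\nendobj\n")
CLEAN = wrap(b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n")
```

A file with `embedded_js` set is a candidate for quarantine or for opening only in a patched reader. Embedded files stored without compression, or objects hidden in object streams, need a full PDF parser rather than this keyword scan.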

PoC
The poc.pdf file contains binary data, so we will encode it in base64.
