  CVE-2013-3346: Adobe Reader and Acrobat memory corruption vulnerability analysis

       [CNNVD] Adobe Reader and Acrobat memory corruption vulnerability (CNNVD-201308-479)

            Adobe Reader and Acrobat are products of Adobe (USA). Adobe Reader is a free PDF viewer; Acrobat is a tool for editing and converting PDF files.
            Adobe Reader and Acrobat contain a memory corruption vulnerability that an attacker can exploit to execute arbitrary code or cause a denial of service. Affected versions: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03.

    The test environment was Adobe Reader 11 on Windows 7. With the debugger attached, opening the PoC made the program exit abnormally without ever breaking into the debugger. Task Manager showed two Adobe Reader processes: Reader 11's Protected Mode renders the document in a sandboxed child process, and that is where the crash occurs, so child-process debugging was enabled (.childdbg 1 in WinDbg) and the PoC was loaded again. This time the debugger broke in with the following state:

    eax=00000001 ebx=00000001 ecx=64f7f4ea edx=04bb1078 esi=3ef2cc90 edi=00000000
    eip=64f7e84b esp=0016e540 ebp=0016e564 iopl=0         nv up ei pl nz ac po cy
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210213
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.dll - 
    AcroRd32!DllCanUnloadNow+0x150524:
    64f7e84b 8b06            mov     eax,dword ptr [esi]  ds:0023:3ef2cc90=????????

    Looking back a few instructions, esi is derived from ecx, and ecx is the this pointer under the thiscall convention, so esi is most likely a pointer to a C++ object. A few instructions later there is a call dword ptr [eax+364h]: eax is the first dword of the object, i.e. its vtable pointer, so this is a virtual method call through that table. A virtual call on an object whose very first read already faults is the classic shape of a use-after-free, so the process was reloaded with page heap enabled (gflags /p /enable AcroRd32.exe /full), which is what the _DPH_HEAP_ROOT in the output below indicates. Page heap puts every allocation on its own page so a stale read faults immediately, and it records the allocation and free stacks that !heap -p -a reports. Addresses differ from the first run because the process was restarted:

    1:007> !heap -p -a esi
        address 3eaeac90 found in
        _DPH_HEAP_ROOT @ 4451000
        in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                       3136171c:         3eaea000             2000
        778890b2 verifier!AVrfDebugPageHeapFree+0x000000c2
        77775674 ntdll!RtlDebugFreeHeap+0x0000002f
        77737aca ntdll!RtlpFreeHeap+0x0000005d
        77702d68 ntdll!RtlFreeHeap+0x00000142
        768af1ac kernel32!HeapFree+0x00000014
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\MSVCR100.dll - 
        6b41016a MSVCR100!free+0x0000001c
        627e1325 AcroRd32!CTJPEGLibInit+0x0000f6d5
        6290c2af AcroRd32!DllCanUnloadNow+0x0010df88
        628b3381 AcroRd32!DllCanUnloadNow+0x000b505a
        6294723b AcroRd32!DllCanUnloadNow+0x00148f14
        628980b1 AcroRd32!DllCanUnloadNow+0x00099d8a
        62e54bbf AcroRd32!CTJPEGRotateOptions::operator=+0x001b0aa3
        628980b1 AcroRd32!DllCanUnloadNow+0x00099d8a
        62cfabca AcroRd32!CTJPEGRotateOptions::operator=+0x00056aae
        62cfb275 AcroRd32!CTJPEGRotateOptions::operator=+0x00057159
        62cf93be AcroRd32!CTJPEGRotateOptions::operator=+0x000552a2
        62da391e AcroRd32!CTJPEGRotateOptions::operator=+0x000ff802
        62da3b7c AcroRd32!CTJPEGRotateOptions::operator=+0x000ffa60
        62da3eca AcroRd32!CTJPEGRotateOptions::operator=+0x000ffdae
    *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\Annots.api
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\Annots.api - 
        64989a3a Annots!PlugInMain+0x00078015
        6498a692 Annots!PlugInMain+0x00078c6d
        6498af61 Annots!PlugInMain+0x0007953c
    *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\EScript.api
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\EScript.api - 
        66e2a8e8 EScript!PlugInMain+0x000392b6
        66dfff65 EScript!PlugInMain+0x0000e933
        66e19749 EScript!PlugInMain+0x00028117
        66e157ec EScript!PlugInMain+0x000241ba
        66e378e6 EScript!PlugInMain+0x000462b4
        66e3786c EScript!PlugInMain+0x0004623a
        66e36951 EScript!PlugInMain+0x0004531f
        66e3626c EScript!PlugInMain+0x00044c3a
        66e342da EScript!PlugInMain+0x00042ca8
        64989e26 Annots!PlugInMain+0x00078401

    This is clearly a block that has already been freed, and the free stack is informative on its own: the object is freed by AcroRd32 code that was called from Annots.api, which in turn was called from EScript.api, Reader's JavaScript engine, so the free happens inside a JavaScript callback fired during annotation handling. (Frame names such as AcroRd32!DllCanUnloadNow+0x... and AcroRd32!CTJPEGRotateOptions::operator=+0x... are only the nearest exported symbols, because no PDB is available; they are not the real function names.) The next question is where the block was allocated. The record below was obtained by breaking on the allocation function and walking back, but it does not answer that question: it is for a different address (04878de8) on a different thread (prompt 1:011 rather than 1:007), the block is still busy rather than freed, and its stack shows the MSVCR100 CRT's DLL-initialisation routine (the mbtowc_l frames are again nearest-export names) calling calloc_crt while ntdll initialises a thread (LdrpInitializeThread), with no AcroRd32 frame at all, most likely the CRT allocating its per-thread data. A reliable way to get the object's allocation stack is to set a breakpoint on the AcroRd32 frame that sits directly above MSVCR100!free in the free stack and run !heap -p -a on the address before the free executes: while the block is still busy, the page-heap record shows the allocation stack.

    1:011> !heap -p -a 04878de8  
        address 04878de8 found in
        _DPH_HEAP_ROOT @ 45f1000
        in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                     48f05e4:          4878de8              214 -          4878000             2000
        77888e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
        77774ea6 ntdll!RtlDebugAllocateHeap+0x00000030
        77737d96 ntdll!RtlpAllocateHeap+0x000000c4
        777034ca ntdll!RtlAllocateHeap+0x0000023a
        6b7709ee MSVCR100!unlock+0x000000ba
        6b771e32 MSVCR100!calloc_crt+0x00000016
        6b771d93 MSVCR100!mbtowc_l+0x000001be
        6b771e16 MSVCR100!mbtowc_l+0x00000241
        7770af24 ntdll!LdrpCallInitRoutine+0x00000014
        7770b511 ntdll!LdrpInitializeThread+0x0000015b
        7770b298 ntdll!_LdrpInitialize+0x000001ad
        7770b2c5 ntdll!LdrInitializeThunk+0x00000010

    Finally, the stack at the point where the freed object is reused. Its top frame is the crash site from the first listing (AcroRd32!DllCanUnloadNow+0x150524), and the callers are again Annots.api entering AcroRd32, consistent with the annotation code continuing to use the object after the JavaScript callback that freed it has returned:

    1:007> kp
    ChildEBP RetAddr  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    001fe028 64f7e0d2 AcroRd32!DllCanUnloadNow+0x150524
    001fe04c 64f7f3e3 AcroRd32!DllCanUnloadNow+0x14fdab
    001fe054 64f7d996 AcroRd32!DllCanUnloadNow+0x1510bc
    001fe0a0 64f7c68c AcroRd32!DllCanUnloadNow+0x14f66f
    001fe0d0 64f7c50e AcroRd32!DllCanUnloadNow+0x14e365
    001fe160 64f7c206 AcroRd32!DllCanUnloadNow+0x14e1e7
    001fe170 64f7c1a1 AcroRd32!DllCanUnloadNow+0x14dedf
    001fe17c 64ed712e AcroRd32!DllCanUnloadNow+0x14de7a
    001fe1a8 64f7ae0e AcroRd32!DllCanUnloadNow+0xa8e07
    001fe1d8 64f76d1d AcroRd32!DllCanUnloadNow+0x14cae7
    001fe1fc 64f76bf1 AcroRd32!DllCanUnloadNow+0x1489f6
    001fe214 64f7434c AcroRd32!DllCanUnloadNow+0x1488ca
    001fe2ac 64e2e440 AcroRd32!DllCanUnloadNow+0x146025
    001fe2d8 64f73a64 AcroRd32!DllCanUnloadNow+0x119
    001fe300 653d38ef AcroRd32!DllCanUnloadNow+0x14573d
    001fe37c 653d3b7c AcroRd32!CTJPEGRotateOptions::operator=+0xff7d3
    001fe390 653d3eca AcroRd32!CTJPEGRotateOptions::operator=+0xffa60
    *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\Annots.api
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\Annots.api - 
    001fe39c 63009a3a AcroRd32!CTJPEGRotateOptions::operator=+0xffdae
    001fe3b0 6300a692 Annots!PlugInMain+0x78015
    001fe3c8 6300af61 Annots!PlugInMain+0x78c6d
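
    Taken together, the free stack and the reuse stack describe the bug's shape: annotation code in Annots.api hands control to a JavaScript callback in EScript.api, that callback causes the object to be freed, and once it returns the annotation code makes a virtual call (the mov eax,[esi] / call dword ptr [eax+364h] pair) through the stale this pointer. The C program below is an added example, not Adobe's code and not the PoC, and every name in it (Widget, script_callback_destroys, dispatch_vulnerable, dispatch_fixed, the dbg_* allocator) is invented. It models that sequence on top of a tiny allocator that behaves like page heap, keeping every freed block as a "free-ed allocation" that remembers which call site freed it, so the stale virtual call is reported with its free site instead of being undefined behaviour. The hardened dispatcher holds its own reference across the callback, which is the standard fix for this class of bug.

```c
/* Added example (invented names, not Adobe code): the UAF sequence from the traces
 * above, on a page-heap-like allocator that records which call site freed a block. */
#include <stdio.h>
#include <string.h>

enum { ST_FREE, ST_BUSY, ST_FREED };
enum { POOL_BLOCKS = 8, BLOCK_SIZE = 64 };

/* One record per block (state, alloc/free sites), like a DPH_HEAP_BLOCK with stacks. */
struct block_rec { int state; const char *alloc_site, *free_site; unsigned char mem[BLOCK_SIZE]; };
static struct block_rec pool[POOL_BLOCKS];
static void dbg_reset(void) { memset(pool, 0, sizeof pool); }

static void *dbg_alloc(size_t n, const char *site) {
    for (int i = 0; n <= BLOCK_SIZE && i < POOL_BLOCKS; i++) {
        if (pool[i].state != ST_FREE) continue;
        pool[i].state = ST_BUSY; pool[i].alloc_site = site; pool[i].free_site = NULL;
        return pool[i].mem;
    }
    return NULL;
}

static struct block_rec *find_rec(const void *p) {
    for (int i = 0; i < POOL_BLOCKS; i++)
        if (p == (const void *)pool[i].mem) return &pool[i];
    return NULL;
}

/* Like page heap, a freed block is never reused: it is poisoned and kept as a "free-ed
 * allocation" that remembers who freed it. (Real page heap decommits the page instead,
 * which is why the crash shows ???????? for the read of [esi].) */
static void dbg_free(void *p, const char *site) {
    struct block_rec *r = find_rec(p);
    if (!r || r->state != ST_BUSY) return;
    r->state = ST_FREED;
    r->free_site = site;
    memset(r->mem, 0xC8, BLOCK_SIZE);
}

/* The object: vtable pointer first (what `mov eax,[esi]` loaded), then a refcount. */
struct Widget { const struct WidgetVtbl *vtbl; int refs; int redraws; };
struct WidgetVtbl { void (*redraw)(struct Widget *self); };
static void widget_redraw(struct Widget *self) { self->redraws++; }
static const struct WidgetVtbl widget_vtbl = { widget_redraw };

static struct Widget *widget_create(void) {
    struct Widget *w = dbg_alloc(sizeof *w, "widget_create");
    if (w) { w->vtbl = &widget_vtbl; w->refs = 1; w->redraws = 0; }
    return w;
}
static void widget_addref(struct Widget *w) { w->refs++; }
static void widget_release(struct Widget *w, const char *site) { if (--w->refs == 0) dbg_free(w, site); }

/* The script callback: like the EScript frames beneath Annots in the free stack,
 * it drops the last reference to the object it was invoked on. */
static void script_callback_destroys(struct Widget *w) { widget_release(w, "script_callback_destroys"); }

/* Checked virtual call standing in for `call dword ptr [eax+364h]`: returns 0 on
 * success, -1 (reporting the free site) if `this` has already been freed. */
static int checked_vcall(struct Widget *w, const char **free_site) {
    struct block_rec *r = find_rec(w);
    if (r && r->state == ST_FREED) { if (free_site) *free_site = r->free_site; return -1; }
    w->vtbl->redraw(w);
    return 0;
}

/* Vulnerable dispatcher: runs the callback, then uses a `this` it never kept alive. */
static int dispatch_vulnerable(struct Widget *w, void (*cb)(struct Widget *), const char **free_site) {
    cb(w);
    return checked_vcall(w, free_site);
}

/* Hardened dispatcher: holds its own reference across the callback, so the
 * callback's release cannot destroy the object before the virtual call. */
static int dispatch_fixed(struct Widget *w, void (*cb)(struct Widget *), const char **free_site) {
    widget_addref(w);
    cb(w);
    int rc = checked_vcall(w, free_site);
    widget_release(w, "dispatch_fixed");
    return rc;
}

/* Scenario runners: return the outcome and report the recorded free site. */
static int run_vulnerable(const char **free_site) {
    dbg_reset();
    return dispatch_vulnerable(widget_create(), script_callback_destroys, free_site);
}
static int run_fixed(const char **free_site) {
    dbg_reset();
    struct Widget *w = widget_create();
    int rc = dispatch_fixed(w, script_callback_destroys, free_site);
    if (rc == 0 && free_site) *free_site = find_rec(w)->free_site;
    return rc;
}

int main(void) {
    const char *site = NULL;
    int rc = run_vulnerable(&site);
    printf("vulnerable dispatch: rc=%d, object had been freed by %s\n", rc, site);
    rc = run_fixed(&site);
    printf("fixed dispatch: rc=%d, object released afterwards by %s\n", rc, site);
    return 0;
}
```

    Compile with cc -std=c99 uaf_model.c and run it: the vulnerable dispatch returns -1 and names script_callback_destroys as the free site, which is the same information !heap -p -a gives for a page-heap block, while the fixed dispatch completes the virtual call and only releases the object afterwards. The poisoning in dbg_free is a stand-in for page heap's decommit; the point of both is that a stale pointer is caught at the first touch, at the free site's expense of memory, rather than silently reading whatever now occupies the block.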
  Original post: https://www.cnblogs.com/Ox9A82/p/5726680.html