Reading Backwards – Controlling an Integer Underflow in Adobe Reader

December 18, 2017 | Abdul-Aziz Hariri
This is the first in our series of Top 5 interesting cases from 2017. Each of these bugs has some element that sets it apart from the approximately 1,000 advisories released by the program this year. We begin with a former Pwn2Own winner submitting an Adobe Reader bug using a rarely seen vector.
One of the reasons we chose this vulnerability for the top 5 is that it is an integer underflow leading to code execution, which is something we don't see that often. In addition, this vulnerability is the result of a failed patch for ZDI-16-555/CVE-2016-6947 – a bug also reported by Sebastian.
The following is a snippet of the artistic XML Data Package (XDP) that Sebastian used to trigger and control the vulnerability. As you can see, it contains a set of nested subform elements:
The event handler in the XDP form is hit before the nested subform elements are parsed and allocated. Sebastian leveraged the event handler to execute code that creates array buffers of size 0x280 and fills them with specific values, so that each array ends up filled with 0xaaaaaaaabbbbbbbb.
When the handler finishes execution, the subform elements are parsed and the array buffer will be placed right after our controlled JS array.
The end result shows the control:
Later in the execution, it is possible for an attacker to control a vtable-pointer to achieve execution of arbitrary code within the sandboxed renderer process. Additional vulnerabilities would be needed to escape the sandbox and elevate privileges, but this bug is a nice piece of a Pwn2Own-worthy exploit puzzle.
The nature of this vulnerability, along with the fact that it was a failed patch, made it stand out as one of this year’s best. Sebastian’s technique for controlling the crashes in both the 2016 and 2017 vulnerability reports shows the power of fully understanding XDP event handling. Props to Sebastian for the great vulnerability report!