CVE-2013-3346Adobe Reader和Acrobat 記憶體損壞漏洞分析

Ox9A82發表於2016-08-01

   [CNNVD]Adobe Reader和Acrobat 記憶體損壞漏洞(CNNVD-201308-479)

        Adobe Reader和Acrobat都是美國奧多比(Adobe)公司的產品。Adobe Reader是一款免費的PDF檔案閱讀器,Acrobat是一款PDF檔案編輯和轉換工具。
        Adobe Reader和Acrobat中存在安全漏洞。攻擊者可利用該漏洞執行任意程式碼或造成拒絕服務(記憶體損壞)。以下版本受到影響:Adobe Reader和Acrobat 9.5.5之前的9.x版本,10.1.7之前的10.x版本,11.0.03之前的11.x版本。

測試環境是Adobe Reader11+Windows 7。掛載偵錯程式開啟poc後程式異常退出,但是並未中斷在偵錯程式中,在工作管理員中發現Adobe Reader存在2個程式,於是啟用子程式除錯,重新載入,並中斷在偵錯程式中,資訊如下。

eax=00000001 ebx=00000001 ecx=64f7f4ea edx=04bb1078 esi=3ef2cc90 edi=00000000
eip=64f7e84b esp=0016e540 ebp=0016e564 iopl=0         nv up ei pl nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210213
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.dll - 
AcroRd32!DllCanUnloadNow+0x150524:
64f7e84b 8b06            mov     eax,dword ptr [esi]  ds:0023:3ef2cc90=????????

我們往前面看一下會發現esi來自ecx,而由於ecx就是this指標,這裡懷疑是物件指標。再後面看一下又有call    dword ptr [eax+364h]。於是重新載入啟用堆分配記錄。如下

1:007> !heap -p -a esi
    address 3eaeac90 found in
    _DPH_HEAP_ROOT @ 4451000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                   3136171c:         3eaea000             2000
    778890b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77775674 ntdll!RtlDebugFreeHeap+0x0000002f
    77737aca ntdll!RtlpFreeHeap+0x0000005d
    77702d68 ntdll!RtlFreeHeap+0x00000142
    768af1ac kernel32!HeapFree+0x00000014
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\MSVCR100.dll - 
    6b41016a MSVCR100!free+0x0000001c
    627e1325 AcroRd32!CTJPEGLibInit+0x0000f6d5
    6290c2af AcroRd32!DllCanUnloadNow+0x0010df88
    628b3381 AcroRd32!DllCanUnloadNow+0x000b505a
    6294723b AcroRd32!DllCanUnloadNow+0x00148f14
    628980b1 AcroRd32!DllCanUnloadNow+0x00099d8a
    62e54bbf AcroRd32!CTJPEGRotateOptions::operator=+0x001b0aa3
    628980b1 AcroRd32!DllCanUnloadNow+0x00099d8a
    62cfabca AcroRd32!CTJPEGRotateOptions::operator=+0x00056aae
    62cfb275 AcroRd32!CTJPEGRotateOptions::operator=+0x00057159
    62cf93be AcroRd32!CTJPEGRotateOptions::operator=+0x000552a2
    62da391e AcroRd32!CTJPEGRotateOptions::operator=+0x000ff802
    62da3b7c AcroRd32!CTJPEGRotateOptions::operator=+0x000ffa60
    62da3eca AcroRd32!CTJPEGRotateOptions::operator=+0x000ffdae
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\Annots.api
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\Annots.api - 
    64989a3a Annots!PlugInMain+0x00078015
    6498a692 Annots!PlugInMain+0x00078c6d
    6498af61 Annots!PlugInMain+0x0007953c
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\EScript.api
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\EScript.api - 
    66e2a8e8 EScript!PlugInMain+0x000392b6
    66dfff65 EScript!PlugInMain+0x0000e933
    66e19749 EScript!PlugInMain+0x00028117
    66e157ec EScript!PlugInMain+0x000241ba
    66e378e6 EScript!PlugInMain+0x000462b4
    66e3786c EScript!PlugInMain+0x0004623a
    66e36951 EScript!PlugInMain+0x0004531f
    66e3626c EScript!PlugInMain+0x00044c3a
    66e342da EScript!PlugInMain+0x00042ca8
    64989e26 Annots!PlugInMain+0x00078401

很明顯是已經釋放的記憶體塊,那我們來看下這個記憶體塊是在哪裡分配的。透過對分配函式下斷向前摸到了這塊記憶體的分配記錄

1:011> !heap -p -a 04878de8  
    address 04878de8 found in
    _DPH_HEAP_ROOT @ 45f1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 48f05e4:          4878de8              214 -          4878000             2000
    77888e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77774ea6 ntdll!RtlDebugAllocateHeap+0x00000030
    77737d96 ntdll!RtlpAllocateHeap+0x000000c4
    777034ca ntdll!RtlAllocateHeap+0x0000023a
    6b7709ee MSVCR100!unlock+0x000000ba
    6b771e32 MSVCR100!calloc_crt+0x00000016
    6b771d93 MSVCR100!mbtowc_l+0x000001be
    6b771e16 MSVCR100!mbtowc_l+0x00000241
    7770af24 ntdll!LdrpCallInitRoutine+0x00000014
    7770b511 ntdll!LdrpInitializeThread+0x0000015b
    7770b298 ntdll!_LdrpInitialize+0x000001ad
    7770b2c5 ntdll!LdrInitializeThunk+0x00000010

最後再看一下重用時的操作

1:007> kp
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
001fe028 64f7e0d2 AcroRd32!DllCanUnloadNow+0x150524
001fe04c 64f7f3e3 AcroRd32!DllCanUnloadNow+0x14fdab
001fe054 64f7d996 AcroRd32!DllCanUnloadNow+0x1510bc
001fe0a0 64f7c68c AcroRd32!DllCanUnloadNow+0x14f66f
001fe0d0 64f7c50e AcroRd32!DllCanUnloadNow+0x14e365
001fe160 64f7c206 AcroRd32!DllCanUnloadNow+0x14e1e7
001fe170 64f7c1a1 AcroRd32!DllCanUnloadNow+0x14dedf
001fe17c 64ed712e AcroRd32!DllCanUnloadNow+0x14de7a
001fe1a8 64f7ae0e AcroRd32!DllCanUnloadNow+0xa8e07
001fe1d8 64f76d1d AcroRd32!DllCanUnloadNow+0x14cae7
001fe1fc 64f76bf1 AcroRd32!DllCanUnloadNow+0x1489f6
001fe214 64f7434c AcroRd32!DllCanUnloadNow+0x1488ca
001fe2ac 64e2e440 AcroRd32!DllCanUnloadNow+0x146025
001fe2d8 64f73a64 AcroRd32!DllCanUnloadNow+0x119
001fe300 653d38ef AcroRd32!DllCanUnloadNow+0x14573d
001fe37c 653d3b7c AcroRd32!CTJPEGRotateOptions::operator=+0xff7d3
001fe390 653d3eca AcroRd32!CTJPEGRotateOptions::operator=+0xffa60
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\Annots.api
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\Annots.api - 
001fe39c 63009a3a AcroRd32!CTJPEGRotateOptions::operator=+0xffdae
001fe3b0 6300a692 Annots!PlugInMain+0x78015
001fe3c8 6300af61 Annots!PlugInMain+0x78c6d

 

相關文章