Zscaler ThreatLabz Discovers Multiple Product Bugs in Adobe Acrobat


In April 2022, Adobe released security update APSB22-16. The update fixed five product bugs in Adobe Acrobat, reported by Zscaler’s ThreatLabz, related to Enhanced Metafile Format (EMF) parsing. Adobe has determined that Acrobat is secure by default for converting EMF to PDF. Specifically, abuse requires administrative privileges to modify the registry and add HKLM keys that enable the EMF to PDF conversion feature. As a result, Adobe treated these five issues as regular product bugs rather than security bugs. Nevertheless, in this blog we present details of these findings.

Known Affected Software

Acrobat DC 22.001.20085 and earlier
Acrobat 2020 20.005.30314 and earlier (Windows) 20.005.30311 and earlier (macOS)
Acrobat 2017 17.012.30205 and earlier versions

Steps to reproduce

Enable page heap in Acrobat.exe
Follow the instructions shown below to enable the EMF to PDF conversion feature:
Open the PoC EMF in Adobe Acrobat

Case studies

Case 1: Heap Buffer Overflow

This bug can be triggered by opening a malformed EMF file in Adobe Acrobat, which causes a buffer overflow when Adobe Acrobat incorrectly processes Enhanced Metafile Format (EMF) data related to the handling of the EMR_COMMENT record. Figure 1 shows a comparison between a properly structured EMF file and a minimized PoC file that triggers this vulnerability.

Figure 1. Comparison between a normal EMF file and the minimized PoC file that triggers a buffer overflow

Adobe Acrobat will produce the following crash shown in Figure 2.

Figure 2. Adobe Acrobat EMF to PDF buffer overflow crash

Case 2: Use After Free

This bug can be triggered by opening a malformed EMF file in Adobe Acrobat, which causes a use-after-free when Adobe Acrobat incorrectly processes Enhanced Metafile Format (EMF) data related to the handling of the EMR_COMMENT record. Figure 3 shows a comparison between a properly structured EMF file and a minimized PoC file that triggers this vulnerability.

Figure 3. Comparison between a normal EMF file and the minimized PoC file that triggers a use-after-free crash

Adobe Acrobat will produce the following crash shown in Figure 4.

Figure 4. Adobe Acrobat EMF to PDF use-after-free crash

Case 3: Out-of-Bounds Read

This bug can be triggered by opening a malformed EMF file in Adobe Acrobat, which causes an out-of-bounds read when Adobe Acrobat incorrectly processes Enhanced Metafile Format (EMF) data related to the handling of the EMR_COMMENT record. Figure 5 shows a comparison between a properly structured EMF file and a minimized PoC file that triggers this vulnerability.

Figure 5. Comparison between a normal EMF file and the minimized PoC file that triggers an out-of-bounds read

Adobe Acrobat will produce the following crash shown in Figure 6.

Figure 6. Adobe Acrobat EMF to PDF out-of-bounds read crash

Case 4: Heap Buffer Overflow

This bug can be triggered by opening a malformed EMF file in Adobe Acrobat, which causes a buffer overflow when Adobe Acrobat incorrectly processes Enhanced Metafile Format (EMF) data related to the handling of the EMR_COMMENT record. Figure 7 shows a comparison between a properly structured EMF file and a minimized PoC file that triggers this vulnerability.

Figure 7. Comparison between a normal EMF file and the minimized PoC file that triggers a buffer overflow

Adobe Acrobat will produce the following crash shown in Figure 8.

Figure 8. Adobe Acrobat EMF to PDF buffer overflow crash

Case 5: Null Pointer Dereference

This bug can be triggered by opening a malformed EMF file in Adobe Acrobat, which produces a null pointer dereference crash, as shown in Figure 9.

Figure 9. Adobe Acrobat EMF to PDF null pointer dereference crash

Summary

In EMF, Comment record types define formats for specifying arbitrary private data, embedding records in other metafile formats, and adding new or special-purpose commands. Because an EMR_COMMENT record can contain arbitrary private data, ThreatLabz found that it can be a potential attack vector. As shown in these case studies, ThreatLabz discovered four bugs in Adobe Acrobat caused by incorrect handling of Enhanced Metafile Format (EMF) data related to the EMR_COMMENT record, in addition to a null pointer dereference.
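The length checks a parser needs before it touches EMR_COMMENT data, as an added example (not code from ThreatLabz or Adobe). It follows the record layout in the MS-EMF specification referenced below; the post does not say which fields the PoC files malform, so these are the generic framing checks, and `emf_check`, `emf_sample` and the status names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { EMR_HEADER = 1, EMR_EOF = 14, EMR_COMMENT = 70 };   /* MS-EMF record types */
enum emf_status { EMF_OK, EMF_TRUNCATED, EMF_BAD_SIZE, EMF_BAD_HEADER, EMF_BAD_COMMENT, EMF_NO_EOF };

static uint32_t rd32(const uint8_t *p) {            /* little-endian read */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk the records, checking every length field against the bytes that remain. */
enum emf_status emf_check(const uint8_t *buf, size_t len, unsigned *comments) {
    size_t off = 0; *comments = 0;
    while (len - off >= 8) {                         /* room for Type + Size */
        uint32_t type = rd32(buf + off), size = rd32(buf + off + 4);
        if (size < 8 || (size & 3)) return EMF_BAD_SIZE;   /* Size covers the record, 4-byte aligned */
        if (size > len - off) return EMF_TRUNCATED;        /* record runs past the end of the file */
        if (off == 0 && (type != EMR_HEADER || size < 88 || rd32(buf + 40) != 0x464D4520u))
            return EMF_BAD_HEADER;                         /* first record: header with " EMF" signature */
        if (type == EMR_COMMENT) {
            /* DataSize counts the bytes after the 12-byte Type/Size/DataSize prefix. */
            if (size < 12 || rd32(buf + off + 8) > size - 12) return EMF_BAD_COMMENT;
            ++*comments;
        }
        if (type == EMR_EOF) return EMF_OK;
        off += size;
    }
    return off == len ? EMF_NO_EOF : EMF_TRUNCATED;
}

/* Constructed sample: header (88 bytes), one EMR_COMMENT (16 bytes), EMR_EOF (20 bytes). */
size_t emf_sample(uint8_t out[124], uint32_t comment_data_size) {
    memset(out, 0, 124);
    wr32(out, EMR_HEADER);        wr32(out + 4, 88);  wr32(out + 40, 0x464D4520u);
    wr32(out + 88, EMR_COMMENT);  wr32(out + 92, 16); wr32(out + 96, comment_data_size);
    wr32(out + 104, EMR_EOF);     wr32(out + 108, 20);
    return 124;
}

int main(void) {
    uint8_t f[124]; unsigned n;
    size_t len = emf_sample(f, 4);
    printf("well-formed comment: %d\n", (int)emf_check(f, len, &n));
    emf_sample(f, 0x1000);                           /* DataSize larger than the record */
    printf("oversized DataSize:  %d\n", (int)emf_check(f, len, &n));
    return 0;
}
```

A file that fails these checks is worth flagging before it reaches a converter; passing them says nothing about the private data inside the comment itself.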

Mitigation

All Adobe Acrobat and Reader users are encouraged to upgrade to the latest version of the software. Zscaler’s Advanced Threat Protection and Advanced Cloud Sandbox can protect customers against these vulnerabilities.

PDF.Exploit.EMF2PDFMemoryCorruption

Reference

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-emf/e081b202-429d-4c34-b21c-a0ad501858a6

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-emf/e0137630-f3ad-492c-bde9-e68866e255ba

https://helpx.adobe.com/security/acknowledgments.html

https://helpx.adobe.com/security/products/acrobat/apsb22-16.html

*** This is a Security Bloggers Network syndicated blog from Blog Category Feed written by Kai Lu. Read the original post at: https://www.zscaler.com/blogs/security-research/zscaler-threatlabz-discovers-multiple-product-bugs-adobe-acrobat