Zscaler ThreatLabz Discovers Multiple Product Bugs in Adobe Acrobat

In April 2022, Adobe released security update APSB22-16. This update fixed five product bugs in Adobe Acrobat, reported by Zscaler’s ThreatLabz, that relate to EMF (Enhanced Metafile Format) parsing. Adobe determined that Acrobat is secure by default for converting EMF to PDF. Specifically, abuse requires administrative privileges to modify the registry and add the HKLM keys that enable the EMF-to-PDF conversion feature. As a result, Adobe treated these five issues as regular product bugs instead of security bugs. Nevertheless, in this blog, we present details of these discoveries.

Known Affected Software

Acrobat DC 22.001.20085 and earlier versions
Acrobat 2020 20.005.30314 and earlier versions (Windows); 20.005.30311 and earlier versions (macOS)
Acrobat 2017 17.012.30205 and earlier versions

Steps to Reproduce

Enable Page Heap in Acrobat.exe
Follow the instructions shown below to enable the feature that converts an EMF file to a PDF:
Open the EMF PoC in Adobe Acrobat

Case Studies

Case 1: Heap Buffer Overflow

This bug is triggered by opening a malformed EMF file in Adobe Acrobat. A heap buffer overflow occurs when Adobe Acrobat improperly processes Enhanced Metafile Format (EMF) data while handling the EMR_COMMENT record. Figure 1 compares a properly structured EMF file with a minimized PoC file that triggers this vulnerability.

Figure 1. Comparison between a normal EMF file and the minimized PoC file that triggers a heap buffer overflow

Adobe Acrobat then produces the crash shown in Figure 2.

Figure 2. Adobe Acrobat EMF to PDF heap buffer overflow crash

Case 2: Use-After-Free

This bug is triggered by opening a malformed EMF file in Adobe Acrobat. A use-after-free crash occurs when Adobe Acrobat improperly processes Enhanced Metafile Format (EMF) data while handling the EMR_COMMENT record. Figure 3 compares a properly structured EMF file with a minimized PoC file that triggers this vulnerability.

Figure 3. Comparison between a normal EMF file and the minimized PoC file that triggers a use-after-free crash

Adobe Acrobat then produces the crash shown in Figure 4.

Figure 4. Adobe Acrobat EMF to PDF use-after-free crash

Case 3: Out-of-Bounds Read

This bug is triggered by opening a malformed EMF file in Adobe Acrobat. An out-of-bounds read occurs when Adobe Acrobat improperly processes Enhanced Metafile Format (EMF) data while handling the EMR_COMMENT record. Figure 5 compares a properly structured EMF file with a minimized PoC file that triggers this vulnerability.

Figure 5. Comparison between a normal EMF file and the minimized PoC file that triggers an out-of-bounds read

Adobe Acrobat then produces the crash shown in Figure 6.

Figure 6. Adobe Acrobat EMF to PDF out-of-bounds read crash

Case 4: Heap Buffer Overflow

This bug is triggered by opening a malformed EMF file in Adobe Acrobat. A heap buffer overflow occurs when Adobe Acrobat improperly processes Enhanced Metafile Format (EMF) data while handling the EMR_COMMENT record. Figure 7 compares a properly structured EMF file with a minimized PoC file that triggers this vulnerability.

Figure 7. Comparison between a normal EMF file and the minimized PoC file that triggers a heap buffer overflow

Adobe Acrobat then produces the crash shown in Figure 8.

Figure 8. Adobe Acrobat EMF to PDF heap buffer overflow crash

Case 5: Null Pointer Dereference

This bug is triggered by opening a malformed EMF file in Adobe Acrobat, which produces the null pointer dereference crash shown in Figure 9.

Figure 9. Adobe Acrobat EMF to PDF null pointer dereference crash

Summary

In EMF, the Comment record types define formats for specifying arbitrary private data, embedding records in other metafile formats, and adding new or special-purpose commands. Because an EMR_COMMENT record can contain arbitrary private data, ThreatLabz has found that it can be a potential attack vector. As presented in these case studies, ThreatLabz discovered four bugs in how Adobe Acrobat processes Enhanced Metafile Format (EMF) data when handling the EMR_COMMENT record, in addition to a null pointer dereference.
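Because the Comment record carries caller-defined private data, a consumer has to check the record's length fields before touching that data. The C validator below is an added example, not code from Adobe or ThreatLabz, and it does not reproduce the PoC files or their root causes. It assumes the public MS-EMF layout (Type, Size, then DataSize for EMR_COMMENT, all little-endian); the function names, error codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EMR_EOF     0x0Eu   /* record type values from MS-EMF */
#define EMR_COMMENT 0x46u
enum { EMF_OK = 0, EMF_TRUNCATED = -1, EMF_BAD_SIZE = -2, EMF_BAD_COMMENT = -3, EMF_NO_EOF = -4 };

/* Little-endian 32-bit read; the caller has already checked 4 bytes exist. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the record stream, checking every length field before trusting it. */
int emf_validate(const uint8_t *buf, size_t len) {
    size_t off = 0;
    while (off < len) {
        size_t left = len - off;
        if (left < 8) return EMF_TRUNCATED;               /* Type + Size missing */
        uint32_t type = rd32(buf + off), size = rd32(buf + off + 4);
        if (size < 8 || (size & 3)) return EMF_BAD_SIZE;  /* Size covers header, 4-aligned */
        if (size > left) return EMF_TRUNCATED;            /* record runs past the buffer */
        if (type == EMR_COMMENT) {
            if (size < 12) return EMF_BAD_COMMENT;        /* no room for DataSize */
            if (rd32(buf + off + 8) > size - 12)          /* DataSize exceeds the record */
                return EMF_BAD_COMMENT;
        }
        if (type == EMR_EOF) return EMF_OK;
        off += size;
    }
    return EMF_NO_EOF;
}

/* Constructed sample, not a PoC: EMR_COMMENT with 4 private bytes, then EMR_EOF.
   Real files begin with an EMR_HEADER record, omitted here for brevity. */
int validate_sample(uint32_t data_size, size_t len) {
    uint8_t s[36] = { 0x46,0,0,0, 16,0,0,0, 0,0,0,0, 'A','B','C','D',
                      0x0E,0,0,0, 20,0,0,0, 0,0,0,0, 0,0,0,0, 20,0,0,0 };
    for (int i = 0; i < 4; i++) s[8 + i] = (uint8_t)(data_size >> (8 * i));
    return emf_validate(s, len < sizeof s ? len : sizeof s);
}

int main(void) {
    printf("consistent DataSize: %d\n", validate_sample(4, 36));     /* EMF_OK */
    printf("oversized DataSize:  %d\n", validate_sample(0x100, 36)); /* EMF_BAD_COMMENT */
    printf("truncated stream:    %d\n", validate_sample(4, 30));     /* EMF_TRUNCATED */
    return 0;
}
```

Rejecting the file at the first inconsistent length keeps later code from sizing a copy or read on an attacker-controlled field.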

Mitigation

All users of Adobe Acrobat and Reader are encouraged to upgrade to the latest version of the software. Zscaler’s Advanced Threat Protection and Advanced Cloud Sandbox can protect customers against these vulnerabilities.

PDF.Exploit.EMF2PDFMemoryCorruption

Reference

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-emf/e081b202-429d-4c34-b21c-a0ad501858a6

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-emf/e0137630-f3ad-492c-bde9-e68866e255ba

https://helpx.adobe.com/security/acknowledgements.html

https://helpx.adobe.com/security/products/acrobat/apsb22-16.html

*** This is a Security Bloggers Network syndicated blog from Blog Category Feed authored by Kai Lu. Read the original post at: https://www.zscaler.com/blogs/security-research/zscaler-threatlabz-discovers-multiple-product-bugs-adobe-acrobat