
[Poc] CVE-2013-2729 Adobe Reader X BMP/RLE heap corruption

This post was last edited by blursight on 2013-5-17 10:12

Product: Adobe Reader X
Version: 10.x
Product Homepage: adobe.com
Binary affected: AcroForm.api
Binary Version: 10.1.4.38

Adobe Reader X fails to validate the input when parsing an embedded BMP RLE encoded image. Arbitrary code execution in the context of the sandboxed process is proven possible after a malicious embedded BMP image triggers a heap overflow.
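The advisory above names the bug class (an RLE-encoded BMP whose run lengths are not checked against the destination buffer) without showing a decoder. The following is an added illustration, not Adobe's code and not the PoC from the attachment: a minimal BMP RLE8 decoder in which every bounds check that a naive decoder would omit is marked, plus two constructed sample streams, one well-formed and one whose second run claims more pixels than remain in the row. The pixel buffer is assumed to be 8 bits per pixel and written top-down for simplicity; real BMPs are stored bottom-up, which changes the row arithmetic but not the checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Bounds-checked BMP RLE8 decoder (illustrative, not Adobe's code).
 * dst must hold width*height bytes; pixels are written top-down, one byte
 * each. Returns 0 on success, -1 on any malformed input. Every check marked
 * "BOUNDS" is one a naive decoder tends to omit, and each omission lets a
 * crafted run, literal block or delta write past the end of the pixel buffer.
 */
int rle8_decode(const uint8_t *src, size_t srclen,
                uint8_t *dst, size_t width, size_t height)
{
    size_t x = 0, y = 0, i = 0;

    if (src == NULL || dst == NULL || width == 0 || height == 0)
        return -1;
    memset(dst, 0, width * height);

    while (i + 2 <= srclen) {               /* BOUNDS: each opcode is 2 bytes */
        uint8_t count = src[i], value = src[i + 1];
        i += 2;

        if (count > 0) {                    /* encoded run: count copies of value */
            if (y >= height || count > width - x)   /* BOUNDS: run must fit in row */
                return -1;
            memset(dst + y * width + x, value, count);
            x += count;
        } else if (value == 0) {            /* escape 0: end of line */
            if (y >= height)                /* BOUNDS: no rows left */
                return -1;
            x = 0;
            y++;
        } else if (value == 1) {            /* escape 1: end of bitmap */
            return 0;
        } else if (value == 2) {            /* escape 2: delta (dx, dy) */
            if (i + 2 > srclen)             /* BOUNDS: delta operands present */
                return -1;
            uint8_t dx = src[i], dy = src[i + 1];
            i += 2;
            if (dx > width - x || dy > height - y)  /* BOUNDS: stay inside image */
                return -1;
            x += dx;
            y += dy;
        } else {                            /* escape >= 3: absolute mode, value literal bytes */
            size_t n = value;
            size_t padded = (n + 1) & ~(size_t)1;   /* literal data is padded to a word */
            if (i + padded > srclen)        /* BOUNDS: literal bytes present */
                return -1;
            if (y >= height || n > width - x)       /* BOUNDS: literals must fit in row */
                return -1;
            memcpy(dst + y * width + x, src + i, n);
            x += n;
            i += padded;
        }
    }
    return -1;                              /* input ended without an end-of-bitmap escape */
}

/* Constructed 4x2 image: row 0 = AA AA AA BB, row 1 = 11 22 33 44. */
static const uint8_t good_stream[] = {
    0x03, 0xAA,  0x01, 0xBB,  0x00, 0x00,               /* two runs, end of line */
    0x00, 0x03, 0x11, 0x22, 0x33, 0x00,                 /* absolute mode, 3 bytes + pad */
    0x01, 0x44,  0x00, 0x01                             /* run, end of bitmap */
};

/* Constructed malformed stream: second run claims 5 pixels with only 1 left in the row. */
static const uint8_t overrun_stream[] = { 0x03, 0xAA, 0x05, 0xBB, 0x00, 0x01 };

int demo_valid_decode(void)
{
    static const uint8_t expected[8] = { 0xAA, 0xAA, 0xAA, 0xBB, 0x11, 0x22, 0x33, 0x44 };
    uint8_t pixels[8];
    if (rle8_decode(good_stream, sizeof good_stream, pixels, 4, 2) != 0)
        return 0;
    return memcmp(pixels, expected, sizeof expected) == 0;
}

int demo_overrun_rejected(void)
{
    uint8_t pixels[8];
    return rle8_decode(overrun_stream, sizeof overrun_stream, pixels, 4, 2) == -1;
}

int demo_truncated_rejected(void)
{
    uint8_t pixels[8];
    /* good_stream cut short before its end-of-bitmap escape */
    return rle8_decode(good_stream, sizeof good_stream - 2, pixels, 4, 2) == -1;
}

int main(void)
{
    printf("valid: %d, overrun rejected: %d, truncated rejected: %d\n",
           demo_valid_decode(), demo_overrun_rejected(), demo_truncated_rejected());
    return 0;
}
```

The checks are deliberately expressed as `count > width - x` rather than `x + count > width` so that the comparison itself cannot overflow; with a page-heap build (as in the verifier stop quoted later in the thread) the difference between the two forms is exactly the difference between a rejected file and a corrupted block end stamp.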

Yeah, thank you for the sample POC. Great work.
n0th!n9 ,d01n9


Has anyone debugged this?
After enabling page heap it shows:
===========================================================
VERIFIER STOP 00000008: pid 0xD90: corrupted end stamp

        02871000 : Heap handle
        06C96ED0 : Heap block
        0000012C : Block size
        05270000 : Corrupted stamp
===========================================================

Which heap field exactly was overwritten and corrupted?


KK has already analyzed it.
n0th!n9 ,d01n9


Reply to #4 bug9er

Just saw it, holy cow. But what I see when I actually debug it differs a lot from his account. No idea what environment he is using.


Thanks a lot!


Thank You for the POC


Reply to #5 blursight
When I opened it directly in a VM it said the initialization distribution succeeded, and then the VM rebooted on its own.


Thanks for sharing.


Yeah, thank you for the sample POC. Great work.
