
CVE-2021-21017 PoC — Acrobat Reader DC Buffer Error Vulnerability

Source
Associated Vulnerability
Title: Acrobat Reader DC Buffer Error Vulnerability (CVE-2021-21017)
Description: Adobe Acrobat Reader is a PDF viewer from the US company Adobe. The software is used to print, sign and annotate PDFs. Acrobat Reader DC contains a buffer error vulnerability that stems from a heap-based buffer overflow in the software. An unauthenticated attacker can exploit this vulnerability to execute arbitrary code in the context of the current user.
Readme
# CVE-2021-21017

## Not another Adobe Reader Byte Order Mark bug :)

```c
// IA32 plugin, ver. 2020.013.20074. Decompiler output; elided parts are shown as dots.
char * __cdecl FUN_2581894c(char *base_url,LPCSTR rel_url)
{
  ............................................................
  ............................................................
  if ((base_url != (char *)0x0) && (rel_url != (LPCSTR)0x0)) {
    // Does base_url start with the UTF-16BE byte order mark (0xFE 0xFF)?
    if ((*base_url == -2) && (base_url[1] == -1)) {
      iVar6 = bytes_len(base_url);
      pcVar7 = base_url + iVar6;   // write cursor: end of base_url
      pcVar8 = rel_url + 2;        // read cursor: rel_url, skipping the two bytes
                                   // it assumes to be a BOM
      do {
        do {
          // Copy one 16-bit unit at a time until a double-NUL terminator is seen.
          // rel_url is really an ANSI string with a single NUL, so this may read
          // past it and write past the end of base_url.
          cVar3 = *pcVar8;
          pcVar1 = pcVar8 + 2;
          *pcVar7 = cVar3;
          pcVar2 = pcVar7 + 2;
          cVar4 = pcVar8[1];
          pcVar7[1] = cVar4;
          pcVar7 = pcVar2;
          pcVar8 = pcVar1;
        } while (cVar3 != '\0');
      } while (cVar4 != '\0');
    }
    else {
      lstrcatA(base_url,rel_url);  // plain ANSI concatenation
    }
    return base_url;
  }
  .............................................................
  .............................................................
}
```

When building an absolute URL from one relative to a PDF document's `baseURL`, for use by APIs such as `app.launchURL`, `document.submitForm` or `app.media.createPlayer`,
if the `baseURL` looks like a `UTF-16BE` string, the relative URL is also treated as a `UTF-16BE` string during the concatenation, even though it is actually an ANSI string.

On the one hand, this may result in an out-of-bounds read. On the other hand, when memory is allocated to hold the destination buffer, the relative URL is "measured" as an ANSI string. That is of course not enough once the OOB read occurs: the string plus the `NULL` terminator fills the whole heap chunk, so every extra byte copied lands past its end.

What does this mean?

## Type confusion => Out of bounds read => Heap overflow => FULL BUKAKE!

## PoC Attached

It most often results in a crash, and occasionally in overwriting an ArrayBuffer's `byteLength` with `0xFF`.

If you have questions feel free to contact me on twitter: https://twitter.com/Zeusb0x

## Detection

The PDF document catalog will have a `URI` entry holding an indirect reference to a dictionary object. That dictionary in turn has a `Base` entry, which is the actual `baseURL`. It will most likely be present in hexadecimal notation and will start with the bytes `\xFE\xFF` (see PoC). Fortunately this is the only way to change a document's `baseURL` in a normal, non-privileged context. Trying to do it from `JavaScript` throws a security exception.
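As an added example (not code from the PoC repository), the check above as a small Python scanner: it pulls every `/Base` string out of a PDF, decodes both the hex and the literal string forms, and flags the ones that begin with `\xFE\xFF`. The embedded sample document is constructed for the example; it is not the attached PoC.

```python
import re
# Constructed sample (not the PoC): a catalog whose /URI dictionary has a /Base
# hex string that starts with the UTF-16BE byte order mark FE FF.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /URI 3 0 R >>
endobj
3 0 obj
<< /Base <FEFF00680074007400700073003A002F002F0065002E0063006F006D002F> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""
# /Base is a hex string <...> or a literal (...); balanced nested parens inside literals are not handled.
BASE_RE = re.compile(rb"/Base\s*(?:<([0-9A-Fa-f\s]*)>|\(((?:\\.|[^\\)])*)\))", re.S)
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\", b"\n": b""}

def decode_literal(raw: bytes) -> bytes:
    """Resolve literal-string escapes, so (\\376\\377...) is recognised as FE FF too."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            m = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])
            if m:  # \ddd octal escape
                out.append(int(m.group(0), 8) & 0xFF)
                i += 1 + len(m.group(0))
            else:  # named escape; for an unknown one the backslash is dropped
                out += ESCAPES.get(raw[i + 1:i + 2], raw[i + 1:i + 2])
                i += 2
            continue
        out.append(raw[i])
        i += 1
    return bytes(out)

def extract_base_urls(data: bytes) -> list:
    """Decode every /Base string visible in the file (object streams are not unpacked)."""
    found = []
    for m in BASE_RE.finditer(data):
        if m.group(1) is not None:
            h = re.sub(rb"\s", b"", m.group(1))
            found.append(bytes.fromhex((h + b"0" * (len(h) % 2)).decode("ascii")))
        else:
            found.append(decode_literal(m.group(2)))
    return found

def suspicious_base_urls(data: bytes) -> list:
    """/Base values that begin with the BOM, i.e. take the UTF-16BE concatenation path."""
    return [b for b in extract_base_urls(data) if b.startswith(b"\xfe\xff")]
```

A `/Base` hidden inside a compressed object stream or an encrypted file is not visible to this plain byte scan, so run it after decompressing object streams with your PDF tooling of choice.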

File Snapshot

[4.0K] /data/pocs/a6a5eabe866ec45292f0ffd6a49d1c6600ba4a47
├── [ 987] CVE-2021-21017.js
├── [3.3K] CVE-2021-21017.pdf
└── [2.4K] README.md

0 directories, 3 files