CVE-2019-8042 : Detail

CVE-2019-8042

9.8 / Critical
Overflow
38.67% (V3)
Network
2019-08-20 17h56 +00:00
2020-07-06 15h38 +00:00

CVE Description

Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution.

CVE Information

Related Weaknesses

CWE-ID   Weakness Name        Source
CWE-787  Out-of-bounds Write
         The product writes data past the end, or before the beginning, of the intended buffer.

Metrics

Metrics Score Severity CVSS Vector Source
V3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base: Exploitability Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Network

The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).

Attack Complexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

User Interaction

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.

None

The vulnerable system can be exploited without interaction from any user.

Base: Scope Metrics

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

Scope

Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which the vulnerable component resides, a Scope change occurs.

Unchanged

An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.

Base: Impact Metrics

The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability.

Environmental Metrics

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability.

V2 7.5 HIGH AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 47769

Publication date : 2019-12-10
23h00 +00:00
Author : Google Security Research
EDB Verified : Yes

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

--- cut ---
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=707779e0 ebx=25876c38 ecx=052faab8 edx=707703a4 esi=707703d4 edi=25876e34
eip=10e6c29e esp=052fa89c ebp=052fa8a4 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210212
CoolType!CTInit+0x3913e:
10e6c29e 8902            mov     dword ptr [edx],eax  ds:002b:707703a4=31a03194

0:000> u @eip-14
CoolType!CTInit+0x3912a:
10e6c28a 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
10e6c28d 8b571c          mov     edx,dword ptr [edi+1Ch]
10e6c290 8b7720          mov     esi,dword ptr [edi+20h]
10e6c293 035508          add     edx,dword ptr [ebp+8]
10e6c296 8b4724          mov     eax,dword ptr [edi+24h]
10e6c299 037508          add     esi,dword ptr [ebp+8]
10e6c29c 03c6            add     eax,esi
10e6c29e 8902            mov     dword ptr [edx],eax

0:000> ? poi(edi+1c)
Evaluate expression: -690332 = fff57764

0:000> ? poi(ebp+8)
Evaluate expression: 1887538240 = 70818c40

0:000> !heap -p -a 70818c40
    address 70818c40 found in
    _DPH_HEAP_ROOT @ bfc1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                723d3b94:         70818c40            173c0 -         70818000            19000
          unknown!fillpattern
    0f32a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
    77f24b26 ntdll!RtlDebugAllocateHeap+0x0000003c
    77e7e3e6 ntdll!RtlpAllocateHeap+0x000000f6
    77e7cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
    77e7ccee ntdll!RtlAllocateHeap+0x0000003e
    0f48aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
    77c2f1f6 ucrtbase!_malloc_base+0x00000026
    5fbefc39 AcroRd32!AcroWinMainSandbox+0x00003ec9
    10e37991 CoolType!CTInit+0x00004831
    10e38e1b CoolType!CTInit+0x00005cbb
    10e68870 CoolType!CTInit+0x00035710
    10e683dc CoolType!CTInit+0x0003527c
    10e67d25 CoolType!CTInit+0x00034bc5
    10e65902 CoolType!CTInit+0x000327a2
    10e633f2 CoolType!CTInit+0x00030292
    10e62719 CoolType!CTInit+0x0002f5b9
    10e620e8 CoolType!CTInit+0x0002ef88
    10e62000 CoolType!CTInit+0x0002eea0
    108f36f1 AGM!AGMInitialize+0x0002a881

0:000> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 052fa8a4 10e6bde2 70818c40 25876e34 70818c40 CoolType!CTInit+0x3913e
01 052fa918 10e6bd06 052faab4 052fa9e4 00000001 CoolType!CTInit+0x38c82
02 052fa930 10e6bce7 052faab4 052fa9e4 73330f68 CoolType!CTInit+0x38ba6
03 052fa944 10e6bb4f 052faab4 052fa9e4 73330f68 CoolType!CTInit+0x38b87
04 052fa968 10e6b8b0 052facd8 73330f68 110f7080 CoolType!CTInit+0x389ef
05 052fab08 10e6abf9 73330f68 110f7080 052facd8 CoolType!CTInit+0x38750
06 052fad64 10e65b0c 052fb054 052faddc 00000000 CoolType!CTInit+0x37a99
07 052fb07c 10e633f2 000007c6 00000000 00000000 CoolType!CTInit+0x329ac
08 052fb14c 10e62719 65babff0 00000001 052fb1dc CoolType!CTInit+0x30292
09 052fb964 10e620e8 6aa0a9b4 052fb97c 6aa0a990 CoolType!CTInit+0x2f5b9
0a 052fb9e4 10e62000 6aa0a9b4 6aa0a99c 73fdc4da CoolType!CTInit+0x2ef88
0b 052fba24 108f36f1 7155bd90 6aa0a9b4 6aa0a99c CoolType!CTInit+0x2eea0
0c 052fba38 108e023e 6aa0a99c 108e01d0 331cbd80 AGM!AGMInitialize+0x2a881
0d 052fba4c 108df007 331cbd8c 10d84a18 00000001 AGM!AGMInitialize+0x173ce
0e 052fba84 108f0bcc c1574612 1733a7d0 00000000 AGM!AGMInitialize+0x16197
0f 052fbb4c 0f327c7a 0bfc16cc 052fbb78 0f3291ab AGM!AGMInitialize+0x27d5c
--- cut ---

Notes:

- The crash looks very similar to the one reported in Issue #1891 in June 2019, and fixed in August 2019 as CVE-2019-8042. The stack trace and context are nearly identical. It is possible that this is an unfixed variant of the previous vulnerability.
- Reproduces on Adobe Acrobat Reader DC (2019.012.20040) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though).
- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data at a negative offset relative to a heap allocation (-690332 in the above case).
- Attached samples: poc[1-4].pdf (crashing files).

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47769.zip

Exploit Database EDB-ID : 47276

Publication date : 2019-08-14
22h00 +00:00
Author : Google Security Research
EDB Verified : Yes

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

--- cut ---
(4c84.1e3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=13842768 ebx=14b6d730 ecx=1383e108 edx=13832820 esi=13832850 edi=14b6d92c
eip=1062a82e esp=1383def0 ebp=1383def8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
CoolType!CTInit+0x37aa7:
1062a82e 8902            mov     dword ptr [edx],eax  ds:002b:13832820=????????

0:022> u @eip-14
CoolType!CTInit+0x37a93:
1062a81a 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
1062a81d 8b571c          mov     edx,dword ptr [edi+1Ch]
1062a820 8b7720          mov     esi,dword ptr [edi+20h]
1062a823 035508          add     edx,dword ptr [ebp+8]
1062a826 8b4724          mov     eax,dword ptr [edi+24h]
1062a829 037508          add     esi,dword ptr [ebp+8]
1062a82c 03c6            add     eax,esi
1062a82e 8902            mov     dword ptr [edx],eax

0:022> ? poi(edi+1c)
Evaluate expression: -56136 = ffff24b8

0:022> ? poi(ebp+8)
Evaluate expression: 327418728 = 13840368

0:022> !heap -p -a 13840368
    address 13840368 found in
    _DPH_HEAP_ROOT @ bd61000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 bd639c0:         13840368           190c94 -         13840000           192000
          unknown!fillpattern
    66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
    77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
    7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
    7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
    7725ccee ntdll!RtlAllocateHeap+0x0000003e
    66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
    74a2f1f6 ucrtbase!_malloc_base+0x00000026
    0e96fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
    105f74d4 CoolType!CTInit+0x0000474d
    105f8888 CoolType!CTInit+0x00005b01
    106270cf CoolType!CTInit+0x00034348
    10626c61 CoolType!CTInit+0x00033eda
    106265a2 CoolType!CTInit+0x0003381b
    10623c6f CoolType!CTInit+0x00030ee8
    10621d55 CoolType!CTInit+0x0002efce
    106210e9 CoolType!CTInit+0x0002e362
    1062096c CoolType!CTInit+0x0002dbe5
    10620893 CoolType!CTInit+0x0002db0c
    645138e1 AGM!AGMInitialize+0x0002aab1

0:022> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 1383def8 1062a372 13840368 14b6d92c 13840368 CoolType!CTInit+0x37aa7
01 1383df6c 1062a296 1383e104 1383e034 00000001 CoolType!CTInit+0x375eb
02 1383df84 1062a277 1383e104 1383e034 16977160 CoolType!CTInit+0x3750f
03 1383df98 10629d00 1383e104 1383e034 16977160 CoolType!CTInit+0x374f0
04 1383dfb8 10629a71 1383e328 16977160 00000000 CoolType!CTInit+0x36f79
05 1383e158 10628ea7 16977160 108a00a0 1383e328 CoolType!CTInit+0x36cea
06 1383e3b4 10623e89 1383e6a8 1383e430 00000000 CoolType!CTInit+0x36120
07 1383e6d0 10621d55 00000001 00000000 00000000 CoolType!CTInit+0x31102
08 1383e7a0 106210e9 16d43ec0 00000009 1383e834 CoolType!CTInit+0x2efce
09 1383efb8 1062096c 188f40ec 1383efd0 188f40c8 CoolType!CTInit+0x2e362
0a 1383f038 10620893 188f40ec 188f40d4 393d9f99 CoolType!CTInit+0x2dbe5
0b 1383f070 645138e1 14c73e6c 188f40ec 10882280 CoolType!CTInit+0x2db0c
0c 1383f084 644ffb1e 188f40d4 644ffab0 1737c5f0 AGM!AGMInitialize+0x2aab1
0d 1383f098 644fe8e7 1737c5fc 649a09f8 00000001 AGM!AGMInitialize+0x16cee
0e 1383f0d0 6451041c 30146add 13db5c78 00000000 AGM!AGMInitialize+0x15ab7
0f 1383f17c 772fcd28 0ad60000 1383f1b0 66d6922c AGM!AGMInitialize+0x275ec
10 1383f190 00000000 66d69238 772fcd10 0ad64d80 ntdll!RtlReleaseStackTrace+0x18
--- cut ---

Notes:

- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though).
- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data at a negative offset relative to a heap allocation (-56136 in the above case).
- Attached samples: poc.pdf (crashing file), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to three bytes at offsets 0x2bd4c, 0x2bd4d and 0x2d5b8 (0x00 => 0xff in all cases). These bytes reside inside of a TrueType font stream.

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47276.zip
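Both advisories show the same write pattern: an offset loaded from a parsed font record ([edi+1Ch]) is added to a heap allocation base ([ebp+8]) and stored through with no range check, so a field that decodes as negative lands below the allocation. The following is an added example, not code from the advisories or from Adobe; the record layout, function names and sample bytes are constructed to model that pattern beside a bounds-checked version.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not code from the advisories above. Models the crash pattern
 * in the disassembly: an offset from a font record is added to a heap buffer
 * base and written through unchecked. Names and layout are hypothetical. */

/* TrueType fields are big-endian; a signed 32-bit field decodes like this.
 * Mutating the two leading bytes 0x00 -> 0xff turns a small offset negative
 * (00 00 24 b8 = 9400, ff ff 24 b8 = -56136, the value in the second dump). */
int32_t be32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]);
}

/* Vulnerable pattern: base + off is dereferenced directly (mov [edx],eax).
 * A negative off writes below the allocation; shown here, never called. */
void write_unchecked(uint8_t *base, int32_t off, int32_t value) {
    memcpy(base + off, &value, sizeof value);
}

/* Hardened form: the store happens only if all 4 bytes fall inside
 * [base, base + size). Returns 0 on success, -1 when the write is rejected. */
int write_checked(uint8_t *base, size_t size, int32_t off, int32_t value) {
    if (off < 0 || size < sizeof value) return -1;      /* negative offset or tiny buffer */
    if ((size_t)off > size - sizeof value) return -1;   /* would run past the end */
    memcpy(base + off, &value, sizeof value);
    return 0;
}

/* Allocates a zeroed buffer of the given size and attempts one checked write.
 * Returns write_checked's result (-2 if allocation fails). UserSize 0x173c0 and
 * offset -690332 come from the first dump: the write is refused, not crashed. */
int try_write(size_t size, int32_t off) {
    uint8_t *buf = calloc(size, 1);
    if (!buf) return -2;
    int rc = write_checked(buf, size, off, 0x31a03194);
    free(buf);
    return rc;
}

int main(void) {
    const uint8_t mutated[4] = {0xff, 0xff, 0x24, 0xb8};  /* constructed sample field */
    assert(be32(mutated) == -56136);
    assert(try_write(0x173c0, -690332) == -1);
    assert(try_write(0x173c0, 0x173c0 - 4) == 0);
    return 0;
}
```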

Products Mentioned

Configuration 0

Adobe>>Acrobat_dc >> Version From (including) 15.006.30060 To (excluding) 15.006.30499

Adobe>>Acrobat_dc >> Version From (including) 15.008.20082 To (excluding) 19.012.20036

Adobe>>Acrobat_dc >> Version From (including) 17.011.30059 To (excluding) 17.011.30144

Adobe>>Acrobat_reader_dc >> Version From (including) 15.006.30060 To (excluding) 15.006.30499

Adobe>>Acrobat_reader_dc >> Version From (including) 15.008.20082 To (excluding) 19.012.20036

Adobe>>Acrobat_reader_dc >> Version From (including) 17.011.30059 To (excluding) 17.011.30144

Apple>>Macos >> Version -

Microsoft>>Windows >> Version -

References