CVE-2019-8044 : Detail

CVE-2019-8044

9.8
/
Critical
82.54%V3
Network
2019-08-20
17h57 +00:00
2020-07-06
15h38 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a double free vulnerability. Successful exploitation could lead to arbitrary code execution .

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-415 Double Free
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

Metrics

Metrics Score Severity CVSS Vector Source
V3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base: Exploitabilty Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Network

The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).

Attack Complexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

User Interaction

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.

None

The vulnerable system can be exploited without interaction from any user.

Base: Scope Metrics

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

Scope

Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which vulnerable component resides, a Scope change occurs.

Unchanged

An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.

Base: Impact Metrics

The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability.

Environmental Metrics

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability.

[email protected]
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 47279

Publication date : 2019-08-14 22h00 +00:00
Author : Google Security Research
EDB Verified : Yes

We have observed the following crash in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- ======================================= VERIFIER STOP 00000007: pid 0x2C1C: Heap block already freed. 0C441000 : Heap handle for the heap owning the block. 147E6638 : Heap block being freed again. 00000010 : Size of the heap block. 00000000 : Not used ======================================= This verifier stop is not continuable. Process will be terminated when you use the `go' debugger command. ======================================= (2c1c.491c): Break instruction exception - code 80000003 (first chance) eax=66e603a0 ebx=00000000 ecx=000001a1 edx=0536c661 esi=66e5dd88 edi=0c441000 eip=66e53ae6 esp=0536c948 ebp=0536cb5c iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202 vrfcore!VerifierStopMessageEx+0x5b6: 66e53ae6 cc int 3 0:000> kb # ChildEBP RetAddr Args to Child 00 0536cb5c 66e58038 66e5d258 00000007 0c441000 vrfcore!VerifierStopMessageEx+0x5b6 01 0536cb80 66d6da5e 00000007 66d61cbc 0c441000 vrfcore!VfCoreRedirectedStopMessage+0x88 02 0536cbd8 66d6b8a8 00000007 66d61cbc 0c441000 verifier!VerifierStopMessage+0x8e 03 0536cc44 66d6bdea 0c441000 00000004 147e6638 verifier!AVrfpDphReportCorruptedBlock+0x1b8 04 0536cca0 66d6c302 0c441000 147e6638 00000004 verifier!AVrfpDphCheckNormalHeapBlock+0x11a 05 0536ccc0 66d6ab43 0c441000 0c640000 01000002 verifier!AVrfpDphNormalHeapFree+0x22 06 0536cce4 77305359 0c440000 01000002 147e6638 verifier!AVrfDebugPageHeapFree+0xe3 07 0536cd54 7725ad86 147e6638 ab70558b 00000000 ntdll!RtlDebugFreeHeap+0x3c 08 0536ceb0 7725ac3d 00000000 147e6638 00000000 ntdll!RtlpFreeHeap+0xd6 09 0536cf04 66e5aad0 0c440000 00000000 147e6638 ntdll!RtlFreeHeap+0x7cd 0a 0536cf20 74a2db1b 0c440000 00000000 147e6638 vrfcore!VfCoreRtlFreeHeap+0x20 0b 0536cf34 74a2dae8 147e6638 00000000 0536cf54 ucrtbase!_free_base+0x1b 0c 0536cf44 0f012849 147e6638 16fd32f8 0536d068 ucrtbase!free+0x18 WARNING: Stack unwind information not available. Following frames may be wrong. 0d 0536cf54 0f6d6441 147e6638 31577737 0536d0b8 AcroRd32!AcroWinMainSandbox+0x6a49 0e 0536d068 0f6c20a4 0536d0d8 00000001 00000b20 AcroRd32!CTJPEGTiledContentWriter::operator=+0x18bb1 0f 0536d230 0f6bf15d 00000000 00000000 00000000 AcroRd32!CTJPEGTiledContentWriter::operator=+0x4814 10 0536d264 0f6b209f 1771f6b4 1771f6b4 194f9078 AcroRd32!CTJPEGTiledContentWriter::operator=+0x18cd 11 0536d278 0f6a5007 194f9078 000033f8 2037a088 AcroRd32!AX_PDXlateToHostEx+0x34404f 12 0536d32c 0f0a57c9 1771f6b4 19053d28 0f0a5730 AcroRd32!AX_PDXlateToHostEx+0x336fb7 13 0536d350 0f0a56c3 1cb80970 00000001 0013d690 AcroRd32!DllCanUnloadNow+0x4c809 14 0536d370 0f02e7e1 0536d390 1cb80970 0013d690 AcroRd32!DllCanUnloadNow+0x4c703 15 0536d398 0f02e78d 1cb80970 00000001 0013d690 AcroRd32!AcroWinMainSandbox+0x229e1 16 0536d3ac 0f0e8a5b 1cb80970 00000001 0013d690 AcroRd32!AcroWinMainSandbox+0x2298d 17 0536d3c8 0f1f4315 1cb80970 00000001 0013d690 AcroRd32!DllCanUnloadNow+0x8fa9b 18 0536d42c 0f6568a8 00000000 00000e44 205378ac AcroRd32!CTJPEGDecoderHasMoreTiles+0x1a15 19 0536d4ac 0f56ae8d 0536d4cc 0536d4dc 315773af AcroRd32!AX_PDXlateToHostEx+0x2e8858 1a 0536d4f0 10d5da8c 17b908d0 0536d55c bb3e57b9 AcroRd32!AX_PDXlateToHostEx+0x1fce3d 1b 0536d56c 10d5e053 0536d5b8 bb3e5771 00000000 AGM!AGMGetVersion+0x16e3c 1c 0536d5a4 10fffb4c 193d706c 0536d5b8 fffffff9 AGM!AGMGetVersion+0x17403 1d 0536d5bc 10cd9a32 0536d650 bb3e5855 17c76ff8 AGM!AGMGetVersion+0x2b8efc 1e 0536da80 10cd75d6 0536df90 17c76ff8 0536df04 AGM!AGMInitialize+0x40c02 1f 0536df24 10cd4133 0536df90 17c76ff8 0536e124 AGM!AGMInitialize+0x3e7a6 20 0536e144 10cd2370 19891678 18f911e8 17c616f8 AGM!AGMInitialize+0x3b303 21 0536e320 10cd0dec 19891678 18f911e8 bb3e61b9 AGM!AGMInitialize+0x39540 22 0536e36c 10cfffbf 19891678 18f911e8 17150de0 AGM!AGMInitialize+0x37fbc 23 0536e398 10cffb7f 18f911e8 bb3e66d1 17150de0 AGM!AGMInitialize+0x6718f 24 00000000 00000000 00000000 00000000 00000000 AGM!AGMInitialize+0x66d4f 0:000> !heap -p -a 147E6638 address 147e6638 found in _HEAP @ c640000 HEAP_ENTRY Size Prev Flags UserPtr UserSize - state 147e6610 0009 0000 [00] 147e6638 00010 - (free DelayedFree) 66d6c396 verifier!AVrfpDphNormalHeapFree+0x000000b6 66d6ab43 verifier!AVrfDebugPageHeapFree+0x000000e3 77305359 ntdll!RtlDebugFreeHeap+0x0000003c 7725ad86 ntdll!RtlpFreeHeap+0x000000d6 7725ac3d ntdll!RtlFreeHeap+0x000007cd 66e5aad0 vrfcore!VfCoreRtlFreeHeap+0x00000020 74a2db1b ucrtbase!_free_base+0x0000001b 74a2dae8 ucrtbase!free+0x00000018 f012849 AcroRd32!AcroWinMainSandbox+0x00006a49 f6d6430 AcroRd32!CTJPEGTiledContentWriter::operator=+0x00018ba0 f6c20a4 AcroRd32!CTJPEGTiledContentWriter::operator=+0x00004814 f6bf15d AcroRd32!CTJPEGTiledContentWriter::operator=+0x000018cd f6b209f AcroRd32!AX_PDXlateToHostEx+0x0034404f f6a5007 AcroRd32!AX_PDXlateToHostEx+0x00336fb7 f0a57c9 AcroRd32!DllCanUnloadNow+0x0004c809 f0a56c3 AcroRd32!DllCanUnloadNow+0x0004c703 f02e7e1 AcroRd32!AcroWinMainSandbox+0x000229e1 f02e78d AcroRd32!AcroWinMainSandbox+0x0002298d f0e8a5b AcroRd32!DllCanUnloadNow+0x0008fa9b f1f4315 AcroRd32!CTJPEGDecoderHasMoreTiles+0x00001a15 f6568a8 AcroRd32!AX_PDXlateToHostEx+0x002e8858 f56ae8d AcroRd32!AX_PDXlateToHostEx+0x001fce3d 10d5da8c AGM!AGMGetVersion+0x00016e3c 10d5e053 AGM!AGMGetVersion+0x00017403 10fffb4c AGM!AGMGetVersion+0x002b8efc 10cd9a32 AGM!AGMInitialize+0x00040c02 10cd75d6 AGM!AGMInitialize+0x0003e7a6 10cd4133 AGM!AGMInitialize+0x0003b303 10cd2370 AGM!AGMInitialize+0x00039540 10cd0dec AGM!AGMInitialize+0x00037fbc 10cfffbf AGM!AGMInitialize+0x0006718f --- cut --- Notes: - Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with the PageHeap option enabled in Application Verifier. - The crash occurs immediately after opening the PDF document. - Attached samples: poc.pdf (crashing file), original.pdf (original file). - We have minimized the difference between the original and mutated files down to a single byte at offset 0x172b4, which appears to reside inside a binary JP2 image stream. It was modified from 0x1C to 0xFF. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47279.zip

Products Mentioned

Configuraton 0

Adobe>>Acrobat_dc >> Version From (including) 15.006.30060 To (excluding) 15.006.30499

Adobe>>Acrobat_dc >> Version From (including) 15.008.20082 To (excluding) 19.012.20036

Adobe>>Acrobat_dc >> Version From (including) 17.011.30059 To (excluding) 17.011.30144

Adobe>>Acrobat_reader_dc >> Version From (including) 15.006.30060 To (excluding) 15.006.30499

Adobe>>Acrobat_reader_dc >> Version From (including) 15.008.20082 To (excluding) 19.012.20036

Adobe>>Acrobat_reader_dc >> Version From (including) 17.011.30059 To (excluding) 17.011.30144

Apple>>Macos >> Version -

Microsoft>>Windows >> Version -

References