In July 2022, Adobe released a security update for vulnerabilities in Adobe Acrobat and Reader. The update fixed a vulnerability that is identified as CVE-2022-34233 discovered by the Zscaler ThreatLabz research team. In this blog, we present our analysis of CVE-2022-34233, a Use-After-Free vulnerability in Adobe Acrobat and Reader.
Vulnerability Description
CVE-2022-34233 is a Use-After-Free vulnerability that could potentially lead to the disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Known Affected Software Configurations
- Acrobat DC Continuous 22.001.20142 and earlier versions in Windows & macOS
- Acrobat Reader DC Continuous 22.001.20142 and earlier versions in Windows & macOS
- Acrobat 2020 Classic 2020 20.005.30334 and earlier versions (Win)
- Acrobat 2020 Classic 2020 20.005.30331 and earlier versions (Mac)
- Acrobat Reader 2020 Classic 2020 20.005.30334 and earlier versions (Win)
- Acrobat Reader 2020 Classic 2020 20.005.30331 and earlier versions (Mac)
- Acrobat 2017 Classic 2017 17.012.30229 and earlier versions (Win)
- Acrobat 2017 Classic 2017 17.012.30227 and earlier versions (Mac)
- Acrobat Reader 2017 Classic 2017 17.012.30229 and earlier versions (Win)
- Acrobat Reader 2017 Classic 2017 17.012.30227 and earlier versions (Mac)
Proof of Concept
The vulnerability can be triggered by opening a malicious PDF file. Zscaler ThreatLabz created a PoC file that will cause the following crash. To reproduce this issue, the following steps can be performed:
- Enable Page Heap in Acrobat.exe
- In Windbg, open Executable -> File name: Acrobat.exe -> Arguments: /path/to/poc.pdf, then enable Debug child processes also -> Open. Next, issue the command g in Windbg multiple times.
- Adobe Acrobat will cause a crash after a while. The following crash will be produced: