Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN
Find out more

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Zscaler ThreatLabz Discovers Multiple Product Bugs in Adobe Acrobat

KAI LU, BRETT STONE-GROSS
April 22, 2022 - 4 min read
Security Insights

Contents

  1. Article
  2. More blogs

In April 2022, Adobe released security update APSB22-16. This update fixed five product bugs that Zscaler’s ThreatLabz reported in Adobe Acrobat that are related to EMF (Enhanced Metafile Format) parsing. Adobe determined that Acrobat is secure by default for converting EMF to PDF. Specifically, abuse requires administrative privileges to modify the registry and add HKLM keys in order to enable the feature of the conversion from EMF to PDF.  As a result, Adobe treated these five issues as regular product bugs instead of security bugs. Nevertheless, in this blog, we will present details related to these discoveries.

 

Known Affected Software

  • Acrobat DC 22.001.20085 and earlier versions
  • Acrobat 2020 20.005.30314 and earlier versions  (Windows) 20.005.30311 and earlier versions (macOS)
  • Acrobat 2017 17.012.30205 and earlier versions    

 

Steps to Reproduce

  1. Enable Page Heap in Acrobat.exe
  2. Follow the following instructions to enable the feature of converting an EMF file to a PDF shown below:Figure
  3. Open the EMF PoC in Adobe Acrobat

 

Case Studies

Case 1 - Heap Buffer Overflow

This bug can be triggered via opening a malformed EMF file in Adobe Acrobat, which causes a heap buffer overflow when Adobe Acrobat improperly processes Enhanced Metafile Format (EMF) data related to the handling of the EMR_COMMENT record. Figure 1 shows a comparison between a properly structured EMF file with a minimized PoC file that triggers this vulnerability.

Figure

Figure 1. Comparison between a normal EMF file and the minimized PoC file that triggers a heap buffer overflow

Adobe Acrobat will produce the following crash shown in Figure 2.

Figure

Figure 2. Adobe Acrobat EMF to PDF heap buffer overflow crash

Case 2: Use-After-Free

This bug can be triggered via opening a malformed EMF file in Adobe Acrobat, which causes a use-after-free crash when Adobe Acrobat improperly processes Enhanced Metafile Format (EMF) data related to the handling of the EMR_COMMENT record. Figure 3 shows a comparison between a properly structured EMF file with a minimized PoC file that triggers this vulnerability.

Figure

Figure 3. Comparison between a normal EMF file and the minimized PoC file that triggers a use-after-free crash

Adobe Acrobat will produce the following crash shown in Figure 4.

Figure

Figure 4. Adobe Acrobat EMF to PDF use-after-free crash

Case 3: Out-of-Bounds Read

This bug can be triggered via opening a malformed EMF file in Adobe Acrobat, which causes an out-of-bounds read when Adobe Acrobat improperly processes Enhanced Metafile Format (EMF) data related to the handling of the EMR_COMMENT record. Figure 5 shows a comparison between a properly structured EMF file with a minimized PoC file that triggers this vulnerability.

Figure

Figure 5. Comparison between a normal EMF file and the minimized PoC file that triggers out-of-bounds read

Adobe Acrobat will produce the following crash shown in Figure 6.

Figure

Figure 6. Adobe Acrobat EMF to PDF out-of-bounds read crash

Case 4: Heap Buffer Overflow

This bug can be triggered via opening a malformed EMF file in Adobe Acrobat, which causes a heap buffer overflow when Adobe Acrobat improperly processes Enhanced Metafile Format (EMF) data related to the handling of the EMR_COMMENT record. Figure 7 shows a comparison between a properly structured EMF file with a minimized PoC file that triggers this vulnerability.

Figure

Figure 7. Comparison between a normal EMF file and the minimized PoC file that triggers a heap buffer overflow

Adobe Acrobat will produce the following crash shown in Figure 8.

Figure

Figure 8. Adobe Acrobat EMF to PDF heap buffer overflow crash

Case 5:  Null Pointer Dereference

This bug can be triggered via opening a malformed EMF file in Adobe Acrobat, to produce a null pointer dereference crash as shown in Figure 9.

Figure

Figure 9. Adobe Acrobat EMF to PDF Null pointer dereference crash

Summary

In EMF records, the Comment record types define formats for specifying arbitrary private data, embedding records in other metafile formats, and adding new or special-purpose commands. Since an EMR_COMMENT record can contain arbitrary private data, ThreatLabz has found that it can be a potential attack vector. As presented in these case studies, four bugs were discovered by ThreatLabz in Adobe Acrobat when Adobe Acrobat improperly processes Enhanced Metafile Format (EMF) data related to the handling of the EMR_COMMENT record, in addition to a null pointer dereference.
 

Mitigation

All users of Adobe Acrobat and Reader are encouraged to upgrade to the latest version of the software. Zscaler’s Advanced Threat Protection and Advanced Cloud Sandbox can protect customers against these vulnerabilities.

PDF.Exploit.EMF2PDFMemoryCorruption

 

Reference

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-emf/e081b202-429d-4c34-b21c-a0ad501858a6

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-emf/e0137630-f3ad-492c-bde9-e68866e255ba

https://helpx.adobe.com/security/acknowledgements.html

https://helpx.adobe.com/security/products/acrobat/apsb22-16.html

 

form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
TOITOIN Trojan
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.