CVE-2023-26369: Adobe Acrobat PDF Reader RCE when processing TTF fonts
Clement Lecigne, Google Threat Analysis Group
The Basics
Disclosure or Patch Date: September 12, 2023
Product: Adobe Acrobat Reader on Windows and macOS
Advisory: https://helpx.adobe.com/security/products/acrobat/apsb23-34.html
Affected Versions: 23.003.20284 and earlier versions
First Patched Version: 23.006.20320
Issue/Bug Report: N/A
Patch CL: N/A (closed source)
Bug-Introducing CL: N/A
Reporter(s): Anonymous
The Code
Proof-of-concept:
TTF font with the following bitmap tables.
EBLC :
    version : 0x20000
    numSizes : 0x1
    [-] 0th bitmapSizeTable
        indexSubTableArrayOffset : 0x38
        indexTablesSize : 0x100
        numberOfIndexSubTables : 0x2
        colorRef : 0x0
        hori : 0b fe 08 01 00 00 00 00 0b fe 00 00
        vert : 00 00 00 00 00 00 00 00 00 00 00 00
        startGlyphIndex : 0x4d
        endGlyphIndex : 0x4e
        ppemX : 0xfa
        ppemY : 0xfa
        bitDepth : 0x1
        flags : 0x1
        [-] 0th subArray
            firstGlyphIndex : 0x4d
            lastGlyphIndex : 0x4d
            additionalOffsetToIndexSubtable : 0x10
            indexFormat : 0x1
            imageFormat : 0x8
            imageDataOffset : 0x4
            offsetArray0 : 0x0
            offsetArray1 : 0x0
        [-] …
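The dump above follows the OpenType EBLC layout: an 8-byte header, 48-byte bitmapSizeTable records and 8-byte index sub-table array entries. The Python below is an added example, not code from the original write-up. It decodes those fields and notes structural inconsistencies for font triage; the checks come from the table layout and are not a statement of this bug's root cause. `parse_eblc`, `build_sample` and the sample bytes are constructed for illustration and are not the PoC font.

```python
import struct

def parse_eblc(data: bytes) -> dict:
    """Decode EBLC fields (OpenType layout) and note structural inconsistencies."""
    notes, sizes = [], []
    if len(data) < 8:
        return {"version": None, "sizes": sizes, "notes": ["table shorter than header"]}
    major, minor, num_sizes = struct.unpack_from(">HHI", data, 0)
    for i in range(num_sizes):
        base = 8 + 48 * i                       # each BitmapSize record is 48 bytes
        if base + 48 > len(data):
            notes.append(f"size[{i}]: record past end of table")
            break
        arr_off, tbl_size, n_sub, color_ref = struct.unpack_from(">4I", data, base)
        start_g, end_g, ppem_x, ppem_y, depth, flags = struct.unpack_from(">HHBBBb", data, base + 40)
        size = {"indexSubTableArrayOffset": arr_off, "numberOfIndexSubTables": n_sub,
                "startGlyphIndex": start_g, "endGlyphIndex": end_g, "subArrays": []}
        sizes.append(size)
        for j in range(n_sub):
            ent = arr_off + 8 * j               # each IndexSubTableArray entry is 8 bytes
            if ent + 8 > len(data):
                notes.append(f"size[{i}].sub[{j}]: array entry past end of table")
                break
            first, last, add_off = struct.unpack_from(">HHI", data, ent)
            sub = {"firstGlyphIndex": first, "lastGlyphIndex": last}
            size["subArrays"].append(sub)
            if first > last or first < start_g or last > end_g:
                notes.append(f"size[{i}].sub[{j}]: glyph range outside {start_g:#x}..{end_g:#x}")
            hdr = arr_off + add_off             # offset is relative to the array start
            if hdr + 8 > len(data):
                notes.append(f"size[{i}].sub[{j}]: index subtable header past end of table")
                continue
            sub["indexFormat"], sub["imageFormat"], sub["imageDataOffset"] = struct.unpack_from(">HHI", data, hdr)
            if sub["indexFormat"] == 1 and first <= last:
                n = last - first + 2            # format 1 stores one Offset32 per glyph, plus one
                if hdr + 8 + 4 * n > len(data):
                    notes.append(f"size[{i}].sub[{j}]: offsetArray past end of table")
                else:
                    sub["offsetArray"] = list(struct.unpack_from(f">{n}I", data, hdr + 8))
    return {"version": (major << 16) | minor, "sizes": sizes, "notes": notes}

def build_sample(last_glyph: int) -> bytes:
    """Constructed one-strike EBLC table (not the PoC font): header, BitmapSize, one subtable."""
    size = struct.pack(">4I", 0x38, 0x18, 1, 0) + bytes(24) + struct.pack(">HHBBBb", 0x10, 0x10, 12, 12, 1, 1)
    entry = struct.pack(">HHI", 0x10, last_glyph, 8)
    sub = struct.pack(">HHI", 1, 1, 4) + struct.pack(">2I", 0, 16)
    return struct.pack(">HHI", 2, 0, 1) + size + entry + sub

GOOD = parse_eblc(build_sample(0x10))   # consistent constructed table
BAD = parse_eblc(build_sample(0x20))    # sub-array claims glyphs beyond endGlyphIndex
```

To run it on a real font, pass the raw bytes of the `EBLC` table, located through the font's table directory.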
IoC
https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/
https://exploitshop.wordpress.com/2012/01/18/ms11-087-aka-duqu-vulnerability-in-windows-kernel-mode-drivers-could-allow-remote-code-execution/
https://helpx.adobe.com/security/products/acrobat/apsb23-34.html
https://improsec.com/tech-blog/bypassing-control-flow-guard-in-windows-10
https://www.zerodayinitiative.com/blog/2020/9/2/cve-2020-9715-exploiting-a-use-after-free-in-adobe-reader