Adobe Reader Double Free Vulnerability : CVE-2018-4990

A double free vulnerability in Adobe Reader was disclosed. CVE-2018-4990 has been assigned to track this vulnerability. Upon successful exploitation, an attacker can achieve arbitrary code execution. The vulnerability has been exploited in the wild via a crafted PDF document. Adobe has released APSB18-09 to address this vulnerability. Please check the advisory for the list of affected versions.

Vulnerability
As mentioned earlier, this is a double free vulnerability. The issue occurs due to improper loop counter checks in the function JP2KLib!JP2KCopyRect. The loop counter is used to traverse a typedArray. If the dereferenced value is not null, its address is freed by a subroutine. This subroutine is called for two out-of-bounds addresses.

Exploitation
In the wild, CVE-2018-4990 is targeted via a crafted PDF file with embedded JavaScript. The script uses a button field object containing a custom JPEG2000 image. The image triggers the vulnerability, and the script uses a heap spray to align the memory allocations and gain read and write primitives. Once the primitives are gained, it executes a ROP chain built from EScript.api. The ROP chain executes shellcode that runs another PE file embedded within itself. This executable targets CVE-2018-8120 to elevate privileges.

Mitigation
Please apply the latest patches from Adobe to remedy CVE-2018-4990. Qualys customers can scan their network with QID : 370948 to detect vulnerable machines. The QID checks for vulnerable versions of Acrobat.dll, AcroRd32.dll and nppdf32.dll.
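The following PowerShell script is an added illustration of the kind of version check described above; it is not the Qualys QID 370948 logic itself. It assumes the three DLLs live somewhere under the Program Files trees, and the patched-version thresholds are placeholders that must be filled in from APSB18-09 for the Acrobat/Reader track in use.

```powershell
# Added illustration, not the Qualys QID 370948 check: locate the three DLLs
# the QID inspects and compare their file versions against a patched threshold.
# The thresholds below are PLACEHOLDERS; take the real fixed versions for each
# Acrobat/Reader track from Adobe's APSB18-09 advisory before relying on output.
$PatchedVersion = @{
    'Acrobat.dll'  = [version]'0.0.0.0'   # placeholder, fill from APSB18-09
    'AcroRd32.dll' = [version]'0.0.0.0'   # placeholder, fill from APSB18-09
    'nppdf32.dll'  = [version]'0.0.0.0'   # placeholder, fill from APSB18-09
}

# Assumption: install paths vary by product and track, so search both
# Program Files trees rather than hard-coding a directory.
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$Report = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Include $PatchedVersion.Keys -ErrorAction SilentlyContinue |
        ForEach-Object {
            # FileVersion is a string and may carry trailing text; keep the numeric part.
            $raw = ($_.VersionInfo.FileVersion -split '\s+')[0]
            $ver = $null
            if (-not [version]::TryParse($raw, [ref]$ver)) { $ver = $null }
            $min = $PatchedVersion[$_.Name]
            $status = if ($null -eq $ver) { 'UnknownVersion' }
                      elseif ($ver -lt $min) { 'Vulnerable' }
                      else { 'Patched' }
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $raw
                Minimum = $min
                Status  = $status
            }
        }
}

$Report | Sort-Object Status, Path | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or EDR job flag hosts that still need the patch.
if ($Report | Where-Object Status -eq 'Vulnerable') { exit 1 }
```

Copies reporting UnknownVersion should be checked by hand, since an unparseable version string is not evidence that the patch is present.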

Please continue to follow Qualys Threat Protection for more coverage of this vulnerability.

References
CVE-2018-4990
APSB18-09
Win32k Elevation of Privilege : CVE-2018-8120
A tale of two zero-days
