A heap overflow vulnerability was discovered in Adobe Acrobat Pro DC. The issue occurs due to improper handling of OCG content. Upon successful exploitation an attacker can corrupt memory,control-flow hijack. CVE-2018-4910 has been assigned to track this vulnerability.The issue affects Adobe Acrobat Pro DC 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions
Vulnerability
The issue occurs due to improper checking of length parameter for an array. setIntent is one of the methods supported by OCGs. This method is implemented in Escript.api. The method allocates an array where the variable holding the size parameter is overflowed. The subsequent code copies the content of a larger attacker controlled array in to it without proper boundary checks. The size of the attacker array is set in such a way that it overflows the local variable. A PoC for this vulnerability is available.
Mitigation
Please apply the latest patches from Adobe to address CVE-2018-4910. Qualys customer can scan their network using QID: 370776 to detect vulnerable machines.
Please continue to follow Qualys Threat protection for more information on this vulnerability.
References
MALICIOUS INTENT USING ADOBE ACROBAT’S OCG SETINTENT
Adobe Acrobat Pro DC OCG setIntent Heap-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2018-4910
Security updates available for Adobe Acrobat and Reader | APSB18-02
Creating and using layers (OCGs) with Acrobat JavaScript