Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-21017 PoC — Acrobat Reader DC Heap-based Buffer Overflow Vulnerability Could Lead To Arbitrary Code Execution

Source
https://github.com/ZeusBox/CVE-2021-21017
Associated Vulnerability
Title:Acrobat Reader DC Heap-based Buffer Overflow Vulnerability Could Lead To Arbitrary Code Execution (CVE-2021-21017)
Description:Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a heap-based buffer overflow vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Readme
# CVE-2021-21017

## Not another Adobe Reader Byte Order Mark bug :)

```
# IA32 plugin, ver. 2020.013.20074.
char * __cdecl FUN_2581894c(char *base_url,LPCSTR rel_url)
{
  ............................................................
  ............................................................
  if ((base_url != (char *)0x0) && (rel_url != (LPCSTR)0x0)) {
    if ((*base_url == -2) && (base_url[1] == -1)) {
      iVar6 = bytes_len(base_url);
      pcVar7 = base_url + iVar6;
      pcVar8 = rel_url + 2;
      do {
        do {
          cVar3 = *pcVar8;
          pcVar1 = pcVar8 + 2;
          *pcVar7 = cVar3;
          pcVar2 = pcVar7 + 2;
          cVar4 = pcVar8[1];
          pcVar7[1] = cVar4;
          pcVar7 = pcVar2;
          pcVar8 = pcVar1;
        } while (cVar3 != '\0');
      } while (cVar4 != '\0');
    }
    else {
      lstrcatA(base_url,rel_url);
    }
    return base_url;
  }
  .............................................................
  .............................................................
}
```

When building an absolute URL from one relative to a PDF document's `baseURL` to be used by APIs like: `app.launchURL`, `document.submitForm` or `app.media.createPlayer`,
if the the `baseURL` looks to be a `UTF-16BE` string, the relative one is also treated as a `UTF-16BE` string when performing the concatenation, though it is actually an ANSI string.

This may result in Out-of-bounds read access on one hand. On the other hand, when allocating memory to hold the destination buffer, the relative URL is "measured" as an ANSI string. This is of course not enough if OOB read occurs. (string + the `NULL` terminator filling a whole heap chunk).

What does this mean?

## Type confusion => Out of bounds read => Heap overflow => FULL BUKAKE!

## Poc Attached

It will most often result in a crash and occasionally in overwriting an ArrayBuffer's `byteLength` to `0xFF`.

If you have questions feel free to contact me on twitter: https://twitter.com/Zeusb0x

## Detection

The PDF document catalog will have an `URI` entry holding an indirect reference to a dictionary object. This in turn will have a `Base` entry, which is the actual `baseURL`. It will be most likely be present in hexadecimal notation and will start with the characters `\xFE\xFF`. (see PoC). Fortunately this is the only way to change a documents's `baseURL` in a normal, non-privileged context. Trying to do it from `JavaScript` will throw a security exception.
File Snapshot

 [4.0K]  /data/pocs/06ba49715f3ef5a46a53cdad7e62f6e871453e5d
├── [ 987]  CVE-2021-21017.js
├── [3.3K]  CVE-2021-21017.pdf
└── [2.4K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →