btabasic.blogg.se

Acrobat reader v8

This post analyses CVE-2020-9715, a use-after-free vulnerability affecting several versions of the Adobe Acrobat and Adobe Acrobat Reader products. The vulnerability was discovered by Mark Vincent Yason, who reported it to the Zero Day Initiative (ZDI) disclosure program. This research was inspired by a detailed blog post by ZDI that analyzed the vulnerability. The exploitation broadly follows the steps outlined in the ZDI blog post, but describes the vulnerability and exploitation steps in more detail.

Overview

A use-after-free vulnerability affects the data ESObject cache within the EScript.api module of Adobe Acrobat Reader DC. Although objects may be added to the cache using keys with ANSI or Unicode strings, objects are evicted from the cache by keys that contain only Unicode strings. This enables an attacker to cause a data ESObject to be freed, but its pointer to remain intact in the object cache entry. When the same JavaScript object is later accessed, its cache entry is found despite the corresponding data ESObject having been freed. This leads to a use-after-free condition. An attacker can exploit this vulnerability to achieve code execution by enticing a user to open a crafted PDF file.

The vulnerability analysis that follows is based on Adobe Acrobat Reader DC version 2020.009.20063 running on Windows 10 64-bit.

CVE-2020-9715

Before we dive into the vulnerability, we need to understand how embedded JavaScript is handled by Adobe Reader.

Adobe Reader has a built-in JavaScript engine based on Mozilla’s SpiderMonkey. Embedded JavaScript code in PDF files is processed and executed by the EScript.api module in Adobe Reader. The Adobe Reader JavaScript engine uses several types of objects including ESObjects and JSObjects. ESObjects are internal to the EScript.api module and contain a pointer to the classical JavaScript objects, JSObjects.
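
The cache behaviour described above (insertion under ANSI or Unicode keys, eviction under Unicode keys only), reduced to a small model. This is an added example, not code from the original post or from Adobe: the structure names, the fixed-size cache and the `freed` flag (which stands in for an actual release, so nothing dangling is ever dereferenced) are assumptions, and `destroy_fixed` is one possible correction rather than the vendor's patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model, not Adobe's code: every name and layout here is assumed. */
enum enc { ANSI, UNICODE };                 /* encoding of the key string */
struct obj { bool freed; };                 /* stands in for a data ESObject */
struct entry { bool used; enum enc enc; char name[16]; struct obj *obj; };

#define SLOTS 8
static struct entry cache[SLOTS];

static struct entry *find(enum enc enc, const char *name) {
    for (size_t i = 0; i < SLOTS; i++)
        if (cache[i].used && cache[i].enc == enc && !strcmp(cache[i].name, name))
            return &cache[i];
    return NULL;
}

/* Insertion accepts a key in either encoding. */
bool cache_add(enum enc enc, const char *name, struct obj *o) {
    for (size_t i = 0; i < SLOTS; i++)
        if (!cache[i].used) {
            cache[i] = (struct entry){ .used = true, .enc = enc, .obj = o };
            strncpy(cache[i].name, name, sizeof cache[i].name - 1);
            return true;
        }
    return false;                           /* cache full */
}

/* Flawed teardown: evicts by a Unicode key only, then releases the object. */
void destroy_flawed(const char *name, struct obj *o) {
    struct entry *e = find(UNICODE, name);
    if (e) e->used = false;
    o->freed = true;                        /* flag models the release */
}

/* One possible correction: evict every entry that still points at the object. */
void destroy_fixed(struct obj *o) {
    for (size_t i = 0; i < SLOTS; i++)
        if (cache[i].used && cache[i].obj == o) cache[i].used = false;
    o->freed = true;
}

/* True when a lookup would hand back an already-released object. */
bool lookup_is_stale(enum enc enc, const char *name) {
    struct entry *e = find(enc, name);
    return e != NULL && e->obj->freed;
}
```

An entry added under an ANSI key survives `destroy_flawed` and is still returned by a later lookup, which is the stale-pointer state the overview describes; the same entry is gone after `destroy_fixed`.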











