Adobe Digital Editions 4.0 | Bug Report | Crash Logs | Fuzzing Comments | XSS.Cx
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x00000001086a87e8 in non-virtual thunk to rmsdk::zip::FilteredStream::deleteThis() ()
Last updated on January 4, 2015 at 2000 GMT
TL;DR: Fuzzing Adobe Digital Editions 4.0 yields crashes in non-virtual thunks and other common coding failures resulting in Remote Code Execution.
Note: The Adobe Bug Report Platform has been unavailable for over a week; this Crash Report for Adobe Digital Editions 4.0 is now Public Domain.
Features of Adobe Digital Editions - A richer reading experience with EPUB 3 support. The support for EPUB 3 standard allows you a richer reading experience, including: more consistent rendering of audio and video content; support for right to left reading; dynamic image resizing without loss in clarity, support for multi-column layouts, interactive quizzes, better rendering of math formulas, and huge improvements in support for read-aloud and assistive technologies.
XSS.Cx became interested in the ePUB File Format when looking at Malicious eBooks available on the Internet (and in your favorite online stores!).
In the Context of Phishing Prevention, this snippet of the ePUB Spec for Content Conformance caught our collective attention:
If the ePUB Spec for Content Conformance didn’t raise your eyebrows, look at this snippet of the ePUB Spec for Scripting, which is what got us Fuzzing:
The ePUB Apps are a Renderer without a proper Security Model. ePUB App Highlights:
This POST begins with a simple sum-of-the-parts of what is linked to Adobe Digital Editions 4.
=======================================================================
server:~ xss$ otool -L /Applications/Adobe\ Digital\ Editions.app/Contents/MacOS/Adobe\ Digital\ Editions
=======================================================================
/Applications/Adobe Digital Editions.app/Contents/MacOS/Adobe Digital Editions:
/System/Library/Frameworks/WebKit.framework/Versions/A/WebKit (compatibility version 1.0.0, current version 537.74.9)
@executable_path/../Frameworks/ePub3.dylib (compatibility version 1.0.0, current version 1.0.0)
@executable_path/../Frameworks/SimpleHTTPServer.dylib (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 20.0.0)
/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
/usr/lib/libcurl.4.dylib (compatibility version 7.0.0, current version 8.0.0)
/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)
/System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 55471.14.0)
/usr/lib/libicucore.A.dylib (compatibility version 1.0.0, current version 51.1.0)
/usr/lib/libxml2.2.dylib (compatibility version 10.0.0, current version 10.9.0)
/System/Library/Frameworks/Carbon.framework/Versions/A/Carbon (compatibility version 2.0.0, current version 157.0.0)
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1056.13.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 120.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices (compatibility version 1.0.0, current version 48.0.0)
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 1265.19.0)
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 59.0.0)
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 855.14.0)
Time to fire up gdb, generate a Crash, and hope for a First Chance Exception.
=================================================================================================
server:~ xss$ gdb /Applications/Adobe\ Digital\ Editions.app/Contents/MacOS/Adobe\ Digital\ Editions
=================================================================================================
** DO NOT PRELOAD LIBRARIES!!
(gdb) run
0x00007fff9284d52e in mach_msg_trap ()
(gdb) c
Continuing.
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x00000001086a87e8 in non-virtual thunk to rmsdk::zip::FilteredStream::deleteThis() ()
(gdb) bt
#0 0x00000001086a87e8 in non-virtual thunk to rmsdk::zip::FilteredStream::deleteThis() ()
#1 0x00000001086aca5c in image::ImageDocument::~ImageDocument ()
#2 0x00000001086ac9ea in image::ImageDocument::~ImageDocument ()
#3 0x00000001086d1ed5 in pxf::ExternalObjectStruct::~ExternalObjectStruct ()
#4 0x000000010894f01a in uft::BlockHead::freeBlock ()
#5 0x00000001084c03c9 in uft::Value::~Value ()
#6 0x00000001085af0ff in xda::ExternalObjectHandler::~ExternalObjectHandler ()
#7 0x00000001085af0c2 in xda::ExternalObjectHandler::~ExternalObjectHandler ()
#8 0x000000010894f01a in uft::BlockHead::freeBlock ()
#9 0x00000001084c03c9 in uft::Value::~Value ()
#10 0x0000000108959bb6 in uft::DictStruct::~DictStruct ()
#11 0x000000010894f01a in uft::BlockHead::freeBlock ()
#12 0x000000010894f4fc in uft::Value::operator= ()
#13 0x0000000108959d72 in uft::DictStruct::makeEmpty ()
#14 0x000000010896909d in WisDOMTree::~WisDOMTree ()
#15 0x000000010897babb in WisDOMTraversal::~WisDOMTraversal ()
#16 0x000000010894f01a in uft::BlockHead::freeBlock ()
#17 0x00000001084c03c9 in uft::Value::~Value ()
#18 0x0000000108959bb6 in uft::DictStruct::~DictStruct ()
#19 0x000000010894f01a in uft::BlockHead::freeBlock ()
#20 0x00000001084c03c9 in uft::Value::~Value ()
#21 0x0000000108967f2f in MetroWisDOM::~MetroWisDOM ()
#22 0x0000000108967ede in MetroWisDOM::~MetroWisDOM ()
#23 0x00000001086bedf9 in pxf::PXFRenderer::~PXFRenderer ()
#24 0x00000001086bed44 in pxf::PXFRenderer::~PXFRenderer ()
#25 0x000000010868d6d1 in package::Subdocument::freeDocument ()
#26 0x0000000108694a2c in package::PackageRenderer::swapOutSubrenderers ()
#27 0x000000010869474f in package::PackageRenderer::navigateToLocation ()
#28 0x00000001084c412a in reader_navigateToBookmark ()
#29 0x0000000108483c4a in -[ReadingViewController(TocBookmark) tocItemSelectionDidChange:] ()
#30 0x00007fff8a3f7cbc in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ ()
#31 0x00007fff8a2e91b4 in _CFXNotificationPost ()
#32 0x00007fff91eb4ea1 in -[NSNotificationCenter postNotificationName:object:userInfo:] ()
#33 0x00007fff91f18abb in __NSFireDelayedPerform ()
#34 0x00007fff8a38eb44 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ ()
#35 0x00007fff8a38e7d3 in __CFRunLoopDoTimer ()
#36 0x00007fff8a401d9d in __CFRunLoopDoTimers ()
#37 0x00007fff8a34b268 in __CFRunLoopRun ()
#38 0x00007fff8a34a838 in CFRunLoopRunSpecific ()
#39 0x00007fff96ca343f in RunCurrentEventLoopInMode ()
#40 0x00007fff96ca30be in ReceiveNextEventCommon ()
#41 0x00007fff96ca2ffb in _BlockUntilNextEventMatchingListInModeWithFilter ()
#42 0x00007fff9287e6d1 in _DPSNextEvent ()
#43 0x00007fff9287de80 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#44 0x00007fff92871e23 in -[NSApplication run] ()
#45 0x00007fff9285d2d4 in NSApplicationMain ()
#46 0x000000010844c2e4 in start ()
(gdb) si
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x00000001086a87e8 in non-virtual thunk to rmsdk::zip::FilteredStream::deleteThis() ()
(gdb) stepi
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x00000001086a87e8 in non-virtual thunk to rmsdk::zip::FilteredStream::deleteThis() ()
(gdb) bt
#0 0x00000001086a87e8 in non-virtual thunk to rmsdk::zip::FilteredStream::deleteThis() ()
#1 0x00000001086aca5c in image::ImageDocument::~ImageDocument ()
#2 0x00000001086ac9ea in image::ImageDocument::~ImageDocument ()
#3 0x00000001086d1ed5 in pxf::ExternalObjectStruct::~ExternalObjectStruct ()
#4 0x000000010894f01a in uft::BlockHead::freeBlock ()
#5 0x00000001084c03c9 in uft::Value::~Value ()
#6 0x00000001085af0ff in xda::ExternalObjectHandler::~ExternalObjectHandler ()
#7 0x00000001085af0c2 in xda::ExternalObjectHandler::~ExternalObjectHandler ()
#8 0x000000010894f01a in uft::BlockHead::freeBlock ()
#9 0x00000001084c03c9 in uft::Value::~Value ()
#10 0x0000000108959bb6 in uft::DictStruct::~DictStruct ()
#11 0x000000010894f01a in uft::BlockHead::freeBlock ()
#12 0x000000010894f4fc in uft::Value::operator= ()
#13 0x0000000108959d72 in uft::DictStruct::makeEmpty ()
#14 0x000000010896909d in WisDOMTree::~WisDOMTree ()
#15 0x000000010897babb in WisDOMTraversal::~WisDOMTraversal ()
#16 0x000000010894f01a in uft::BlockHead::freeBlock ()
#17 0x00000001084c03c9 in uft::Value::~Value ()
#18 0x0000000108959bb6 in uft::DictStruct::~DictStruct ()
#19 0x000000010894f01a in uft::BlockHead::freeBlock ()
#20 0x00000001084c03c9 in uft::Value::~Value ()
#21 0x0000000108967f2f in MetroWisDOM::~MetroWisDOM ()
#22 0x0000000108967ede in MetroWisDOM::~MetroWisDOM ()
#23 0x00000001086bedf9 in pxf::PXFRenderer::~PXFRenderer ()
#24 0x00000001086bed44 in pxf::PXFRenderer::~PXFRenderer ()
#25 0x000000010868d6d1 in package::Subdocument::freeDocument ()
#26 0x0000000108694a2c in package::PackageRenderer::swapOutSubrenderers ()
#27 0x000000010869474f in package::PackageRenderer::navigateToLocation ()
#28 0x00000001084c412a in reader_navigateToBookmark ()
#29 0x0000000108483c4a in -[ReadingViewController(TocBookmark) tocItemSelectionDidChange:] ()
#30 0x00007fff8a3f7cbc in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ ()
#31 0x00007fff8a2e91b4 in _CFXNotificationPost ()
#32 0x00007fff91eb4ea1 in -[NSNotificationCenter postNotificationName:object:userInfo:] ()
#33 0x00007fff91f18abb in __NSFireDelayedPerform ()
#34 0x00007fff8a38eb44 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ ()
#35 0x00007fff8a38e7d3 in __CFRunLoopDoTimer ()
#36 0x00007fff8a401d9d in __CFRunLoopDoTimers ()
#37 0x00007fff8a34b268 in __CFRunLoopRun ()
#38 0x00007fff8a34a838 in CFRunLoopRunSpecific ()
#39 0x00007fff96ca343f in RunCurrentEventLoopInMode ()
#40 0x00007fff96ca30be in ReceiveNextEventCommon ()
#41 0x00007fff96ca2ffb in _BlockUntilNextEventMatchingListInModeWithFilter ()
#42 0x00007fff9287e6d1 in _DPSNextEvent ()
#43 0x00007fff9287de80 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#44 0x00007fff92871e23 in -[NSApplication run] ()
#45 0x00007fff9285d2d4 in NSApplicationMain ()
#46 0x000000010844c2e4 in start ()
(gdb) bt full
#0 0x00000001086a87e8 in non-virtual thunk to rmsdk::zip::FilteredStream::deleteThis() ()
No symbol table info available.
#1 0x00000001086aca5c in image::ImageDocument::~ImageDocument ()
No symbol table info available.
#2 0x00000001086ac9ea in image::ImageDocument::~ImageDocument ()
No symbol table info available.
#3 0x00000001086d1ed5 in pxf::ExternalObjectStruct::~ExternalObjectStruct ()
No symbol table info available.
#4 0x000000010894f01a in uft::BlockHead::freeBlock ()
No symbol table info available.
#5 0x00000001084c03c9 in uft::Value::~Value ()
No symbol table info available.
#6 0x00000001085af0ff in xda::ExternalObjectHandler::~ExternalObjectHandler ()
No symbol table info available.
#7 0x00000001085af0c2 in xda::ExternalObjectHandler::~ExternalObjectHandler ()
No symbol table info available.
#8 0x000000010894f01a in uft::BlockHead::freeBlock ()
No symbol table info available.
#9 0x00000001084c03c9 in uft::Value::~Value ()
No symbol table info available.
#10 0x0000000108959bb6 in uft::DictStruct::~DictStruct ()
No symbol table info available.
#11 0x000000010894f01a in uft::BlockHead::freeBlock ()
No symbol table info available.
#12 0x000000010894f4fc in uft::Value::operator= ()
No symbol table info available.
#13 0x0000000108959d72 in uft::DictStruct::makeEmpty ()
No symbol table info available.
#14 0x000000010896909d in WisDOMTree::~WisDOMTree ()
No symbol table info available.
#15 0x000000010897babb in WisDOMTraversal::~WisDOMTraversal ()
No symbol table info available.
#16 0x000000010894f01a in uft::BlockHead::freeBlock ()
No symbol table info available.
#17 0x00000001084c03c9 in uft::Value::~Value ()
No symbol table info available.
#18 0x0000000108959bb6 in uft::DictStruct::~DictStruct ()
No symbol table info available.
#19 0x000000010894f01a in uft::BlockHead::freeBlock ()
No symbol table info available.
#20 0x00000001084c03c9 in uft::Value::~Value ()
No symbol table info available.
#21 0x0000000108967f2f in MetroWisDOM::~MetroWisDOM ()
No symbol table info available.
#22 0x0000000108967ede in MetroWisDOM::~MetroWisDOM ()
No symbol table info available.
#23 0x00000001086bedf9 in pxf::PXFRenderer::~PXFRenderer ()
No symbol table info available.
#24 0x00000001086bed44 in pxf::PXFRenderer::~PXFRenderer ()
No symbol table info available.
#25 0x000000010868d6d1 in package::Subdocument::freeDocument ()
No symbol table info available.
#26 0x0000000108694a2c in package::PackageRenderer::swapOutSubrenderers ()
No symbol table info available.
#27 0x000000010869474f in package::PackageRenderer::navigateToLocation ()
No symbol table info available.
#28 0x00000001084c412a in reader_navigateToBookmark ()
No symbol table info available.
#29 0x0000000108483c4a in -[ReadingViewController(TocBookmark) tocItemSelectionDidChange:] ()
No symbol table info available.
#30 0x00007fff8a3f7cbc in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ ()
No symbol table info available.
#31 0x00007fff8a2e91b4 in _CFXNotificationPost ()
No symbol table info available.
#32 0x00007fff91eb4ea1 in -[NSNotificationCenter postNotificationName:object:userInfo:] ()
No symbol table info available.
#33 0x00007fff91f18abb in __NSFireDelayedPerform ()
No symbol table info available.
#34 0x00007fff8a38eb44 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ ()
No symbol table info available.
#35 0x00007fff8a38e7d3 in __CFRunLoopDoTimer ()
No symbol table info available.
#36 0x00007fff8a401d9d in __CFRunLoopDoTimers ()
No symbol table info available.
#37 0x00007fff8a34b268 in __CFRunLoopRun ()
No symbol table info available.
#38 0x00007fff8a34a838 in CFRunLoopRunSpecific ()
No symbol table info available.
#39 0x00007fff96ca343f in RunCurrentEventLoopInMode ()
No symbol table info available.
#40 0x00007fff96ca30be in ReceiveNextEventCommon ()
No symbol table info available.
#41 0x00007fff96ca2ffb in _BlockUntilNextEventMatchingListInModeWithFilter ()
No symbol table info available.
#42 0x00007fff9287e6d1 in _DPSNextEvent ()
No symbol table info available.
#43 0x00007fff9287de80 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
No symbol table info available.
#44 0x00007fff92871e23 in -[NSApplication run] ()
No symbol table info available.
#45 0x00007fff9285d2d4 in NSApplicationMain ()
No symbol table info available.
#46 0x000000010844c2e4 in start ()
No symbol table info available.
(gdb) step
Single stepping until exit from function _ZThn8_N5rmsdk3zip14FilteredStream10deleteThisEv,
which has no line number information.
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x00000001086a87e8 in non-virtual thunk to rmsdk::zip::FilteredStream::deleteThis() ()
(gdb) step
Single stepping until exit from function _ZThn8_N5rmsdk3zip14FilteredStream10deleteThisEv,
which has no line number information.
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x00000001086a87e8 in non-virtual thunk to rmsdk::zip::FilteredStream::deleteThis() ()
(gdb) step
Single stepping until exit from function _ZThn8_N5rmsdk3zip14FilteredStream10deleteThisEv,
which has no line number information.
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x00000001086a87e8 in non-virtual thunk to rmsdk::zip::FilteredStream::deleteThis() ()
(gdb) info reg
rax 0x600000113830 105553117394992
rbx 0x7f865132ce08 140214864629256
rcx 0xb530f 742159
rdx 0xb530e 742158
rsi 0x8 8
rdi 0x608000c9b310 106102885298960
rbp 0x7fff577b2980 0x7fff577b2980
rsp 0x7fff577b2970 0x7fff577b2970
r8 0x7f8651339000 140214864678912
r9 0x600 1536
r10 0x82e27fd6 2195881942
r11 0xe4374037 3828826167
r12 0x1 1
r13 0x64 100
r14 0x6080003491c0 106102875525568
r15 0x608001258fa0 106102891319200
rip 0x1086a87e8 0x1086a87e8 <non-virtual thunk to rmsdk::zip::FilteredStream::deleteThis()+16>
eflags 0x202 514
cs 0x2b 43
ss 0x0 0
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
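The faulting frame is a non-virtual thunk, so it helps to see what that symbol stands for; the C++ below is an added example constructed for this page, not Adobe's or rmsdk's code. `_ZThn8_N5rmsdk3zip14FilteredStream10deleteThisEv` is compiler-generated glue that subtracts the second base's offset (the `n8`) from `this` before running `deleteThis()` on the complete object, so a frame at that symbol means the object was being released through its second-base interface during the teardown chain in the backtrace. `Stream`, `Filter`, `FilteredStream` and the release-once owner `FilterRef` are hypothetical stand-ins, and the offset of 8 assumes the Itanium C++ ABI on a 64-bit target.

```cpp
#include <cstddef>

// Hypothetical stand-ins for the page's rmsdk::zip classes (constructed for
// this example, not Adobe's code). Two polymorphic bases give the derived
// object two vtable pointers; on 64-bit Itanium ABI Filter sits at offset 8.
struct Stream { virtual ~Stream() = default; virtual void deleteThis() = 0; };
struct Filter { virtual ~Filter() = default; virtual void deleteThis() = 0; };
static const void *g_last_deleted = nullptr;   // `this` as seen inside the body

struct FilteredStream : Stream, Filter {
    // One override serves both bases. A call through a Filter* enters the
    // compiler-generated non-virtual thunk (_ZThn8_...deleteThisEv), which
    // subtracts 8 from `this` and then runs this body on the complete object.
    void deleteThis() override {
        g_last_deleted = this;
        delete this;                                // intrusive self-release
    }
};
// The "n8" in the mangled thunk name: offset of the Filter subobject.
std::ptrdiff_t filter_base_offset() {
    FilteredStream *p = new FilteredStream;
    Filter *f = p;                                  // upcast adjusts the pointer
    std::ptrdiff_t off = reinterpret_cast<char *>(f) - reinterpret_cast<char *>(p);
    delete p;
    return off;                                     // 8
}
// Release through the Filter interface lands on the complete object only
// because the thunk re-adjusts `this` before the body runs.
bool thunk_adjusts_this() {
    FilteredStream *p = new FilteredStream;
    const void *complete = p;
    Filter *f = p;                                  // f == complete + 8
    f->deleteThis();                                // via the thunk
    return g_last_deleted == complete;
}
// Defensive owner: release exactly once and forget the pointer, so a repeated
// release in a teardown chain is refused instead of going through a freed vtable.
struct FilterRef {
    Filter *p = nullptr;
    explicit FilterRef(Filter *f) : p(f) {}
    bool release() {
        if (!p) return false;                       // already released: report it
        Filter *f = p;
        p = nullptr;                                // forget before re-entering
        f->deleteThis();
        return true;
    }
    ~FilterRef() { release(); }
};
int releases_accepted_of_two() {                    // how many of two releases ran
    FilterRef r(new FilteredStream);
    int n = r.release() ? 1 : 0;                    // first: runs deleteThis()
    return n + (r.release() ? 1 : 0);               // second: refused, stays 1
}
```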
Comments:
afl-fuzz can find this Code Path after a few days, but we only needed to seed the eBook with known exploit code to gain remote code execution. Expect to see the expansion of Spear Phishing Techniques to include ePUB delivery mechanisms. JavaScript can enumerate the ePUB Apps for specific exploits (in the program or a linked library), similar to the methods used by Malware to exploit specific User Agent Versions.
This POST will be updated frequently with Results, Data Corpus and Proof of Concept Code by April 4, 2015.
Next Article: Why the return value of the xmlTextReaderReadString function in xmlreader.c of LibXML2 must be deallocated by the Caller, with Proof of Concept Code executing in a different major eBook Application for OS X.