Vulnerabilities caused by malformed strings are rare nowadays, let alone exploitable ones. This is not surprising, since all the unsafe string functions are banned by the SDL in modern software development; but if developers do not use the security-enhanced replacements correctly, the result can still be a critical security vulnerability.
In the case of Adobe Reader, some security-enhanced string handling functions have been adopted, but the developers used them incorrectly. In general this is not a big deal; however, a type confusion condition can also be triggered easily when a malformed string is handled. We can leverage these two conditions together to achieve code execution under some circumstances.
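The abstract does not name which functions were misused or how. The following C program is an added illustration (not code from the talk or from Adobe Reader) of the general defect class it describes: a bounded "safe" copy that is called in a way that defeats its purpose, placed next to a corrected version. The buffer size, the sample input and the helper names (`copy_unterminated`, `copy_bounded`, `bound_from_source_overflows`) are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the corrected bounded copy. */
enum copy_status { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BAD_ARGS = -1 };

/* Misuse pattern 1 (hypothetical, not Adobe's code): the bound is the
 * destination size, which looks right, but strncpy() guarantees no
 * terminator. When src is dstsz bytes or longer the buffer is filled
 * completely and any later strlen()/printf("%s") reads past its end. */
void copy_unterminated(char *dst, size_t dstsz, const char *src) {
    strncpy(dst, src, dstsz);   /* may leave dst without a NUL */
}

/* Check used below: does the buffer hold a terminated string? */
int is_terminated(const char *buf, size_t bufsz) {
    return memchr(buf, '\0', bufsz) != NULL;
}

/* Corrected version: validate arguments, always terminate, and report
 * truncation instead of silently handing back a different string. */
enum copy_status copy_bounded(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || src == NULL || dstsz == 0) return COPY_BAD_ARGS;
    size_t n = strlen(src);
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return COPY_TRUNCATED;
    }
    memcpy(dst, src, n + 1);
    return COPY_OK;
}

/* Misuse pattern 2: the bound is derived from the *source* ("copy all of
 * it") rather than the destination, which turns the bounded call back into
 * an unbounded one. This helper only checks the argument a careless caller
 * would pass and never copies, so it is safe to run. Returns 1 if such a
 * call would write past dst. */
int bound_from_source_overflows(size_t dstsz, const char *src) {
    size_t n = strlen(src) + 1;  /* the "bound" taken from the source */
    return n > dstsz;
}

int main(void) {
    char buf[8];
    const char *long_src = "0123456789ABCDEF";  /* constructed: 16 chars */

    copy_unterminated(buf, sizeof buf, long_src);
    printf("terminated after strncpy: %d\n", is_terminated(buf, sizeof buf));

    enum copy_status st = copy_bounded(buf, sizeof buf, long_src);
    printf("bounded copy: status=%d result=\"%s\"\n", (int)st, buf);

    printf("source-derived bound would overflow: %d\n",
           bound_from_source_overflows(sizeof buf, long_src));
    return 0;
}
```

The two checks (`is_terminated` and `bound_from_source_overflows`) are the kind of assertion a reviewer or a fuzzing harness can apply to string-handling code: a bounded copy should be followed by proof of termination, and the bound passed to it should come from the destination's size, never from the attacker-controlled source.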
This presentation discusses an interesting class of vulnerability in Adobe Reader caused by malformed strings. More precisely, four exploitable vulnerabilities will be discussed in detail: two of them achieve information disclosure, and the other two achieve code execution directly.