SID 1:46670

Report a false positive

Rule Category

FILE-IMAGE

Alert Message

FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt

Rule Explanation

This event is generated when a malformed EMF image is detected traversing the network Impact: Attempted User Privilege Gain Details: This vulnerability is an instance of a heap overflow vulnerability in the image conversion engine when handling Enhanced Metafile Format (EMF) data related to pixel block transfer. In particular, the vulnerability is triggered by a crafted EMF file with invalid specification of the source rectangle with respect to the bitmap buffer header information which causes an out of bounds memory access, due to improper bounds checking when manipulating an array pointer. Attackers can exploit the vulnerability by using the out of bounds access for unintended writes potentially leading to code corruption, control-flow hijack, or information leak attack. Ease of Attack:

What To Look For

No information provided

Known Usage

No public information

False Positives

Known false positives, with the described conditions

Prone to False Positives as EMF isn't a strictly adhering file format.

Contributors

Cisco's Talos Intelligence Group

Rule Groups

No rule groups

CVE

CVE-2018-15940 CVE-2018-15941 CVE-2018-4948

Additional Links

helpx.adobe.com/security/products/acrobat/APSB18-09.html
helpx.adobe.com/security/products/acrobat/APSB18-30.html

Rule Vulnerability

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
CVE-2018-15940
 Loading description
CVE-2018-15941
 Loading description
CVE-2018-4948
 Loading description