Xpdf – Integer overflow which causes heap overflow and NULL pointer dereference : pi3 blog

For the last few weeks I have been talking (mailing) with Derek (the xpdf developer, btw. a really nice guy) about some vulnerabilities in his product. On the 14th of October he published a patch for the bugs (not only my vulnerabilities), so I decided to release the advisory…

The original advisory you can find here… I want to write about these vulnerabilities on the blog for several reasons:

1) This is an interesting bug in the draw image function

2) This vulnerability exists NOT only in the xpdf application

3) Adobe Acrobat Reader is vulnerable to this attack too (but ONLY the Linux version !!!)

4) Adobe didn't know about this bug, but its latest release fixes this vulnerability anyway.

The first reason you can analyse in the advisory, but what about the others? Vulnerable are:

*) xpdf

*) libpoppler (which implies a vulnerability in, for example, evince, the default PDF reader in Fedora Linux; I made a PoC for this software).

*) Adobe Acrobat Reader, ONLY for Linux (versions up to 9.1.1; 9.1.2 and 9.1.3 aren't vulnerable)

*) Maybe others?

OK, let's analyse the Adobe Acrobat Reader vulnerability in version 9.1.1:

# gdb --pid=<smth>

(gdb) c
Continuing.

Missing separate debuginfo for /opt/A911/Adobe/Reader9/Reader/intellinux/plug_ins/EFS.api

Program received signal SIGSEGV, Segmentation fault.
0x01499e6d in memmove () from /lib/libc.so.6
Missing separate debuginfos, use: debuginfo-install GConf2-2.26.2-1.fc11.i586 ORBit2-2.14.17-1.fc11.i586 gamin-0.1.10-4.fc11.i586 gvfs-1.2.3-12.fc11.i586 libidn-1.9-4.i586 nss-mdns-0.10-7.fc11.i586
(gdb) bt
#0  0x01499e6d in memmove () from /lib/libc.so.6
#1  0x08a95bdf in ?? ()
#2  0x28371a0a in ?? ()
#3  0x0d2e66aa in ?? ()
#4  0x8e15b1fe in ?? ()
#5  0x8e15b1fe in ?? ()
#6  0xbffb5f7c in ?? ()
#7  0x089e2189 in ?? ()

Backtrace stopped: previous frame identical to this frame (corrupt stack?)

(gdb) x/i $eip
0x1499e6d <memmove+77>:    rep movsl %ds:(%esi),%es:(%edi)
(gdb) i r esi edi ds es ecx
esi            0x27b72ffe    666316798
edi            0x42bfe35e    1119871838
ds             0x7b    123
es             0x7b    123
ecx            0x6a23256    111293014
(gdb)

So we have hard evidence. The crash is in the `rep movsl` of memmove with ecx = 0x6a23256, i.e. about 111 million dwords (over 400 MB) still to copy, and esi/edi pointing into memory that is not mapped, which is how the copy faulted in the first place. A copy length that large only comes from a size computation that went wrong, so this is almost certainly an integer overflow which turns into a heap overflow 🙂
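To make the bug class concrete, here is an added example (my own toy code, not xpdf's, poppler's or Adobe's, and not the advisory's PoC) of an image decoder that computes its buffer size as width * height * components in 32 bits. The structure names, the `MAX_IMAGE_BYTES` cap and the function names are all hypothetical. It shows the two outcomes the title refers to: when the product wraps to a small value, the buffer is undersized and the row-copy loop runs off the end of the heap (the memmove with a huge count seen in gdb); when the product is merely huge, the allocation fails and a missing NULL check turns into a NULL pointer dereference. The hardened variant does the multiplication in 64 bits and rejects anything that does not fit.

```c
/* Added example: toy image decoder showing a 32-bit width*height*components
 * overflow and its two consequences.  Not xpdf's code; names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical cap standing in for what a 32-bit process can actually get
 * from malloc; a real allocator starts returning NULL somewhere around here. */
#define MAX_IMAGE_BYTES (1024u * 1024u * 1024u)

enum outcome { OUT_OK, OUT_REJECTED, OUT_WOULD_HEAP_OVERFLOW, OUT_WOULD_NULL_DEREF };

/* Buggy size computation: the unsigned 32-bit product wraps silently.
 * (xpdf used a signed int, where overflow is undefined behaviour; unsigned is
 * used here so that the wrap is deterministic and testable.) */
uint32_t naive_size(uint32_t w, uint32_t h, uint32_t nc) {
    return w * h * nc;
}

/* Hardened version: multiply in 64 bits, reject an empty image, and reject
 * anything above the sanity cap before it ever reaches the allocator. */
int checked_size(uint32_t w, uint32_t h, uint32_t nc, size_t *out) {
    uint64_t p = (uint64_t)w * h;
    if (p == 0 || p > MAX_IMAGE_BYTES) return 0;
    p *= nc;                 /* p <= 2^30 here, so this cannot overflow 64 bits */
    if (p == 0 || p > MAX_IMAGE_BYTES) return 0;
    *out = (size_t)p;
    return 1;
}

/* Stand-in allocator that fails the way a real one would for absurd sizes. */
static unsigned char *image_alloc(size_t n) {
    if (n == 0 || n > MAX_IMAGE_BYTES) return NULL;
    return malloc(n);
}

/* The number of bytes the row-copy loop really touches is the full product;
 * the buffer was sized with the possibly-wrapped one.  Rather than corrupt
 * the heap for real, the function reports what the naive code would do. */
enum outcome decode_image(uint32_t w, uint32_t h, uint32_t nc, int hardened) {
    uint64_t real_bytes = (uint64_t)w * h * nc;   /* fits 64 bits for any sane header */
    size_t alloc_bytes;

    if (hardened) {
        if (!checked_size(w, h, nc, &alloc_bytes)) return OUT_REJECTED;
    } else {
        alloc_bytes = naive_size(w, h, nc);       /* may have wrapped */
    }

    unsigned char *buf = image_alloc(alloc_bytes);
    if (buf == NULL)
        /* Hardened code checks the result; the naive code would keep going and
         * write through NULL: the NULL pointer dereference variant. */
        return hardened ? OUT_REJECTED : OUT_WOULD_NULL_DEREF;

    if (real_bytes > alloc_bytes) {
        /* This is the state seen in gdb above: a copy whose byte count is far
         * larger than the destination buffer.  The heap overflow variant. */
        free(buf);
        return OUT_WOULD_HEAP_OVERFLOW;
    }

    /* Sizes agree: copy the rows.  A constructed source row is used so the
     * example runs offline without a PDF. */
    size_t row = (size_t)w * nc;
    unsigned char *src_row = malloc(row);
    if (src_row == NULL) { free(buf); return OUT_REJECTED; }
    memset(src_row, 0x41, row);
    for (uint32_t y = 0; y < h; y++)
        memcpy(buf + (size_t)y * row, src_row, row);
    free(src_row);
    free(buf);
    return OUT_OK;
}

int main(void) {
    static const char *names[] = { "ok", "rejected", "heap overflow", "NULL deref" };
    /* Constructed headers: a normal image, one whose size wraps to 64 KiB,
     * and one whose size does not wrap but cannot be allocated. */
    uint32_t cases[][3] = { {800, 600, 3}, {65536, 65537, 1}, {40000, 30000, 3} };
    for (size_t i = 0; i < 3; i++)
        printf("%ux%ux%u: naive=%s hardened=%s\n", cases[i][0], cases[i][1], cases[i][2],
               names[decode_image(cases[i][0], cases[i][1], cases[i][2], 0)],
               names[decode_image(cases[i][0], cases[i][1], cases[i][2], 1)]);
    return 0;
}
```

The 65536 x 65537 header is the interesting one: 65536 * 65537 is 2^32 + 65536, so the 32-bit product comes out as exactly 65536 bytes, the allocation succeeds, and the decoder then tries to write four gigabytes into it. That is the same shape as the crash above, where memmove is still holding a count of 0x6a23256 dwords when it faults.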

PoC for Adobe Acrobat Reader versions <= 9.1.1: private… for now 🙂

Btw. What do you think about this vulnerability? I’m waiting for comments! 😛

Comments

  1. xort on 10.21.2009

    Yeah, you'll find a lot of vulns in the plugins. Some are cross-arch, some aren't. Try embedding an AIFF file on load and playing with the bitrate flag for some more fun in Adobe's world -xort

  2. prodeus on 10.21.2009

    cool, another spoiled acrobat bug

  3. xort on 10.21.2009

    bleh, I got dozens more of these. adobe bugs are weak, so are people who cry about them.

  4. admin on 10.22.2009

    @xort:
    Thanks for the information 🙂 If I have some free time, I'll play with AIFF 🙂

    @prodeus:
    This vuln works only in the Linux Adobe Acrobat Reader and not in the latest version, so it isn't such a "hot bug" 🙂

  5. zajefajnyx on 11.23.2009

    We want more 😀
