{"id":19,"date":"2009-10-17T04:12:39","date_gmt":"2009-10-17T10:12:39","guid":{"rendered":"http:\/\/blog.pi3.com.pl\/?p=19"},"modified":"2009-10-17T04:12:39","modified_gmt":"2009-10-17T10:12:39","slug":"xpdf-integer-overflow-which-causes-heap-overflow-and-null-pointer-derefernce","status":"publish","type":"post","link":"https:\/\/blog.pi3.com.pl\/?p=19","title":{"rendered":"Xpdf &#8211; Integer overflow which causes heap overflow and NULL pointer dereference."},"content":{"rendered":"<p>For the last few weeks I have been talking (by e-mail) with Derek (the xpdf developer &#8211; btw. a really nice guy) about some vulnerabilities in his product. On the 14th of October he published a patch for the bugs (not only my vulnerabilities), so I decided to release the advisory&#8230;<\/p>\n<p><!--more--><\/p>\n<p>You can find the original advisory <a href=\"http:\/\/site.pi3.com.pl\/adv\/xpdf.txt\" target=\"_blank\">here<\/a>&#8230; I want to write about these vulnerabilities on the blog for several reasons:<\/p>\n<p>1) This is an interesting bug in the draw image function<\/p>\n<p>2) This vulnerability exists NOT only in the xpdf application<\/p>\n<p>3) Adobe Acrobat Reader is vulnerable to this attack too (but ONLY the Linux version!!!)<\/p>\n<p>4) Adobe didn&#8217;t know about this bug, but its latest Acrobat Reader release fixes this vulnerability.<\/p>\n<p>The first reason you can analyse in the advisory, but what about the others? 
The following are vulnerable:<\/p>\n<p>*) xpdf<\/p>\n<p>*) libpoppler (which implies a vulnerability in, for example, the evince software &#8211; the default PDF reader in Fedora Linux &#8211; I made a PoC for this software).<\/p>\n<p>*) Adobe Acrobat Reader ONLY for Linux (versions up to 9.1.1 &#8211; 9.1.2 and 9.1.3 aren&#8217;t vulnerable)<\/p>\n<p>*) Maybe others?<\/p>\n<p>OK, let&#8217;s analyse the Adobe Acrobat vulnerability in version 9.1.1:<\/p>\n<p># gdb --pid=&lt;smth&gt;<\/p>\n<p>&#8230;<\/p>\n<p>&#8230;<\/p>\n<p>(gdb) c<br \/>\nContinuing.<\/p>\n<p>Missing separate debuginfo for \/opt\/A911\/Adobe\/Reader9\/Reader\/intellinux\/plug_ins\/EFS.api<\/p>\n<p>Program received signal SIGSEGV, Segmentation fault.<br \/>\n0x01499e6d in memmove () from \/lib\/libc.so.6<br \/>\nMissing separate debuginfos, use: debuginfo-install GConf2-2.26.2-1.fc11.i586 ORBit2-2.14.17-1.fc11.i586 gamin-0.1.10-4.fc11.i586 gvfs-1.2.3-12.fc11.i586 libidn-1.9-4.i586 nss-mdns-0.10-7.fc11.i586<br \/>\n(gdb) bt<br \/>\n#0\u00a0 0x01499e6d in memmove () from \/lib\/libc.so.6<br \/>\n#1\u00a0 0x08a95bdf in ?? ()<br \/>\n#2\u00a0 0x28371a0a in ?? ()<br \/>\n#3\u00a0 0x0d2e66aa in ?? ()<br \/>\n#4\u00a0 0x8e15b1fe in ?? ()<br \/>\n#5\u00a0 0x8e15b1fe in ?? ()<br \/>\n#6\u00a0 0xbffb5f7c in ?? ()<br \/>\n#7\u00a0 0x089e2189 in ?? 
()<\/p>\n<p>Backtrace stopped: previous frame identical to this frame (corrupt stack?)<\/p>\n<p>(gdb) x\/i $eip<br \/>\n0x1499e6d &lt;memmove+77&gt;:\u00a0\u00a0 \u00a0rep movsl %ds:(%esi),%es:(%edi)<br \/>\n(gdb) i r esi edi ds es ecx<br \/>\nesi\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0x27b72ffe\u00a0\u00a0 \u00a0666316798<br \/>\nedi\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0x42bfe35e\u00a0\u00a0 \u00a01119871838<br \/>\nds\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0x7b\u00a0\u00a0 \u00a0123<br \/>\nes\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0x7b\u00a0\u00a0 \u00a0123<br \/>\necx\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0x6a23256\u00a0\u00a0 \u00a0111293014<br \/>\n(gdb)<\/p>\n<p>So we have hard evidence that this is most likely an integer overflow which leads to a heap overflow: memmove faults inside rep movsl with a copy count in ecx of 0x6a23256 (111293014 dwords), which is exactly what a miscomputed, wrapped-around size produces \ud83d\ude42<\/p>\n<p>The PoC for Adobe Acrobat Reader in versions &lt;= 9.1.1 is private&#8230; for now \ud83d\ude42<\/p>\n<p>Btw, what do you think about this vulnerability? I&#8217;m waiting for comments! \ud83d\ude1b<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For the last few weeks I have been talking (by e-mail) with Derek (the xpdf developer &#8211; btw. a really nice guy) about some vulnerabilities in his product. 
On the 14th of October he published a patch for the bugs (not only my vulnerabilities), so I decided to release the advisory&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4,5],"tags":[],"class_list":["post-19","post","type-post","status-publish","format-standard","hentry","category-bughunt","category-exploiting"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/19","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=19"}],"version-history":[{"count":2,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/19\/revisions"}],"predecessor-version":[{"id":21,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/19\/revisions\/21"}],"wp:attachment":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=19"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=19"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=19"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}