lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 16 May 2018 14:49:15 +0800
From: "bear.xiong" <bear.xiong@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] PDFParser vulnerability

PDFParser vulnerability
================
Author : Webin security lab - dbapp security Ltd
===============


Introduction:
=============
A tool to parse pdf file.

Affected version:
=====
lastest version

Vulnerability Description:
==========================
1. The  ObjReader::ReadObj() function in ObjReader.cpp in PDFParser allow remote attackers to cause a remote code execution (stack buffer overflow) via a crafted pdf file.

./PDFParser stack-buffer-overflow.pdf

==46431==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe6c7fb350 at pc 0x000000534f7c bp 0x7ffe6c7f3310 sp 0x7ffe6c7f3308
WRITE of size 1 at 0x7ffe6c7fb350 thread T0
    #0 0x534f7b in ObjReader::ReadObj() /home/xxx/PDFParser/src/ObjReader.cpp:53:12
    #1 0x537d27 in PDF::PDF(InputStream*) /home/xxx/PDFParser/src/PDF.cpp:78:51
    #2 0x536073 in Run(char const*, RendererFactory::RendererType) /home/xxx/PDFParser/src/PDFParser.cpp:24:13
    #3 0x536073 in main /home/xxx/PDFParser/src/PDFParser.cpp:164
    #4 0x7f71d393582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #5 0x4211e8 in _start (/home/xxx/PDFParser/build/PDFParser+0x4211e8)

Address 0x7ffe6c7fb350 is located in stack of thread T0 at offset 32816 in frame
    #0 0x533a3f in ObjReader::ReadObj() /home/xxx/PDFParser/src/ObjReader.cpp:16

  This frame has 2 object(s):
    [32, 36) 'str.i' (line 175)
    [48, 32816) 'str' (line 22) <== Memory access at offset 32816 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
    
Reproducer:
stack-buffer-overflow.pdf
CVE:
CVE-2018-11128

===============================
Best,
Webin security lab - dbapp security Ltd



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ