[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060524213159.42845.qmail@vsecurity.com>
Date: 24 May 2006 21:31:59 -0000
From: advisories@...curity.com
To: bugtraq@...urityfocus.com
Subject: VSR Advisory: PDF Tools AG - PDF Form Filling and Flattening Tool Buffer Overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: PDF Form Filling and Flattening Tool Buffer Overflow
Release Date: 2006-05-23
Application: PDF Tools AG - PDF Form Filling and Flattening Tool
Version: 3.0 (Windows)
(other versions and platforms untested)
Severity: High
Author: George D. Gal <ggal_at_vsecurity.com>
Vendor Status: Vendor Notified, Fix Available
CVE Candidate: CVE-2006-2549
Reference:
http://www.vsecurity.com/bulletins/advisories/2006/pdf-form-filling.txt
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product Description:
> From the pdf-tools.com website[1]:
"PDF Tools AG is a world leader in PDF (The Adobe Portable Document Format)
programming technology, delivering reliable PDF products to international
customers in virtually all market segments."
"PDF Form Filling and Flattening Tool is a command line tool that can
create, edit, fill in and delete form fields in a PDF document."
Vulnerability Overview:
On April 18th, 2006 VSR has identified a stack overflow in the PDF Tools AG
PDF Form Filling and Flattening tool. Although this is a traditional
command line utility there may be a risk to those users of the application
who use it within web application or a network service, particularly when
relying on user supplied input to generate the PDF form field name or value
pairs.
In situations where user supplied input is used to populate a control file
of name value pairs without sufficient input validation the form field
names are susceptible to overflow. The buffer overflow occurs as a
direct result of unsafe string copy operations to a 256 byte fixed length
buffer. The binary is also susceptible to overflows of the PDF form field
names when specified on the command line instead of within a control file.
The following command may be used to check for the existence of the
vulnerability in the PDF form filling and flattening tool:
./pdformp.exe input.pdf output.pdf `perl -e 'print "A"x260;'`=foo
Vendor Response:
PDF Tools AG was first notified on 2006-04-19. The following time line
outlines the responses from the vendor regarding this issue:
2006-04-20 - Acknowledgment of security notification received from VSR.
Vendor stated that they only support registered customers
of the product.
2006-05-02 - Vendor response acknowledging overflow which will be
resolved in the next pre-release version.
2006-05-10 - Vendor response providing estimated release schedule.
2006-05-15 - Vendor response notifying VSR of publicly released fix.
Recommendation:
PDF Tools AG customers should upgrade to the latest build of the PDF
Form Filling and Flattening tool (build 3.1.0.12) released on
May 10th 2006.
The upgrade is available via:
http://www.pdf-tools.com/asp/products.asp?name=FF&type=shell
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CVE-2006-2549
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
References:
1. PDF Tools AG Form Filling and Flattening Tool
http://www.pdf-tools.com/asp/products.asp?name=FF&type=shell
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Vulnerability Disclosure Policy:
http://www.vsecurity.com/disclosurepolicy.html
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Copyright 2006 Virtual Security Research, LLC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
iD8DBQFEdM8vTY6Rj3GeBOoRAkWkAJ4xArAz6lAV5VAAdhlUonIuXlTKcwCfTvQF
Wom0EDhnbI/8dkcr9F3ePfE=
=RPRL
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists