[<prev] [next>] [day] [month] [year] [list]
Message-Id: <092819A8-CCFF-4963-8A1D-708CB98DB39F@dbappsecurity.com.cn>
Date: Wed, 16 May 2018 14:49:15 +0800
From: "bear.xiong" <bear.xiong@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] PDFParser vulnerability
PDFParser vulnerability
================
Author : Webin security lab - dbapp security Ltd
===============
Introduction:
=============
A tool to parse pdf file.
Affected version:
=====
lastest version
Vulnerability Description:
==========================
1. The ObjReader::ReadObj() function in ObjReader.cpp in PDFParser allow remote attackers to cause a remote code execution (stack buffer overflow) via a crafted pdf file.
./PDFParser stack-buffer-overflow.pdf
==46431==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe6c7fb350 at pc 0x000000534f7c bp 0x7ffe6c7f3310 sp 0x7ffe6c7f3308
WRITE of size 1 at 0x7ffe6c7fb350 thread T0
#0 0x534f7b in ObjReader::ReadObj() /home/xxx/PDFParser/src/ObjReader.cpp:53:12
#1 0x537d27 in PDF::PDF(InputStream*) /home/xxx/PDFParser/src/PDF.cpp:78:51
#2 0x536073 in Run(char const*, RendererFactory::RendererType) /home/xxx/PDFParser/src/PDFParser.cpp:24:13
#3 0x536073 in main /home/xxx/PDFParser/src/PDFParser.cpp:164
#4 0x7f71d393582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#5 0x4211e8 in _start (/home/xxx/PDFParser/build/PDFParser+0x4211e8)
Address 0x7ffe6c7fb350 is located in stack of thread T0 at offset 32816 in frame
#0 0x533a3f in ObjReader::ReadObj() /home/xxx/PDFParser/src/ObjReader.cpp:16
This frame has 2 object(s):
[32, 36) 'str.i' (line 175)
[48, 32816) 'str' (line 22) <== Memory access at offset 32816 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
Reproducer:
stack-buffer-overflow.pdf
CVE:
CVE-2018-11128
===============================
Best,
Webin security lab - dbapp security Ltd
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists