ed0e1e4d44
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
118 lines
No EOL
10 KiB
Text
118 lines
No EOL
10 KiB
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=745
|
|
|
|
We have identified the following crash due to an invalid read in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
|
|
|
|
$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
|
|
|
|
The DISPLAY=:1 environment variable is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.
|
|
|
|
An example excerpt from the crash log is as follows:
|
|
|
|
--- cut ---
|
|
Program received signal SIGSEGV, Segmentation fault.
|
|
0x0000000000ab467f in CFX_WideString::operator=(CFX_WideString const&) ()
|
|
(gdb) where
|
|
#0 0x0000000000ab467f in CFX_WideString::operator=(CFX_WideString const&) ()
|
|
#1 0x00000000006c53a8 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
|
|
#2 0x00000000006c5357 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
|
|
#3 0x00000000006c5357 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
|
|
#4 0x00000000006c6364 in CRichTextXML::ParseXML2Text() ()
|
|
#5 0x00000000006c6a33 in CRichTextXML::SetXML(wchar_t const*, wchar_t const*) ()
|
|
#6 0x00000000006c9d49 in CFX_Edit::SetRichTextByXML(wchar_t const*, wchar_t const*, int, int) ()
|
|
#7 0x000000000067e995 in CPWL_Note_Contents::SetRichText(CFX_WideString const&) ()
|
|
#8 0x000000000067e9e5 in CPWL_NoteItem::SetRichContents(CFX_WideString const&) ()
|
|
#9 0x00000000005cbcc7 in CMarkup_Popup::SetNoteContents(CFX_WideString const&, CReader_PageView*) ()
|
|
#10 0x00000000005ca0e7 in CMarkup_Popup::InitNote(CReader_PageView*) ()
|
|
#11 0x00000000005ca420 in CMarkup_Popup::CreateNote(CReader_PageView*, int) ()
|
|
#12 0x00000000005cd578 in CMarkup_Popup::UpdateNote(CReader_PageView*, int) ()
|
|
#13 0x00000000005d2475 in CMarkup_AnnotHandler::OnPageVisible(CReader_PageView*, CReader_Annot*) ()
|
|
#14 0x00000000006e733e in CTA_AnnotHandler::OnPageVisible(CReader_PageView*, CReader_Annot*) ()
|
|
#15 0x0000000000640424 in CBA_PageEventHandler::OnPageVisible(CReader_PageView*) ()
|
|
#16 0x0000000000461d1b in CReader_AppEx::OnPageVisible (this=0x14a5120, pDocView=0x19446a0)
|
|
at ../../Readerlite/ReaderLite/src/frd_appex.cpp:2901
|
|
#17 0x0000000000450bec in CReader_ViewPage::DoPageVisibleAction (this=0x1944670)
|
|
at ../../Readerlite/ReaderLite/src/preview.cpp:3204
|
|
x#18 0x000000000044b980 in CPDF_TVPreview::Slot_DoPageVisibleEvent (this=0x1943180)
|
|
at ../../Readerlite/ReaderLite/src/preview.cpp:1443
|
|
#19 0x000000000044e333 in CPDFViewerEventHandler::OnFinishRender (this=0x194c520)
|
|
at ../../Readerlite/ReaderLite/src/preview.cpp:2386
|
|
#20 0x000000000061db28 in CPDFViewerEx::ContinueRendering() ()
|
|
#21 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
|
|
#22 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x1943180)
|
|
at ../../Readerlite/ReaderLite/src/preview.cpp:1305
|
|
#23 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#24 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#25 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#26 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
|
|
#27 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#28 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#29 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#30 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#31 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#32 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#33 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#34 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#35 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#36 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
---Type <return> to continue, or q <return> to quit---
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#37 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#38 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#39 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#40 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#41 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#42 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#43 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#44 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#45 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#46 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#47 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#48 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
|
|
#49 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
|
|
#50 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
|
|
#51 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
|
|
#52 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
|
|
#53 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
|
|
#54 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
|
|
#55 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
|
|
#56 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
|
|
#57 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
|
|
#58 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
|
|
#59 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:310
|
|
(gdb) x/10i $rip
|
|
=> 0xab467f <_ZN14CFX_WideStringaSERKS_+51>: cmpq $0x0,0x0(%r13)
|
|
0xab4684 <_ZN14CFX_WideStringaSERKS_+56>: js 0xab4692 <_ZN14CFX_WideStringaSERKS_+70>
|
|
0xab4686 <_ZN14CFX_WideStringaSERKS_+58>: test %rbp,%rbp
|
|
0xab4689 <_ZN14CFX_WideStringaSERKS_+61>: je 0xab46a3 <_ZN14CFX_WideStringaSERKS_+87>
|
|
0xab468b <_ZN14CFX_WideStringaSERKS_+63>: cmpq $0x0,0x0(%rbp)
|
|
0xab4690 <_ZN14CFX_WideStringaSERKS_+68>: jns 0xab46a3 <_ZN14CFX_WideStringaSERKS_+87>
|
|
0xab4692 <_ZN14CFX_WideStringaSERKS_+70>: mov 0x8(%rbp),%esi
|
|
0xab4695 <_ZN14CFX_WideStringaSERKS_+73>: lea 0x10(%rbp),%rdx
|
|
0xab4699 <_ZN14CFX_WideStringaSERKS_+77>: mov %rbx,%rdi
|
|
0xab469c <_ZN14CFX_WideStringaSERKS_+80>: callq 0xab45a8 <_ZN14CFX_WideString10AssignCopyEiPKw>
|
|
(gdb) info reg $r13
|
|
r13 0x740000006e 498216206446
|
|
--- cut ---
|
|
|
|
Attached is a proof of concept PDF file.
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39942.zip |