Sumatra 2.1.1/MuPDF 1.0 Integer Overflow
=======================================

There is an integer overflow in MuPDF in the lex_number() function,
which can be triggered using a corrupt PDF file with an ObjStm.

I'm attaching a file that reproduces the problem with the original
unmodified file. The ObjStm was modified to include big numbers.

The easy way to fix is to update to the latest version of the MuPDF library.

Affected products
=================

MuPDF 1.0 (previous release)
MuPDF for iOS 1.1 (current release)
Sumatra 2.1.1 (current stable release)

Fixed
=====

MuPDF 1.1
http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=f919270b6a732ff45c3ba2d0c105e2b39e9c9bc9

Sumatra Pre-release version:
http://blog.kowalczyk.info/software/sumatrapdf/prerelease.html

CVE
====

CVE-2012-5340

Flaw details
============

On the FIXME line an integer overflow occurs; the wrapped value is later
used as an array index in pdf_repair_obj_stm(), which allows a write to
memory outside the xref table:

File: pdf_lex.c

static int lex_number(fz_stream *f, pdf_lexbuf *buf, int c)
{
    .....
    while (1)
    {
        int c = fz_read_byte(f);
        switch (c)
        {
        case '.':
            goto loop_after_dot;
        case RANGE_0_9:
            i = 10*i + c - '0';
            /* FIXME: Need overflow check here; do we care? */
            break;
        default:
            fz_unread_byte(f);
            /* Fallthrough */
        case EOF:
            if (neg)
                i = -i;
            buf->i = i;
            return PDF_TOK_INT;
        }
    }
    ....

File: pdf_repair.c

static void pdf_repair_obj_stm(pdf_document *xref, int num, int gen)
{
    ....
    for (i = 0; i < count; i++)
    {
        tok = pdf_lex(stm, &buf);
        if (tok != PDF_TOK_INT)
            fz_throw(ctx, "corrupt object stream (%d %d R)", num, gen);

        n = buf.i; // n can take negative values when an integer overflow occurs
        if (n >= xref->len)
            pdf_resize_xref(xref, n + 1);

        xref->table[n].ofs = num; // Writes: n is only checked against the upper bound
        xref->table[n].gen = i;
        xref->table[n].stm_ofs = 0;

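To make the two halves of the flaw concrete, here is an added example (not MuPDF code, not part of the advisory) with a stand-in for the digit loop of lex_number() in its unchecked and checked forms, plus the index check the repair loop is missing; the function names and obj_stm_index_ok() are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <string.h>

/* Unchecked accumulation, as in the advisory's loop. Signed overflow is
 * undefined behaviour in C, so the wrap is emulated on unsigned and
 * converted back, which is what an unchecked build does on a
 * two's-complement target: "2147483648" comes back negative. */
int lex_number_unchecked(const char *s, bool neg)
{
    unsigned int i = 0;
    for (; *s >= '0' && *s <= '9'; s++)
        i = 10u * i + (unsigned)(*s - '0');   /* wraps past UINT_MAX */
    int r = (int)i;
    return neg ? -r : r;
}

/* Checked version: refuses a digit before it would push i past INT_MAX.
 * 10*i + d <= INT_MAX holds exactly when i <= (INT_MAX - d) / 10. */
bool lex_number_checked(const char *s, bool neg, int *out)
{
    int i = 0;
    for (; *s >= '0' && *s <= '9'; s++) {
        int d = *s - '0';
        if (i > (INT_MAX - d) / 10)
            return false;                    /* overflow: reject token */
        i = 10 * i + d;
    }
    *out = neg ? -i : i;
    return true;
}

/* Single-value wrapper for callers: parsed int, or LLONG_MIN on overflow. */
long long lex_number_or_fail(const char *s, bool neg)
{
    int v = 0;
    return lex_number_checked(s, neg, &v) ? (long long)v : LLONG_MIN;
}

/* Stand-in for the repair loop's index test. The original only checks
 * n >= xref->len, so a negative n reaches xref->table[n]. Rejecting n < 0
 * (and an absurd object count, here a hypothetical max_objects limit) is
 * the bound the repair path needs before indexing or resizing the table. */
bool obj_stm_index_ok(int n, int max_objects)
{
    return n >= 0 && n < max_objects;
}
```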
POC
====

Attached proof of concept.
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/23246.tar.gz

!Exploitable output
===================

MuPDF:

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at
mupdf+0x000000000003e1a6 (Hash=0x0e1a1f61.0x5f702654)

User mode write access violations that are not near NULL are exploitable.

Sumatra:

SumatraPDF!pdf_repair_obj_stms+0x94
SumatraPDF!pdf_open_document_with_stream+0x2c3
SumatraPDF!PdfEngineImpl::LoadFromStream+0xaa
SumatraPDF!PdfEngineImpl::Load+0x179
SumatraPDF!PdfEngine::CreateFromFile+0x80
SumatraPDF!EngineManager::CreateEngine+0x82
SumatraPDF!LoadDocIntoWindow+0x266
SumatraPDF!LoadDocumentOld+0x41f
SumatraPDF!LoadDocument+0xc
SumatraPDF!LoadOnStartup+0x89
SumatraPDF!WinMain+0x57c
SumatraPDF!__tmainCRTStartup+0x142
SumatraPDF!WinMainCRTStartup+0xf
kernel32!BaseThreadInitThunk+0x12
ntdll32!RtlInitializeExceptionChain+0x63
ntdll32!RtlInitializeExceptionChain+0x36
Instruction Address: 0x00000000775315de

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at
ntdll32!ZwRaiseException+0x0000000000000012 (Hash=0x16621b14.0x14396738)

User mode write access violations that are not near NULL are exploitable.