ed0e1e4d44
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
122 lines
No EOL
11 KiB
Text
122 lines
No EOL
11 KiB
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=743
|
|
|
|
We have identified the following memory corruption vulnerability in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
|
|
|
|
$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
|
|
|
|
The DISPLAY=:1 environment variable is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.
|
|
|
|
An example excerpt from the crash log is as follows:
|
|
|
|
--- cut ---
|
|
Program received signal SIGSEGV, Segmentation fault.
|
|
0x00000000008ee95d in kdu_core::kdu_codestream::get_subsampling(int, kdu_core::kdu_coords&, bool) ()
|
|
(gdb) info reg $rdx
|
|
rdx 0x90ff9fc23e15101d -7998498756572671971
|
|
(gdb) where
|
|
#0 0x00000000008ee95d in kdu_core::kdu_codestream::get_subsampling(int, kdu_core::kdu_coords&, bool) ()
|
|
#1 0x0000000000922297 in kdu_supp::kdu_region_decompressor::start(kdu_core::kdu_codestream, kdu_supp::kdu_channel_mapping*, int, int, int, kdu_core::kdu_dims, kdu_core::kdu_coords, kdu_core::kdu_coords, bool, kdu_core::kdu_component_access_mode, bool, kdu_core::kdu_thread_env*, kdu_core::kdu_thread_queue*) ()
|
|
#2 0x00000000008bd50d in CJPX_Decoder::Start(unsigned char*, int, int, unsigned char*) ()
|
|
#3 0x00000000007f8d77 in CPDF_DIBSource::StartLoadJpxBitmap() ()
|
|
#4 0x00000000007f9137 in CPDF_DIBSource::CreateDecoder() ()
|
|
#5 0x00000000007fadb0 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) ()
|
|
#6 0x00000000007f2f74 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
|
|
#7 0x00000000007f3ba0 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
|
|
#8 0x00000000007fb00d in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
|
|
#9 0x00000000007fb13b in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
|
|
#10 0x00000000007f42ff in CPDF_ImageRenderer::StartLoadDIBSource() ()
|
|
#11 0x00000000007f6782 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) ()
|
|
#12 0x00000000007f1689 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) ()
|
|
#13 0x00000000007f237a in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) ()
|
|
#14 0x000000000061d75d in CPDFViewerPageEx::Rendering(CFX_DIBitmap*, int, int, int, int, int, CPDF_RenderOptions*) ()
|
|
#15 0x000000000061d9cb in CPDFViewerPageEx::DrawPageContent(CFX_DIBitmap*, CFX_ViewRect&) ()
|
|
#16 0x000000000061da6a in CPDFViewerEx::DrawPages(CFX_DIBitmap*) ()
|
|
#17 0x000000000061daa8 in CPDFViewerEx::Paint(CFX_DIBitmap*) ()
|
|
#18 0x000000000061daf1 in CPDFViewerEx::ContinueRendering() ()
|
|
#19 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
|
|
#20 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x1946d30)
|
|
at ../../Readerlite/ReaderLite/src/preview.cpp:1305
|
|
#21 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#22 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#23 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#24 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
|
|
#25 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#26 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#27 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#28 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#29 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#30 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#31 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#32 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#33 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#34 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, Q---Type <return> to continue, or q <return> to quit---
|
|
Region const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#35 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#36 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#37 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#38 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#39 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#40 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#41 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#42 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#43 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#44 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#45 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
|
|
#46 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
|
|
#47 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
|
|
#48 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
|
|
#49 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
|
|
#50 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
|
|
#51 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
|
|
#52 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
|
|
#53 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
|
|
#54 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
|
|
#55 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
|
|
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
|
|
#56 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
|
|
#57 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:310
|
|
(gdb) x/10i $rip
|
|
=> 0x8ee95d <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+135>: mov 0x4(%rdx),%rcx
|
|
0x8ee961 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+139>: mov %rcx,(%rbx)
|
|
0x8ee964 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+142>:
|
|
movslq 0x320(%rax),%rcx
|
|
0x8ee96b <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+149>: mov 0x4(%rbx),%esi
|
|
0x8ee96e <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+152>:
|
|
movzbl 0x19(%rdx,%rcx,1),%ecx
|
|
0x8ee973 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+157>: shl %cl,%esi
|
|
0x8ee975 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+159>:
|
|
movslq 0x320(%rax),%rcx
|
|
0x8ee97c <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+166>: mov %esi,0x4(%rbx)
|
|
0x8ee97f <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+169>:
|
|
movzbl 0x3a(%rdx,%rcx,1),%ecx
|
|
0x8ee984 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+174>: mov (%rbx),%edx
|
|
(gdb) info reg $rdx
|
|
rdx 0x90ff9fc23e15101d -7998498756572671971
|
|
(gdb) x/10wx $dx
|
|
0x101d: Cannot access memory at address 0x101d
|
|
(gdb) x/10wx $rdx
|
|
0x90ff9fc23e15101d: Cannot access memory at address 0x90ff9fc23e15101d
|
|
--- cut ---
|
|
|
|
Attached is a proof of concept PDF file.
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39943.zip |