Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

PDFParser vulnerability

From: "bear.xiong" <bear.xiong () dbappsecurity com cn>
Date: Wed, 16 May 2018 14:49:15 +0800
PDFParser vulnerability
================
Author : Webin security lab - dbapp security Ltd
===============


Introduction:
=============
A tool to parse pdf file.

Affected version:
=====
lastest version

Vulnerability Description:
==========================
1. The  ObjReader::ReadObj() function in ObjReader.cpp in PDFParser allow remote attackers to cause a remote code 
execution (stack buffer overflow) via a crafted pdf file.

./PDFParser stack-buffer-overflow.pdf

==46431==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe6c7fb350 at pc 0x000000534f7c bp 
0x7ffe6c7f3310 sp 0x7ffe6c7f3308
WRITE of size 1 at 0x7ffe6c7fb350 thread T0
    #0 0x534f7b in ObjReader::ReadObj() /home/xxx/PDFParser/src/ObjReader.cpp:53:12
    #1 0x537d27 in PDF::PDF(InputStream*) /home/xxx/PDFParser/src/PDF.cpp:78:51
    #2 0x536073 in Run(char const*, RendererFactory::RendererType) /home/xxx/PDFParser/src/PDFParser.cpp:24:13
    #3 0x536073 in main /home/xxx/PDFParser/src/PDFParser.cpp:164
    #4 0x7f71d393582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #5 0x4211e8 in _start (/home/xxx/PDFParser/build/PDFParser+0x4211e8)

Address 0x7ffe6c7fb350 is located in stack of thread T0 at offset 32816 in frame
    #0 0x533a3f in ObjReader::ReadObj() /home/xxx/PDFParser/src/ObjReader.cpp:16

  This frame has 2 object(s):
    [32, 36) 'str.i' (line 175)
    [48, 32816) 'str' (line 22) <== Memory access at offset 32816 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
    
Reproducer:
stack-buffer-overflow.pdf
CVE:
CVE-2018-11128

===============================
Best,
Webin security lab - dbapp security Ltd



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: