|
|
|
|
| |
Xpdf is an open-source viewer for PDF files.
Remote exploitation of a buffer overflow vulnerability in the xpdf PDF viewer included in multiple UNIX and Linux distributions could allow for arbitrary code execution as the user viewing a PDF file. |
| |
Credit:
The information has been provided by iDEFENSE.
The original article can be found at: www.idefense.com/application/poi/display?id=186&type=vulnerabilities
|
| |
Vulnerable Systems:
* Xpdf Version 3.00 and prior
Immune Systems:
* Xpdf Version 3.00pl3 or newer
The vulnerability specifically exists due to insufficient bounds checking while processing a PDF file that provides malicious values in the /Encrypt /Length tag.
Vulnerable Code:
The offending code can be found in the Decrypt::makeFileKey2 function in the source file xpdf/Decrypt.cc.
GBool Decrypt::makeFileKey2(int encVersion, int encRevision,
int keyLength, GString *ownerKey,
GString *userKey, int permissions,
GString *fileID, String *userPassword,
Guchar *fileKey) {
Guchar *buf;
Guchar test[32];
Guchar fState[256];
Guchar tmpKey[16];
Guchar fx, fy;
int len, i, j;
GBool ok;
...
memcpy(test, userKey->getCString(), 32);
for (i = 19; i >= 0; --i) {
for (j = 0; j < keyLength; ++j) {
[overflow] tmpKey[j] = fileKey[j] ^ i;
}
...
}
...
}
In this piece of code, the keyLength value is ultimately supplied by the PDF file. This allows an attacker to specify an arbitrarily large value and overwrite portions of stack memory. As a consequence, arbitrary code execution is possible.
Successful exploitation of this vulnerability leads to arbitrary code execution as the user who opened the malicious file. An attacker would have to convince a target to open the provided file in order to exploit this vulnerability, thus lessening the impact. Exploitation can be performed reliably, especially with knowledge of the target system.
Vendor Status:
A patch to address this issue is available at: ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl3.patch
Updated binaries (ver. 3.00pl3) to address this issue are available at: http://www.foolabs.com/xpdf/download.html
Disclosure Timeline:
01/06/2005 - Initial vendor notification
01/12/2005 - Initial vendor response
01/18/2005 - Coordinated public disclosure
CVE Information:
CAN-2005-0064
|
|
|
|
|
|
|
