NULL pointer dereference in function AnnotsXrce::AnnotsXrce() – pdfalto-0.2

13 March, 2019

CVE Number
CWE

CWE-476: NULL Pointer Dereference

Product Details

pdfalto is a command line executable for parsing PDF files and producing structured XML representations of the PDF content in ALTO format.
URL:
https://github.com/kermitt2/pdfalto

Vulnerable Versions

0.2

Vulnerability Details

During our research we discovered a NULL pointer dereference in the function AnnotsXrce::AnnotsXrce(), located in src/AnnotsXrce.cc in pdfalto-0.2. While emitting annotation metadata, the constructor obtains a LinkAction pointer from link->getAction() and calls ac->isOk() on it without first checking that the pointer is non-NULL. The bug can be triggered by passing a crafted PDF file to the pdfalto binary. It allows an attacker to cause a denial of service (segmentation fault) or possibly have unspecified other impact.

SYNOPSIS

In progress.

Vulnerable Source Code (src/AnnotsXrce.cc, line 85)

    if (ac->isOk()) {                  // ac comes from link->getAction() and may be NULL
        xmlNodePtr nodeActionAction;
        xmlNodePtr nodeActionDEST;
Analysis

GDB:
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0x00007fffffffda40  →  0x000061700000f580  →  0x000061300000de80  →  0x00000000009c1828  →  0x000000000062bd46  →   push rbp
$rcx   : 0x300             
$rdx   : 0x0               
$rsp   : 0x00007fffffffd440  →  0x0000000041b58ab3
$rbp   : 0x00007fffffffda70  →  0x00007fffffffdbf0  →  0x00007fffffffdd10  →  0x000000000090c360  →   push r15
$rsi   : 0x1               
$rdi   : 0x000060400000c850  →  0xbebebebebebebebe
$rip   : 0x0000000000406adc  →   mov rax, QWORD PTR [rax]
$r8    : 0x0               
$r9    : 0x35ef            
$r10   : 0x50              
$r11   : 0x00007ffff7efb310  →  0x0000000000000000
$r12   : 0x00000ffffffffabc  →  0x0000000000000000
$r13   : 0x00007fffffffd5e0  →  0x0000000041b58ab3
$r14   : 0x000060400000c850  →  0xbebebebebebebebe
$r15   : 0x00007fffffffd5e0  →  0x0000000041b58ab3
$eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffd440│+0x0000: 0x0000000041b58ab3     ← $rsp
0x00007fffffffd448│+0x0008: 0x0000602000010330  →  0xbebebebe0000003a (":"?)
0x00007fffffffd450│+0x0010: 0x000000010000000d  →  0x0000000000000000
0x00007fffffffd458│+0x0018: 0x00007fffffffdb60  →  0x3ff0000000000000
0x00007fffffffd460│+0x0020: 0x0000611000009c80  →  0x000060800000bfa8  →  0x0000602000010ad0  →  0xbebebebe00000031 ("1"?)
0x00007fffffffd468│+0x0028: 0x000060c000007c00  →  0x0000000000000000
0x00007fffffffd470│+0x0030: 0x00007fffffffdb20  →  0xbebebebe00000006
0x00007fffffffd478│+0x0038: 0x0000602000106f50  →  0x0000000000000002
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
     0x406acd  mov    rdi, rax
     0x406ad0  call   0x404a40 
     0x406ad5  mov    rax, QWORD PTR [rbp-0x548]
→   0x406adc  mov    rax, QWORD PTR [rax]
     0x406adf  add    rax, 0x10
     0x406ae3  mov    rdx, rax
     0x406ae6  mov    rcx, rdx
     0x406ae9  shr    rcx, 0x3
     0x406aed  add    rcx, 0x7fff8000
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:/home/aceteam/Downloads/sources/pdfalto/src/AnnotsXrce.cc+85 ────
     80                     Link *link = new Link(dict, catalog->getBaseURI());
     81                     //printf("%d \n",link->isOk());
     82                     LinkAction *ac = link->getAction();
     83                     //printf("ac %d \n",ac->isOk());
     84                     // Get the Action information
        // ac=0x00007fffffffd528  →  0x0000000000000000
→   85                     if (ac->isOk()) {
     86                         xmlNodePtr nodeActionAction;
     87                         xmlNodePtr nodeActionDEST;
     88                         if (nodeAnnot) {
     89                             nodeActionAction = xmlNewNode(NULL, (const xmlChar *) TAG_ACTION);
     90                             nodeActionAction->type = XML_ELEMENT_NODE;
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "pdfalto", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x406adc → AnnotsXrce::AnnotsXrce(this=0x602000106f50, objA=@0x7fffffffdb20, docrootA=0x60c000007c00, catalog=0x611000009c80, ctmA=0x7fffffffdb60, pageNumA=0x1)
[#1] 0x40a94a → PDFDocXrce::displayPages(this=0x60800000bfa0, out=0x61500000c100, docrootA=0x60c000007c00, firstPage=0x1, lastPage=0x1, hDPI=72, vDPI=72, rotate=0x0, useMediaBox=0x0, crop=0x1, doLinks=0x0, abortCheckCbk=0x0, abortCheckCbkData=0x0)
[#2] 0x40bdf6 → main(argc=0x2, argv=0x7fffffffddf8)

gef➤  p ac
$9 = (LinkAction *) 0x0
gef➤  p ac->isOk()
Cannot access memory at address 0x0
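The GDB session shows ac == 0x0 at the faulting instruction (mov rax, QWORD PTR [rax]), i.e. link->getAction() returned NULL for this annotation and line 85 dereferenced it. The following is an added example, not code from pdfalto or from the ACE Team: it models the getAction() contract with a stand-in Link class and shows the unchecked `ac->isOk()` beside a NULL-checked form. The stand-in's behaviour (the action pointer stays NULL, and Link::isOk() is false, when the annotation dictionary has neither a /Dest nor an /A entry, or when /A names an action type the parser does not know) is an assumption modelled on the xpdf Link constructor that pdfalto builds on; the known-action list and the annotation dictionaries are constructed for the example.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <string>

// Stand-in for xpdf's LinkAction; only the isOk() accessor matters here.
struct LinkAction {
    bool ok;
    bool isOk() const { return ok; }
};

// Constructed annotation dictionary: key -> value. For /A we store the
// action's /S (subtype) name; for /Dest any non-empty string.
using AnnotDict = std::map<std::string, std::string>;

// Stand-in for xpdf's Link. Assumption, modelled on xpdf's Link constructor:
// `action` stays NULL (and isOk() is false) when the dictionary has neither
// /Dest nor /A, or when /A names an action type the parser does not know.
struct Link {
    LinkAction *action = nullptr;
    bool ok = false;

    explicit Link(const AnnotDict &dict) {
        // Assumed set of action subtypes the parser understands.
        static const std::set<std::string> known = {
            "GoTo", "GoToR", "Launch", "URI", "Named", "Movie"};
        auto dest = dict.find("Dest");
        auto act = dict.find("A");
        if (dest != dict.end()) {
            action = new LinkAction{true};
        } else if (act != dict.end() && known.count(act->second)) {
            action = new LinkAction{true};
        }
        ok = (action != nullptr);
    }
    ~Link() { delete action; }
    LinkAction *getAction() const { return action; }
    bool isOk() const { return ok; }
};

// Vulnerable form, as at AnnotsXrce.cc line 85: ac is dereferenced without
// a NULL check. Returns true when an <ACTION> element would be emitted.
bool vulnerable_has_action(const AnnotDict &dict) {
    Link link(dict);
    LinkAction *ac = link.getAction();
    return ac->isOk();   // SIGSEGV when ac == NULL
}

// Hardened form: test the pointer (equivalently link.isOk()) before use and
// skip the action element for annotations that have no usable action.
bool hardened_has_action(const AnnotDict &dict) {
    Link link(dict);
    LinkAction *ac = link.getAction();
    if (ac == nullptr || !ac->isOk())
        return false;
    return true;
}

int main() {
    // Constructed inputs (not files from the advisory).
    AnnotDict uri_link     = {{"Subtype", "Link"}, {"A", "URI"}};
    AnnotDict bare_link    = {{"Subtype", "Link"}};                 // no /A, no /Dest
    AnnotDict unknown_link = {{"Subtype", "Link"}, {"A", "Bogus"}}; // unsupported /S

    std::printf("URI link:    %d\n", hardened_has_action(uri_link));     // 1
    std::printf("bare link:   %d\n", hardened_has_action(bare_link));    // 0
    std::printf("unknown /S:  %d\n", hardened_has_action(unknown_link)); // 0
    std::printf("URI link (vulnerable form): %d\n",
                vulnerable_has_action(uri_link));                        // 1
    // vulnerable_has_action(bare_link) would dereference NULL, as in the
    // GDB session above; only the hardened path is exercised on that input.
    return 0;
}
```

The fix is a one-line guard in AnnotsXrce.cc: either `if (ac && ac->isOk())` or checking `link->isOk()` (which the original code computes but only prints in a commented-out line) before touching the action. Either way a /Link annotation without a usable action is simply emitted without an action child instead of crashing the parser.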

Proof of Concept

./pdfalto -f 1 -l 2 -noText -noImage -outline -annotation -cutPages -blocks -readingOrder -ocr -fullFontName $POC

Vendor Disclosure: 2019-03-13
Public Disclosure:

Credit

Discovered by ACE Team – Loginsoft