CVE-2019-9587: Stack consumption issue in function md5Round1( ) – xpdf-4.01

Stack consumption issue in function md5Round1( ) – xpdf-4.01

Loginsoft-2019-1104

1 March, 2019

CVE Number

CVE-2019-9587

CWE

CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’)

Product Details

Xpdf is a free PDF viewer and toolkit, including a text extractor, image converter, HTML converter, and more. Most of the tools are available as open source.
URL: https://www.xpdfreader.com/download.html

Vulnerable Versions

4.01

Vulnerability Details

There is a stack consumption issue in Xpdf 4.01 that surfaces in md5Round1(), located in Decrypt.cc. It can be triggered by opening a crafted PDF file with (for example) the pdfimages binary. The underlying cause is unbounded recursion in Catalog::countPageTree() (Catalog.cc): the page tree is walked recursively through every /Kids entry with no depth limit and no check for a node that has already been visited, so a page tree whose /Kids refers back to an ancestor (or one that is nested deeply enough) consumes the entire stack. The crafted document is encrypted (note the -upw option in the Proof of Concept), so every object fetched while walking the tree passes through the decryption code, which is why the non-instrumented build happens to fault inside md5Round1() rather than in countPageTree() itself. It allows an attacker to cause a Denial of Service (segmentation fault) or possibly have unspecified other impact.
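The recursion described above, modelled as an added example in C++ (this is not xpdf's code; PdfNode, PdfDoc, countPagesNaive, countPagesSafe and the kMaxPageTreeDepth bound are assumptions made for illustration). countPagesNaive has the shape of the vulnerable walk: it recurses into every kid with no cycle or depth check, so on the constructed cyclic tree it never returns and eventually exhausts the stack. countPagesSafe keeps a set of visited interior nodes and a depth bound and reports a malformed tree instead of crashing.

```cpp
#include <memory>
#include <string>
#include <unordered_set>
#include <vector>

// One node of a PDF page tree: a /Pages interior node or a /Page leaf.
struct PdfNode {
    std::string type;            // "Pages" (interior node) or "Page" (leaf)
    std::vector<PdfNode*> kids;  // the /Kids array; empty for a Page
};

// Owns every node of one constructed document so the raw kid pointers stay valid.
struct PdfDoc {
    std::vector<std::unique_ptr<PdfNode>> nodes;
    PdfNode* root = nullptr;
    PdfNode* add(const std::string& type) {
        nodes.push_back(std::make_unique<PdfNode>());
        nodes.back()->type = type;
        return nodes.back().get();
    }
};

// Shape of the vulnerable walk: recurse into every kid, no cycle or depth check.
// On a tree whose /Kids loops back to an ancestor this never terminates.
int countPagesNaive(const PdfNode* node) {
    if (node->type != "Pages") return 1;
    int n = 0;
    for (const PdfNode* kid : node->kids) n += countPagesNaive(kid);
    return n;
}

const int kMaxPageTreeDepth = 64;  // assumed bound; real page trees are shallow

static int countPagesChecked(const PdfNode* node, int depth,
                             std::unordered_set<const PdfNode*>& seen) {
    if (node->type != "Pages") return 1;
    if (depth > kMaxPageTreeDepth) return -1;   // nested too deep: reject
    if (!seen.insert(node).second) return -1;   // already visited: /Kids loops back
    int n = 0;
    for (const PdfNode* kid : node->kids) {
        int m = countPagesChecked(kid, depth + 1, seen);
        if (m < 0) return -1;
        n += m;
    }
    return n;
}

// Hardened entry point: returns the page count, or -1 for a malformed tree.
int countPagesSafe(const PdfNode* root) {
    std::unordered_set<const PdfNode*> seen;
    return countPagesChecked(root, 0, seen);
}

// Constructed input 1: a well-formed tree, root -> { Pages{Page, Page}, Page }.
PdfDoc buildWellFormedDoc() {
    PdfDoc d;
    d.root = d.add("Pages");
    PdfNode* inner = d.add("Pages");
    inner->kids = {d.add("Page"), d.add("Page")};
    d.root->kids = {inner, d.add("Page")};
    return d;
}

// Constructed input 2: the inner node's /Kids points back at the root.
PdfDoc buildCyclicDoc() {
    PdfDoc d;
    d.root = d.add("Pages");
    PdfNode* inner = d.add("Pages");
    inner->kids = {d.add("Page"), d.root};
    d.root->kids = {inner};
    return d;
}

// Constructed input 3: a chain of `depth` nested /Pages nodes ending in one /Page.
PdfDoc buildDeepDoc(int depth) {
    PdfDoc d;
    d.root = d.add("Pages");
    PdfNode* cur = d.root;
    for (int i = 0; i < depth; ++i) {
        PdfNode* next = d.add("Pages");
        cur->kids = {next};
        cur = next;
    }
    cur->kids = {d.add("Page")};
    return d;
}

int main() {
    PdfDoc good = buildWellFormedDoc();
    PdfDoc bad = buildCyclicDoc();
    PdfDoc deep = buildDeepDoc(200);
    // countPagesNaive(bad.root) would recurse until the stack is gone; not called.
    bool ok = countPagesNaive(good.root) == 3 && countPagesSafe(good.root) == 3 &&
              countPagesSafe(bad.root) == -1 && countPagesSafe(deep.root) == -1;
    return ok ? 0 : 1;
}
```

The visited set rejects any interior node reached twice, which is stricter than a pure cycle check but correct for PDF page trees (each node has exactly one /Parent, so a shared or revisited node is malformed either way). The depth bound covers the other way to burn stack, a legitimately acyclic but absurdly deep chain; the naive walk happily handles 200 levels here, but the bound is what keeps a hostile file from choosing the recursion depth.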

SYNOPSIS

In Progress

Vulnerable Source Code

Analysis

The ASAN build reports a stack-overflow with Catalog::countPageTree() repeated all the way down the stack (frame #11 onwards, every frame at Catalog.cc:501), each level fetching the next kid object through XRef::fetch() and DecryptStream::copy(). In a non-instrumented build under GDB the same input faults inside md5Round1(): the faulting instruction spills an argument to [rbp-0x20], and $rsp (0x7fffff7fefe8) already lies below the mapped stack, so this is simply the frame that stepped onto the unmapped region after the recursion had consumed the stack.

DEBUG:
ASAN Report:

ASAN:SIGSEGV
=================================================================
==15699==ERROR: AddressSanitizer: stack-overflow on address 0x7fff60d72ff8 (pc 0x7f8813d6c222 bp 0x000000000150 sp 0x7fff60d73000 T0)
    #0 0x7f8813d6c221  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xb0221)
    #1 0x7f8813d6bd67  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xafd67)
    #2 0x7f8813cdef4f  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22f4f)
    #3 0x7f8813d554fe in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x994fe)
    #4 0x4d8b68 in FileStream::copy() /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Stream.cc:783
    #5 0x457d85 in DecryptStream::copy() /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Decrypt.cc:388
    #6 0x4c9235 in Object::copy(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Object.cc:95
    #7 0x4fa558 in XRef::fetch(int, int, Object*, int) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/XRef.cc:1061
    #8 0x4c92b4 in Object::fetch(XRef*, Object*, int) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Object.cc:115
    #9 0x44e04d in Array::get(int, Object*, int) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Array.cc:62
    #10 0x4c9d13 in Object::arrayGet(int, Object*, int) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Object.h:243
    #11 0x450006 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:500
    #12 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #13 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #14 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #15 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #16 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #17 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #18 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #19 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #20 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #21 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #22 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #23 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #24 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #25 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #26 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #27 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #28 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #29 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #30 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #31 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #32 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #33 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #34 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #35 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #36 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #37 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #38 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #39 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #40 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #41 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #42 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #43 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #44 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #45 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
    #46 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501

SUMMARY: AddressSanitizer: stack-overflow ??:0 ??
==15699==ABORTING

GDB

[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x67452301        
$rbx   : 0x0000000000801030  →  0x0000000000526f40  →  0x0000000000457c68  →   push rbp
$rcx   : 0x10325476        
$rdx   : 0x98badcfe        
$rsp   : 0x7fffff7fefe8    
$rbp   : 0x00007fffff7ff018  →  0x00007fffff7ff100  →  0x00007fffff7ff120  →  0x00007fffff7ff1e0  →  0x00007fffff7ff230  →  0x00007fffff7ff270  →  0x00007fffff7ff290  →  0x00007fffff7ff340
$rsi   : 0xefcdab89        
$rdi   : 0x67452301        
$rip   : 0x0000000000459e73  →   mov QWORD PTR [rbp-0x20], rcx
$r8    : 0xffffffffe3761699
$r9    : 0x7               
$r10   : 0x2052203020355b20 (" [5 0 R "?)
$r11   : 0x246             
$r12   : 0x00000000007f7d50  →  0x000000000053f8f8  →  0x00000000004d8a6e  →   push rbp
$r13   : 0x00007fffffffdea0  →  0x000000000000000c
$r14   : 0x0               
$r15   : 0x0               
$eflags: [carry PARITY adjust zero sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
[!] Unmapped address
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
     0x459e67  mov    QWORD PTR [rbp-0x8], rdi
     0x459e6b  mov    QWORD PTR [rbp-0x10], rsi
     0x459e6f  mov    QWORD PTR [rbp-0x18], rdx
→   0x459e73  mov    QWORD PTR [rbp-0x20], rcx
     0x459e77  mov    QWORD PTR [rbp-0x28], r8
     0x459e7b  mov    DWORD PTR [rbp-0x2c], r9d
     0x459e7f  mov    rax, QWORD PTR [rbp-0x10]
     0x459e83  and    rax, QWORD PTR [rbp-0x18]
     0x459e87  mov    rdx, rax
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:/home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Decrypt.cc+996 ────
    991       x &= 0xffffffff;
    992       return ((x << r) | (x >> (32 - r))) & 0xffffffff;
    993     }
    994     
    995     static inline Gulong md5Round1(Gulong a, Gulong b, Gulong c, Gulong d,
→  996                        Gulong Xk, int s, Gulong Ti) {
    997       return b + rotateLeft((a + ((b & c) | (~b & d)) + Xk + Ti), s);
    998     }
    999     
   1000     static inline Gulong md5Round2(Gulong a, Gulong b, Gulong c, Gulong d,
   1001                        Gulong Xk, int s, Gulong Ti) {
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "pdfimages", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[!] Cannot access memory at address 0x7fffff7feff8

Proof of Concept

./pdfimages -f 2 -l 4 -j -raw -list -upw rome $POC out
POC FILE: REPRODUCER
Vendor Disclosure: 2019-3-1
Public Disclosure: 2019-3-6

Credit

Discovered by ACE Team – Loginsoft