CVE-2018-19532: Null pointer dereference vulnerability in PdfTranslator::setTarget() – podofo 0.9.6

Loginsoft-2018-1034

November 15, 2018

CVE Number

CVE-2018-19532

CWE

CWE-476: NULL Pointer Dereference

Product Details

PoDoFo is a library to work with the PDF file format.
URL: https://sourceforge.net/projects/podofo/

Vulnerable Versions

0.9.6-trunk r1949

Vulnerability Details

During our research on the podofo, A NULL pointer dereference vulnerability is discovered in the pdofo (0.9.6 – Trunk r1949 ) . The same be triggered by sending a crafted pdf file to the podofoimpose binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

SYNOPSIS

As per our research, the vulnerability exits in function PdfTranslator::setTarget() in pdftranslator.cpp.
The pointer page, consists of pdf page details in it.

Gdb : 
gef➤  p page 
$53 = (PoDoFo::PdfPage *) 0x82a2d30 
gef➤  p *page 
$56 = { 
   = { 
    _vptr.PdfElement = 0x822b4c0 , 
    m_pObject = 0x82a5f78 
  }, 
   = { 
    _vptr.PdfCanvas = 0x822b504  
  }, 
  members of PoDoFo::PdfPage: 
  m_pContents = 0x82a7870, 
  m_pResources = 0x82a8870, 
  m_mapAnnotations = std::map with 0 elements, 
  m_mapAnnotationsDirect = std::map with 0 elements

In line PdfXObject *xobj = new PdfXObject ( page->GetMediaBox(), targetDoc ), While storing the pdf objects in xobj, if a crafted pdf file is supplied to the binary , a NULL dereference issue is identified as the page pointer points to an non-existing address 0x0 .

Analysis

 

Source code :
for (int i = 0; i GetPage ( i );  
PdfMemoryOutputStream outMemStream ( 1 );  
PdfXObject *xobj = new PdfXObject ( page->GetMediaBox(), targetDoc );  
if ( page->GetContents()->HasStream() )  
{  
page->GetContents()->GetStream()->GetFilteredCopy ( &outMemStream );  
}

GDB : 
 
259                                     PdfXObject *xobj = new PdfXObject ( page->GetMediaBox(), targetDoc ); 
1: page = (PoDoFo::PdfPage *) 0x0 
[ Legend: Modified register | Code | Heap | Stack | String ] 
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ──── 
$eax   : 0x0 
$ebx   : 0x082a9de4  →  0x082aa7f0  →  0x08219b78  →  0x0813d594  →   push ebp 
$ecx   : 0x3 
$edx   : 0x082aaef0  →  0x00000000 
$esp   : 0xbffff470  →  0xb7bab000  →  0x00172664 
$ebp   : 0xbffff528  →  0xbffff568  →  0x00000000 
$esi   : 0xbffff4d8  →  0x00000000 
$edi   : 0xb7a16000  →  0x001b1db0 
$eip   : 0x0811bd62  →  <PoDoFo::Impose::PdfTranslator::setTarget(std::__cxx11::basic_string mov eax, DWORD PTR [ebp-0x90] 
$eflags: [carry parity adjust zero SIGN trap INTERRUPT direction overflow resume virtualx86 IDENTIFICATION] 
$cs: 0x0073 $ss: 0x007b $ds: 0x007b $es: 0x007b $fs: 0x0000 $gs: 0x0033 
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ──── 
0xbffff470│+0x0000: 0xb7bab000  →  0x00172664    ← $esp 
0xbffff474│+0x0004: 0xb7b08756  →  <__gnu_cxx::stdio_sync_filebuf add ebx, 0xa28aa 
0xbffff478│+0x0008: 0x08293b30  →  0x08293b38  →  "test" 
0xbffff47c│+0x000c: 0x082a1c48  →  0x082a1e10  →  0x0822aa54  →  0x081727a6  →   push ebp 
0xbffff480│+0x0010: 0x08293a40  →  0xb7ba9c68  →  0xb7b2d9e0  →  <std::basic_ostream push ebx 
0xbffff484│+0x0014: 0x082a9348  →  0x00000020 
0xbffff488│+0x0018: 0x00000001 
0xbffff48c│+0x001c: 0x00000001 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ──── 
    0x811bd59 <PoDoFo::Impose::PdfTranslator::setTarget(std::__cxx11::basic_string push   eax 
    0x811bd5a <PoDoFo::Impose::PdfTranslator::setTarget(std::__cxx11::basic_string call   0x813fa66  
    0x811bd5f <PoDoFo::Impose::PdfTranslator::setTarget(std::__cxx11::basic_string add    esp, 0x10 
→  0x811bd62 <PoDoFo::Impose::PdfTranslator::setTarget(std::__cxx11::basic_string mov    eax, DWORD PTR [ebp-0x90] 
    0x811bd68 <PoDoFo::Impose::PdfTranslator::setTarget(std::__cxx11::basic_string mov    eax, DWORD PTR [eax] 
    0x811bd6a <PoDoFo::Impose::PdfTranslator::setTarget(std::__cxx11::basic_string add    eax, 0x18 
    0x811bd6d <PoDoFo::Impose::PdfTranslator::setTarget(std::__cxx11::basic_string mov    eax, DWORD PTR [eax] 
    0x811bd6f <PoDoFo::Impose::PdfTranslator::setTarget(std::__cxx11::basic_string lea    edx, [ebp-0x50] 
    0x811bd72 <PoDoFo::Impose::PdfTranslator::setTarget(std::__cxx11::basic_string sub    esp, 0x8 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:/home/loginsoft/podofo-code-r1949-podofo-trunk/tools/podofoimpose/pdftranslator.cpp+259 ──── 
    254                         for ( int i = 0; i GetPage ( i ); 
    257                                 PdfMemoryOutputStream outMemStream ( 1 ); 
    258 
                // page=0xbffff498  →  0x00000000, xobj=0xbffff49c  →  [...]  →   push ebp 
→  259                                 PdfXObject *xobj = new PdfXObject ( page->GetMediaBox(), targetDoc ); 
    260                                 if ( page->GetContents()->HasStream() ) 
    261                                 { 
    262                                         page->GetContents()->GetStream()->GetFilteredCopy ( &outMemStream ); 
    263                                 } 
    264                                 else if ( page->GetContents()->IsArray() ) 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ──── 
[#0] Id 1, Name: "podofoimpose", stopped, reason: BREAKPOINT 
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ──── 
[#0] 0x811bd62 → PoDoFo::Impose::PdfTranslator::setTarget(this=0x82a1c48, target="test") 
[#1] 0x8119af1 → main(argc=0x4, argv=0xbffff614) 
 
gef➤  p page 
$58 = (PoDoFo::PdfPage *) 0x0 
gef➤  p *page 
Cannot access memory at address 0x0 
gef➤  i r 
eax            0x0      0x0 
ecx            0x3      0x3 
edx            0x82aaef0        0x82aaef0 
ebx            0x82a9de4        0x82a9de4 
esp            0xbffff470       0xbffff470 
ebp            0xbffff528       0xbffff528 
esi            0xbffff4d8       0xbffff4d8 
edi            0xb7a16000       0xb7a16000 
eip            0x811bd62        0x811bd62 <PoDoFo::Impose::PdfTranslator::setTarget(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&)+320> 
eflags         0x200282 [ SF IF ID ] 
cs             0x73     0x73 
ss             0x7b     0x7b 
ds             0x7b     0x7b 
es             0x7b     0x7b 
fs             0x0      0x0 
gs             0x33     0x33 

gef➤  bt
#0  0x0811bd68 in PoDoFo::Impose::PdfTranslator::setTarget (this=0x82a1c70, target="test.pdf") at /home/loginsoft/podofo-code-r1949-podofo-trunk/tools/podofoimpose/pdftranslator.cpp:259
#1  0x08119af1 in main (argc=0x4, argv=0xbffff604) at /home/loginsoft/podofo-code-r1949-podofo-trunk/tools/podofoimpose/podofoimpose.cpp:108
Proof of Concept

podofoimpose $POC outfile.pdf native

Timeline

Vendor Disclosure: 2018-11-15
Public Disclosure: 2018-11-20
Patch : https://sourceforge.net/p/podofo/code/1950

Credit

Discovered by ACE Team – Loginsoft