NULL Pointer Dereference vulnerability in setSource() – podofo 0.9.6-trunk r1967
Loginsoft-2019-1097
26 February, 2019
CVE Number
CVE-2019-9199
CWE
CWE-476: NULL Pointer Dereference
Product Details
PoDoFo is a library to work with the PDF file format.
URL: https://sourceforge.net/projects/podofo/
Vulnerable Versions
0.9.6-trunk r1952
Vulnerability Details
During our research on PoDoFo, a NULL pointer dereference was discovered in PdfTranslator::setSource() of the podofoimpose tool (0.9.6-trunk r1967). It can be triggered by passing a crafted PDF file to the podofoimpose binary. The page count reported by the document is positive, but the first page cannot be loaded from the malformed page tree, so GetPage(0) returns NULL and is dereferenced without a check. This allows an attacker to cause a Denial of Service (segmentation fault) or possibly have unspecified other impact.
SYNOPSIS
In progress
Vulnerable source code (tools/podofoimpose/pdftranslator.cpp)

    if ( pcount > 0 )
    {
        PoDoFo::PdfRect rect ( sourceDoc->GetPage ( 0 )->GetMediaBox() );
        sourceWidth = rect.GetWidth() - rect.GetLeft();
        sourceHeight = rect.GetHeight() - rect.GetBottom() ;
    }
Analysis
Debug in Linux (GDB with gef)

    151         PoDoFo::PdfRect rect ( sourceDoc->GetPage ( 0 )->GetMediaBox() );
    152         // keep in mind it's just a hint since PDF can have different page sizes in a same doc
    153         sourceWidth = rect.GetWidth() - rect.GetLeft();
    154         sourceHeight = rect.GetHeight() - rect.GetBottom() ;
    155     }
    156 }

    [#0] Id 1, Name: "podofoimpose", stopped, reason: SIGSEGV
    [#0] 0x811c4e6 → PoDoFo::Impose::PdfTranslator::setSource(this=0x82a9f00, source="/home/loginsoft/ACE/sources/pruthvi/id_000000_00")
    [#1] 0x811aebe → main(argc=0x4, argv=0xbffff3b4)

    gef➤ bt
    #0  0x0811c4e6 in PoDoFo::Impose::PdfTranslator::setSource (this=0x82a9f00, source="POC") at /podofo-code-r1966-podofo-trunk/tools/podofoimpose/pdftranslator.cpp:151
    #1  0x0811aebe in main (argc=0x4, argv=0xbffff3b4) at /podofo-code-r1966-podofo-trunk/tools/podofoimpose/podofoimpose.cpp:107

    gef➤ p/d pcount
    $1 = 11

    gef➤ p sourceDoc->GetPage ( 0 )
    CRITICAL: Requesting page index 0.
    Invalid datatype referenced in kids array: Dictionary
    Reference to invalid object: 1 0 R
    $5 = (PoDoFo::PdfPage *) 0x0

    gef➤ p GetPage( nIndex )
    CRITICAL: Requesting page index 0.
    Invalid datatype referenced in kids array: Dictionary
    Reference to invalid object: 1 0 R
    $2 = (PoDoFo::PdfPage *) 0x0

    gef➤ i r
    eax     0x0         0x0
    ecx     0x0         0x0
    edx     0x0         0x0
    ebx     0x82aa100   0x82aa100
    esp     0xbffff130  0xbffff130
    ebp     0xbffff2c8  0xbffff2c8
    esi     0x82aa0a8   0x82aa0a8
    edi     0xb78a4000  0xb78a4000
    eip     0x811c4e6   0x811c4e6 <PoDoFo::Impose::PdfTranslator::setSource(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&)+1314>
    eflags  0x210286    [ PF SF IF RF ID ]
    cs      0x73        0x73
    ss      0x7b        0x7b
    ds      0x7b        0x7b
    es      0x7b        0x7b
    fs      0x0         0x0
    gs      0x33        0x33

The page count (pcount = 11) comes from the document's page tree, but GetPage(0) fails to resolve the first kid (a direct dictionary instead of a reference, followed by a reference to a non-existent object 1 0 R) and returns a NULL PdfPage pointer, which line 151 then dereferences (eax = 0x0 at the faulting instruction).
Debug in Windows (WinDbg)

    STACK_TEXT:
                                                  podofoimpose!PoDoFo::Impose::PdfTranslator::setSource+0x57e
    00cffad0 010e58ce 00000004 001e2c78 001e1738 podofoimpose!main+0x161
    00cffae4 010e5767 90d90588 00f3b398 00f3b398 podofoimpose!invoke_main+0x1e
    00cffb40 010e55fd 00cffb50 010e5948 00cffb64 podofoimpose!__scrt_common_main_seh+0x157
    00cffb48 010e5948 00cffb64 74c38484 00af3000 podofoimpose!__scrt_common_main+0xd
    00cffb50 74c38484 00af3000 74c38460 9e791c38 podofoimpose!mainCRTStartup+0x8
    00cffb64 77bd41c8 00af3000 d24f9363 00000000 KERNEL32!BaseThreadInitThunk+0x24
    00cffbac 77bd4198 ffffffff 77bef326 00000000 ntdll!__RtlUserThreadStart+0x2f
    00cffbbc 00000000 00f3b398 00af3000 00000000 ntdll!_RtlUserThreadStart+0x1b

    FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_podofoimpose.exe!PoDoFo::Impose::PdfTranslator::setSource
    BUCKET_ID: APPLICATION_FAULT_NULL_POINTER_READ_INVALID_POINTER_READ_podofoimpose!PoDoFo::Impose::PdfTranslator::setSource+57e
    ExceptionCode: c0000005 (Access violation)
    FAULTING_SOURCE_FILE: e:\podofo-code-r1966-podofo-trunk\tools\podofoimpose\pdftranslator.cpp
    FAILURE_FUNCTION_NAME: PoDoFo::Impose::PdfTranslator::setSource

    Registers:
    eax=00000000 ebx=00af3000 ecx=90d909fc edx=00cff82c esi=00cff770 edi=00cff76c
    eip=00f5645e esp=00cff76c ebp=00cffa6c iopl=0 nv up ei pl zr na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
Proof of Concept
podofoimpose $POC output native
Mitigation
This issue can be prevented by checking the return value of sourceDoc->GetPage(0) for NULL in PoDoFo::Impose::PdfTranslator::setSource() (tools/podofoimpose/pdftranslator.cpp) before calling GetMediaBox() on it. A document whose page count is positive but whose first page cannot be loaded has a malformed page tree and should be rejected with an error rather than processed further; the pcount > 0 test alone is not sufficient, because the count is read from the page tree while page lookup has to resolve the /Kids entries.
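The check described above, shown beside the vulnerable shape, as an added example that is not PoDoFo's own code. PdfDocument, PdfPage and PdfRect below are minimal stand-ins for the PoDoFo classes (assumed names and behaviour, not the library's API); they model only the property that matters for this bug, namely that GetPageCount() reports the count the page tree declares while GetPage(0) can still return NULL when the /Kids entries cannot be resolved, matching the debugger output (pcount = 11, GetPage(0) = 0x0). The two documents at the bottom are constructed inputs.

```cpp
// Added example, not PoDoFo code: models the pcount/GetPage(0) mismatch
// behind CVE-2019-9199 and the NULL check setSource() is missing.
// All types are stand-ins for PoDoFo's classes (assumed, simplified).
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Stand-in for PoDoFo::PdfRect (a media box).
struct PdfRect {
    double left, bottom, width, height;
    double GetLeft() const { return left; }
    double GetBottom() const { return bottom; }
    double GetWidth() const { return width; }
    double GetHeight() const { return height; }
};

// Stand-in for PoDoFo::PdfPage.
struct PdfPage {
    PdfRect mediaBox;
    PdfRect GetMediaBox() const { return mediaBox; }
};

// Stand-in for a loaded document. As in the debugger session, the page
// count is whatever the page tree declares, while GetPage(n) must actually
// resolve a kid and returns nullptr when it cannot (direct dictionary in
// /Kids, dangling reference, ...).
struct PdfDocument {
    int declaredCount;          // the /Count value the file claims
    std::vector<PdfPage> kids;  // the pages that are really reachable
    int GetPageCount() const { return declaredCount; }
    const PdfPage* GetPage(int n) const {
        if (n < 0 || n >= static_cast<int>(kids.size())) return nullptr;
        return &kids[n];
    }
};

struct SourceSize { double width; double height; };

// Vulnerable shape (as in the advisory): trusts pcount and dereferences
// GetPage(0) unconditionally. On the crafted document this is a NULL
// pointer read, i.e. the SIGSEGV / c0000005 seen above.
SourceSize setSourceVulnerable(const PdfDocument& sourceDoc) {
    SourceSize s{0, 0};
    int pcount = sourceDoc.GetPageCount();
    if (pcount > 0) {
        PdfRect rect(sourceDoc.GetPage(0)->GetMediaBox());  // NULL deref
        s.width = rect.GetWidth() - rect.GetLeft();
        s.height = rect.GetHeight() - rect.GetBottom();
    }
    return s;
}

// Hardened shape: check the pointer before using it and fail loudly,
// because a page tree whose count disagrees with its kids is malformed.
SourceSize setSourceHardened(const PdfDocument& sourceDoc) {
    SourceSize s{0, 0};
    int pcount = sourceDoc.GetPageCount();
    if (pcount > 0) {
        const PdfPage* first = sourceDoc.GetPage(0);
        if (first == nullptr) {
            throw std::runtime_error(
                "setSource: page count is " + std::to_string(pcount) +
                " but page 0 cannot be loaded (malformed page tree)");
        }
        PdfRect rect(first->GetMediaBox());
        s.width = rect.GetWidth() - rect.GetLeft();
        s.height = rect.GetHeight() - rect.GetBottom();
    }
    return s;
}

// Constructed inputs: a well-formed A4 single-page document, and a
// document mimicking the PoC, where /Count says 11 but no kid resolves.
PdfDocument makeGoodDoc() {
    return PdfDocument{1, { PdfPage{ PdfRect{0, 0, 595, 842} } }};
}
PdfDocument makeCraftedDoc() {
    return PdfDocument{11, {}};
}

// True when the hardened path rejects the crafted document instead of
// dereferencing NULL.
bool hardenedRejectsCraftedDoc() {
    try {
        setSourceHardened(makeCraftedDoc());
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}

int main() {
    SourceSize ok = setSourceHardened(makeGoodDoc());
    std::printf("good doc: %.0f x %.0f\n", ok.width, ok.height);
    std::printf("crafted doc rejected: %s\n",
                hardenedRejectsCraftedDoc() ? "yes" : "no");
    // setSourceVulnerable(makeCraftedDoc()) would crash here.
    return 0;
}
```

In the real tool the same check belongs at the GetPage(0) call in PdfTranslator::setSource(); rejecting the input with an error is preferable to silently skipping the size hint, since the rest of the imposition plan relies on the source document being well formed.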
Timeline
Vendor Disclosure: 2019-02-25
Public Disclosure:
Credit
Discovered by ACE Team – Loginsoft