信息来源:
www.securiteam.com
Summary
Xpdf is "an open-source viewer for Portable Document Format (PDF) files". Remote exploitation of a buffer overflow vulnerability in the xpdf PDF viewer, as included in multiple Linux distributions, could allow attackers to execute arbitrary code as the user viewing a PDF file.
Details
Vulnerable Systems:
* xpdf version 3.00
Immune Systems:
* xpdf version 3.00pl2
The offending code can be found in the Gfx::doImage() function in the source file xpdf/Gfx.cc.
void Gfx::doImage(Object *ref, Stream *str, GBool inlineImg) {
Dict *dict;
int width, height;
int bits;
GBool mask;
GBool invert;
GfxColorSpace *colorSpace;
GfxImageColorMap *colorMap;
Object maskObj;
GBool haveMask;
int maskColors[2*gfxColorMaxComps];
Object obj1, obj2;
int i;
...
// get the mask
haveMask = gFalse;
dict->lookup("Mask", &maskObj);
if (maskObj.isArray()) {
for (i = 0; i < maskObj.arrayGetLength(); ++i) {
maskObj.arrayGet(i, &obj1);
[!] maskColors
= obj1.getInt();
obj1.free();
}
haveMask = gTrue;
}
...
}
Due to the fact that the loop boundaries are not less than the storage area, the maskColors array is eventually filled up. After that, local variables and other stack memory is overwritten. This ultimately leads to control of program flow and arbitrary code execution.
Analysis:
The severity of this issue is mitigated by the fact that several of the local overwritten variables in doImage() are referenced prior to EIP being restored; therefore, before the attack gains control of the target process. However, an attacker with knowledge of the remote operating system can construct and validate a malicious payload before attempting exploitation, thus increasing the chances of success. An attacker must convince a target user to open the malicious file to exploit this vulnerability.
Vendor response:
A patch to address this vulnerability is available from: ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl2.patch
Updated binaries (version 3.00pl2) are available from: http://www.foolabs.com/xpdf/download.html
CVE Information:
CAN-2004-1125
Disclosure timeline:
11/23/2004 - Initial vendor notification
11/29/2004 - Initial vendor response
12/21/2004 - Coordinated public disclosure
Additional information
The information has been provided by iDEFENSE. The original article can be found at: http://www.idefense.com/applicat ... ype=vulnerabilities
