The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[UNIX] Multiple UNIX/Linux Vendor Xpdf makeFileKey2 Stack Overflow


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 23 Jan 2005 14:38:37 +0200
Subject: [UNIX] Multiple UNIX/Linux Vendor Xpdf makeFileKey2 Stack Overflow
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050123135350.22E9858D8@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -




  Multiple UNIX/Linux Vendor Xpdf makeFileKey2 Stack Overflow
------------------------------------------------------------------------


SUMMARY

 <http://www.foolabs.com/xpdf/>; Xpdf is an open-source viewer for PDF 
files.

Remote exploitation of a buffer overflow vulnerability in the xpdf PDF 
viewer included in multiple UNIX and Linux distributions could allow for 
arbitrary code execution as the user viewing a PDF file.

DETAILS

Vulnerable Systems:
 * Xpdf Version 3.00 and prior

Immune Systems:
 * Xpdf Version 3.00pl3 or newer

The vulnerability specifically exists due to insufficient bounds checking 
while processing a PDF file that provides malicious values in the /Encrypt 
/Length tag.

Vulnerable Code:
The offending code can be found in the Decrypt::makeFileKey2 function in 
the source file xpdf/Decrypt.cc.
GBool Decrypt::makeFileKey2(int encVersion, int encRevision,
                            int keyLength, GString *ownerKey,
                            GString *userKey, int permissions,
                            GString *fileID, String *userPassword,
                            Guchar *fileKey) {
      Guchar *buf;
      Guchar test[32];
      Guchar fState[256];
      Guchar tmpKey[16];
      Guchar fx, fy;
      int len, i, j;
      GBool ok;
      ...

            memcpy(test, userKey->getCString(), 32);
            for (i = 19; i >= 0; --i) {
                  for (j = 0; j < keyLength; ++j) {
[overflow]               tmpKey[j] = fileKey[j] ^ i;
                  }
            ...
      }
      ...
}


In this piece of code, the keyLength value is ultimately supplied by the 
PDF file. This allows an attacker to specify an arbitrarily large value 
and overwrite portions of stack memory. As a consequence, arbitrary code 
execution is possible.

Successful exploitation of this vulnerability leads to arbitrary code 
execution as the user who opened the malicious file. An attacker would 
have to convince a target to open the provided file in order to exploit 
this vulnerability, thus lessening the impact. Exploitation can be 
performed reliably, especially with knowledge of the target system.

Vendor Status:
A patch to address this issue is available at:  
<ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl3.patch>; 
ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl3.patch
Updated binaries (ver. 3.00pl3) to address this issue are available at:  
<http://www.foolabs.com/xpdf/download.html>; 
http://www.foolabs.com/xpdf/download.html

Disclosure Timeline:
01/06/2005 - Initial vendor notification
01/12/2005 - Initial vendor response
01/18/2005 - Coordinated public disclosure

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064>; 
CAN-2005-0064


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:idlabs-advisories@idefense.com.> iDEFENSE.
The original article can be found at:  
<www.idefense.com/application/poi/display?id=186&type=vulnerabilities> 
www.idefense.com/application/poi/display?id=186&type=vulnerabilities




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру