0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Sumatra 2.1.1/MuPDF 1.0 Integer Overflow
Sumatra 2.1.1/MuPDF 1.0 Integer Overflow ======================================= There is an integer overflow on the MuPDF in the lex_number() function which can be triggered using a corrupt PDF file with ObjStm. I'm attaching a file that reproduces the problem with the original unmodified file. The ObjStm was modified to include big numbers. The easy way to fix is to update to the latest version of MuPDF library. Affected products ================= MuPDF 1.0 (previous release) MuPDF for iOS 1.1 (current release) Sumatra 2.1.1 (current stable release) Fixed ===== MuPDF 1.1 http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=f919270b6a732ff45c3ba2d0c105e2b39e9c9bc9 Sumatra Pre-release version: http://blog.kowalczyk.info/software/sumatrapdf/prerelease.html CVE ==== CVE-2012-5340 Flaw details ============ On the FIXME line occurs an integer overflow, which can be later abused to write to memory: File: pdf_lex.c static int lex_number(fz_stream *f, pdf_lexbuf *buf, int c) { ..... while (1) { int c = fz_read_byte(f); switch (c) { case '.': goto loop_after_dot; case RANGE_0_9: i = 10*i + c - '0'; /* FIXME: Need overflow check here; do we care? */ break; default: fz_unread_byte(f); /* Fallthrough */ case EOF: if (neg) i = -i; buf->i = i; return PDF_TOK_INT; } } .... file: pdf_repair.c static void pdf_repair_obj_stm(pdf_document *xref, int num, int gen) { .... for (i = 0; i < count; i++) { tok = pdf_lex(stm, &buf); if (tok != PDF_TOK_INT) fz_throw(ctx, "corrupt object stream (%d %d R)", num, gen); n = buf.i; // n can take negative values when an integer overflow occurs if (n >= xref->len) pdf_resize_xref(xref, n + 1); xref->table[n].ofs = num; // Writes xref->table[n].gen = i; xref->table[n].stm_ofs = 0; POC ==== Attached proof of concept. http://www.exploit-db.com/sploits/23246.tar.gz !Exploitable output =================== MuPDF: Description: User Mode Write AV Short Description: WriteAV Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - User Mode Write AV starting at mupdf+0x000000000003e1a6 (Hash=0x0e1a1f61.0x5f702654) User mode write access violations that are not near NULL are exploitable. Sumatra: SumatraPDF!pdf_repair_obj_stms+0x94 SumatraPDF!pdf_open_document_with_stream+0x2c3 SumatraPDF!PdfEngineImpl::LoadFromStream+0xaa SumatraPDF!PdfEngineImpl::Load+0x179 SumatraPDF!PdfEngine::CreateFromFile+0x80 SumatraPDF!EngineManager::CreateEngine+0x82 SumatraPDF!LoadDocIntoWindow+0x266 SumatraPDF!LoadDocumentOld+0x41f SumatraPDF!LoadDocument+0xc SumatraPDF!LoadOnStartup+0x89 SumatraPDF!WinMain+0x57c SumatraPDF!__tmainCRTStartup+0x142 SumatraPDF!WinMainCRTStartup+0xf kernel32!BaseThreadInitThunk+0x12 ntdll32!RtlInitializeExceptionChain+0x63 ntdll32!RtlInitializeExceptionChain+0x36 Instruction Address: 0x00000000775315de Description: User Mode Write AV Short Description: WriteAV Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll32!ZwRaiseException+0x0000000000000012 (Hash=0x16621b14.0x14396738) User mode write access violations that are not near NULL are exploitable. # 0day.today [2024-12-25] #