heap-buffer-overflow reading in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3
A PDF parsing, modification and creation library.
Brought to you by:
domseichter
Menu
▾
▴
2 Attachments
#50 heap-buffer-overflow reading in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3
Fuzzing target
rev 1981 under Ubuntu 16.04.3 LTS
fuzzing target: podofopdfinfo
Conclusion of this analysis
read___heap-buffer-overflow in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3
It allows an attacker to use a crafted pdf file to cause arbitrary code execution.
To reproduce the crash, build with Asan.
Without Asan, we also can see that the memcpy try to copy 48 bytes from the 36 bytes sized heap buffer, but it just not trigger a crash.
crash log
=================================================================
==85573==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000028b4 at pc 0x000107a336df bp 0x7ffee90dec20 sp 0x7ffee90de3d0
READ of size 48 at 0x6040000028b4 thread T0
#0 0x107a336de in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x596de)
#1 0x106bcde31 in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3(PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, int, PoDoFo::PdfString) PdfEncrypt.cpp:1923
#2 0x106bb50b4 in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3(PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, int, PoDoFo::PdfString) PdfEncrypt.cpp:1914
#3 0x106bb4092 in PoDoFo::PdfEncrypt::CreatePdfEncrypt(PoDoFo::PdfObject const*) PdfEncrypt.cpp:635
#4 0x106c575b8 in PoDoFo::PdfParser::ReadObjects() PdfParser.cpp:1087
#5 0x106c54a72 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) PdfParser.cpp:260
#6 0x106c5380f in PoDoFo::PdfParser::ParseFile(char const*, bool) PdfParser.cpp:206
#7 0x106edda8e in PoDoFo::PdfMemDocument::Load(char const*, bool) PdfMemDocument.cpp:256
#8 0x106edd509 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) PdfMemDocument.cpp:102
#9 0x106eddc0b in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) PdfMemDocument.cpp:101
#10 0x106b21fac in PdfInfo::PdfInfo(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) pdfinfo.cpp:25
#11 0x106b2205c in PdfInfo::PdfInfo(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) pdfinfo.cpp:24
#12 0x106b3c3ed in main podofopdfinfo.cpp:110
#13 0x7fff76a713d4 in start (libdyld.dylib:x86_64+0x163d4)
0x6040000028b4 is located 0 bytes to the right of 36-byte region [0x604000002890,0x6040000028b4)
allocated by thread T0 here:
#0 0x107a36597 in wrap_calloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c597)
#1 0x106c31f77 in PoDoFo::podofo_calloc(unsigned long, unsigned long) PdfMemoryManagement.cpp:136
#2 0x106c9cd1a in PoDoFo::PdfRefCountedBuffer::ReallyResize(unsigned long) PdfRefCountedBuffer.cpp:166
#3 0x106cb18bd in PoDoFo::PdfRefCountedBuffer::Resize(unsigned long) PdfRefCountedBuffer.h:307
#4 0x106cb61d6 in PoDoFo::PdfRefCountedBuffer::PdfRefCountedBuffer(unsigned long) PdfRefCountedBuffer.h:227
#5 0x106caf66c in PoDoFo::PdfRefCountedBuffer::PdfRefCountedBuffer(unsigned long) PdfRefCountedBuffer.h:226
#6 0x106cad261 in PoDoFo::PdfString::Init(char const*, long) PdfString.cpp:574
#7 0x106cae928 in PoDoFo::PdfString::PdfString(char const*, long, bool, PoDoFo::PdfEncoding const*) PdfString.cpp:183
#8 0x106caea0b in PoDoFo::PdfString::PdfString(char const*, long, bool, PoDoFo::PdfEncoding const*) PdfString.cpp:181
#9 0x106cc2da2 in PoDoFo::PdfTokenizer::ReadString(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) PdfTokenizer.cpp:813
#10 0x106cbf7bc in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) PdfTokenizer.cpp:567
#11 0x106cc0859 in PoDoFo::PdfTokenizer::ReadDictionary(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) PdfTokenizer.cpp:651
#12 0x106cbf784 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) PdfTokenizer.cpp:561
#13 0x106cc0859 in PoDoFo::PdfTokenizer::ReadDictionary(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) PdfTokenizer.cpp:651
#14 0x106cbf784 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) PdfTokenizer.cpp:561
#15 0x106cbd8a5 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) PdfTokenizer.cpp:407
#16 0x106c8ad16 in PoDoFo::PdfParserObject::ParseFileComplete(bool) PdfParserObject.cpp:204
#17 0x106c8cd3a in PoDoFo::PdfParserObject::DelayedLoadImpl() PdfParserObject.cpp:371
#18 0x106cd9be1 in PoDoFo::PdfVariant::DelayedLoad() const PdfVariant.h:560
#19 0x106c8a596 in PoDoFo::PdfParserObject::ParseFile(PoDoFo::PdfEncrypt*, bool) PdfParserObject.cpp:154
#20 0x106c59489 in PoDoFo::PdfParser::ReadTrailer() PdfParser.cpp:641
#21 0x106c55ba0 in PoDoFo::PdfParser::ReadDocumentStructure() PdfParser.cpp:322
#22 0x106c54a64 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) PdfParser.cpp:259
#23 0x106c5380f in PoDoFo::PdfParser::ParseFile(char const*, bool) PdfParser.cpp:206
#24 0x106edda8e in PoDoFo::PdfMemDocument::Load(char const*, bool) PdfMemDocument.cpp:256
#25 0x106edd509 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) PdfMemDocument.cpp:102
#26 0x106eddc0b in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) PdfMemDocument.cpp:101
#27 0x106b21fac in PdfInfo::PdfInfo(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) pdfinfo.cpp:25
#28 0x106b2205c in PdfInfo::PdfInfo(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) pdfinfo.cpp:24
#29 0x106b3c3ed in main podofopdfinfo.cpp:110
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x596de) in __asan_memcpy
Shadow bytes around the buggy address:
0x1c08000004c0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c08000004d0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c08000004e0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c08000004f0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c0800000500: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
=>0x1c0800000510: fa fa 00 00 00 00[04]fa fa fa fd fd fd fd fd fa
0x1c0800000520: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c0800000530: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c0800000540: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c0800000550: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c0800000560: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==85573==ABORTING
Abort trap: 6
void PdfParser::ParseFile( const PdfRefCountedInputDevice & rDevice, bool bLoadOnDemand )
{
Clear();
m_device = rDevice;
m_bLoadOnDemand = bLoadOnDemand;
try {
if( !IsPdfFile() )
{
PODOFO_RAISE_ERROR( ePdfError_NoPdfFile );
}
ReadDocumentStructure(); // <<<<<<<<< create 36 bytes buffer for a PdfString
ReadObjects(); // <<<<<<<<<<< try to copy 48 bytes from the above heap buffer
//...
PdfEncrypt* PdfEncrypt::CreatePdfEncrypt( const PdfObject* pObject )
{
PdfEncrypt* PdfEncrypt::CreatePdfEncrypt( const PdfObject* pObject )
{
//...
try {
//...
uValue = pObject->GetDictionary().MustGetKey( PdfName("U") ).GetString();
//...
#ifdef PODOFO_HAVE_LIBIDN
else if( (lV == 5L) && (rValue == 5L)
&& PdfEncrypt::IsEncryptionEnabled( ePdfEncryptAlgorithm_AESV3 ) )
{
//...
pdfEncrypt = new PdfEncryptAESV3(oValue, oeValue, uValue, ueValue, pValue, permsValue); // <<<<<<< call memcpy read 48 bytes from a 36 bytes sized heap buffer
}
#endif // PODOFO_HAVE_LIBIDN
//...
//=========
Mike Zhang of Pangu lab
Discussion
Diff: