Stack consumption issue in function md5Round1( ) - xpdf-4.01
Loginsoft-2019-1104
1 March, 2019
CVE Number
CVE-2019-9587
CWE
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
Product Details
Xpdf is a free PDF viewer and toolkit, including a text extractor, image converter, HTML converter, and more. Most of the tools are available as open source.
URL: https://www.xpdfreader.com/download.html
Vulnerable Versions
4.01
Vulnerability Details
There is a stack consumption issue in md5Round1(), located in Decrypt.cc, in Xpdf 4.01. It can be triggered by supplying a crafted PDF file to (for example) the pdfimages binary, and it allows an attacker to cause a denial of service (segmentation fault) or possibly have unspecified other impact. This is related to Catalog::countPageTree: the ASAN trace below shows the stack being exhausted by repeated recursive calls to Catalog::countPageTree (Catalog.cc:501) while the page tree is walked, with md5Round1() simply being the frame executing when the stack limit is reached.
SYNOPSIS
In Progress
Vulnerable Source Code
Analysis
DEBUG:
ASAN Report:
ASAN:SIGSEGV
=================================================================
==15699==ERROR: AddressSanitizer: stack-overflow on address 0x7fff60d72ff8 (pc 0x7f8813d6c222 bp 0x000000000150 sp 0x7fff60d73000 T0)
#0 0x7f8813d6c221 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xb0221)
#1 0x7f8813d6bd67 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xafd67)
#2 0x7f8813cdef4f (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22f4f)
#3 0x7f8813d554fe in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x994fe)
#4 0x4d8b68 in FileStream::copy() /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Stream.cc:783
#5 0x457d85 in DecryptStream::copy() /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Decrypt.cc:388
#6 0x4c9235 in Object::copy(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Object.cc:95
#7 0x4fa558 in XRef::fetch(int, int, Object*, int) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/XRef.cc:1061
#8 0x4c92b4 in Object::fetch(XRef*, Object*, int) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Object.cc:115
#9 0x44e04d in Array::get(int, Object*, int) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Array.cc:62
#10 0x4c9d13 in Object::arrayGet(int, Object*, int) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Object.h:243
#11 0x450006 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:500
#12 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#13 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#14 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#15 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#16 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#17 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#18 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#19 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#20 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#21 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#22 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#23 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#24 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#25 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#26 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#27 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#28 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#29 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#30 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#31 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#32 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#33 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#34 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#35 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#36 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#37 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#38 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#39 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#40 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#41 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#42 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#43 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#44 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#45 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
#46 0x450019 in Catalog::countPageTree(Object*) /home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Catalog.cc:501
SUMMARY: AddressSanitizer: stack-overflow ??:0 ??
==15699==ABORTING
GDB:
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x67452301
$rbx : 0x0000000000801030 → 0x0000000000526f40 → 0x0000000000457c68 → push rbp
$rcx : 0x10325476
$rdx : 0x98badcfe
$rsp : 0x7fffff7fefe8
$rbp : 0x00007fffff7ff018 → 0x00007fffff7ff100 → 0x00007fffff7ff120 → 0x00007fffff7ff1e0 → 0x00007fffff7ff230 → 0x00007fffff7ff270 → 0x00007fffff7ff290 → 0x00007fffff7ff340
$rsi : 0xefcdab89
$rdi : 0x67452301
$rip : 0x0000000000459e73 → mov QWORD PTR [rbp-0x20], rcx
$r8 : 0xffffffffe3761699
$r9 : 0x7
$r10 : 0x2052203020355b20 (" [5 0 R "?)
$r11 : 0x246
$r12 : 0x00000000007f7d50 → 0x000000000053f8f8 → 0x00000000004d8a6e → push rbp
$r13 : 0x00007fffffffdea0 → 0x000000000000000c
$r14 : 0x0
$r15 : 0x0
$eflags: [carry PARITY adjust zero sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
[!] Unmapped address
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x459e67 mov QWORD PTR [rbp-0x8], rdi
0x459e6b mov QWORD PTR [rbp-0x10], rsi
0x459e6f mov QWORD PTR [rbp-0x18], rdx
→ 0x459e73 mov QWORD PTR [rbp-0x20], rcx
0x459e77 mov QWORD PTR [rbp-0x28], r8
0x459e7b mov DWORD PTR [rbp-0x2c], r9d
0x459e7f mov rax, QWORD PTR [rbp-0x10]
0x459e83 and rax, QWORD PTR [rbp-0x18]
0x459e87 mov rdx, rax
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:/home/aceteam/Downloads/sources/xpdf-4.01/xpdf/Decrypt.cc+996 ────
991 x &= 0xffffffff;
992 return ((x << r) | (x >> (32 - r))) & 0xffffffff;
993 }
994
995 static inline Gulong md5Round1(Gulong a, Gulong b, Gulong c, Gulong d,
→ 996 Gulong Xk, int s, Gulong Ti) {
997 return b + rotateLeft((a + ((b & c) | (~b & d)) + Xk + Ti), s);
998 }
999
1000 static inline Gulong md5Round2(Gulong a, Gulong b, Gulong c, Gulong d,
1001 Gulong Xk, int s, Gulong Ti) {
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "pdfimages", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[!] Cannot access memory at address 0x7fffff7feff8
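The recursion seen in the ASAN trace above (frames #11 onward are all Catalog::countPageTree) is the kind of page-tree walk that needs a depth limit and cycle check. The following is an added example written for this page, not xpdf's own code: a minimal page-tree model (PdfNode, ObjectTable and the sample trees are constructed here) and a countPageTree() that rejects a /Kids reference back to an ancestor or nesting beyond a fixed depth instead of recursing until the stack runs out.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Minimal stand-in for a parsed PDF page tree (constructed data, not xpdf's
// types): each object is a /Pages node with /Kids references or a /Page leaf.
struct PdfNode {
    std::string type;       // "Pages" or "Page"
    std::vector<int> kids;  // object numbers referenced from /Kids
};
using ObjectTable = std::map<int, PdfNode>;

constexpr int kMaxPageTreeDepth = 64;  // real page trees are shallow

// Counts /Page leaves under objNum; returns -1 if /Kids refers back to a node
// on the current path (cycle) or nests deeper than kMaxPageTreeDepth. Either
// case would otherwise recurse until the stack is exhausted (the trace above).
int countPageTree(const ObjectTable &objs, int objNum, int depth,
                  std::set<int> &onPath) {
    if (depth > kMaxPageTreeDepth) return -1;
    if (!onPath.insert(objNum).second) return -1;  // already an ancestor
    int n = 0;
    auto it = objs.find(objNum);  // dangling references count as zero pages
    if (it != objs.end() && it->second.type == "Page") {
        n = 1;
    } else if (it != objs.end() && it->second.type == "Pages") {
        for (int kid : it->second.kids) {
            int n2 = countPageTree(objs, kid, depth + 1, onPath);
            if (n2 < 0) { onPath.erase(objNum); return -1; }
            n += n2;
        }
    }
    onPath.erase(objNum);
    return n;
}

// Entry point: count pages below the root /Pages object, or -1 if malformed.
int countPages(const ObjectTable &objs, int rootObj) {
    std::set<int> onPath;
    return countPageTree(objs, rootObj, 0, onPath);
}

// Constructed samples: a well-formed tree, and one whose /Kids lists itself.
ObjectTable wellFormedTree() {
    return {{2, {"Pages", {3, 4}}}, {3, {"Page", {}}}, {4, {"Page", {}}}};
}
ObjectTable selfReferencingTree() {
    return {{2, {"Pages", {5}}}, {5, {"Pages", {5, 6}}}, {6, {"Page", {}}}};
}
```

countPages(wellFormedTree(), 2) returns 2, while countPages(selfReferencingTree(), 2) returns -1 after a single bounded visit of object 5 rather than recursing.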
Proof of Concept
./pdfimages -f 2 -l 4 -j -raw -list -upw rome $POC out
POC FILE: REPRODUCER
Timeline
Vendor Disclosure: 2019-3-1
Public Disclosure: 2019-3-6
Credit
Discovered by ACE Team - Loginsoft