Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=742 We have identified the following memory corruption vulnerability in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way: $ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf The DISPLAY=:1 environment variable is set because we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too. An example excerpt from the crash log is as follows: --- cut --- Program received signal SIGSEGV, Segmentation fault. 0x0000000000aab96c in CFX_BaseSegmentedArray::IterateIndex(int, int&, void**, int (*)(void*, void*), void*) const () (gdb) where #0 0x0000000000aab96c in CFX_BaseSegmentedArray::IterateIndex(int, int&, void**, int (*)(void*, void*), void*) const () #1 0x0000000000aab9dc in CFX_BaseSegmentedArray::Iterate(int (*)(void*, void*), void*) const () #2 0x0000000000ab1a99 in CFX_CMapByteStringToPtr::Lookup(CFX_ByteStringC const&, void*&) const () #3 0x00000000007db5df in CPDF_Dictionary::KeyExist(CFX_ByteStringC const&) const () #4 0x000000000070e6a6 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) () #5 0x000000000070e6e3 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) () #6 0x000000000070f986 in CBMTreeCtrl::on_ItemExpanded(QTreeWidgetItem*) () #7 0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 #8 0x00007ffff7722612 in QTreeWidget::itemExpanded(QTreeWidgetItem*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 #9 0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 #10 0x00007ffff76ecc92 in QTreeView::expanded(QModelIndex const&) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 #11 0x00007ffff76f8903 in QTreeView::expand(QModelIndex const&) () from
/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 #12 0x00007ffff7724e44 in QTreeWidget::expandItem(QTreeWidgetItem const*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 #13 0x000000000070a0cb in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) () #14 0x000000000070a4c7 in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) () #15 0x000000000070a83d in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) () #16 0x000000000070a83d in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) () #17 0x000000000070beb6 in CBMTreeView::ReBuildTree(int) () #18 0x000000000051eaff in CChildFrame::GetPanelMgrEx (this=0x1a1c3b0) at ../../Readerlite/ReaderLite/src/childframe.cpp:91 #19 0x00000000005000c1 in CReader_DocViewEx::InitViewData (this=0x194ce60) at ../../Readerlite/ReaderLite/src/frd_docviewex.cpp:61 #20 0x000000000048e691 in CPDF_OwnerFileTypeHandler::OpenContinueNormal (this=0x14c5470, pdoc=0x193a720, filePath=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:99 #21 0x000000000048f754 in CPDF_OwnerFileTypeHandler::DoOpen (this=0x14c5470, csFilterName=..., wsPathName=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:216 #22 0x000000000045d038 in CReader_AppEx::OwnerFileTypeHandlerDoOpen (this=0x14a47e0, csFDFFile=...) at ../../Readerlite/ReaderLite/src/frd_appex.cpp:941 #23 0x000000000043caac in CMainWindow::OpenFile (this=0x14c4240, fileName=...) 
at ../../Readerlite/ReaderLite/src/mainwindow.cpp:434 #24 0x0000000000439da9 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:301 (gdb) x/10i $rip => 0xaab96c <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+94>: mov 0x0(%r13,%rbp,8),%rcx 0xaab971 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+99>: test %rcx,%rcx 0xaab974 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+102>: jne 0xaab983 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+117> 0xaab976 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+104>: inc %rbp 0xaab979 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+107>: movzbl 0xe(%rbx),%eax 0xaab97d <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+111>: cmp %ebp,%eax 0xaab97f <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+113>: jg 0xaab96c <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+94> 0xaab981 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+115>: jmp 0xaab99f <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+145> 0xaab983 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+117>: mov 0xc(%rsp),%esi 0xaab987 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+121>: mov %r15,%r9 (gdb) info reg rax 0x7c 124 rbx 0x1a66130 27681072 rcx 0xe1a704fcae02ca58 -2186773610767398312 rdx 0x7fffffffceec 140737488342764 rsi 0x2f 47 rdi 0x1a66130 27681072 rbp 0x0 0x0 rsp 0x7fffffffce90 0x7fffffffce90 r8 0xab0f92 11210642 r9 0x6a83f4ca 1787032778 r10 0xfd 253 r11 0x0 0 r12 0x7fffffffceec 140737488342764 r13 0xe1a704fcae02ca58 -2186773610767398312 r14 0xab0f92 11210642 r15 0x6a83f4ca 1787032778 rip 0xaab96c 0xaab96c <CFX_BaseSegmentedArray::IterateIndex(int, int&, void**, int (*)(void*, void*), void*) const+94> eflags 0x10202 [ IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 --- cut --- Attached are three proof of concept PDF files.
There is another crash likely related to this issue: --- cut --- Program received signal SIGSEGV, Segmentation fault. 0x0000000000ab0f94 in _CMapLookupCallback(void*, void*) () (gdb) where #0 0x0000000000ab0f94 in _CMapLookupCallback(void*, void*) () #1 0x0000000000aab8e4 in CFX_BaseSegmentedArray::IterateSegment(unsigned char const*, int, int (*)(void*, void*), void*) const () #2 0x0000000000aab9dc in CFX_BaseSegmentedArray::Iterate(int (*)(void*, void*), void*) const () #3 0x0000000000ab1a99 in CFX_CMapByteStringToPtr::Lookup(CFX_ByteStringC const&, void*&) const () #4 0x00000000007db5df in CPDF_Dictionary::KeyExist(CFX_ByteStringC const&) const () #5 0x000000000070e6a6 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) () #6 0x000000000070e6e3 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) () #7 0x000000000070f986 in CBMTreeCtrl::on_ItemExpanded(QTreeWidgetItem*) () #8 0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 #9 0x00007ffff7722612 in QTreeWidget::itemExpanded(QTreeWidgetItem*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 #10 0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 #11 0x00007ffff76ecc92 in QTreeView::expanded(QModelIndex const&) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 #12 0x00007ffff76f8903 in QTreeView::expand(QModelIndex const&) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 #13 0x00007ffff7724e44 in QTreeWidget::expandItem(QTreeWidgetItem const*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5 #14 0x000000000070a0cb in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) () #15 0x000000000070a4c7 in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) () #16 0x000000000070beb6 in CBMTreeView::ReBuildTree(int) () #17
0x000000000051eaff in CChildFrame::GetPanelMgrEx (this=0x196cf90) at ../../Readerlite/ReaderLite/src/childframe.cpp:91 #18 0x00000000005000c1 in CReader_DocViewEx::InitViewData (this=0x191dce0) at ../../Readerlite/ReaderLite/src/frd_docviewex.cpp:61 #19 0x000000000048e691 in CPDF_OwnerFileTypeHandler::OpenContinueNormal (this=0x1468c50, pdoc=0x19194b0, filePath=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:99 #20 0x000000000048f754 in CPDF_OwnerFileTypeHandler::DoOpen (this=0x1468c50, csFilterName=..., wsPathName=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:216 #21 0x000000000045d038 in CReader_AppEx::OwnerFileTypeHandlerDoOpen (this=0x144a920, csFDFFile=...) at ../../Readerlite/ReaderLite/src/frd_appex.cpp:941 #22 0x000000000043caac in CMainWindow::OpenFile (this=0x1468760, fileName=...) at ../../Readerlite/ReaderLite/src/mainwindow.cpp:434 #23 0x0000000000439da9 in main (argc=2, argv=0x7fffffffe288) at ../../Readerlite/ReaderLite/src/main.cpp:301 (gdb) x/10i $rip => 0xab0f94 <_Z19_CMapLookupCallbackPvS_+2>: cmp %edi,(%rsi) 0xab0f96 <_Z19_CMapLookupCallbackPvS_+4>: jne 0xab0fa1 <_Z19_CMapLookupCallbackPvS_+15> 0xab0f98 <_Z19_CMapLookupCallbackPvS_+6>: xor %eax,%eax 0xab0f9a <_Z19_CMapLookupCallbackPvS_+8>: cmpb $0xfe,0x4(%rsi) 0xab0f9e <_Z19_CMapLookupCallbackPvS_+12>: setne %al 0xab0fa1 <_Z19_CMapLookupCallbackPvS_+15>: xor $0x1,%eax 0xab0fa4 <_Z19_CMapLookupCallbackPvS_+18>: retq 0xab0fa5 <_CompareDWord>: mov (%rdi),%eax 0xab0fa7 <_CompareDWord+2>: sub (%rsi),%eax 0xab0fa9 <_CompareDWord+4>: retq (gdb) info reg $rsi rsi 0x71 113 --- cut --- Attached are three further files that reproduce the crash (note that MALLOC_CHECK_=3 might be necessary). Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39944.zip