AOH :: HP Unsorted P :: B06-2444.HTM

PDF tools ag - PDF form filling and flattening tool buffer overflow



VSR Advisory: PDF Tools AG - PDF Form Filling and Flattening Tool Buffer Overflow
VSR Advisory: PDF Tools AG - PDF Form Filling and Flattening Tool Buffer Overflow



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

               Virtual Security Research, LLC.
http://www.vsecurity.com/ 
                      Security Advisory

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: PDF Form Filling and Flattening Tool Buffer Overflow
 Release Date: 2006-05-23
  Application: PDF Tools AG - PDF Form Filling and Flattening Tool
      Version: 3.0 (Windows)
               (other versions and platforms untested)
     Severity: High
       Author: George D. Gal 
Vendor Status: Vendor Notified, Fix Available
CVE Candidate: CVE-2006-2549
    Reference: 
http://www.vsecurity.com/bulletins/advisories/2006/pdf-form-filling.txt 
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description:

> From the pdf-tools.com website[1]:

 "PDF Tools AG is a world leader in PDF (The Adobe Portable Document Format) 
  programming technology, delivering reliable PDF products to international 
  customers in virtually all market segments."

 "PDF Form Filling and Flattening Tool is a command line tool that can
  create, edit, fill in and delete form fields in a PDF document."


Vulnerability Overview:

On April 18th, 2006 VSR has identified a stack overflow in the PDF Tools AG
PDF Form Filling and Flattening tool.  Although this is a traditional 
command line utility there may be a risk to those users of the application 
who use it within web application or a network service, particularly when 
relying on user supplied input to generate the PDF form field name or value 
pairs.

In situations where user supplied input is used to populate a control file 
of name value pairs without sufficient input validation the form field 
names are susceptible to overflow.  The buffer overflow occurs as a 
direct result of unsafe string copy operations to a 256 byte fixed length 
buffer. The binary is also susceptible to overflows of the PDF form field 
names when specified on the command line instead of within a control file.

The following command may be used to check for the existence of the 
vulnerability in the PDF form filling and flattening tool:

./pdformp.exe input.pdf output.pdf `perl -e 'print "A"x260;'`=foo

Vendor Response:

PDF Tools AG was first notified on 2006-04-19. The following time line 
outlines the responses from the vendor regarding this issue:

 2006-04-20 - Acknowledgment of security notification received from VSR.
              Vendor stated that they only support registered customers
              of the product.
 2006-05-02 - Vendor response acknowledging overflow which will be 
              resolved in the next pre-release version.
 2006-05-10 - Vendor response providing estimated release schedule.
 2006-05-15 - Vendor response notifying VSR of publicly released fix.
 
Recommendation:

PDF Tools AG customers should upgrade to the latest build of the PDF
Form Filling and Flattening tool (build 3.1.0.12) released on
May 10th 2006.

The upgrade is available via:

http://www.pdf-tools.com/asp/products.asp?name=FF&type=shell 

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

  CVE-2006-2549

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. PDF Tools AG Form Filling and Flattening Tool
http://www.pdf-tools.com/asp/products.asp?name=FF&type=shell 

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Vulnerability Disclosure Policy:

http://www.vsecurity.com/disclosurepolicy.html 

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2006 Virtual Security Research, LLC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFEdM8vTY6Rj3GeBOoRAkWkAJ4xArAz6lAV5VAAdhlUonIuXlTKcwCfTvQF
Wom0EDhnbI/8dkcr9F3ePfE=RPRL
-----END PGP SIGNATURE-----

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.