VSR Advisory: PDF Tools AG - PDF Form Filling and Flattening Tool Buffer Overflow


               Virtual Security Research, LLC. 
                      Security Advisory

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: PDF Form Filling and Flattening Tool Buffer Overflow
 Release Date: 2006-05-23
  Application: PDF Tools AG - PDF Form Filling and Flattening Tool
      Version: 3.0 (Windows)
               (other versions and platforms untested)
     Severity: High
       Author: George D. Gal 
Vendor Status: Vendor Notified, Fix Available
CVE Candidate: CVE-2006-2549
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description:

From the website[1]:

 "PDF Tools AG is a world leader in PDF (The Adobe Portable Document Format) 
  programming technology, delivering reliable PDF products to international 
  customers in virtually all market segments."

 "PDF Form Filling and Flattening Tool is a command line tool that can
  create, edit, fill in and delete form fields in a PDF document."

Vulnerability Overview:

On April 18th, 2006, VSR identified a stack overflow in the PDF Tools AG
PDF Form Filling and Flattening tool.  Although this is a traditional 
command line utility, there may be a risk to users of the application 
who run it within a web application or a network service, particularly when 
relying on user-supplied input to generate the PDF form field name or value.

In situations where user-supplied input is used to populate a control file 
of name/value pairs without sufficient input validation, the form field 
names are susceptible to overflow.  The buffer overflow occurs as a 
direct result of unsafe string copy operations to a 256-byte fixed-length 
buffer. The binary is also susceptible to overflows of the PDF form field 
names when they are specified on the command line instead of within a 
control file.

The following command may be used to check for the existence of the 
vulnerability in the PDF form filling and flattening tool:

./pdformp.exe input.pdf output.pdf `perl -e 'print "A"x260;'`=foo
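
An added example, not code from the advisory or from PDF Tools AG: the kind of unchecked copy of a name=value field name into a 256-byte buffer that the overview describes, next to a length-checked version that rejects over-long names. The function names and parsing details are assumptions for illustration; only the 256-byte size and the name=value form come from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_NAME_MAX 256   /* buffer size stated in the advisory */

/* Unsafe pattern (hypothetical reconstruction, shown for contrast only):
 * the name is copied into the fixed buffer with no length check. */
void copy_name_unchecked(char *dst, const char *pair)
{
    const char *eq = strchr(pair, '=');
    size_t n = eq ? (size_t)(eq - pair) : strlen(pair);
    memcpy(dst, pair, n);          /* n can exceed FIELD_NAME_MAX */
    dst[n] = '\0';
}

/* Hardened form: measure the name first and reject anything that does
 * not fit. Returns 0 on success, -1 on a malformed or over-long name. */
int parse_pair_checked(const char *pair, char name[FIELD_NAME_MAX],
                       const char **value)
{
    const char *eq = strchr(pair, '=');
    if (eq == NULL || eq == pair)
        return -1;                 /* no '=' or empty field name */
    size_t n = (size_t)(eq - pair);
    if (n >= FIELD_NAME_MAX)
        return -1;                 /* reject rather than truncate */
    memcpy(name, pair, n);
    name[n] = '\0';
    *value = eq + 1;
    return 0;
}

int main(void)
{
    char name[FIELD_NAME_MAX], big[300];
    const char *value;

    /* Constructed input: a 260-byte name, the length used in the check above. */
    memset(big, 'A', 260);
    strcpy(big + 260, "=foo");

    printf("short name: %d\n", parse_pair_checked("City=Boston", name, &value));
    printf("260-byte name: %d\n", parse_pair_checked(big, name, &value));
    return 0;
}
```

A web application or service that builds the control file from user input can apply the same length check before invoking the tool, independently of the vendor fix.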

Vendor Response:

PDF Tools AG was first notified on 2006-04-19. The following timeline 
outlines the responses from the vendor regarding this issue:

 2006-04-20 - Acknowledgment of security notification received from VSR.
              Vendor stated that they only support registered customers
              of the product.
 2006-05-02 - Vendor response acknowledging overflow which will be 
              resolved in the next pre-release version.
 2006-05-10 - Vendor response providing estimated release schedule.
 2006-05-15 - Vendor response notifying VSR of publicly released fix.

PDF Tools AG customers should upgrade to the latest build of the PDF
Form Filling and Flattening tool (build released on
May 10th 2006).

The upgrade is available via: 

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list, which standardizes 
names for security problems.


- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


1. PDF Tools AG Form Filling and Flattening Tool 

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Vulnerability Disclosure Policy: 

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2006 Virtual Security Research, LLC. All rights reserved.