[UNIX] Integer Overflow in pdftops

From: support@securiteam.com
Date: 12/25/02

To: list@securiteam.com

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Integer Overflow in pdftops
    ------------------------------------------------------------------------

    SUMMARY

    Easy Software Products' Common UNIX Printing System (CUPS) is a
    cross-platform printing solution for Unix environments. It is based on the
    "Internet Printing Protocol," and provides complete printing services to
    most PostScript and raster printers. CUPS has a web-based graphical
    interface for printer management and is available on most Linux systems.

    Xpdf is an open source viewer for Portable Document Format (PDF) files.
    The Xpdf project also includes a PDF text extractor, PDF-to-PostScript
    converter, and various other utilities. It also comes with two other
    programs: pdftops and pdftotext, which convert PDF files to PostScript and
    plain text respectively.

    The pdftops filter in the Xpdf and CUPS packages contains an integer
    overflow that can be exploited to gain the increased privileges of the
    'lp' user.

    DETAILS

    There are multiple ways of exploiting this vulnerability. The following is
    just one example:

    A ColorSpace with 1,431,655,768 elements is created, each element having
    three components. Multiplied by the three components per element, the
    allocation size is too large to store within a 32-bit integer, so the high
    bits are cut off, leaving only 8, which is how much memory is actually
    allocated.

    ..
     /CS
     [
      /Indexed
      /RGB
      1431655768
      7 0 R
     ]
    ..

    The '7 0 R' from above refers to a stream that is read into the array
    allocated as described. The stream is read until the highest index number
    is reached or the stream ends. If the filter supplies enough data, the
    application will crash when it tries to access bad memory. It is possible
    to exploit this condition by supplying exactly the right amount of data to
    overwrite the adjacent memory and then ending the stream so the read stops
    before it faults. A function pointer can then be overwritten to execute
    arbitrary code.
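    To make the size calculation concrete, the following is an added example in
    C; it is not code from Xpdf, CUPS or the advisory. It shows the 32-bit
    product wrapping exactly as described above, beside a hardened size check
    that validates the declared element count against the format's own limit
    (an /Indexed colour space's hival is at most 255, since entries are
    addressed by one byte) and multiplies with an explicit overflow test before
    anything is allocated. All function names and the constructed inputs are
    this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Highest index an /Indexed colour space may declare (hival) per the PDF
   specification: lookup-table entries are addressed by a single byte. */
#define INDEXED_MAX_HIVAL 255u

/* The size calculation as the advisory describes it: element count times
   components per element in 32-bit arithmetic. The product silently wraps
   modulo 2^32 when it exceeds 4,294,967,295. Returned only to show the
   wrapped value; it must never be used as an allocation size. */
uint32_t wrapped_lookup_size(uint32_t elements, uint32_t ncomps)
{
    return elements * ncomps;   /* unsigned wrap-around, no diagnostic */
}

/* Hardened calculation: reject counts outside what the format allows, then
   multiply in size_t with an explicit overflow check. Returns true and writes
   the byte count to *out only when the size is safe to allocate. */
bool safe_lookup_size(uint32_t elements, uint32_t ncomps, size_t *out)
{
    if (elements == 0 || elements > INDEXED_MAX_HIVAL + 1u)
        return false;                          /* out of range for /Indexed */
    if (ncomps == 0)
        return false;                          /* no components, nothing to read */
    if ((size_t)elements > SIZE_MAX / (size_t)ncomps)
        return false;                          /* product would overflow */
    *out = (size_t)elements * (size_t)ncomps;
    return true;
}

/* Convenience wrapper: the validated byte count, or 0 when rejected. */
size_t validated_lookup_size(uint32_t elements, uint32_t ncomps)
{
    size_t n = 0;
    return safe_lookup_size(elements, ncomps, &n) ? n : 0;
}

/* Allocate the lookup table only after the size has been validated, so a
   wrapped size can never reach the allocator. */
unsigned char *alloc_lookup_table(uint32_t elements, uint32_t ncomps)
{
    size_t n;
    if (!safe_lookup_size(elements, ncomps, &n))
        return NULL;
    return calloc(n, 1);
}

/* True when a table for the given dimensions is accepted and allocated. */
bool lookup_table_allocates(uint32_t elements, uint32_t ncomps)
{
    unsigned char *t = alloc_lookup_table(elements, ncomps);
    if (t == NULL)
        return false;
    free(t);
    return true;
}

int main(void)
{
    /* Constructed input: the element count from the advisory's example. */
    uint32_t elements = 1431655768u, ncomps = 3u;

    printf("32-bit product for %u x %u wraps to: %u bytes\n",
           (unsigned)elements, (unsigned)ncomps,
           (unsigned)wrapped_lookup_size(elements, ncomps));
    printf("hardened check accepts it? %s\n",
           lookup_table_allocates(elements, ncomps) ? "yes" : "no");
    printf("hardened check accepts 256 x 3? %s\n",
           lookup_table_allocates(256u, 3u) ? "yes" : "no");
    return 0;
}
```

    The range check does the real work here: with the count capped at 256 the
    product can never approach 2^32, and the SIZE_MAX division is a belt-and-
    braces guard for callers that pass other dimensions. A parser that reads
    both the count and the stream length from the file should apply the same
    validated size when bounding the subsequent read.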

    Example:
    ..
    7 0 obj <<
    /Length 229
    >>
    stream
    content to write into memory....endstream
    endobject
    ..

    The following is a sample run of the cups-pdf exploit:
    $ ./cups-pdf | lp
    request id is lp-108 (1 file(s))
    $ ls -l /tmp/pdfexploit-worked
    -rw-rw-r-- 1 farmer farmer 0 Dec 4 13:41 /tmp/pdfexploit-worked

    Analysis:
    This vulnerability is locally exploitable. In order to perform "remote"
    exploitation, an attacker must trick a user into printing a malformed PDF
    file from the command line. With "lp" user privileges, more advanced
    attacks can be performed to gain local root access (see iDEFENSE Advisory
    <http://www.securiteam.com/unixfocus/6V00E2K6AM.html> 12.19.02).

    Detection:
    The vulnerability exists in the latest stable version of Xpdf (Xpdf 2.01)
    and all prior versions. The vulnerability was verified on Red Hat Linux
    7.0 running CUPS-1.1.14-5 (RPM).

    Vendor response and fixes:
    A patch supplied by the author of Xpdf is available from
    ftp://ftp.foolabs.com/pub/xpdf/xpdf-2.01-patch1 which fixes this issue in
    pdftops when applied to the latest source code version, 2.01.
    Additionally, the latest version of CUPS, 1.1.18, should also fix this
    issue within the included pdftops utility. It is available from
    http://www.cups.org .

    Disclosure timeline:
    10/27/2002 Initial discussion with contributor
    11/14/2002 Final contributor submission
    12/12/2002 CUPS author and Xpdf author notified via e-mail to
    cups-support@cups.org and Derek B. Noonburg (derekn@glyphandcog.com)
    12/12/2002 iDEFENSE clients notified
    12/12/2002 Response and preliminary patch received from CUPS author
    Michael Sweet (mike@easysw.com)
    12/12/2002 Apple and the Linux Security List (vendor-sec@lst.de) notified
    12/13/2002 Updated patch received from Michael Sweet
    12/17/2002 Patch received from Derek B. Noonburg
    12/23/2002 Coordinated Public Disclosure

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    http://www.idefense.com/advisory/12.23.02.txt

    The information has been provided by iDEFENSE Labs
    (listserv@idefense.com); the vulnerability was discovered by zen-parse
    (zen-parse@gmx.net).
