VSR Advisory: PDF Tools AG - PDF Form Filling and Flattening Tool Buffer Overflow

Hash: SHA1

Virtual Security Research, LLC.
Security Advisory

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: PDF Form Filling and Flattening Tool Buffer Overflow
Release Date: 2006-05-23
Application: PDF Tools AG - PDF Form Filling and Flattening Tool
Version: 3.0 (Windows)
(other versions and platforms untested)
Severity: High
Author: George D. Gal <ggal_at_vsecurity.com>
Vendor Status: Vendor Notified, Fix Available
CVE Candidate: CVE-2006-2549
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description:

From the pdf-tools.com website[1]:

"PDF Tools AG is a world leader in PDF (The Adobe Portable Document Format)
programming technology, delivering reliable PDF products to international
customers in virtually all market segments."

"PDF Form Filling and Flattening Tool is a command line tool that can
create, edit, fill in and delete form fields in a PDF document."

Vulnerability Overview:

On April 18th, 2006 VSR has identified a stack overflow in the PDF Tools AG
PDF Form Filling and Flattening tool. Although this is a traditional
command line utility there may be a risk to those users of the application
who use it within web application or a network service, particularly when
relying on user supplied input to generate the PDF form field name or value

In situations where user supplied input is used to populate a control file
of name value pairs without sufficient input validation the form field
names are susceptible to overflow. The buffer overflow occurs as a
direct result of unsafe string copy operations to a 256 byte fixed length
buffer. The binary is also susceptible to overflows of the PDF form field
names when specified on the command line instead of within a control file.

The following command may be used to check for the existence of the
vulnerability in the PDF form filling and flattening tool:

./pdformp.exe input.pdf output.pdf `perl -e 'print "A"x260;'`=foo

Vendor Response:

PDF Tools AG was first notified on 2006-04-19. The following time line
outlines the responses from the vendor regarding this issue:

2006-04-20 - Acknowledgment of security notification received from VSR.
Vendor stated that they only support registered customers
of the product.
2006-05-02 - Vendor response acknowledging overflow which will be
resolved in the next pre-release version.
2006-05-10 - Vendor response providing estimated release schedule.
2006-05-15 - Vendor response notifying VSR of publicly released fix.


PDF Tools AG customers should upgrade to the latest build of the PDF
Form Filling and Flattening tool (build released on
May 10th 2006.

The upgrade is available via:


- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


1. PDF Tools AG Form Filling and Flattening Tool

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Vulnerability Disclosure Policy:


- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Copyright 2006 Virtual Security Research, LLC. All rights reserved.
Version: GnuPG v1.4.2 (FreeBSD)