Bug 12797 - app-text/xpdf
Summary: app-text/xpdf
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: x86 Linux
Importance: Highest critical
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2002-12-27 11:00 UTC by Daniel Ahlberg (RETIRED)
Modified: 2003-02-04 19:42 UTC

See Also:
Package list:
Runtime testing required: ---
Description Daniel Ahlberg (RETIRED) gentoo-dev 2002-12-27 11:00:51 UTC
iDEFENSE Security Advisory 12.23.02: Integer Overflow in pdftops

From: "iDEFENSE Labs" <labs@idefense.com>
To: bugtraq@securityfocus.com
Date: Monday 22.32.47
iDEFENSE Security Advisory 12.23.02: 
http://www.idefense.com/advisory/12.23.02.txt 
Integer Overflow in pdftops 
December 23, 2002 
 
Reference Advisory: http://www.idefense.com/advisory/12.19.02.txt 
[Multiple Security Vulnerabilities in Common Unix Printing System (CUPS)] 
 
I. BACKGROUND 
 
Easy Software Products' Common Unix Printing System (CUPS) is a 
cross-platform printing solution for Unix environments. It is based on the 
"Internet Printing Protocol," and provides complete printing services to 
most PostScript and raster printers. CUPS has a web-based graphical 
interface for printer management and is available on most Linux systems. 
More information is available at http://www.cups.org . 
 
Xpdf is an open source viewer for Portable Document Format (PDF) files. 
The Xpdf project also includes a PDF text extractor, PDF-to-PostScript 
converter, and various other utilities.  It also comes with two other 
programs: pdftops and pdftotext which convert PDF files to postscript and 
plain text respectively.  More information is available at 
http://www.foolabs.com/xpdf/ . 
 
II. DESCRIPTION 
 
The pdftops filter in the Xpdf and CUPS packages contains an integer 
overflow that can be exploited to gain the privileges of the target user 
or in some cases the increased privileges of the 'lp' user if installed 
setuid. There are multiple ways of exploiting this vulnerability. The 
following is just one example: 
 
A ColorSpace with 1,431,655,768 elements is created, each element having 
three components. 1,431,655,768 is too large to store within a 32-bit 
integer, so the high bit is cut off, leaving only 8, which is how much 
is actually allocated. 
 
... 
 /CS 
 [ 
  /Indexed 
  /RGB 
  1431655768 
  7 0 R 
 ] 
... 
 
The '7 0 R' from above refers to a stream that is read into an array that 
is allocated as above. The stream is read until it has reached the highest 
index number, or the stream ends. If the filter supplies enough data the 
application will crash when trying to access bad memory. It is possible to 
exploit this condition by supplying the right length of bad memory, and 
stop the stream breaking the reading. A function pointer can then be 
overwritten to execute arbitrary code. Example: 
 
... 
7 0 obj << 
/Length 229 
>> 
stream 
content to write into memory....endstream 
endobject 
... 
 
The following is a sample run of the cups-pdf exploit running with the 
user's privileges: 
 
$ ./cups-pdf | lp 
request id is lp-108 (1 file(s)) 
$ ls -l /tmp/pdfexploit-worked 
-rw-rw-r-- 1 farmer farmer 0 Dec 4 13:41 /tmp/pdfexploit-worked 
 
III. ANALYSIS 
 
This vulnerability is locally exploitable.  In order to perform "remote" 
exploitation, an attacker must trick a user into printing a malformed PDF 
file from the command line.  In the implementation cases where "lp" user 
privileges are attainable, more advanced attacks can be performed to gain 
local root access (see iDEFENSE Advisory 12.19.02). 
 
IV. DETECTION 
 
The vulnerability exists in the latest stable version of Xpdf (Xpdf 2.01) 
and all prior versions.  The vulnerability was verified on Red Hat Linux 
7.0 running CUPS-1.1.14-5 (RPM). 
 
V. VENDOR RESPONSES/FIXES 
 
A patch supplied by the author of Xpdf is available from 
ftp://ftp.foolabs.com/pub/xpdf/xpdf-2.01-patch1 which fixes this issue in 
pdftops when applied to the latest source code version, 2.01. 
Additionally, the latest version of CUPS, 1.1.18, should also fix this 
issue within the included pdftops utility.  It is available from 
http://www.cups.org . 
 
VI. CVE INFORMATION 
 
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project 
assigned the identification number CAN-2002-1384 to this issue. 
 
VII. DISCLOSURE TIMELINE 
 
10/27/2002      Initial discussion with contributor 
11/14/2002      Final contributor submission 
12/12/2002      CUPS author and Xpdf author notified via e-mail to 
                 cups-support@cups.org and Derek B. Noonburg 
                 (derekn@glyphandcog.com) 
12/12/2002      iDEFENSE clients notified 
12/12/2002      Response and preliminary patch received from 
                 CUPS author Michael Sweet (mike@easysw.com) 
12/12/2002      Apple, Linux Security List (vendor-sec@lst.de) 
12/13/2002      Updated patch received from Michael Sweet 
12/17/2002      Patch received from Derek B. Noonburg 
12/23/2002      Coordinated Public Disclosure 
 
VIII. CREDIT 
 
zen-parse (zen-parse@gmx.net) discovered this issue. 
 
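The size arithmetic the advisory describes, shown as an added C example (not code from the advisory, from xpdf or from CUPS). It assumes a simplified model in which the /Indexed lookup table needs elements times components bytes; the function names are invented for this illustration. The unchecked version reproduces the wrap from 1431655768 * 3 to 8, and the checked version shows the bound that refuses such a request before anything is allocated.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of the lookup-table allocation behind an /Indexed
 * colour space: the table needs n_elements * n_comps bytes. The model
 * and the function names are assumptions made for this example. */

/* Unchecked: the arithmetic the advisory describes. The product is
 * formed in 32 bits and wraps, so 1431655768 * 3 (= 2^32 + 8) becomes 8
 * and a tiny buffer is allocated for a huge table. The unsigned cast only
 * makes the wraparound well-defined C; the resulting value is the same. */
int32_t lookup_bytes_unchecked(int32_t n_elements, int32_t n_comps)
{
    return (int32_t)((uint32_t)n_elements * (uint32_t)n_comps);
}

/* Checked: reject non-positive inputs and any product that cannot be
 * represented in a 32-bit int, tested before the product is formed.
 * Returns the byte count, or -1 when the request must be refused. */
int64_t lookup_bytes_checked(int32_t n_elements, int32_t n_comps)
{
    if (n_elements <= 0 || n_comps <= 0)
        return -1;
    if (n_elements > INT32_MAX / n_comps)   /* product would overflow */
        return -1;
    return (int64_t)n_elements * (int64_t)n_comps;
}

int main(void)
{
    /* constructed input: the element count and component count from the
     * advisory's /CS array */
    int32_t n = 1431655768, comps = 3;

    printf("unchecked: %d bytes\n", (int)lookup_bytes_unchecked(n, comps));
    int64_t bytes = lookup_bytes_checked(n, comps);
    if (bytes < 0) {
        printf("checked: colour space rejected, nothing allocated\n");
        return 1;
    }
    unsigned char *table = malloc((size_t)bytes);   /* sane sizes only */
    if (table == NULL)
        return 1;
    printf("checked: allocated %lld bytes\n", (long long)bytes);
    free(table);
    return 0;
}
```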
Comment 1 Daniel Ahlberg (RETIRED) gentoo-dev 2003-01-02 04:18:09 UTC
unmasked and glsa sent.