Full Disclosure mailing list archives

iDEFENSE Security Advisory 12.23.02: Integer Overflow in pdftops
From: "iDEFENSE Labs" <labs () idefense com>
Date: Mon, 23 Dec 2002 16:32:47 -0500


iDEFENSE Security Advisory 12.23.02:
Integer Overflow in pdftops
December 23, 2002

Reference Advisory: http://www.idefense.com/advisory/12.19.02.txt 
[Multiple Security Vulnerabilities in Common Unix Printing System (CUPS)]


Easy Software Products' Common Unix Printing System (CUPS) is a
cross-platform printing solution for Unix environments. It is based on the
"Internet Printing Protocol," and provides complete printing services to
most PostScript and raster printers. CUPS has a web-based graphical
interface for printer management and is available on most Linux systems.
More information is available at http://www.cups.org .

Xpdf is an open source viewer for Portable Document Format (PDF) files.
The Xpdf project also includes various utilities, among them two command
line programs: pdftops and pdftotext, which convert PDF files to PostScript
and plain text respectively. More information is available at
http://www.foolabs.com/xpdf/ .


The pdftops filter in the Xpdf and CUPS packages contains an integer
overflow that can be exploited to gain the privileges of the target user
or in some cases the increased privileges of the 'lp' user if installed
setuid. There are multiple ways of exploiting this vulnerability. The
following is just one example: 

A ColorSpace with 1,431,655,768 elements is created, each element having
three components. The allocation size, 1,431,655,768 multiplied by 3, is
4,294,967,304, which is too large to store within a 32-bit integer, so the
high bit is cut off, leaving 8, which is the number of bytes actually
allocated.

  7 0 R 

The '7 0 R' above refers to a stream that is read into the array allocated
as described. The stream is read until the highest index number has been
reached, or the stream ends. If the filter supplies enough data, the
application will crash when it tries to access bad memory. It is possible
to exploit this condition by supplying the right amount of data and then
ending the stream before the read breaks. A function pointer can then be
overwritten to execute arbitrary code. Example:

7 0 obj <<
/Length 229

content to write into memory....endstream
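The arithmetic behind the truncated allocation, next to the overflow-checked size computation a hardened parser would use, as an added C example that is not code from the advisory, Xpdf or CUPS. The function names are illustrative; the 255 cap is the hival limit the PDF specification places on an Indexed colour space, applied here before any multiplication.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Size the original-style code passes to malloc for the lookup table:
 * the product is formed in 32-bit arithmetic and silently wraps modulo
 * 2^32.  sizeof(unsigned char) is 1, so it is left out of the product. */
uint32_t wrapped_alloc_size(uint32_t n_elems, uint32_t n_comps) {
    return n_elems * n_comps;
}

/* Overflow-checked 32-bit multiply: returns the product, or 0 when the
 * product would not fit.  0 is never a valid table size, so it doubles
 * as the failure value and the caller can reject the object. */
uint32_t checked_mul32(uint32_t a, uint32_t b) {
    if (a == 0 || b == 0) return 0;
    if (a > UINT32_MAX / b) return 0;   /* a * b would exceed 2^32 - 1 */
    return a * b;
}

/* Hypothetical hardened size computation for an Indexed colour space.
 * hival is the highest table index (hival + 1 elements), and the PDF
 * specification limits it to 255; that bound is enforced first, and the
 * multiply is still overflow-checked.  Returns 0 when the colour space
 * must be rejected. */
uint32_t indexed_lookup_size(int64_t hival, uint32_t n_comps) {
    if (hival < 0 || hival > 255) return 0;   /* outside the PDF spec */
    if (n_comps == 0) return 0;
    return checked_mul32((uint32_t)hival + 1u, n_comps);
}

int main(void) {
    /* Element count quoted in the advisory: 1,431,655,768 x 3 = 2^32 + 8 */
    uint32_t n = 1431655768u;
    printf("wrapped allocation:  %" PRIu32 " bytes\n", wrapped_alloc_size(n, 3));
    printf("checked allocation:  %" PRIu32 " (0 = rejected)\n", checked_mul32(n, 3));
    printf("hival 255, 3 comps:  %" PRIu32 " bytes\n", indexed_lookup_size(255, 3));
    printf("hival %" PRIu32 ":     %" PRIu32 " (0 = rejected)\n",
           n - 1u, indexed_lookup_size((int64_t)n - 1, 3));
    return 0;
}
```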

The following is a sample run of the cups-pdf exploit running with the
user's privileges: 

$ ./cups-pdf | lp
request id is lp-108 (1 file(s))
$ ls -l /tmp/pdfexploit-worked 
-rw-rw-r-- 1 farmer farmer 0 Dec 4 13:41 /tmp/pdfexploit-worked


This vulnerability is locally exploitable.  In order to perform "remote"
exploitation, an attacker must trick a user into printing a malformed PDF
file from the command line.  In the implementation cases where "lp" user
privileges are attainable, more advanced attacks can be performed to gain
local root access (see iDEFENSE Advisory 12.19.02).


The vulnerability exists in the latest stable version of Xpdf (Xpdf 2.01)
and all prior versions.  The vulnerability was verified on Red Hat Linux
7.0 running CUPS-1.1.14-5 (RPM).    


A patch supplied by the author of Xpdf is available from
ftp://ftp.foolabs.com/pub/xpdf/xpdf-2.01-patch1 which fixes this issue in
pdftops when applied to the latest source code version, 2.01. 
Additionally, the latest version of CUPS, 1.1.18, should also fix this
issue within the included pdftops utility.  It is available from
http://www.cups.org .


The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1384 to this issue.


10/27/2002      Initial discussion with contributor
11/14/2002      Final contributor submission
12/12/2002      CUPS author and Xpdf author notified via e-mail to
                 cups-support () cups org and Derek B. Noonburg
                 (derekn () glyphandcog com)
12/12/2002      iDEFENSE clients notified
12/12/2002      Response and preliminary patch received from
                 CUPS author Michael Sweet (mike () easysw com)
12/12/2002      Apple and Linux Security List (vendor-sec () lst de) notified
12/13/2002      Updated patch received from Michael Sweet
12/17/2002      Patch received from Derek B. Noonburg
12/23/2002      Coordinated Public Disclosure


zen-parse (zen-parse () gmx net) discovered this issue.

Get paid for security research

Subscribe to iDEFENSE Advisories:
send email to listserv () idefense com, subject line: "subscribe"


iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide 
decision-makers, frontline security professionals and network 
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .
