pdflib long filename multiple bufferoverflows

2007.12.28

Credit: poplix

Risk: Medium

Local: Yes

Remote: No

CVE: CVE-2007-6561

CWE: CWE-119

CVSS Base Score: 5.7/10

Impact Subscore: 6.9/10

Exploitability Subscore: 5.5/10

Exploit range: Adjacent network

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: None

Availability impact: Complete

hi,
pdflib, a library for generating PDF on the fly, avilable at http:// 
www.pdflib.com, is vulnerable to multiple bufferoverflows due to a  
misuse of strcpy().
An attacker can exploit this issue to execute arbitrary code or to  
crash the application that uses the library.
One of the vulnerable functions is pdc_fsearch_fopen() that is  
called, for example, by PDF_load_image() which overflows a stack  
buffer if a long filename is provided.
The php wrapper for pdflib (pecl extension) is also vulnerable so  
please take care of allowing users to generate custom pdfs from webapps.

this is a proof-of-concept that crashes php:
<?php
.....
PDF_load_image($p,"jpeg",str_repeat("A",1100), null);

?>

The developers have been warned and they plained to fix those bugs in  
the next release.

cheers,
-poplix
http://px.dynalias.org

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

pdflib long filename multiple bufferoverflows

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

pdflib long filename multiple bufferoverflows

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.