Poppler v0.62.0 Memory Corruption Vulnerability

2018.07.21
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

################ #Title: Poppler v0.62.0 Memory Corruption Vulnerability #CVE: CVE-2018-13988 #CWE: CWE-119 #Exploit Author: Hosein Askari #Vendor HomePage: https://poppler.freedesktop.org/ #Version : version 0.62.0 and earlier versions #Tested on: Ubuntu 18.04 (4.15.0-23-generic) #Date: July 21 2018 #Category: Application #Author Mail : hosein.askari@aol.com #Description: Poppler through 0.62 contains a memory corruption vulnerability due to an incorrect memory access that is not mapped in its memory space(improper handling of objects in memory), as #demonstrated by pdfunite. This can result in memory corruption and denial of service. This may be exploitable when a victim opens a specially crafted PDF file. #Fixed: https://poppler.freedesktop.org/poppler-0.66.0.tar.xz ############### constantine@constantine:~$ pdfunite crafted.pdf aa.pdf Segmentation fault (core dumped) ############### [14925.737845] pdfunite[5097]: segfault at 564d6cf85714 ip 00007f42ac6fd064 sp 00007ffee66adf28 error 4 in libpoppler.so.73.0.0[7f42ac588000+251000] ############### constantine@constantine:~$ sudo cat /proc/14698/maps [sudo] password for constantine: 555555554000-55555555a000 r-xp 00000000 08:01 1444544 /usr/bin/pdfunite 555555759000-55555575a000 r--p 00005000 08:01 1444544 /usr/bin/pdfunite 55555575a000-55555575b000 rw-p 00006000 08:01 1444544 /usr/bin/pdfunite 55555575b000-5555557bf000 rw-p 00000000 00:00 0 [heap] 7ffff4117000-7ffff4122000 r-xp 00000000 08:01 1450444 /usr/lib/x86_64-linux-gnu/libjbig.so.0 7ffff4122000-7ffff4321000 ---p 0000b000 08:01 1450444 /usr/lib/x86_64-linux-gnu/libjbig.so.0 7ffff4321000-7ffff4322000 r--p 0000a000 08:01 1450444 /usr/lib/x86_64-linux-gnu/libjbig.so.0 7ffff4322000-7ffff4325000 rw-p 0000b000 08:01 1450444 /usr/lib/x86_64-linux-gnu/libjbig.so.0 7ffff4325000-7ffff4349000 r-xp 00000000 08:01 3936978 /lib/x86_64-linux-gnu/liblzma.so.5.2.2 7ffff4349000-7ffff4549000 ---p 00024000 08:01 3936978 /lib/x86_64-linux-gnu/liblzma.so.5.2.2 7ffff4549000-7ffff454a000 r--p 00024000 08:01 3936978 /lib/x86_64-linux-gnu/liblzma.so.5.2.2 7ffff454a000-7ffff454b000 rw-p 00025000 08:01 3936978 /lib/x86_64-linux-gnu/liblzma.so.5.2.2 7ffff454b000-7ffff4552000 r-xp 00000000 08:01 3937059 /lib/x86_64-linux-gnu/librt-2.27.so 7ffff4552000-7ffff4751000 ---p 00007000 08:01 3937059 /lib/x86_64-linux-gnu/librt-2.27.so 7ffff4751000-7ffff4752000 r--p 00006000 08:01 3937059 /lib/x86_64-linux-gnu/librt-2.27.so 7ffff4752000-7ffff4753000 rw-p 00007000 08:01 3937059 /lib/x86_64-linux-gnu/librt-2.27.so 7ffff4753000-7ffff4756000 r-xp 00000000 08:01 3936941 /lib/x86_64-linux-gnu/libdl-2.27.so 7ffff4756000-7ffff4955000 ---p 00003000 08:01 3936941 /lib/x86_64-linux-gnu/libdl-2.27.so 7ffff4955000-7ffff4956000 r--p 00002000 08:01 3936941 /lib/x86_64-linux-gnu/libdl-2.27.so 7ffff4956000-7ffff4957000 rw-p 00003000 08:01 3936941 /lib/x86_64-linux-gnu/libdl-2.27.so 7ffff4957000-7ffff495a000 r-xp 00000000 08:01 1450643 /usr/lib/x86_64-linux-gnu/libplds4.so 7ffff495a000-7ffff4b59000 ---p 00003000 08:01 1450643 /usr/lib/x86_64-linux-gnu/libplds4.so 7ffff4b59000-7ffff4b5a000 r--p 00002000 08:01 1450643 /usr/lib/x86_64-linux-gnu/libplds4.so 7ffff4b5a000-7ffff4b5b000 rw-p 00003000 08:01 1450643 /usr/lib/x86_64-linux-gnu/libplds4.so 7ffff4b5b000-7ffff4b5f000 r-xp 00000000 08:01 1450642 /usr/lib/x86_64-linux-gnu/libplc4.so 7ffff4b5f000-7ffff4d5e000 ---p 00004000 08:01 1450642 /usr/lib/x86_64-linux-gnu/libplc4.so 7ffff4d5e000-7ffff4d5f000 r--p 00003000 08:01 1450642 /usr/lib/x86_64-linux-gnu/libplc4.so 7ffff4d5f000-7ffff4d60000 rw-p 00004000 08:01 1450642 /usr/lib/x86_64-linux-gnu/libplc4.so 7ffff4d60000-7ffff4d88000 r-xp 00000000 08:01 1450576 /usr/lib/x86_64-linux-gnu/libnssutil3.so 7ffff4d88000-7ffff4f87000 ---p 00028000 08:01 1450576 /usr/lib/x86_64-linux-gnu/libnssutil3.so 7ffff4f87000-7ffff4f8e000 r--p 00027000 08:01 1450576 /usr/lib/x86_64-linux-gnu/libnssutil3.so 7ffff4f8e000-7ffff4f8f000 rw-p 0002e000 08:01 1450576 /usr/lib/x86_64-linux-gnu/libnssutil3.so 7ffff4f8f000-7ffff4fbe000 r-xp 00000000 08:01 3936948 /lib/x86_64-linux-gnu/libexpat.so.1.6.7 7ffff4fbe000-7ffff51be000 ---p 0002f000 08:01 3936948 /lib/x86_64-linux-gnu/libexpat.so.1.6.7 7ffff51be000-7ffff51c0000 r--p 0002f000 08:01 3936948 /lib/x86_64-linux-gnu/libexpat.so.1.6.7 7ffff51c0000-7ffff51c1000 rw-p 00031000 08:01 3936948 /lib/x86_64-linux-gnu/libexpat.so.1.6.7 7ffff51c1000-7ffff51d8000 r-xp 00000000 08:01 3936955 /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff51d8000-7ffff53d7000 ---p 00017000 08:01 3936955 /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff53d7000-7ffff53d8000 r--p 00016000 08:01 3936955 /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff53d8000-7ffff53d9000 rw-p 00017000 08:01 3936955 /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff53d9000-7ffff53f3000 r-xp 00000000 08:01 3937051 /lib/x86_64-linux-gnu/libpthread-2.27.so 7ffff53f3000-7ffff55f2000 ---p 0001a000 08:01 3937051 /lib/x86_64-linux-gnu/libpthread-2.27.so 7ffff55f2000-7ffff55f3000 r--p 00019000 08:01 3937051 /lib/x86_64-linux-gnu/libpthread-2.27.so 7ffff55f3000-7ffff55f4000 rw-p 0001a000 08:01 3937051 /lib/x86_64-linux-gnu/libpthread-2.27.so 7ffff55f4000-7ffff55f8000 rw-p 00000000 00:00 0 7ffff55f8000-7ffff5795000 r-xp 00000000 08:01 3936981 /lib/x86_64-linux-gnu/libm-2.27.so 7ffff5795000-7ffff5994000 ---p 0019d000 08:01 3936981 /lib/x86_64-linux-gnu/libm-2.27.so 7ffff5994000-7ffff5995000 r--p 0019c000 08:01 3936981 /lib/x86_64-linux-gnu/libm-2.27.so 7ffff5995000-7ffff5996000 rw-p 0019d000 08:01 3936981 /lib/x86_64-linux-gnu/libm-2.27.so 7ffff5996000-7ffff5a09000 r-xp 00000000 08:01 1450835 /usr/lib/x86_64-linux-gnu/libtiff.so.5.3.0 7ffff5a09000-7ffff5c08000 ---p 00073000 08:01 1450835 /usr/lib/x86_64-linux-gnu/libtiff.so.5.3.0 7ffff5c08000-7ffff5c0c000 r--p 00072000 08:01 1450835 /usr/lib/x86_64-linux-gnu/libtiff.so.5.3.0 7ffff5c0c000-7ffff5c0d000 rw-p 00076000 08:01 1450835 /usr/lib/x86_64-linux-gnu/libtiff.so.5.3.0 7ffff5c0d000-7ffff5c3e000 r-xp 00000000 08:01 1450647 /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0 7ffff5c3e000-7ffff5e3d000 ---p 00031000 08:01 1450647 /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0 7ffff5e3d000-7ffff5e3e000 r--p 00030000 08:01 1450647 /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0 7ffff5e3e000-7ffff5e3f000 rw-p 00031000 08:01 1450647 /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0 7ffff5e3f000-7ffff5e91000 r-xp 00000000 08:01 1450468 /usr/lib/x86_64-linux-gnu/liblcms2.so.2.0.8 7ffff5e91000-7ffff6091000 ---p 00052000 08:01 1450468 /usr/lib/x86_64-linux-gnu/liblcms2.so.2.0.8 7ffff6091000-7ffff6093000 r--p 00052000 08:01 1450468 /usr/lib/x86_64-linux-gnu/liblcms2.so.2.0.8 7ffff6093000-7ffff6096000 rw-p 00054000 08:01 1450468 /usr/lib/x86_64-linux-gnu/liblcms2.so.2.0.8 7ffff6096000-7ffff6097000 rw-p 00000000 00:00 0 7ffff6097000-7ffff60d0000 r-xp 00000000 08:01 1450574 /usr/lib/x86_64-linux-gnu/libnspr4.so 7ffff60d0000-7ffff62cf000 ---p 00039000 08:01 1450574 /usr/lib/x86_64-linux-gnu/libnspr4.so 7ffff62cf000-7ffff62d0000 r--p 00038000 08:01 1450574 /usr/lib/x86_64-linux-gnu/libnspr4.so 7ffff62d0000-7ffff62d1000 rw-p 00039000 08:01 1450574 /usr/lib/x86_64-linux-gnu/libnspr4.so 7ffff62d1000-7ffff62d4000 rw-p 00000000 00:00 0 7ffff62d4000-7ffff62fc000 r-xp 00000000 08:01 1450769 /usr/lib/x86_64-linux-gnu/libsmime3.so 7ffff62fc000-7ffff64fc000 ---p 00028000 08:01 1450769 /usr/lib/x86_64-linux-gnu/libsmime3.so 7ffff64fc000-7ffff64ff000 r--p 00028000 08:01 1450769 /usr/lib/x86_64-linux-gnu/libsmime3.so 7ffff64ff000-7ffff6500000 rw-p 0002b000 08:01 1450769 /usr/lib/x86_64-linux-gnu/libsmime3.so 7ffff6500000-7ffff663c000 r-xp 00000000 08:01 1450575 /usr/lib/x86_64-linux-gnu/libnss3.so 7ffff663c000-7ffff683c000 ---p 0013c000 08:01 1450575 /usr/lib/x86_64-linux-gnu/libnss3.so 7ffff683c000-7ffff6841000 r--p 0013c000 08:01 1450575 /usr/lib/x86_64-linux-gnu/libnss3.so 7ffff6841000-7ffff6843000 rw-p 00141000 08:01 1450575 /usr/lib/x86_64-linux-gnu/libnss3.so 7ffff6843000-7ffff6844000 rw-p 00000000 00:00 0 7ffff6844000-7ffff6860000 r-xp 00000000 08:01 3937090 /lib/x86_64-linux-gnu/libz.so.1.2.11 7ffff6860000-7ffff6a5f000 ---p 0001c000 08:01 3937090 /lib/x86_64-linux-gnu/libz.so.1.2.11 7ffff6a5f000-7ffff6a60000 r--p 0001b000 08:01 3937090 /lib/x86_64-linux-gnu/libz.so.1.2.11 7ffff6a60000-7ffff6a61000 rw-p 0001c000 08:01 3937090 /lib/x86_64-linux-gnu/libz.so.1.2.11 7ffff6a61000-7ffff6ac8000 r-xp 00000000 08:01 1450448 /usr/lib/x86_64-linux-gnu/libjpeg.so.8.1.2 7ffff6ac8000-7ffff6cc7000 ---p 00067000 08:01 1450448 /usr/lib/x86_64-linux-gnu/libjpeg.so.8.1.2 7ffff6cc7000-7ffff6cc8000 r--p 00066000 08:01 1450448 /usr/lib/x86_64-linux-gnu/libjpeg.so.8.1.2 7ffff6cc8000-7ffff6cc9000 rw-p 00067000 08:01 1450448 /usr/lib/x86_64-linux-gnu/libjpeg.so.8.1.2 7ffff6cc9000-7ffff6d07000 r-xp 00000000 08:01 1450139 /usr/lib/x86_64-linux-gnu/libfontconfig.so.1.10.1 7ffff6d07000-7ffff6f07000 ---p 0003e000 08:01 1450139 /usr/lib/x86_64-linux-gnu/libfontconfig.so.1.10.1 7ffff6f07000-7ffff6f09000 r--p 0003e000 08:01 1450139 /usr/lib/x86_64-linux-gnu/libfontconfig.so.1.10.1 7ffff6f09000-7ffff6f0e000 rw-p 00040000 08:01 1450139 /usr/lib/x86_64-linux-gnu/libfontconfig.so.1.10.1 7ffff6f0e000-7ffff6fbb000 r-xp 00000000 08:01 1450157 /usr/lib/x86_64-linux-gnu/libfreetype.so.6.15.0 7ffff6fbb000-7ffff71ba000 ---p 000ad000 08:01 1450157 /usr/lib/x86_64-linux-gnu/libfreetype.so.6.15.0 7ffff71ba000-7ffff71c1000 r--p 000ac000 08:01 1450157 /usr/lib/x86_64-linux-gnu/libfreetype.so.6.15.0 7ffff71c1000-7ffff71c2000 rw-p 000b3000 08:01 1450157 /usr/lib/x86_64-linux-gnu/libfreetype.so.6.15.0 7ffff71c2000-7ffff73a9000 r-xp 00000000 08:01 3936918 /lib/x86_64-linux-gnu/libc-2.27.so 7ffff73a9000-7ffff75a9000 ---p 001e7000 08:01 3936918 /lib/x86_64-linux-gnu/libc-2.27.so 7ffff75a9000-7ffff75ad000 r--p 001e7000 08:01 3936918 /lib/x86_64-linux-gnu/libc-2.27.so 7ffff75ad000-7ffff75af000 rw-p 001eb000 08:01 3936918 /lib/x86_64-linux-gnu/libc-2.27.so 7ffff75af000-7ffff75b3000 rw-p 00000000 00:00 0 7ffff75b3000-7ffff7731000 r-xp 00000000 08:01 1450804 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25 7ffff7731000-7ffff7931000 ---p 0017e000 08:01 1450804 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25 7ffff7931000-7ffff793b000 r--p 0017e000 08:01 1450804 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25 7ffff793b000-7ffff793d000 rw-p 00188000 08:01 1450804 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25 7ffff793d000-7ffff7941000 rw-p 00000000 00:00 0 7ffff7941000-7ffff7b92000 r-xp 00000000 08:01 1442675 /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0 7ffff7b92000-7ffff7d91000 ---p 00251000 08:01 1442675 /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0 7ffff7d91000-7ffff7daf000 r--p 00250000 08:01 1442675 /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0 7ffff7daf000-7ffff7dd5000 rw-p 0026e000 08:01 1442675 /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0 7ffff7dd5000-7ffff7dfc000 r-xp 00000000 08:01 3936890 /lib/x86_64-linux-gnu/ld-2.27.so 7ffff7f6e000-7ffff7faf000 rw-p 00000000 00:00 0 7ffff7fd0000-7ffff7fdf000 rw-p 00000000 00:00 0 7ffff7ff7000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar] 7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso] 7ffff7ffc000-7ffff7ffd000 r--p 00027000 08:01 3936890 /lib/x86_64-linux-gnu/ld-2.27.so 7ffff7ffd000-7ffff7ffe000 rw-p 00028000 08:01 3936890 /lib/x86_64-linux-gnu/ld-2.27.so 7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] ################## ==14154== Process terminating with default action of signal 11 (SIGSEGV) ==14154== Bad permissions for mapped region at address 0x8A8F4F4 ==14154== at 0x4FB1064: XRef::getEntry(int, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0) ==14154== by 0x4F9AA7D: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0) ==14154== by 0x4F9A8EB: PDFDoc::markDictionnary(Dict*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0) ==14154== by 0x4F9AD07: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0) ==14154== by 0x4F9ACAE: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0) ==14154== by 0x4F9A8EB: PDFDoc::markDictionnary(Dict*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0) ==14154== by 0x4F9AD07: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0) ==14154== by 0x4F9ACAE: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0) ==14154== by 0x4F9A8EB: PDFDoc::markDictionnary(Dict*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0) ==14154== by 0x4F9AD07: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0) ==14154== by 0x4F9AEDC: PDFDoc::markPageObjects(Dict*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0) ==14154== by 0x10A85B: main (in /usr/bin/pdfunite)

References:

https://cgit.freedesktop.org/poppler/poppler/commit/?id=004e3c10df0abda214f0c293f9e269fdd979c5ee


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top