Talos Vulnerability Report

TALOS-2016-0099

Oracle OIT IX SDK libvs_pdf Root xref Denial of Service Vulnerabiity

July 19, 2016

Report ID

CVE-2016-3577

Description

A stack overflow leading to a crash due to unbounded recursive function call is present in the PDF file format parsing code of the IX SDK.

Tested Versions

Oracle Outside In IX sdk 8.5.1

Product URLs

http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html

Details

While parsing a malformed PDF file which contains a reference to the Root element with malformed or missing an xref table a recursive call to a function is made each time with the same parameters eventually leading to a crash due to process stack exhaustion.

Technical information below:

During a call to VwStreamOpen function in libvs_pdf.so library, code dealing with Root element is reached (image base is at 0xB74BF000):

`
.text:B74ED100 loc_B74ED100:
.text:B74ED100 lea     ebp, [esp+6BCh+var_BC]
.text:B74ED107 cld
.text:B74ED108 mov     ecx, 8
.text:B74ED10D xor     eax, eax
.text:B74ED10F mov     edi, ebp
.text:B74ED111 rep stosd
.text:B74ED113 lea     ecx, [esp+6BCh+var_34]
.text:B74ED11A mov     eax, [esp+6BCh+arg_10]
.text:B74ED121 mov     [esp+6BCh+s], eax
.text:B74ED124 lea     edx, (aRoot - 0B74F6998h)[ebx] ; "Root"
.text:B74ED12A mov     eax, esi
.text:B74ED12C call    sub_B74D653E
.text:B74ED131 mov     edx, eax
.text:B74ED133 test    ax, ax
.text:B74ED136 jnz     loc_B74E
`

Function sub_B74D653E in turn calls a function sub_B74D5EEC in which the unbounded recursive call can happen:

`
.text:B74D6095 lea     edx, [esp+5ACh+var_14]
.text:B74D609C lea     eax, [esp+5ACh+var_C0]
.text:B74D60A3 mov     ecx, ebp
.text:B74D60A5 call    sub_B74D5EEC
.text:B74D60AA test    ax, ax
.text:B74D60AD jnz     short loc_B74
`

The supplied minimized testcase triggers the recursive call and leads to a crash due to stack exhaustion. The sample program ixsample supplied with the SDK can be used to reproduce the crash.

Credit

Discovered by Aleksandar Nikolic of Cisco Talos.

Timeline

2016-04-12 - Vendor Notification
2016-07-19 – Public Disclosure