Talos Vulnerability Report

TALOS-2016-0101

Oracle OIT IX SDK libvs_pdf arbitrary pointer access

July 19, 2016

Report ID

CVE-2016-3579

Description

When parsing a specially crafted PDF document, a value derived from a file is used as a memory pointer leading to a process crash.

Tested Versions

  • Outside In IX SDK 8.5.1.

Product URLs

http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html

Details

When parsing a PDF file with an object containing a stream, a missing object type specification can lead to arbitrary pointer access. In the supplied testcase, the /Type value is missing (originally /XRef) and the trailing bytes are interpreted as the type. An ASCII integer value is converted into a 32-bit integer, which is subsequently used as a pointer in a comparison operation. If the pointer is invalid, the process crashes.

Technical information below:

An ASCII integer value appearing after the /Type element in the supplied PDF file is converted into a 32-bit integer (in this case 0x41414141), which ends up being used as the source operand, in esi, of the comparison instruction against the ‘XRef’ value pointed at by edi:

```
.text:B74E9B72 mov     esi, [eax]
.text:B74E9B74 mov     ecx, 5
.text:B74E9B79 cld
.text:B74E9B7A lea     edi, (aXref - 0B74F6998h)[ebx] ; "XRef"
.text:B74E9B80 repe cmpsb
```

Although the value in esi is fully controlled, it is promptly discarded after the comparison, making this issue unexploitable by itself.
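The pattern behind this crash is a type confusion between a parsed name and a parsed integer that share one storage slot. The following C model is an added example written for this report, not Oracle's code: `pdf_value`, `parse_type_token`, `is_xref_unchecked` and `is_xref_checked` are hypothetical names, the tokenizer is reduced to the two token kinds the report mentions, and the sample tokens are constructed (1094795585 is decimal 0x41414141). The unchecked variant reproduces the bug class by reading the name pointer without consulting the tag; the checked variant refuses anything that is not a name before the string comparison.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical tagged value for the token that follows /Type in a
 * stream dictionary. A name and an integer share one union slot, so
 * reading the wrong member reinterprets integer bits as a pointer. */
typedef enum { PDF_NONE, PDF_NAME, PDF_INT } pdf_tag;

typedef struct {
    pdf_tag tag;
    union {
        const char *name;   /* valid only when tag == PDF_NAME */
        int32_t     num;    /* valid only when tag == PDF_INT  */
    } u;
} pdf_value;

/* Minimal tokenizer: "/XRef" becomes a name, "1094795585" becomes an
 * integer, anything else is left untagged. */
static pdf_value parse_type_token(const char *tok) {
    pdf_value v;
    memset(&v, 0, sizeof v);
    if (tok[0] == '/') {
        v.tag = PDF_NAME;
        v.u.name = tok + 1;
    } else if (isdigit((unsigned char)tok[0])) {
        v.tag = PDF_INT;
        v.u.num = (int32_t)strtol(tok, NULL, 10);
    }
    return v;
}

/* Vulnerable pattern (do not call with a PDF_INT value): the caller
 * assumes the slot holds a name and compares it against "XRef" the way
 * the repe cmpsb above does, 5 bytes including the terminator. With a
 * PDF_INT value the integer bits are dereferenced as a pointer and an
 * invalid address crashes the process. */
static int is_xref_unchecked(const pdf_value *v) {
    return strncmp(v->u.name, "XRef", 5) == 0;
}

/* Hardened pattern: the tag is consulted before the pointer member is
 * touched, so an integer (or a missing value) can never be dereferenced. */
static int is_xref_checked(const pdf_value *v) {
    if (v->tag != PDF_NAME || v->u.name == NULL)
        return 0;
    return strncmp(v->u.name, "XRef", 5) == 0;
}

/* Convenience wrapper: parse one /Type token and classify it safely. */
int type_token_is_xref(const char *tok) {
    pdf_value v = parse_type_token(tok);
    return is_xref_checked(&v);
}

int main(void) {
    /* Constructed tokens: the expected name and the malformed trailing
     * integer described in the report. */
    const char *tokens[] = { "/XRef", "/ObjStm", "1094795585" };
    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++) {
        pdf_value v = parse_type_token(tokens[i]);
        printf("%-12s tag=%d checked_is_xref=%d\n",
               tokens[i], (int)v.tag, is_xref_checked(&v));
        /* is_xref_unchecked(&v) on the integer token would dereference
         * 0x41414141 and crash; only the checked path is exercised. */
    }
    return 0;
}
```

The check that matters is the tag test before the pointer read: a parser that validates the value kind it received (and treats a missing /Type as an error rather than consuming whatever bytes follow) cannot be steered into comparing against an attacker-chosen address.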

Credit

Discovered by Aleksandar Nikolic of Cisco Talos.

Timeline

2016-04-12 - Vendor Notification
2016-07-19 - Public Disclosure