Talos Vulnerability Report

TALOS-2016-0101

Oracle OIT IX SDK libvs_pdf arbitrary pointer access

July 19, 2016
CVE Number

CVE-2016-3579

Description

When parsing a specially crafted PDF document, a value derived from a file is used as a memory pointer leading to a process crash.

Tested Versions

  • Outside In IX SDK 8.5.1.

Product URLs

http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html

Details

When parsing a PDF file with an object containing a stream, missing object type specification can lead to arbitrary pointer access. In the supplied testcase, a /Type value is missing (originaly /XRef) and trailing bytes are interpreted as type. An ASCII integer value is converted into 32bit integer which is subsequently used as a pointer in a comparison operation. In case the pointer is invalid, process crash occurs.

Technical information below:

An ASCII integer value appearing after /Type element in the supplied PDF file is converted into 32 bit integer (in this case 0x41414141) which ends up being used as a source operand, in esi, in the comparison instruction against 'XRef' value pointed at by edi :

`
.text:B74E9B72 mov     esi, [eax]
.text:B74E9B74 mov     ecx, 5
.text:B74E9B79 cld
.text:B74E9B7A lea     edi, (aXref - 0B74F6998h)[ebx] ; "XRef"
.text:B74E9B80 repe cmpsb
`

Although the value in esi is fully controlled, it is promptly discarded after the comparison making this issue unexploitable by itself.

Timeline

2016-04-12 - Vendor Notification
2016-07-19 – Public Disclosure

Credit

Discovered by Aleksandar Nikolic of Cisco Talos.