Talos Vulnerability Report

TALOS-2017-0322

Lexmark Perceptive Document Filters PDF GfxFont Code Execution Vulnerability

August 28, 2017
CVE Number

CVE-2017-2821

Summary

An exploitable use-after-free vulnerability exists in the PDF parsing functionality of Lexmark Perceptive Document Filters 11.3.0.2400 and 11.4.0.2452. A crafted PDF document can lead to a use-after-free resulting in direct code execution.

Tested Versions

Lexmark Perceptive Document Filters 11.3.0.2400 - x86
Lexmark Perceptive Document Filters 11.4.0.2452 - x86

Product URLs

http://www.lexmark.com/en_us/partners/enterprise-software/technology-partners/oem-technologies/document-filters.html

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416: Use After Free

Details

This vulnerability is present in the Lexmark Document Filters parsing library, which is used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services. This product is mainly used by MarkLogic for document conversions as part of its web-based document search and rendering. It can convert common formats such as Microsoft's document formats into more usable and easily viewed formats. There is a vulnerability in the parsing and conversion of a PDF document: a specially crafted PDF file can lead to a use-after-free and ultimately code execution. Let's investigate this vulnerability. After attempting to convert a malicious PDF with the Lexmark library, we see the following state:

LD_LIBRARY_PATH=. gdb --args ./isys_doc2text --html -o /tmp/output poc.pdf

[1] File type: Adobe Acrobat (PDF) (51); Capabilities: 15 - poc.pdf
Program received signal SIGSEGV, Segmentation fault.
0x084512c8 in ?? ()
(gdb) peda_active 
gdb-peda$ context
[----------------------------------registers-----------------------------------]
EAX: 0xf5ddb4f0 --> 0xf5ddb4e8 --> 0xf5ddb4e0 --> 0xf5ddb4d8 --> 0xf5ddb4d0 (0xf5ddb4c8)
EBX: 0xf4e592a0 --> 0x1c9ad8 
ECX: 0x84077f0 --> 0x0 
EDX: 0xbfd00000 
ESI: 0x84512d0 --> 0xf5ddb4f0 --> 0xf5ddb4e8 --> 0xf5ddb4e0 --> 0xf5ddb4d8 (0xf5ddb4d0)
EDI: 0x8452398 --> 0x84532d8 --> 0x84532e0 --> 0x0 
EBP: 0xffffa858 --> 0xffffa8c8 --> 0xffffa8e8 --> 0xffffa908 --> 0xffffa928 (0xffffa958)
ESP: 0xffffa82c --> 0xf4dadf6b (add    esp,0x10)
EIP: 0x84512c8 --> 0x0
EFLAGS: 0x10292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x84512c2:	add    BYTE PTR [eax],al
   0x84512c4:	add    BYTE PTR [eax],al
   0x84512c6:	add    BYTE PTR [eax],al
=> 0x84512c8:	add    BYTE PTR [eax],al
   0x84512ca:	add    BYTE PTR [eax],al
   0x84512cc:	test   eax,0xf0000000
   0x84512d1:	mov    ah,0xdd
   0x84512d3:	cmc
[------------------------------------stack-------------------------------------]
0000| 0xffffa82c --> 0xf4dadf6b (add    esp,0x10)
0004| 0xffffa830 --> 0x84512d0 --> 0xf5ddb4f0 --> 0xf5ddb4e8 --> 0xf5ddb4e0 (0xf5ddb4d8)
0008| 0xffffa834 --> 0xf5f23000 --> 0xdfa7c 
0012| 0xffffa838 --> 0x28 ('(')
0016| 0xffffa83c --> 0xf4dadeae (pop    ebx)
0020| 0xffffa840 --> 0x28 ('(')
0024| 0xffffa844 --> 0x0 
0028| 0xffffa848 --> 0xffffa888 --> 0xffffa8b8 --> 0xf4e592a0 --> 0x1c9ad8 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
gdb-peda$ xinfo $pc
0x84512c8 --> 0x0 
Virtual memory mapping:
Start : 0x0806e000
End   : 0x08497000
Offset: 0x3e32c8
Perm  : rw-p
Name  : [heap]
gdb-peda$ bt
#0  0x084512c8 in ?? ()
#1  0xf4dae36a in ?? () from ./libISYSpdf6.so
#2  0xf4dae4b3 in ?? () from ./libISYSpdf6.so
#3  0xf4d316cf in ?? () from ./libISYSpdf6.so
#4  0xf4d316fc in ?? () from ./libISYSpdf6.so
#5  0xf4d32eea in ?? () from ./libISYSpdf6.so
#6  0xf4d33081 in ?? () from ./libISYSpdf6.so
#7  0xf4d3520f in ?? () from ./libISYSpdf6.so
#8  0xf4d8cd79 in ?? () from ./libISYSpdf6.so
#9  0xf4d8d050 in ?? () from ./libISYSpdf6.so
#10 0xf4d8a02c in ?? () from ./libISYSpdf6.so
#11 0xf4cb1d99 in ?? () from ./libISYSpdf6.so
#12 0xf4cbc532 in ?? () from ./libISYSpdf6.so
#13 0xf4cbd4e8 in ?? () from ./libISYSpdf6.so
#14 0xf4caf328 in Ext_Read_Character () from ./libISYSpdf6.so
#15 0xf366b0bb in ?? () from ./libISYSreadershd.so
#16 0xf3669eaa in ?? () from ./libISYSreadershd.so
#17 0xf375648a in ?? () from ./libISYSreadershd.so
#18 0xf37652c6 in ?? () from ./libISYSreadershd.so
#19 0xf3856d14 in ?? () from ./libISYSreadershd.so
#20 0xf385b021 in ?? () from ./libISYSreadershd.so
#21 0xf3853d40 in ?? () from ./libISYSreadershd.so
#22 0xf5accf64 in ?? () from ./libISYSreaders.so
#23 0xf5ad1abd in ?? () from ./libISYSreaders.so
#24 0xf7fcd5e3 in IGR_Open_Stream_Ex () from ./libISYS11df.so
#25 0x08054a4d in ?? ()
#26 0x0805c160 in ?? ()
#27 0x0805de17 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#28 0xf620f14d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#29 0xf621a739 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#30 0xf6216894 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#31 0x08053d7b in ?? ()
#32 0xf5c49af3 in __libc_start_main (main=0x8053350, argc=0x5, argv=0xffffcff4, init=0x80642f0, fini=0x80642e0, rtld_fini=0xf7feb160 <_dl_fini>, stack_end=0xffffcfec) at libc-start.c:287
#33 0x0804f5e1 in ?? ()

As we can see, code flow has somehow been redirected to the heap. Using rr and re-running the application, we will try to stop at the moment when execution is redirected to the heap address above.

gdb-peda$ 
[----------------------------------registers-----------------------------------]
EAX: 0xf55584f0 --> 0xf55584e8 --> 0xf55584e0 --> 0xf55584d8 --> 0xf55584d0 (0xf55584c8)
EBX: 0xf44d62a0 --> 0x1c9ad8 
ECX: 0x8a9d790 --> 0x0 
EDX: 0xbfd00000 
ESI: 0x8ae7270 --> 0xf55584f0 --> 0xf55584e8 --> 0xf55584e0 --> 0xf55584d8 (0xf55584d0)
EDI: 0x8ae8338 --> 0x8ae9278 --> 0x8ae9280 --> 0x0 
EBP: 0xfffaf9d8 --> 0xfffafa48 --> 0xfffafa68 --> 0xfffafa88 --> 0xfffafaa8 (0xfffafad8)
ESP: 0xfffaf9b0 --> 0x8ae7270 --> 0xf55584f0 --> 0xf55584e8 --> 0xf55584e0 (0xf55584d8)
EIP: 0xf442af68 --> 0x830850ff
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xf442af62:	sub    esp,0xc
   0xf442af65:	mov    eax,DWORD PTR [esi]
   0xf442af67:	push   esi
=> 0xf442af68:	call   DWORD PTR [eax+0x8]
   0xf442af6b:	add    esp,0x10
   0xf442af6e:	test   eax,eax
   0xf442af70:	je     0xf442af88
   0xf442af72:	lea    esp,[ebp-0xc]
Guessed arguments:
arg[0]: 0x8ae7270 --> 0xf55584f0 --> 0xf55584e8 --> 0xf55584e0 --> 0xf55584d8 (0xf55584d0)
[------------------------------------stack-------------------------------------]
0000| 0xfffaf9b0 --> 0x8ae7270 --> 0xf55584f0 --> 0xf55584e8 --> 0xf55584e0 (0xf55584d8)
0004| 0xfffaf9b4 --> 0xf56a0000 --> 0xdfa7c 
0008| 0xfffaf9b8 --> 0x28 ('(')
0012| 0xfffaf9bc --> 0xf442aeae --> 0xf2c3815b --> 0x26748d20 
0016| 0xfffaf9c0 --> 0x28 ('(')
0020| 0xfffaf9c4 --> 0x0 
0024| 0xfffaf9c8 --> 0xfffafa08 --> 0xfffafa38 --> 0xf44d62a0 --> 0x1c9ad8 
0028| 0xfffaf9cc --> 0xf44d62a0 --> 0x1c9ad8 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
gdb-peda$ telescope $eax+0x8 1
$280 = 0x45bd
0000| 0xf55584f8 --> 0x8ae7268 --> 0x0 
gdb-peda$ pdisass 0x8ae7268
Dump of assembler code from 0x8ae7268 to 0x8ae7288:
   0x08ae7268:	add    BYTE PTR [eax],al
   0x08ae726a:	add    BYTE PTR [eax],al
   0x08ae726c:	test   eax,0xf0000000
   0x08ae7271:	test   BYTE PTR [ebp-0xb],dl
   0x08ae7274:	lock test BYTE PTR [ebp-0xb],dl
   0x08ae7278:	js     0x8ae720c
   0x08ae727a:	scas   al,BYTE PTR es:[edi]
   0x08ae727b:	or     BYTE PTR [eax+eax*1],ah
   0x08ae727e:	add    BYTE PTR [eax],al
   0x08ae7280:	add    BYTE PTR [eax],al
   0x08ae7282:	add    BYTE PTR [eax],al
   0x08ae7284:	js     0x8ae72f9
   0x08ae7286:	scas   al,BYTE PTR es:[edi]
   0x08ae7287:	or     BYTE PTR ds:0x68000000,cl
End of assembler dump.

Looking at the above assembly listing, we can notice a virtual function call made through a corrupted vftable. To understand better what exactly happened, we can look at some source code. Lexmark developers use a modified version of the Xpdf / Poppler library in libISYSpdf6.so. Further analysis reveals that the call through the malformed vftable happens in the TextFontInfo constructor and is directly related to the GfxFont object:

xpdf-3.04\xpdf\TextOutputDev.cc

Line 427		TextFontInfo::TextFontInfo(GfxState *state) {
Line 428		  GfxFont *gfxFont;
Line 429		
Line 430		  gfxFont = state->getFont();
Line 			(...)
Line 456		  if (gfxFont && !gfxFont->isCIDFont()) {

The gfxFont object is read from the state, and later, in line 456, the virtual function isCIDFont is called on it. After some analysis of the Xpdf code, focusing on the places where the state object can change depending on which PostScript tags are executed, this part of the code was monitored. Besides that, the most interesting life cycle is that of the gfxFont object at 0x8ae7270 (see the second listing above: ESI == this). Together these observations should reveal the places where the gfxFont object was corrupted or released, which later leads to the call through the malformed vftable.

libISYSpdf6 image base:	0xF430C000

Line 1 	[Gfx::execOp] opName : BT func addr : 0xf43ae550
Line 2 	[Gfx::execOp] opName : Td func addr : 0xf43b0e90
Line 3 	[Gfx::execOp] opName : Tf func addr : 0xf43b2280
Line 4 	[Gfx::opSetFont] lookup -> Font name : F1
Line 5 	[Gfx::opSetFont] GfxFontDict::GfxFontDict : 0xf44d3fb0
Line 6 	[0xf43bf213] WRITE *0x8ae7270 <-  0xf44d3fd0
Line 7 		#0  0xf43bf213 in ?? () from ./libISYSpdf6.so
Line 8 		#1  0xf43bface in ?? () from ./libISYSpdf6.so
Line 9 	free(0x8ae7270)
Line 10	[0xf5420d61] WRITE *0x8ae7270 <-  0x8ae5eb0
Line 11		#0  _int_free (av=0xf5558420 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4015
Line 12		#1  0xf560882f in operator delete(void*) () from /usr/lib/i386-linux-gnu/libstdc++.so.6
Line 13	[Gfx::opSetFont] Font NOT found
Line 14	[Gfx::opSetFont] GfxFontDict::GfxFontDict : this = 0xfffafa78   arg0 = 0x8a94388
Line 15	[0xf5421a21] WRITE *0x8ae7270 <-  0xf5558450
Line 16		#0  _int_malloc (av=av@entry=0xf5558420 <main_arena>, bytes=bytes@entry=160) at malloc.c:3493
Line 17		#1  0xf5423888 in __GI___libc_malloc (bytes=160) at malloc.c:2891
Line 18	[0xf54219c5] WRITE *0x8ae7270 <-  0xf5558750
Line 19		#0  _int_malloc (av=av@entry=0xf5558420 <main_arena>, bytes=bytes@entry=160) at malloc.c:3561
Line 20		#1  0xf5423888 in __GI___libc_malloc (bytes=160) at malloc.c:2891
Line 21	post malloc(0x8ae7270)
Line 22	[Gfx::opSetFont] sub_F43A81D0 [if FALSE]: fontName : BaseFont
Line 23	[0xf43a828c] WRITE *0x8ae7270 <-  0x8ae7358
Line 24		#0  0xf43a828c in ?? () from ./libISYSpdf6.so
Line 25		#1  0xf43b23c6 in ?? () from ./libISYSpdf6.so
Line 26	[Gfx::opSetFont] sub_F43A81D0 [if FALSE]: fontName : Type
Line 27	[Gfx::opSetFont] sub_F43A81D0 [if FALSE]: fontName : Subtype
Line 28	[Gfx::opSetFont] GfxFont::makeFont
Line 29	[Gfx::opSetFont] GfxFontDict::_desctrGfxFontDict : 0xfffafa78
Line 30	free(0x8ae7270)
Line 31	[0xf5420d61] WRITE *0x8ae7270 <-  0xf5558450
Line 32		#0  _int_free (av=0xf5558420 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4015
Line 33		#1  0xf435e883 in ?? () from ./libISYSpdf6.so
Line 34	[Gfx::doSetFont]             Font : 0x8ae9928 - vftable : 0xf44d3fb0
Line 35	[Gfx::execOp] opName : Tj func addr : 0xf43bc9f0
Line 36	[0xf54219c5] WRITE *0x8ae7270 <-  0xf55584f0
Line 37		#0  _int_malloc (av=av@entry=0xf5558420 <main_arena>, bytes=bytes@entry=40) at malloc.c:3561
Line 38		#1  0xf5423888 in __GI___libc_malloc (bytes=40) at malloc.c:2891
Line 39	[TextFontInfo::TextFontInfo] Font : 0x8ae9928 - vftable : 0xf44d3fb0
Line 40	[Gfx::execOp] opName : ET func addr : 0xf43ae5e0
Line 41	[Gfx::execOp] opName : Q func addr : 0xf43ae6e0
Line 42	[0xf43ae6c3][CHANGE] state *0x8a99424 <-  0x8a9d790
Line 43	->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[Font] 0x8ae7270
Line 44	[TextFontInfo::TextFontInfo] Font : 0x8ae7270 - vftable : 0xf55584f0
Line 45
Line 46	Program received signal SIGSEGV, Segmentation fault.
Line 47	0x08ae7268 in ?? ()

With all this information printed out during execution, we can now clearly see that at line 30 the gfxFont object is released. In two places we can then observe the address under its vftable pointer (*0x8ae7270) being overwritten: first by free in the code executed at lines 31-33, and later by malloc in the code at lines 36-38. All of this happens inside the opSetFont handler. Next, when the Q tag handler executes, we can see that the current font object assigned to the state has been changed to this released one (lines 41-43). At line 44 a virtual function is called on the released gfxFont object. An attacker controlling the heap layout with a suitable combination of PostScript tags can leverage this use-after-free vulnerability to achieve arbitrary code execution.
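The trace above shows the root cause in ownership terms: the font dictionary built inside opSetFont owns the GfxFont, destroys it when the operator finishes, and a saved graphics state restored by Q still points at it. The following is an added illustration, written for this report and not taken from Lexmark's or Xpdf's code, that models that life cycle with hypothetical stand-ins for GfxFont, GfxFontDict, GfxState and Gfx, and shows the ownership fix for this bug class: the font is shared between the dictionary and every state copy, so it lives as long as any state references it and is freed exactly once afterwards. The operator sequence replayed is a simplified version of the Tf / q / Q / Tj pattern from the trace.

```cpp
#include <cassert>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Stand-in for Xpdf's GfxFont (hypothetical; only the virtual call that
// crashed in the report, isCIDFont, is modelled).
class GfxFont {
public:
    explicit GfxFont(bool cid) : cid_(cid) {}
    virtual ~GfxFont() = default;
    virtual bool isCIDFont() const { return cid_; }
private:
    bool cid_;
};

using FontPtr = std::shared_ptr<GfxFont>;

// Stand-in for GfxFontDict: the object whose destructor (line 29/30 of the
// trace) released the font while a state still referenced it.
class GfxFontDict {
public:
    void add(const std::string& name, FontPtr f) { fonts_[name] = std::move(f); }
    FontPtr lookup(const std::string& name) const {
        auto it = fonts_.find(name);
        return it == fonts_.end() ? nullptr : it->second;
    }
private:
    std::map<std::string, FontPtr> fonts_;
};

// Stand-in for GfxState: only the current font matters here.
struct GfxState {
    FontPtr font;
};

class Gfx {
public:
    void opSave() { saved_.push_back(state_); }   // q: copy the state
    bool opRestore() {                            // Q: go back to the copy
        if (saved_.empty()) return false;
        state_ = saved_.back();
        saved_.pop_back();
        return true;
    }
    // Tf: a font dictionary is built for the operator, the font is selected,
    // and the dictionary is destroyed when the operator finishes. Shared
    // ownership keeps the font alive while any state (current or saved)
    // references it; the vulnerable build was left with a dangling pointer.
    bool opSetFont(const std::string& name, bool cid) {
        GfxFontDict dict;
        dict.add(name, std::make_shared<GfxFont>(cid));
        FontPtr f = dict.lookup(name);
        if (!f) return false;
        state_.font = f;
        return true;
    }   // dict goes out of scope here
    // Tj: the check from the TextFontInfo constructor (TextOutputDev.cc:456).
    // Returns -1 when there is no current font, 1 for a CID font, 0 otherwise.
    int opShowText() const {
        if (!state_.font) return -1;
        return state_.font->isCIDFont() ? 1 : 0;
    }
    FontPtr currentFont() const { return state_.font; }
private:
    GfxState state_;
    std::vector<GfxState> saved_;
};

// Replays a simplified Tf / q / Tf / Q / Tj sequence: the Q restores a state
// whose font's dictionary is long gone. Returns the result of the final Tj;
// with shared ownership it is a valid virtual call on the F1 font (0).
int replayTrace() {
    Gfx gfx;
    gfx.opSetFont("F1", false);
    gfx.opSave();
    gfx.opSetFont("F2", true);
    gfx.opRestore();
    return gfx.opShowText();
}

// Checks the lifetime property with a non-owning observer: the font outlives
// its dictionary while some state references it and is released only when
// the last state holding it is gone.
bool fontLifetimeIsBounded() {
    std::weak_ptr<GfxFont> observer;
    {
        Gfx gfx;
        gfx.opSetFont("F1", false);
        observer = gfx.currentFont();
        gfx.opSave();
        gfx.opSetFont("F2", true);
        if (observer.expired()) return false;   // saved state still holds F1
        gfx.opRestore();
        if (observer.expired()) return false;   // restored state holds F1
    }
    return observer.expired();                  // no state left: freed once, now
}

int main() {
    assert(replayTrace() == 0);
    assert(fontLifetimeIsBounded());
    return 0;
}
```

The weak_ptr observer is the useful part for a reviewer: it makes the lifetime invariant the vulnerable code violated (a state must never outlive the font it references) something a unit test can assert, rather than something that only shows up as a heap crash under a specific operator ordering.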

Crash Information

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0xf5ddb4f0 --> 0xf5ddb4e8 --> 0xf5ddb4e0 --> 0xf5ddb4d8 --> 0xf5ddb4d0 (0xf5ddb4c8)
EBX: 0xf4e592a0 --> 0x1c9ad8 
ECX: 0x84077f0 --> 0x0 
EDX: 0xbfd00000 
ESI: 0x84512d0 --> 0xf5ddb4f0 --> 0xf5ddb4e8 --> 0xf5ddb4e0 --> 0xf5ddb4d8 (0xf5ddb4d0)
EDI: 0x8452398 --> 0x84532d8 --> 0x84532e0 --> 0x0 
EBP: 0xffffa858 --> 0xffffa8c8 --> 0xffffa8e8 --> 0xffffa908 --> 0xffffa928 (0xffffa958)
ESP: 0xffffa82c --> 0xf4dadf6b (add    esp,0x10)
EIP: 0x84512c8 --> 0x0
EFLAGS: 0x10292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x84512c2:	add    BYTE PTR [eax],al
   0x84512c4:	add    BYTE PTR [eax],al
   0x84512c6:	add    BYTE PTR [eax],al
=> 0x84512c8:	add    BYTE PTR [eax],al
   0x84512ca:	add    BYTE PTR [eax],al
   0x84512cc:	test   eax,0xf0000000
   0x84512d1:	mov    ah,0xdd
   0x84512d3:	cmc
[------------------------------------stack-------------------------------------]
0000| 0xffffa82c --> 0xf4dadf6b (add    esp,0x10)
0004| 0xffffa830 --> 0x84512d0 --> 0xf5ddb4f0 --> 0xf5ddb4e8 --> 0xf5ddb4e0 (0xf5ddb4d8)
0008| 0xffffa834 --> 0xf5f23000 --> 0xdfa7c 
0012| 0xffffa838 --> 0x28 ('(')
0016| 0xffffa83c --> 0xf4dadeae (pop    ebx)
0020| 0xffffa840 --> 0x28 ('(')
0024| 0xffffa844 --> 0x0 
0028| 0xffffa848 --> 0xffffa888 --> 0xffffa8b8 --> 0xf4e592a0 --> 0x1c9ad8 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x084512c8 in ?? ()
gdb-peda$ exploitable
Description: Segmentation fault on program counter
Short description: SegFaultOnPc (4/29)
Hash: ae6e0c4798a72212d8ed8d1244fde9d3.4bca40fcccba05375e1144a7be3e77a5
Exploitability Classification: EXPLOITABLE Explanation: The target tried to access data at an address that matches the program counter. This is likely due to the execution of a branch instruction (ex: 'call') with a bad argument, but it could also be due to execution continuing past the end of a memory region or another cause. Regardless this likely indicates that the program counter contents are tainted and can be controlled by an attacker.
Other tags: AccessViolation (28/29)
gdb-peda$ exploitable -m
Warning: machine string printing is deprecated and may be removed in a future release.
EXCEPTION_FAULTING_ADDRESS:0x000000084512c8
EXCEPTION_CODE:0xb
FAULTING_INSTRUCTION:add    BYTE PTR [eax],al
MAJOR_HASH:ae6e0c4798a72212d8ed8d1244fde9d3
MINOR_HASH:4bca40fcccba05375e1144a7be3e77a5
STACK_DEPTH:32
STACK_FRAME:[heap]+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so!Ext_Read_Character+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreadershd.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreadershd.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreadershd.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreadershd.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreadershd.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreadershd.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreadershd.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreaders.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreaders.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYS11df.so!IGR_Open_Stream_Ex+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/isys_doc2text+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/isys_doc2text+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/isys_doc2text!main_doc2text(ISYS_NS::CISYScommander::CResult*, void*)+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSshared.so!ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSshared.so!bool ISYS_NS::CISYScommander::execute<char>(int, char**)+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSshared.so!ISYS_NS::CISYScommander::execute(int, char**)+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/isys_doc2text+0x0
INSTRUCTION_ADDRESS:0x000000084512c8
INVOKING_STACK_FRAME:0
DESCRIPTION:Segmentation fault on program counter
SHORT_DESCRIPTION:SegFaultOnPc (4/29)
OTHER_RULES:AccessViolation (28/29)
CLASSIFICATION:EXPLOITABLE

Timeline

2017-04-24 - Vendor Disclosure
2017-08-28 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.