Talos Vulnerability Report

TALOS-2017-0367

Iceni Infix PDF parsing SetSize Code Execution Vulnerability

July 11, 2017
CVE Number

CVE-2017-2863

Summary

An out-of-bounds write vulnerability exists in the PDF parsing functionality of Infix 7.1.5. A specially crafted PDF file can cause a vulnerability resulting in potential memory corruption. An attacker can send the victim a specific PDF file to trigger this vulnerability.

Tested Versions

  • Infix 7.1.5.0

Product URLs

http://www.iceni.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Details

A remote memory corruption vulnerability exists in the PDF parsing functionality of Infix. A specially crafted PDF file can cause a vulnerability resulting in potential memory corruption.

The vulnerable code is located in the Infix.exe file:

    .text:0016B6E6 loc_16B6E6:                             ; CODE XREF: sub_16B550+16Cj
    .text:0016B6E6                 mov     ecx, [eax+4]
    .text:0016B6E9                 mov     eax, edi
    .text:0016B6EB                 mov     [edi+248h], ecx
    .text:0016B6F1                 call    SetSize?        
    .text:0016B6F6                 test    eax, eax
    .text:0016B6F8                 jnz     loc_16B5F8
    .text:0016B6FE                 mov     esi, [edi+23Ch]
    .text:0016B704                 mov     ebx, [ebx+10h]
    .text:0016B707                 add     esi, esi
    .text:0016B709                 add     esi, esi
    .text:0016B70B                 mov     ecx, esi
    .text:0016B70D                 call    GetMem
    .text:0016B712                 push    esi             ; size_t
    .text:0016B713                 push    0               ; int
    .text:0016B715                 push    eax             ; void *
    .text:0016B716                 mov     [edi+238h], eax
    .text:0016B71C                 call    _memset       

The function SetSize? sets up the dword value located at EDI+23Ch. When a malformed file is parsed, this value is set to 0xFFFFFFFF, which would normally indicate an error. However, because the result is never checked, this value (0xFFFFFFFF) is later used as the size argument to the memset function, which causes the memory corruption.
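The defect described above is a classic "error value reused as a size" pattern: a per-entry count that doubles as an error sentinel is stored without a check, scaled, and handed to the allocator and memset. The following C is an added illustration written for this report and is not Infix code or Talos's analysis tooling. The names `parse_count`, `vulnerable_table_size`, `checked_table_size` and `alloc_zeroed_table`, the `SETSIZE_ERROR` sentinel and the two four-byte records are all constructed for the example; the only things taken from the listing are the 0xFFFFFFFF error value and the two `add esi, esi` doublings that turn the count into a byte size. The vulnerable function mirrors the unchecked arithmetic; the hardened function rejects the sentinel and bounds the multiplication before any memory is touched.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sentinel: stands in for the 0xFFFFFFFF that the parser leaves in
 * the count field on a malformed file. The name is hypothetical. */
#define SETSIZE_ERROR 0xFFFFFFFFu

/* Constructed sample records (not from the advisory): a malformed one carrying the
 * error value and a well-formed one declaring 16 entries, both little-endian dwords. */
static const uint8_t bad_rec[4]  = {0xFF, 0xFF, 0xFF, 0xFF};
static const uint8_t good_rec[4] = {0x10, 0x00, 0x00, 0x00};

/* Hypothetical helper: read the entry count from a record. A short record yields the
 * same sentinel the parser uses, so failure is signalled through the value itself
 * rather than through a separate return code, which is what makes it easy to miss. */
uint32_t parse_count(const uint8_t *rec, size_t len) {
    if (len < 4) return SETSIZE_ERROR;
    return (uint32_t)rec[0] | ((uint32_t)rec[1] << 8)
         | ((uint32_t)rec[2] << 16) | ((uint32_t)rec[3] << 24);
}

/* Vulnerable size computation: the stored count is never compared against the
 * sentinel, and the two doublings (the listing's "add esi, esi" pair) wrap on a
 * 32-bit size. 0xFFFFFFFF becomes 0xFFFFFFFC, which is then passed to the
 * allocator and to memset. Computed only; nothing is allocated here. */
uint32_t vulnerable_table_size(uint32_t count) {
    uint32_t size = count;
    size += size;
    size += size;
    return size;
}

/* Hardened size computation: reject the error sentinel and any count whose
 * 4-byte-per-entry size would not fit in the 32-bit size used by the allocator.
 * Returns 0 on success, -1 if the record must be treated as malformed. */
int checked_table_size(uint32_t count, uint32_t *out_size) {
    if (count == SETSIZE_ERROR) return -1;
    if (count > UINT32_MAX / 4u) return -1;   /* count * 4 would overflow */
    *out_size = count * 4u;
    return 0;
}

/* Allocate and zero the table only after the size has been validated. A malformed
 * record returns NULL instead of an oversized memset. */
void *alloc_zeroed_table(const uint8_t *rec, size_t len, uint32_t *out_size) {
    uint32_t size = 0;
    uint32_t count = parse_count(rec, len);
    if (checked_table_size(count, &size) != 0) return NULL;
    void *p = malloc(size);
    if (p == NULL) return NULL;
    memset(p, 0, size);
    *out_size = size;
    return p;
}

int main(void) {
    uint32_t size = 0;
    printf("vulnerable size for 0xFFFFFFFF entries: 0x%08x\n",
           vulnerable_table_size(parse_count(bad_rec, sizeof bad_rec)));
    printf("hardened path on malformed record: %s\n",
           alloc_zeroed_table(bad_rec, sizeof bad_rec, &size) ? "allocated" : "rejected");
    void *t = alloc_zeroed_table(good_rec, sizeof good_rec, &size);
    printf("hardened path on 16 entries: %u bytes %s\n", size, t ? "allocated" : "rejected");
    free(t);
    return 0;
}
```

The check on `UINT32_MAX / 4u` matters even without the sentinel: a count of 0x40000000 is not an error value, yet multiplying it by four also wraps, so the allocation size must be validated against the width the allocator actually uses, not only against the one known bad value.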

Crash Information

    (1f6c.1210): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    *** ERROR: Module load completed but symbols could not be loaded for Infix.exe
    Infix+0x4386e4:
    017286e4 660f7f4150      movdqa  xmmword ptr [ecx+50h],xmm0 ds:002b:03adf000=????????????????????????????????
    0:000:x86> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************


    DUMP_CLASS: 2

    DUMP_QUALIFIER: 0

    FAULTING_IP: 
    Infix+4386e4
    017286e4 660f7f4150      movdqa  xmmword ptr [ecx+50h],xmm0

    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 017286e4 (Infix+0x004386e4)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 03adf000
    Attempt to write to address 03adf000

    FAULTING_THREAD:  00001210

    DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

    PROCESS_NAME:  Infix.exe

    ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

    EXCEPTION_CODE_STR:  c0000005

    EXCEPTION_PARAMETER1:  00000001

    EXCEPTION_PARAMETER2:  03adf000

    FOLLOWUP_IP: 
    Infix+4386e4
    017286e4 660f7f4150      movdqa  xmmword ptr [ecx+50h],xmm0

    WRITE_ADDRESS:  03adf000 

    WATSON_BKT_PROCSTAMP:  58f73f92

    WATSON_BKT_PROCVER:  7.1.5.0

    PROCESS_VER_PRODUCT:  Infix

    WATSON_BKT_MODULE:  Infix.exe

    WATSON_BKT_MODSTAMP:  58f73f92

    WATSON_BKT_MODOFFSET:  4386e4

    WATSON_BKT_MODVER:  7.1.5.0

    MODULE_VER_PRODUCT:  Infix

    BUILD_VERSION_STRING:  10.0.14393.1198 (rs1_release_sec.170427-1353)

    MODLIST_WITH_TSCHKSUM_HASH:  9a4fe3bd340efcdebb41942b61f6875a3e464100

    MODLIST_SHA1_HASH:  ce3c592f64e21469cc60bba09698aa4d4187b3dc

    NTGLOBALFLAG:  70

    APPLICATION_VERIFIER_FLAGS:  0

    PRODUCT_TYPE:  1

    SUITE_MASK:  272

    DUMP_TYPE:  fe

    ANALYSIS_SESSION_HOST:  CLAB

    ANALYSIS_SESSION_TIME:  06-05-2017 13:14:49.0166

    ANALYSIS_VERSION: 10.0.15063.400 amd64fre

    THREAD_ATTRIBUTES: 
    OS_LOCALE:  PLK

    PROBLEM_CLASSES: 

        ID:     [0n292]
        Type:   [@ACCESS_VIOLATION]
        Class:  Addendum
        Scope:  BUCKET_ID
        Name:   Omit
        Data:   Omit
        PID:    [Unspecified]
        TID:    [0x1210]
        Frame:  [0] : Infix

        ID:     [0n265]
        Type:   [INVALID_POINTER_WRITE]
        Class:  Primary
        Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
                BUCKET_ID
        Name:   Add
        Data:   Omit
        PID:    [Unspecified]
        TID:    [0x1210]
        Frame:  [0] : Infix

        ID:     [0n152]
        Type:   [ZEROED_STACK]
        Class:  Addendum
        Scope:  BUCKET_ID
        Name:   Add
        Data:   Omit
        PID:    [0x1f6c]
        TID:    [0x1210]
        Frame:  [0] : Infix

    BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE

    PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

    LAST_CONTROL_TRANSFER:  from 0144b536 to 017286e4

    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    005ae738 0144b536 03a9c528 03a5d2f0 07424448 Infix+0x4386e4
    005ae74c 0144787f 03a5d2f0 03a05ba8 01ca7450 Infix+0x15b536
    005ae76c 01447b8f 03a9c528 00000000 00740001 Infix+0x15787f
    005ae780 01368042 03a5d2f0 00000000 03ab7720 Infix+0x157b8f
    005aea80 01367e6d 03a5d2f0 0c4377ca 03a05ae8 Infix+0x78042
    005aecb0 01367b6a 03a5d2f0 0c43766e 03a05ba8 Infix+0x77e6d
    005aed14 01364e81 0c43765a 03a05ba8 03a05cf8 Infix+0x77b6a
    005aef68 0135b302 03a05ae8 0c437402 ffffffff Infix+0x74e81
    005afd7c 0141dc40 0c4366ca 0170f0da 00000000 Infix+0x6b302
    005afdb0 0170f087 012f0000 00000000 008b1d34 Infix+0x12dc40
    005afe40 763262c4 00636000 763262a0 9d47c008 Infix+0x41f087
    005afe54 77440fd9 00636000 97fb6ad6 00000000 KERNEL32!BaseThreadInitThunk+0x24
    005afe9c 77440fa4 ffffffff 77462f0b 00000000 ntdll_773e0000!__RtlUserThreadStart+0x2f
    005afeac 00000000 0170f0da 00636000 00000000 ntdll_773e0000!_RtlUserThreadStart+0x1b


    THREAD_SHA1_HASH_MOD_FUNC:  a2b85724ec601ad99726087665d3f39d790ae40e

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  4d1ba384990a1d47ae5be0d07d972784b6ce13c9

    THREAD_SHA1_HASH_MOD:  86c7b2bc65373cd9f3c87bb69974533237b82a3c

    FAULT_INSTR_CODE:  417f0f66

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  Infix+4386e4

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: Infix

    IMAGE_NAME:  Infix.exe

    DEBUG_FLR_IMAGE_TIMESTAMP:  58f73f92

    STACK_COMMAND:  ~0s ; kb

    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_Infix.exe!Unknown

    BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_Infix+4386e4

    FAILURE_EXCEPTION_CODE:  c0000005

    FAILURE_IMAGE_NAME:  Infix.exe

    BUCKET_ID_IMAGE_STR:  Infix.exe

    FAILURE_MODULE_NAME:  Infix

    BUCKET_ID_MODULE_STR:  Infix

    FAILURE_FUNCTION_NAME:  Unknown

    BUCKET_ID_FUNCTION_STR:  Unknown

    BUCKET_ID_OFFSET:  4386e4

    BUCKET_ID_MODTIMEDATESTAMP:  58f73f92

    BUCKET_ID_MODCHECKSUM:  d926ba

    BUCKET_ID_MODVER_STR:  7.1.5.0

    BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_

    FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

    FAILURE_SYMBOL_NAME:  Infix.exe!Unknown

    WATSON_STAGEONE_URL:     
    http://watson.microsoft.com/StageOne/Infix.exe/7.1.5.0/58f73f92/Infix.exe/7.1.5.0/58f73f92/c0000005/004386e4.htm?Retriage=1

    TARGET_TIME:  2017-06-05T11:14:58.000Z

    OSBUILD:  14393

    OSSERVICEPACK:  1198

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    OSPLATFORM_TYPE:  x64

    OSNAME:  Windows 10

    OSEDITION:  Windows 10 WinNt SingleUserTS

    USER_LCID:  0

    OSBUILD_TIMESTAMP:  2017-04-28 01:59:37

    BUILDDATESTAMP_STR:  170427-1353

    BUILDLAB_STR:  rs1_release_sec

    BUILDOSVER_STR:  10.0.14393.1198

    ANALYSIS_SESSION_ELAPSED_TIME:  276e

    ANALYSIS_SOURCE:  UM

    FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_infix.exe!unknown

    FAILURE_ID_HASH:  {5c2b2b2e-b2b0-92d7-bf23-0693a8f99652}

    Followup:     MachineOwner
    ---------

Timeline

2017-06-20 - Vendor Disclosure
2017-07-11 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.