Xpdf 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1765220 漏洞类型 代码问题
发布时间 2019-10-03 更新时间 2019-12-12
CVE编号 CVE-2019-17064 CNNVD-ID CNNVD-201910-030
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019100013
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201910-030
|漏洞详情
Xpdf是Foo实验室的一款开源的PDF阅读器。该产品支持解码LZW压缩格式的文件以及阅读加密的PDF文件。 Xpdf 4.02版本中的Catalog.cc存在代码问题漏洞。攻击者可利用该漏洞造成应用程序崩溃。
|漏洞EXP
Exploit Title: NULL pointer dereference
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://www.xpdfreader.com/
# Software Link: https://www.xpdfreader.com/download.html
# CVE: CVE-2019-17064
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-17064
# https://forum.xpdfreader.com/viewtopic.php?f=3&t=41890

*Summary:*
Catalog.cc in Xpdf 4.02 has a NULL pointer dereference because
Catalog.pageLabels is initialized too late in the Catalog constructor.

*BT:*
#0  0x00005555556d1dce in Catalog::~Catalog (this=<optimized out>,
__in_chrg=<optimized out>)
    at /home/input0/Desktop/xpdf-4.02/xpdf/Catalog.cc:295
#1  0x0000555555a1b1d1 in PDFDoc::setup2 (repairXRef=0, userPassword=0x0,
ownerPassword=0x0, this=0x607000000090)
    at /home/input0/Desktop/xpdf-4.02/xpdf/PDFDoc.cc:312
#2  PDFDoc::setup (this=0x607000000090, ownerPassword=0x0,
userPassword=0x0) at /home/input0/Desktop/xpdf-4.02/xpdf/PDFDoc.cc:261
#3  0x0000555555a1bb84 in PDFDoc::PDFDoc (this=0x607000000090,
fileNameA=<optimized out>, ownerPassword=<optimized out>,
    userPassword=<optimized out>, coreA=<optimized out>) at
/home/input0/Desktop/xpdf-4.02/xpdf/PDFDoc.cc:208
#4  0x0000555555674ffb in main (argc=<optimized out>, argv=<optimized out>)
at /home/input0/Desktop/xpdf-4.02/xpdf/pdfdetach.cc:119

*ASAN:*
==28603==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x55d7a4eaadce bp 0x6070000000dc sp 0x7ffc6078b640 T0)
==28603==The signal is caused by a READ memory access.
==28603==Hint: address points to the zero page.
    #0 0x55d7a4eaadcd in Catalog::~Catalog()
/home/input0/Desktop/xpdf-4.02/xpdf/Catalog.cc:295
    #1 0x55d7a51f41d0 in PDFDoc::setup2(GString*, GString*, int)
/home/input0/Desktop/xpdf-4.02/xpdf/PDFDoc.cc:312
    #2 0x55d7a51f41d0 in PDFDoc::setup(GString*, GString*)
/home/input0/Desktop/xpdf-4.02/xpdf/PDFDoc.cc:261
    #3 0x55d7a51f4b83 in PDFDoc::PDFDoc(char*, GString*, GString*,
PDFCore*) /home/input0/Desktop/xpdf-4.02/xpdf/PDFDoc.cc:208
    #4 0x55d7a4e4dffa in main
/home/input0/Desktop/xpdf-4.02/xpdf/pdfdetach.cc:119
    #5 0x7fd635ac1b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #6 0x55d7a4e50579 in _start
(/home/input0/Desktop/xpdf-4.02/build/xpdf/pdfdetach+0x123579)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/input0/Desktop/xpdf-4.02/xpdf/Catalog.cc:295 in Catalog::~Catalog()
==28603==ABORTING

* To reproduce: *
 pdfdetach -list $POC
|参考资料

来源:forum.xpdfreader.com

链接:https://forum.xpdfreader.com/viewtopic.php?f=3&t=41890


来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/154713/Xpdf-4.02-NULL-Pointer-Dereference.html


来源:nvd.nist.gov

链接:https://nvd.nist.gov/vuln/detail/CVE-2019-17064