Poppler v0.62.0 Memory Corruption Vulnerability
CVE: CVE-2018-13988
Category: CWE-119
Price: $5,000 - $25,000
Severity: High
Author: Matthias Gerstner
Risk: High
Exploitation Type: Local
Date: 2018-07-21
CPE: cpe:cpe:/a:poppler_pdf_project:poppler:0.62.0
CVSS vector description (metric, value, and value description)
Attack Vector (AV): Network. The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low. The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): None. The attacker is unauthenticated prior to the attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope (S): An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a "privilege escalation," where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality (C): High. There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): High. There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability (A): High. There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018070202 Below is a copy:
Poppler v0.62.0 Memory Corruption Vulnerability ################
#Title: Poppler v0.62.0 Memory Corruption Vulnerability
#CVE: CVE-2018-13988
#CWE: CWE-119
#Exploit Author: Hosein Askari
#Vendor HomePage: https://poppler.freedesktop.org/
#Version : version 0.62.0 and earlier versions
#Tested on: Ubuntu 18.04 (4.15.0-23-generic)
#Date: July 21 2018
#Category: Application
#Author Mail : [email protected]
#Description: Poppler through 0.62 contains a memory corruption vulnerability due to an incorrect memory access that is not mapped in its memory space (improper handling of objects in memory), as demonstrated by pdfunite. This can result in memory corruption and denial of service. This may be exploitable when a victim opens a specially crafted PDF file.
#Fixed: https://poppler.freedesktop.org/poppler-0.66.0.tar.xz
###############
constantine@constantine:~$ pdfunite crafted.pdf aa.pdf
Segmentation fault (core dumped)
###############
[14925.737845] pdfunite[5097]: segfault at 564d6cf85714 ip 00007f42ac6fd064 sp 00007ffee66adf28 error 4 in libpoppler.so.73.0.0[7f42ac588000+251000]
###############
constantine@constantine:~$ sudo cat /proc/14698/maps
[sudo] password for constantine:
##################
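The kernel segfault line above already answers the advisory's central claim (the faulting address is not mapped): "error 4" on x86 means a read from user mode of a page that is not present, and the `ip` falls inside the libpoppler mapping at a fixed file offset. The following triage helper is added here and is not part of the original advisory; it parses that dmesg line verbatim, decodes the error bits, and checks the fault address against a /proc/PID/maps excerpt. The maps excerpt is constructed for illustration (the listing on the page comes from a different, non-randomized run), so only the dmesg-derived values are real.

```python
import re

# dmesg line quoted in the advisory (Ubuntu 18.04, kernel 4.15), used as sample input.
DMESG_LINE = ("[14925.737845] pdfunite[5097]: segfault at 564d6cf85714 ip 00007f42ac6fd064 "
              "sp 00007ffee66adf28 error 4 in libpoppler.so.73.0.0[7f42ac588000+251000]")

# Constructed /proc/<pid>/maps excerpt for that ASLR-enabled process; the heap end is
# chosen so the fault address lies just past it. Illustrative, not captured output.
MAPS_EXCERPT = """\
564d6cf6a000-564d6cf85000 rw-p 00000000 00:00 0 [heap]
7f42ac588000-7f42ac7d9000 r-xp 00000000 08:01 1442675 /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0
7ffee668e000-7ffee66af000 rw-p 00000000 00:00 0 [stack]
"""

SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) "
    r"sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) in (?P<module>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")

def parse_segfault(line):
    """Extract fields from an x86 'segfault at ... error N in lib[base+size]' line."""
    m = SEGV_RE.search(line)
    if not m:
        raise ValueError("not an x86 segfault line")
    d = m.groupdict()
    return {"comm": d["comm"], "pid": int(d["pid"]), "module": d["module"],
            "addr": int(d["addr"], 16), "ip": int(d["ip"], 16), "sp": int(d["sp"], 16),
            "err": int(d["err"]), "base": int(d["base"], 16), "size": int(d["size"], 16)}

def decode_error(err):
    # x86 page-fault error code: bit0 set = protection violation (clear = page not
    # present), bit1 set = write (clear = read), bit2 set = user mode (clear = kernel).
    return {"present": bool(err & 1), "write": bool(err & 2), "user": bool(err & 4)}

def parse_maps(text):
    """Return (start, end, perms, path) tuples from /proc/<pid>/maps text."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 5)
        lo, hi = (int(x, 16) for x in parts[0].split("-"))
        out.append((lo, hi, parts[1], parts[5] if len(parts) > 5 else ""))
    return out

def find_mapping(maps, addr):
    return next((m for m in maps if m[0] <= addr < m[1]), None)

def triage(dmesg_line, maps_text):
    f = parse_segfault(dmesg_line)
    fault_map = find_mapping(parse_maps(maps_text), f["addr"])
    return {"ip_offset": f["ip"] - f["base"],  # file offset usable with addr2line/objdump
            "ip_in_module": f["base"] <= f["ip"] < f["base"] + f["size"],
            "fault_mapped": fault_map is not None,
            "fault_region": fault_map[3] if fault_map else None,
            **decode_error(f["err"])}
```

For the page's line this yields an ip offset of 0x175064 inside libpoppler.so.73.0.0, a not-present user-mode read, and no mapping containing the fault address; the offset can be resolved against a matching debug build with `addr2line -f -e /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0 0x175064`.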
==14154== Process terminating with default action of signal 11 (SIGSEGV)
==14154== Bad permissions for mapped region at address 0x8A8F4F4
==14154== at 0x4FB1064: XRef::getEntry(int, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9AA7D: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9A8EB: PDFDoc::markDictionnary(Dict*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9AD07: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9ACAE: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9A8EB: PDFDoc::markDictionnary(Dict*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9AD07: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9ACAE: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9A8EB: PDFDoc::markDictionnary(Dict*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9AD07: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9AEDC: PDFDoc::markPageObjects(Dict*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x10A85B: main (in /usr/bin/pdfunite)
Copyright ©2024 Exploitalert.