Multiple Unix/Linux Vendor Xpdf makeFileKey2 Stack Overflow

iDEFENSE Security Advisory 01.18.05

Remote exploitation of a buffer overflow vulnerability in the xpdf PDF viewer included in multiple Unix and Linux distributions could allow for arbitrary code execution as the user viewing a PDF file.

The vulnerability specifically exists due to insufficient bounds checking while processing a PDF file that provides malicious values in the /Encrypt /Length tag. The offending code can be found in the Decrypt::makeFileKey2 function in the source file xpdf/Decrypt.cc….

In this piece of code, the keyLength value is ultimately supplied by the PDF file. This allows an attacker to specify an arbitrarily large value and overwrite portions of stack memory. As a consequence, arbitrary code execution is possible.

III. ANALYSIS

Successful exploitation of this vulnerability leads to arbitrary code execution as the user who opened the malicious file. An attacker would have to convince a target to open the provided file in order to exploit this vulnerability, thus lessening the impact.

Exploitation can be performed reliably, especially with knowledge of the target system.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in version
3.00 of xpdf. It is suspected previous versions are vulnerable.

The following Linux vendors may be affected by this vulnerability:

Novell Inc. (SUSE)
Red Hat Inc.
The Fedora Project
Debian Project
Gentoo Foundation Inc.
The FreeBSD Project
OpenBSD

V. WORKAROUND

Only open PDF files from trusted individuals.

VI. VENDOR RESPONSE

A patch to address this issue is available at:

ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl3.patch

Updated binaries (ver. 3.00pl3) to address this issue are available at:

http://www.foolabs.com/xpdf/download.html