Wednesday, October 26, 2016

Vulnerability Spotlight: Iceni Argus Buffer Overflows

Vulnerabilities discovered by Marcin 'Icewall' Noga of Cisco Talos.

Talos has identified two stack-based buffer overflows (TALOS-2016-0200 & TALOS-2016-0202) in the Iceni Argus pdf content extraction software. This software is used to convert a pdf document into various tagged and xml-based formats (such as XHTML). Software, such as MarkLogic, uses Iceni Argus for pdf document conversions as part of their web based document search and rendering. Both vulnerabilities occur in the PDF to html converter functionality. An attacker can send or provide a specially crafted pdf file that can cause a buffer overflow to trigger either of these vulnerabilities resulting in arbitrary code execution.

CVE-2016-8333 (TALOS-2016-0200) Iceni Argus ipfSetColourStroke Code Execution

CVE-2016-8335 (TALOS-2016-0202) Iceni Argus ipNameAdd Code Execution

Details


CVE-2016-8333 occurs when the `ipfSetColourStroke` function is executed. This function calls `getRealArgArray`, which copies the elements of the `opStack` container without verifying that the source array fits in the destination array. The destination array is fixed at nine 4-byte values. Since data in the pdf defines the elements of the `opStack`, a malformed pdf can create a situation in which the source contains more than nine elements, causing a stack-based buffer overflow that can lead to arbitrary code execution.

CVE-2016-8335 occurs in the ipNameAdd functionality of Iceni Argus. Examining this function, you can easily see the guilty line. The function includes the following call:

strcpy(dest, src);

This occurs without any prior checking of the arguments, a classic example of a buffer overflow. Surprisingly, a length check does exist, but it runs after the strcpy call, which makes it totally ineffective. To reach the overflow, however, the malformed pdf must define a `token` that is not a "regular" named object (objects that start with a `/`), since "regular" named objects never reach the strcpy line during execution.
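As an added illustration (not Iceni's code and not taken from the Talos reports), the C below sketches hardened counterparts of the two copy routines described above: the operand-stack copy refuses more than nine elements instead of overrunning the fixed destination, and the name copy checks length before copying rather than after. The element type (float), function names and buffer sizes are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumption: the destination holds at most nine 4-byte real values,
 * as the advisory describes for getRealArgArray. */
#define MAX_REAL_ARGS 9

/* Hardened counterpart of getRealArgArray (hypothetical name): copies at
 * most MAX_REAL_ARGS operands and rejects an oversized operand stack.
 * Returns the number of values copied, or -1 if the stack does not fit. */
static int get_real_arg_array_checked(const float *op_stack, size_t op_count,
                                      float dest[MAX_REAL_ARGS])
{
    if (op_stack == NULL || op_count > MAX_REAL_ARGS)
        return -1;                       /* malformed pdf operand stack */
    memcpy(dest, op_stack, op_count * sizeof dest[0]);
    return (int)op_count;
}

/* Hardened counterpart of the ipNameAdd copy (hypothetical name): the
 * length check runs BEFORE the copy and is bounded by the destination size. */
static bool name_add_checked(char *dest, size_t dest_size, const char *src)
{
    const char *nul = memchr(src, '\0', dest_size);
    if (nul == NULL)
        return false;                    /* token too long for the buffer */
    memcpy(dest, src, (size_t)(nul - src) + 1);
    return true;
}

/* Exercises both checks on constructed input; returns 1 if every case
 * behaved as intended, 0 otherwise. */
int run_checks(void)
{
    float dest[MAX_REAL_ARGS];
    float ok_stack[3] = {0.5f, 0.25f, 1.0f};
    float big_stack[12] = {0};           /* constructed: more than nine operands */
    char name[8];

    if (get_real_arg_array_checked(ok_stack, 3, dest) != 3 || dest[2] != 1.0f)
        return 0;
    if (get_real_arg_array_checked(big_stack, 12, dest) != -1)
        return 0;                        /* oversized stack must be refused */
    if (!name_add_checked(name, sizeof name, "/Name") || strcmp(name, "/Name") != 0)
        return 0;
    if (name_add_checked(name, sizeof name, "not_a_regular_name_token"))
        return 0;                        /* overlong token must be refused */
    return 1;
}

int main(void)
{
    printf("%s\n", run_checks() ? "all checks passed" : "check failed");
    return 0;
}
```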

Tested Versions


CVE-2016-8333

Iceni Argus Version 6.6.04 (Sep 7 2012) NK

CVE-2016-8335

Iceni Argus Version 6.6.04 (Sep 7 2012) NK - Linux x64
Iceni Argus Version 6.6.04 (Nov 14 2014) NK - Windows x64

Coverage


Talos has released rules that detect attempts to exploit this vulnerability to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 40336-40337, 40484-40487

Full Vulnerability Reports


http://www.talosintelligence.com/reports/TALOS-2016-0200/
http://www.talosintelligence.com/reports/TALOS-2016-0202/
