Tuesday, May 14, 2019

Vulnerability Spotlight: Remote code execution bug in Antenna House Rainbow PDF Office document converter



Emmanuel Tacheau of Cisco Talos discovered this vulnerability.

Executive summary

A buffer overflow vulnerability exists in Antenna House’s Rainbow PDF when the software attempts to convert a PowerPoint document. Rainbow PDF has the ability to convert Microsoft Office 97-2016 documents into a PDF. This particular bug arises when the converter incorrectly checks the bounds of a particular function, causing a vtable pointer to be overwritten. This could allow an attacker to overflow the buffer and gain the ability to execute code remotely on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Antenna House to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Antenna House Rainbow PDF Office server document converter TxMasterStyleAtom parsing code execution vulnerability (TALOS-2019-0792/CVE-2019-5030)

A buffer overflow vulnerability exists in the PowerPoint document conversion function of Rainbow PDF Office Server Document Converter, version 7.0 Pro MR1 (7,0,2019,0220). While parsing a document text info container, the TxMasterStyleAtom::parse function is incorrectly checking the bounds corresponding to the number of style levels, causing a vtable pointer to be overwritten, which leads to code execution.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Rainbow PDF Office Server Document Converter, V7 Pro MR1 for Linux64 (7.0.2019.0220) is affected by this vulnerability.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 42076, 42077

No comments:

Post a Comment