Vulnerabilities discovered by Marcin 'Icewall' Noga from Talos

Overview Talos has discovered multiple vulnerabilities in Hyland Perceptive Document Filters software. This software is a toolkit that allows developers to read and extract metadata from a file. It supports a large set of common file formats. In addition to this the software is also capable of converting file formats.

We identified 4 vulnerabilities that allows an attacker to execute arbitrary code on the vulnerable systems. These vulnerabilities concerns the file conversion features.

The vulnerabilities can be exploited to locally execute code as well as remotely if the framework is used in batch mode by the owners. In this context, the malicious crafted document could be automatically handled by the toolkit and a successful exploitation could result full control of the vulnerable system. The vulnerable features can be used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services. It can convert common formats such as Microsoft's document formats into other format (for example easier to be parsed).

Details

Code Execution

TALOS-2018-0538 (CVE-2018-3855) - Hyland Perceptive Document Filters DOC to HTML updateNumbering Code Execution Vulnerability
This vulnerability impacts the conversion of DOC document to HTML file. A specially crafted DOC file can lead to a stack based buffer overflow and remote code execution.

More details can be found in the vulnerability report:

TALOS-2018-0538

TALOS-2018-0527 (CVE-2018-3844) - Hyland Perceptive Document Filters DOCX to HTML Code Execution Vulnerability
This vulnerability impacts the conversion of DOCX document to HTML file. A specially crafted DOCX file can lead to a use-after-free and remote code execution.

More details can be found in the vulnerability report:

TALOS-2018-0527

TALOS-2018-0528 (CVE-2018-3845) - Hyland Perceptive Document Filters OpenDocument to JPEG conversion SkCanvas Code Execution vulnerability
This vulnerability impacts the conversion of OpenDocument to JPEG file. A crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.

More details can be found in the vulnerability report:

TALOS-2018-0528

TALOS-2018-0534 (CVE-2018-3851) - Hyland Perceptive Document Filters Microsoft Word CDATA Code Execution Vulnerability
There is a vulnerability in the conversion process of a Microsoft Word (xml) to JPG, HTML5 and couple more formats. A specially crafted Microsoft Word (xml) file can lead to heap corruption and remote code execution.

More details can be found in the vulnerability report:

TALOS-2018-0534

Tested Versions:
Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux
Perceptive Document Filters 11.2.0.1732 - x86/x64 Windows/Linux

Coverage
The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 45689, 45690, 45717, 45718, 45750, 45751