Vulnerability discovered by Marcin ’Icewall’ Noga and a member of the Talos VulnDev team.
Overview Talos has discovered multiple vulnerabilities in Iceni Argus PDF content extraction product. Exploiting these vulnerabilities can allow an attacker to gain full control over the victim's machine. Although the main product is deprecated by Iceni, the library is still supported. Iceni has released a patched version that addresses these vulnerabilities. Nevertheless, the library is widely used; MarkLogic is an example of a product that uses Iceni Argus for PDF document conversion as part of their web based document search and rendering.
Details MarkLogic’s conversion tool uses the Argus PDF library from Iceni, in which we have identified the vulnerabilities described below:
TALOS-2016-0210 / CVE-2016-8385, occurs when a user tries to convert a malicious PDF to XML that uses malformed colors. A returned pointer is left uninitialized which leads to a stack based buffer overflow later on. This can lead to code execution under the context of the local user.
TALOS-2016-0211 / CVE-2016-8386 is a heap-based buffer overflow that happens if there is a specially crafted truetype font file embedded inside the PDF and the user tries to convert this PDF to XML. The malicious font can lead to a condition where a buffer is initialized with insufficient size. This can lead to an overflow condition later on which can be used to execute code under the context of the local user.
TALOS-2016-0212 / CVE-2016-8387 is a heap-based buffer overflow in the LZW decoder. Due to a lack of bounds checkings, it is triggered if a user tries to convert a malformed PDF which includes an object encoded with multiple encoding types terminated with an LZW type. This can lead to code execution under the context of the local user.
TALOS-2016-0213 / CVE-2016-8388 describes an arbitrary heap-overwrite vulnerability in Iceni Argus. The unchecked trust in an index within a malicious font enables an attacker to write outside the bounds of a specified array. This can lead to code execution under the context of the local user.
TALOS-2016-0214 / CVE-2016-8389 describes an integer overflow that occurs when the tool tries to convert text from a PDF into a polygon. When the application attempts to initialize the polygon shape, it writes outside of the bounds of a buffer which was initialized with a too small size due to the integer overflow. This can lead to a heap-based buffer overflow when the tool tries to fill the polygon. An attacker can use this to execute code under the context of the local user.
Talos-2016-0228 / CVE-2016-8715 concerns a heap corruption vulnerability which can be used for arbitary code execution. A specially created PDF file that includes a /Size key either set to be negative or larger than a certain value will allow the attacker to write to already initialised portions of the heap. An attacker can use this to cause malicious code to be executed in the context of the local user.
TALOS-2017-0271 / CVE-2017-2777 describes a heap overflow vulnerability in Iceni Argus Version 6.6.05. A specially crafted pdf file can cause an integer overflow which results in a heap overflow if it is converted to XHTML. An attacker can use this to execute code under the context of the local user.
Coverage The following Snort Rules will detect exploitation attempts of this vulnerability. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org
Snort rules: 40917-40926 & 40872-40875 & 41327,41328