#######################################################################

Luigi Auriemma

Application:  SumatraPDF
              http://blog.kowalczyk.info/software/sumatrapdf/free-pdf-reader.html
Versions:     <= 1.9
Platforms:    Windows
Bug:          arbitrary NULL byte writing
Exploitation: via file
Date:         09 Jan 2012
Author:       Luigi Auriemma
e-mail:       aluigi@autistici.org
web:          aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's homepage:
"Sumatra PDF is a free PDF, XPS, DjVu, CHM, CBZ and CBR reader for Windows."

#######################################################################

======
2) Bug
======

In the compiled executable the allocation functions of
mupdf\fitz\base_memory.c contain a particular type of debug-like "throw"
code that writes a 0x00 byte to the memory address equal to the size of
the buffer that could not be allocated.

Example:

  00420CD1  0FAFF7            IMUL ESI,EDI                    ; multiplication
  00420CD4  56                PUSH ESI
  00420CD5  53                PUSH EBX
  00420CD6  E8 90111800       CALL SumatraP.005A1E6B
  00420CDB  8BF8              MOV EDI,EAX
  00420CDD  83C4 08           ADD ESP,8
  00420CE0  85FF              TEST EDI,EDI
  00420CE2  75 20             JNZ SHORT SumatraP.00420D04
  00420CE4  68 782A7600       PUSH SumatraP.00762A78          ; ASCII "fatal error: out of memory"
  00420CE9  E8 171F1800       CALL SumatraP.005A2C05
  00420CEE  83C0 40           ADD EAX,40
  00420CF1  50                PUSH EAX
  00420CF2  E8 C3201800       CALL SumatraP.005A2DBA
  00420CF7  C606 00           MOV BYTE PTR DS:[ESI],0         ; bug
  00420CFA  83C4 08           ADD ESP,8
  00420CFD  C605 00000000 00  MOV BYTE PTR DS:[0],0
  00420D04  8BC7              MOV EAX,EDI
  00420D06  5F                POP EDI
  00420D07  5E                POP ESI
  00420D08  C3                RETN

Obviously it's possible to write the byte at almost any address, because
the multiplication in the code above wraps around at 32 bits, so the
"size" that ends up in ESI (and is then used as the write address) is
the requested size truncated modulo 2^32.
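
As an added illustration (not code from SumatraPDF or mupdf), the C snippet below mirrors the 32-bit wraparound behind the IMUL above and puts it beside a hardened allocation path: the multiplication is checked for overflow before use, and the out-of-memory handler records the failed size for the crash report without writing to an address derived from it. All function and variable names are hypothetical; the real fix in version 2.0 is not described on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: reproduces the 32-bit IMUL in the disassembly.
 * count * size is truncated to 32 bits, so an oversized request silently
 * wraps to a small value. That wrapped value is what the original code
 * then uses as the address of its "crash" write. */
static uint32_t wrapped_total_size(uint32_t count, uint32_t size)
{
    return count * size;  /* unsigned 32-bit wraparound, as in the binary */
}

/* Hardened size computation: refuse any count*size that does not fit in
 * 32 bits instead of letting it wrap. Returns 1 on success, 0 on overflow. */
static int checked_total_size(uint32_t count, uint32_t size, uint32_t *out)
{
    if (count != 0 && size > UINT32_MAX / count)
        return 0;
    *out = count * size;
    return 1;
}

/* Replacement for the crash-on-size trick: keep the requested size
 * visible to a crash dump (global variable, log line) and abort
 * deterministically, with no write through a size-derived pointer. */
static volatile uint32_t g_last_failed_size;

static void crash_abort_safe(uint32_t total_size)
{
    g_last_failed_size = total_size;
    fprintf(stderr, "fatal error: out of memory (%u bytes)\n",
            (unsigned)total_size);
    abort();
}

/* Allocation wrapper built on the checks above. Returns NULL on overflow
 * so the caller can reject the document instead of acting on a wrapped
 * size; a genuine out-of-memory condition still aborts, but safely. */
static void *alloc_checked(uint32_t count, uint32_t size)
{
    uint32_t total;
    if (!checked_total_size(count, size, &total))
        return NULL;
    void *p = malloc(total ? total : 1);
    if (p == NULL)
        crash_abort_safe(total);
    return p;
}
```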

The program uses an exception handler that automatically sends the crash
information to the author before the user acknowledges it (unknown why),
so there may be a chance of exploiting the vulnerability to execute code.

Note that no additional research has been performed; this is just a
quick finding, released only to keep track of this weird problem since I
didn't find other public references.

UPDATE 10 Jan 2012:
the bug is located in a modification of the mupdf library added by
SumatraPDF (I didn't notice it yesterday because I was checking the
original mupdf library):

  /* SumatraPDF: force crash so that we get crash report */
  static void fz_crash_abort(int total_size)
  {
      char *p = (char *)total_size;
      // first try to crash on an address that is equal to total_size.
      // this is a way to easily know the amount memory that was requested
      // from crash report
      *p = 0;
      // if that address was writeable, crash for sure writing to address 0
      p = NULL;
      *p = 0;
  }

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/sumatrapdf_1.pdf

#######################################################################

======
4) Fix
======

No fix.

UPDATE: Fixed in version 2.0

#######################################################################