Artifex MuPDF mujstest 1.10a – Null Pointer Dereference

• Exploit Database
• 13 阅读

• 作者： Agostino Sarubbo
  日期： 2017-02-17
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/42139/

• Source: http://seclists.org/oss-sec/2017/q1/458
  
  Description:
  Mujstest, which is part of mupdf is a scriptable tester for mupdf + js.
  
  A crafted image posted early for another issue, causes a stack overflow.
  
  The complete ASan output:
  
  # mujstest $FILE
  ==32127==ERROR: AddressSanitizer: stack-buffer-overflow on address 
  0x7fff29560b00 at pc 0x00000047cbf3 bp 0x7fff29560630 sp 0x7fff2955fde0
  WRITE of size 1453 at 0x7fff29560b00 thread T0
  #0 0x47cbf2 in __interceptor_strcpy /tmp/portage/sys-devel/llvm-3.9.1-
  r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:548
  #1 0x50e903 in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
  source/platform/x11/jstest_main.c:358:7
  #2 0x7f68df3c578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-
  r3/work/glibc-2.23/csu/../csu/libc-start.c:289
  #3 0x41bc18 in _init (/usr/bin/mujstest+0x41bc18)
  
  Address 0x7fff29560b00 is located in stack of thread T0 at offset 1056 in 
  frame
  #0 0x50c45f in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
  source/platform/x11/jstest_main.c:293
  
  This frame has 7 object(s):
  [32, 1056) 'path'
  [1184, 2208) 'text' <== Memory access at offset 1056 partially underflows 
  this variable
  [2336, 2340) 'w' <== Memory access at offset 1056 partially underflows 
  this variable
  [2352, 2356) 'h' <== Memory access at offset 1056 partially underflows 
  this variable
  [2368, 2372) 'x' <== Memory access at offset 1056 partially underflows 
  this variable
  [2384, 2388) 'y' <== Memory access at offset 1056 partially underflows 
  this variable
  [2400, 2404) 'b' 0x1000652a4160:[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 
  f2 f2
  0x1000652a4170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a4180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a4190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a41a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a41b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone: fa
  Heap right redzone:fb
  Freed heap region: fd
  Stack left redzone:f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return:f5
  Stack use after scope: f8
  Global redzone:f9
  Global init order: f6
  Poisoned by user:f7
  Container overflow:fc
  Array cookie:ac
  Intra object redzone:bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone:cb
  ==32127==ABORTING
  
  Affected version:
  1.10a
  
  Fixed version:
  N/A
  
  Commit fix:
  N/A
  
  Credit:
  This bug was discovered by Agostino Sarubbo of Gentoo.
  
  CVE:
  CVE-2017-6060
  
  Reproducer:
  https://github.com/asarubbo/poc/blob/master/00147-mupdf-mujstest-stackoverflow-main
  
  Timeline:
  2017-02-05: bug discovered and reported to upstream
  2017-02-17: blog post about the issue
  2017-02-17: CVE assigned via cveform.mitre.org
  
  Note:
  This bug was found with Address Sanitizer.
  
  Permalink:
  mupdf: mujstest: stack-based buffer overflow in main (jstest_main.c)
  
  
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42139.zip