PDF Form Filling and Flattening Tool Buffer Overflow
Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: PDF Form Filling and Flattening Tool Buffer Overflow Release Date: 2006-05-23 Application: PDF Tools AG - PDF Form Filling and Flattening Tool Version: 3.0 (Windows) (other versions and platforms untested) Severity: High Author: George D. Gal <ggal_at_vsecurity.com> Vendor Status: Vendor Notified, Fix Available CVE Candidate: CVE-2006-2549 Reference: http://www.vsecurity.com/bulletins/advisories/2006/pdf-form-filling.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product Description: > From the pdf-tools.com website: "PDF Tools AG is a world leader in PDF (The Adobe Portable Document Format) programming technology, delivering reliable PDF products to international customers in virtually all market segments." "PDF Form Filling and Flattening Tool is a command line tool that can create, edit, fill in and delete form fields in a PDF document." Vulnerability Overview: On April 18th, 2006 VSR has identified a stack overflow in the PDF Tools AG PDF Form Filling and Flattening tool. Although this is a traditional command line utility there may be a risk to those users of the application who use it within web application or a network service, particularly when relying on user supplied input to generate the PDF form field name or value pairs. In situations where user supplied input is used to populate a control file of name value pairs without sufficient input validation the form field names are susceptible to overflow. The buffer overflow occurs as a direct result of unsafe string copy operations to a 256 byte fixed length buffer. The binary is also susceptible to overflows of the PDF form field names when specified on the command line instead of within a control file. The following command may be used to check for the existence of the vulnerability in the PDF form filling and flattening tool: ./pdformp.exe input.pdf output.pdf `perl -e 'print "A"x260;'`=foo Vendor Response: PDF Tools AG was first notified on 2006-04-19. The following time line outlines the responses from the vendor regarding this issue: 2006-04-20 - Acknowledgment of security notification received from VSR. Vendor stated that they only support registered customers of the product. 2006-05-02 - Vendor response acknowledging overflow which will be resolved in the next pre-release version. 2006-05-10 - Vendor response providing estimated release schedule. 2006-05-15 - Vendor response notifying VSR of publicly released fix. Recommendation: PDF Tools AG customers should upgrade to the latest build of the PDF Form Filling and Flattening tool (build 188.8.131.52) released on May 10th 2006. The upgrade is available via: http://www.pdf-tools.com/asp/products.asp?name=FF&type=shell -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CVE-2006-2549 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- References: 1. PDF Tools AG Form Filling and Flattening Tool http://www.pdf-tools.com/asp/products.asp?name=FF&type=shell -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Vulnerability Disclosure Policy: http://www.vsecurity.com/disclosurepolicy.html -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Copyright 2006 Virtual Security Research, LLC. All rights reserved.
To view the advisory as a txt. click here.
Editor’s note: This work was originally published by VSR on their website at https://www.vsecurity.com/resources/advisories.html. VSR is now a part of NCC Group, so we have migrated this content to research.nccgroup.com. The advisory text as above has been copy-pasted to this blog for historical reference.