Headline
CVE-2020-22336: pdfcrack / Bugs
An issue was discovered in pdfcrack 0.17 thru 0.18, allows attackers to execute arbitrary code via a stack overflow in the MD5 function.
- Summary
- Files
- Reviews
- Support
- Tickets ▾
- Bugs
- Support Requests
- Patches
- Feature Requests
- News
- Discussion
Menu ▾ ▴
#12 stack-buffer-overflow
Status: closed
Priority: 9
Updated: 2020-04-24
Created: 2020-02-29
Private: No
hi, i find a stack over-flow when to calculate md5 value.
crashed datas can find in https://github.com/p1ay8y3ar/crashdatas/tree/master/padcrack/29022020
here is ASAN says
freedom@ubuntu:~/Downloads/pdfcrack-0.18$ ./pdfcrack -l /home/freedom/Desktop/pdfcrack/pdfcrack-0.17/o/crashes/id\:000000\,sig\:06\,src\:000072\,op\:ext_AO\,pos\:28 ================================================================= ==5441==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe99b24673 at pc 0x55929a48d42c bp 0x7ffe99b24430 sp 0x7ffe99b24420 READ of size 1 at 0x7ffe99b24673 thread T0 #0 0x55929a48d42b in md5 /home/freedom/Downloads/pdfcrack-0.18/md5.c:79 #1 0x55929a48da1c in md5_50s /home/freedom/Downloads/pdfcrack-0.18/md5.c:202 #2 0x55929a48e445 in isUserPasswordRev3 /home/freedom/Downloads/pdfcrack-0.18/pdfcrack.c:261 #3 0x55929a494d3a in initPDFCrack /home/freedom/Downloads/pdfcrack-0.18/pdfcrack.c:678 #4 0x55929a477b4d in main /home/freedom/Downloads/pdfcrack-0.18/main.c:304 #5 0x7f5726b4d1e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2) #6 0x55929a47909d in _start (/home/freedom/Downloads/pdfcrack-0.18/pdfcrack+0x809d)
Address 0x7ffe99b24673 is located in stack of thread T0 at offset 83 in frame #0 0x55929a48e26f in isUserPasswordRev3 /home/freedom/Downloads/pdfcrack-0.18/pdfcrack.c:253
This frame has 3 object(s): [32, 48) ‘test’ (line 254) [64, 80) ‘enckey’ (line 254) <== Memory access at offset 83 overflows this variable [96, 112) ‘tmpkey’ (line 254) HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /home/freedom/Downloads/pdfcrack-0.18/md5.c:79 in md5 Shadow bytes around the buggy address: 0x10005335c870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10005335c880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10005335c890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 0x10005335c8a0: f1 f1 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 0x10005335c8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10005335c8c0: 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 00 00[f2]f2 0x10005335c8d0: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 0x10005335c8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 0x10005335c8f0: f1 f1 00 00 f2 f2 00 00 f3 f3 00 00 00 00 00 00 0x10005335c900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10005335c910: 00 00 00 00 00 00 f1 f1 f1 f1 01 f2 f8 f2 00 f2 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==5441==ABORTING
1 Attachments
Discussion
Log in to post a comment.