Headline
CVE-2018-3851: TALOS-2018-0534 || Cisco Talos Intelligence Group
In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, an exploitable stack-based buffer overflow exists in the DOC-to-HTML conversion functionality of the Hyland Perceptive Document Filters version 11.4.0.2647. A crafted .doc document can lead to a stack-based buffer, resulting in direct code execution.
Summary
An exploitable heap corruption exists in the Microsoft Word to many types conversion functionality of the Hyland Perspective Document Filters version 11.4.0.2647. A crafted Microsoft Word (XML) document can lead to heap corruption resulting in remote code execution. An attacker can provide a specially crafted file to trigger this vulnerability.
Tested Versions
Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux
Product URLs
https://www.hyland.com/en/perceptive#docfilters
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-787: Out-of-bounds Write
Details
This vulnerability is present in the Hyland Document filter conversion which is used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services.
It can convert common formats such as Microsoft’s document formats into more usable and easily viewed formats. There is a vulnerability in the conversion process of a Microsoft Word (XML) to JPEG, HTML5 and several other formats. A specially crafted Microsoft Word (XML) file can lead to heap corruption and remote code execution. Let’s investigate this vulnerability:
After we attempt to convert a malicious Microsoft Word (xml) using the Hyland library we see the following state:
isys_doc2text --html5 -o /tmp malformed_doc.xml
[1] File type: Microsoft Word (25); Capabilities: 3 - malformed_doc.xml
Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned () at ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:628
628 ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(rr) bt
#0 __memcpy_sse2_unaligned () at ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:628
#1 0xf6028fef in ISYS_NS::CMemoryStream::Write(void const*, unsigned int) () from ./libISYSshared.so
#2 0xf5fe3c75 in ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) () from ./libISYSshared.so
#3 0xf5fe392f in ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) () from ./libISYSshared.so
#4 0xf5fe392f in ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) () from ./libISYSshared.so
#5 0xf5fdf815 in ISYS_NS::XML::XMLNode::xml(std::string&) () from ./libISYSshared.so
#6 0xf614ae9e in ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) () from ./libISYSshared.so
#7 0xf61414c0 in ISYS_NS::CMSWord2003XML::needFileList() () from ./libISYSshared.so
#8 0xf61416a9 in ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) () from ./libISYSshared.so
#9 0xf4aa8ecc in ?? () from ./libISYSreadershd.so
#10 0xf4aa9ef5 in ?? () from ./libISYSreadershd.so
#11 0xf4c3920f in ?? () from ./libISYSreadershd.so
#12 0xf4e7a5d5 in ?? () from ./libISYSreadershd.so
#13 0xf515b6e8 in ?? () from ./libISYSreadershd.so
#14 0xf5163492 in ?? () from ./libISYSreadershd.so
#15 0xf58eeeb3 in ?? () from ./libISYSreaders.so
#16 0xf58f455d in ?? () from ./libISYSreaders.so
#17 0xf7ebc5e3 in IGR_Open_Stream_Ex () from ./libISYS11df.so
#18 0x080590eb in ?? ()
#19 0x08061690 in ?? ()
#20 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#21 0xf60f873d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#22 0xf6104ff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#23 0xf6101524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#24 0x08054e88 in ?? ()
#25 0xf5a72637 in __libc_start_main (main=0x8054d40, argc=5, argv=0xffb76ed4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f04880 <_dl_fini>, stack_end=0xffb76ecc) at ../csu/libc-start.c:291
#26 0x080531b1 in ?? ()
gdb-peda$ context
[----------------------------------registers-----------------------------------]
EAX: 0xfff9de36
EBX: 0x98b7000
ECX: 0x9877500 (".microsoft.com/aml/2001/core\" xml:space=\"preserve\">\n\t<w:body>\n\t\t<w:tc>\n\t\t\t<w:t><![CDATA[]]></generic-file>]]></w:t>\n\t\t</w:tc>\n\t</w:body>\n</w:wordDocument>")
EDX: 0x9877558 ("]]></generic-file>]]></w:t>\n\t\t</w:tc>\n\t</w:body>\n</w:wordDocument>")
ESI: 0xffb747e4 --> 0xf7e9bda8 (:CMemoryStream+8>: 0xf602a180)
EDI: 0xffffffff
EBP: 0xffb745d8 --> 0xffb74678 --> 0xffb74718 --> 0xffb747b8 --> 0xffb74818 --> 0xffb748a8 (--> ...)
ESP: 0xffb745a8 --> 0xf7ea834c --> 0x205a0e0
EIP: 0xf5b80fff --> 0x3e70f66
EFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0xf5b80fed <__memcpy_sse2_unaligned+621>: movdqu xmm5,XMMWORD PTR [ebx+eax*1+0x50]
0xf5b80ff3 <__memcpy_sse2_unaligned+627>: movdqu xmm6,XMMWORD PTR [ebx+eax*1+0x60]
0xf5b80ff9 <__memcpy_sse2_unaligned+633>: movdqu xmm7,XMMWORD PTR [ebx+eax*1+0x70]
=> 0xf5b80fff <__memcpy_sse2_unaligned+639>: movntdq XMMWORD PTR [ebx],xmm0
0xf5b81003 <__memcpy_sse2_unaligned+643>: movntdq XMMWORD PTR [ebx+0x10],xmm1
0xf5b81008 <__memcpy_sse2_unaligned+648>: movntdq XMMWORD PTR [ebx+0x20],xmm2
0xf5b8100d <__memcpy_sse2_unaligned+653>: movntdq XMMWORD PTR [ebx+0x30],xmm3
0xf5b81012 <__memcpy_sse2_unaligned+658>: movntdq XMMWORD PTR [ebx+0x40],xmm4
[------------------------------------stack-------------------------------------]
0000| 0xffb745a8 --> 0xf7ea834c --> 0x205a0e0
0004| 0xffb745ac --> 0xf6028fef (:CMemoryStream::Write(void const*, unsigned int)+63>: 0x89f0458b)
0008| 0xffb745b0 --> 0x9877558 ("]]></generic-file>]]></w:t>\n\t\t</w:tc>\n\t</w:body>\n</w:wordDocument>")
0012| 0xffb745b4 --> 0x981538e ("]]></generic-file>]]></w:t>\n\t\t</w:tc>\n\t</w:body>\n</w:wordDocument>")
0016| 0xffb745b8 --> 0xffffffff
0020| 0xffb745bc --> 0xffb74620 --> 0xf5df806c (:string::_Rep::_S_empty_rep_storage+12>: 0x00000000)
0024| 0xffb745c0 --> 0xf63b9287 ("<![CDATA[")
0028| 0xffb745c4 --> 0xf63b9290 --> 0x3e5d5d00 ('')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
gdb-peda$
As we can see, an out of bounds write appeared during a memcpy operation causing access violation. Stepping back we see that the memcpy function was called with the following parameters:
[-------------------------------------code-------------------------------------]
0xf6028fe5 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+53>: mov edx,DWORD PTR [ebp+0xc]
0xf6028fe8 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+56>: push edx
0xf6028fe9 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+57>: push eax
=> 0xf6028fea <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+58>: call 0xf5fc77ec <memcpy@plt>
0xf6028fef <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+63>: mov eax,DWORD PTR [ebp-0x10]
0xf6028ff2 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+66>: mov DWORD PTR [esi+0xc],eax
0xf6028ff5 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+69>: add esp,0x10
0xf6028ff8 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+72>: mov eax,edi
Guessed arguments:
arg[0]: 0x9877558 (""...)
arg[1]: 0x981538e ("]]>...")
arg[2]: 0xffffffff
So the size parameter is set to 0xffffffff ( -1 ) which explains why the memcpy operation ended up with an access violation. Why does the size parameter have that value? Tracking code execution back, we end up in the place where it is calculated:
Line 1 ISYS_NS::XML::CXMLDocumentImpl *__cdecl ISYS_NS::XML::CXMLDocumentImpl::load(ISYS_NS::XML::CXMLDocumentImpl *this)
Line 2 {
Line 3 (...)
Line 4 if ( *CDATAElement != '!' )
Line 5 goto LABEL_17;
Line 6 v2 = CDATAElement + 1;
Line 7 v9 = CDATAElement[1];
Line 8 if ( v9 == '[' )
Line 9 {
Line 10 if ( CDATAElement[2] == 'C'
Line 11 && CDATAElement[3] == 'D'
Line 12 && CDATAElement[4] == 'A'
Line 13 && CDATAElement[5] == 'T'
Line 14 && CDATAElement[6] == 'A'
Line 15 && CDATAElement[7] == '[' )
Line 16 {
Line 17 CDATAElementTextBeg = CDATAElement + 8;
Line 18 v48 = (ISYS_NS::XML::XMLNode *)ISYS_NS::XML::CXMLDocumentImpl::addNode(this, &byte_F64729AE, 0, 3, v45);
Line 19 v26 = CDATAElement[8];
Line 20 if ( !v26 )
Line 21 {
Line 22 v28 = CDATAElement + 8;
Line 23 v39 = 0;
Line 24 LABEL_91:
Line 25 ISYS_NS::XML::CXMLDocumentImpl::setTextContent(this, v48, CDATAElementTextBeg, v39, 0);
Line 26 goto LABEL_87;
Line 27 }
Line 28 CDATAElementTextEnd = CDATAElement + 8;
Line 29 while ( 2 )
Line 30 {
Line 31 if ( v26 == ']' )
Line 32 {
Line 33 v28 = CDATAElementTextEnd + 1;
Line 34 if ( CDATAElementTextEnd[1] != ']' )
Line 35 goto LABEL_49;
Line 36 if ( CDATAElementTextEnd[2] == '>' )
Line 37 {
Line 38 ISYS_NS::XML::CXMLDocumentImpl::setTextContent(
Line 39 this,
Line 40 v48,
Line 41 CDATAElementTextBeg,
Line 42 CDATAElementTextEnd - 1 - CDATAElementTextBeg,
Line 43 0);
Line 44 v28 = CDATAElementTextEnd + 2;
Line 45 LABEL_87:
Line 46 v45 = (ISYS_NS::XML::XMLNode *)*((_DWORD *)v48 + 1);
Line 47 v2 = v28 + 1;
Line 48 goto LABEL_9;
Line 49 }
Line 50 }
Line 51 else
Line 52 {
Line 53 v28 = CDATAElementTextEnd + 1;
Line 54 LABEL_49:
Line 55 v26 = *v28;
Line 56 if ( !*v28 )
Line 57 {
Line 58 v39 = v28 - CDATAElementTextBeg;
Line 59 goto LABEL_91;
Line 60 }
Line 61 }
Line 62 CDATAElementTextEnd = v28;
Line 63 continue;
Line 64 }
Line 65 }
The memcpy size parameter value is calculated at line 43 which is an argument for the ISYS_NS::XML::CXMLDocumentImpl::setTextContent function call. Generally speaking, this fragment of code is responsible for finding the CDATA section in an XML document and measuring the text length that this section contains. In our example the CDATA section does not contain any text, so the calculations made at line 43 where:
CDATAElementTextBeg == CDATAElementTextEnd
will end up with a value equal -1. Later, as we saw above, so huge unsigned value is used in the memcpy operation leads to heap corruption and which an attacker could potentially leverage to gain remote code execution.
Crash Information
File type: Microsoft Word (25); Capabilities: 3 - malformed_doc.xml
==85982== Invalid read of size 2
==85982== at 0x4030F1C: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==85982== by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x433A4BF: ISYS_NS::CMSWord2003XML::needFileList() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x433A6A8: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== Address 0x6b3e846 is 510 bytes inside a block of size 511 alloc'd
==85982== at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==85982== by 0x61B9D45: std::string::_Rep::_S_create(unsigned int, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982== by 0x61BAF18: std::string::_Rep::_M_clone(std::allocator<char> const&, unsigned int) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982== by 0x61BAFD9: std::string::reserve(unsigned int) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982== by 0x61BB48B: std::string::append(unsigned int, char) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982== by 0x61BB569: std::string::resize(unsigned int, char) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982== by 0x41DB027: ISYS_NS::XML::CXMLDocument::load(ISYS_NS::CStream*, ISYS_NS::XML::XML_ENCODING) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x43391B9: ISYS_NS::CMSOfficeXML::CMSOfficeXML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x433A661: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==
==85982== Invalid read of size 2
==85982== at 0x4030F10: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==85982== by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x433A4BF: ISYS_NS::CMSWord2003XML::needFileList() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x433A6A8: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== Address 0x6b3e848 is 1 bytes after a block of size 511 alloc'd
==85982== at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==85982== by 0x61B9D45: std::string::_Rep::_S_create(unsigned int, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982== by 0x61BAF18: std::string::_Rep::_M_clone(std::allocator<char> const&, unsigned int) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982== by 0x61BAFD9: std::string::reserve(unsigned int) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982== by 0x61BB48B: std::string::append(unsigned int, char) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982== by 0x61BB569: std::string::resize(unsigned int, char) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)
==85982== by 0x41DB027: ISYS_NS::XML::CXMLDocument::load(ISYS_NS::CStream*, ISYS_NS::XML::XML_ENCODING) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x43391B9: ISYS_NS::CMSOfficeXML::CMSOfficeXML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x433A661: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==
==85982== Invalid write of size 2
==85982== at 0x4030F13: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==85982== by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x433A4BF: ISYS_NS::CMSWord2003XML::needFileList() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x433A6A8: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== Address 0x6b42980 is 0 bytes after a block of size 8,192 alloc'd
==85982== at 0x402C17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==85982== by 0x4221DAB: ISYS_NS::CMemoryStream::_malloc(unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x4221E0F: ISYS_NS::CMemoryStream::Realloc(unsigned int*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x4221ED6: ISYS_NS::CMemoryStream::SetCapacity(unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x422205C: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DC7AC: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x433A4BF: ISYS_NS::CMSWord2003XML::needFileList() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x433A6A8: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982==
==85982==
==85982== Process terminating with default action of signal 11 (SIGSEGV)
==85982== Bad permissions for mapped region at address 0x7140000
==85982== at 0x4030F13: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==85982== by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x433A4BF: ISYS_NS::CMSWord2003XML::needFileList() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x433A6A8: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==85982== Invalid read of size 4
==85982== at 0x63D2015: tdestroy_recurse (tsearch.c:639)
==85982== by 0x63D202D: tdestroy_recurse (tsearch.c:640)
==85982== by 0x6431977: free_mem (in /lib/i386-linux-gnu/libc-2.23.so)
==85982== by 0x6431B09: __libc_freeres (in /lib/i386-linux-gnu/libc-2.23.so)
==85982== by 0x4026506: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-x86-linux.so)
==85982== by 0xFFFFFFFB: ???
==85982== by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== Address 0x1b54 is not stack'd, malloc'd or (recently) free'd
==85982==
==85982==
==85982== Process terminating with default action of signal 11 (SIGSEGV)
==85982== Access not within mapped region at address 0x1B54
==85982== at 0x63D2015: tdestroy_recurse (tsearch.c:639)
==85982== by 0x63D202D: tdestroy_recurse (tsearch.c:640)
==85982== by 0x6431977: free_mem (in /lib/i386-linux-gnu/libc-2.23.so)
==85982== by 0x6431B09: __libc_freeres (in /lib/i386-linux-gnu/libc-2.23.so)
==85982== by 0x4026506: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-x86-linux.so)
==85982== by 0xFFFFFFFB: ???
==85982== by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)
==85982== If you believe this happened as a result of a stack
==85982== overflow in your program's main thread (unlikely but
==85982== possible), you can try to increase the size of the
==85982== main thread stack using the --main-stacksize= flag.
==85982== The main thread stack size used in this run was 8388608.
==85982==
==85982== HEAP SUMMARY:
==85982== in use at exit: 788,001 bytes in 10,974 blocks
==85982== total heap usage: 57,614 allocs, 46,640 frees, 22,967,606 bytes allocated
==85982==
==85982== LEAK SUMMARY:
==85982== definitely lost: 195,319 bytes in 3,959 blocks
==85982== indirectly lost: 215,017 bytes in 5,663 blocks
==85982== possibly lost: 44,931 bytes in 657 blocks
==85982== still reachable: 332,734 bytes in 695 blocks
==85982== of which reachable via heuristic:
==85982== stdstring : 8,026 bytes in 399 blocks
==85982== suppressed: 0 bytes in 0 blocks
==85982== Rerun with --leak-check=full to see details of leaked memory
==85982==
==85982== For counts of detected and suppressed errors, rerun with: -v
==85982== ERROR SUMMARY: 9016847 errors from 4 contexts (suppressed: 0 from 0)
Timeline
2018-02-27 - Vendor Disclosure
2018-03-22 - Vendor patched
2018-04-26 - Public Release
Discovered by Marcin ‘Icewall’ Noga of Cisco Talos.