Headline
CVE-2017-2863: TALOS-2017-0367 || Cisco Talos Intelligence Group
An out-of-bounds write vulnerability exists in the PDF parsing functionality of Infix 7.1.5. A specially crafted PDF file can cause a vulnerability resulting in potential memory corruption. An attacker can send the victim a specific PDF file to trigger this vulnerability.
Summary
An out-of-bounds write vulnerability exists in the PDF parsing functionality of Infix 7.1.5. A specially crafted PDF file can cause a vulnerability resulting in potential memory corruption. An attacker can send the victim a specific PDF file to trigger this vulnerability.
Tested Versions
- Infix 7.1.5.0
Product URLs
http://www.iceni.com
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-787 - Out-of-bounds Write
Details
An remote memory corruption vulnerability exists in the PDF parsing functionality of Infix. A specially crafted PDF file can cause a vulnerability resulting in potential memory corruption.
The vulnerable code is located in the Infix.exe file:
.text:0016B6E6 loc_16B6E6: ; CODE XREF: sub_16B550+16Cj
.text:0016B6E6 mov ecx, [eax+4]
.text:0016B6E9 mov eax, edi
.text:0016B6EB mov [edi+248h], ecx
.text:0016B6F1 call SetSize?
.text:0016B6F6 test eax, eax
.text:0016B6F8 jnz loc_16B5F8
.text:0016B6FE mov esi, [edi+23Ch]
.text:0016B704 mov ebx, [ebx+10h]
.text:0016B707 add esi, esi
.text:0016B709 add esi, esi
.text:0016B70B mov ecx, esi
.text:0016B70D call GetMem
.text:0016B712 push esi ; size_t
.text:0016B713 push 0 ; int
.text:0016B715 push eax ; void *
.text:0016B716 mov [edi+238h], eax
.text:0016B71C call _memset
The function SetSize? sets up the dword value located at EDI+23Ch. When a malformed file is being parsed this value is set to 0xFFFFFFFF which normally should indicate an error. However, due to further lack of error checking conditions this value (0xFFFFFFFF) is later used as an argument to memset function (size parameter) which causes the memory corruption to occur.
Crash Information
(1f6c.1210): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for Infix.exe
Infix+0x4386e4:
017286e4 660f7f4150 movdqa xmmword ptr [ecx+50h],xmm0 ds:002b:03adf000=????????????????????????????????
0:000:x86> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
Infix+4386e4
017286e4 660f7f4150 movdqa xmmword ptr [ecx+50h],xmm0
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 017286e4 (Infix+0x004386e4)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 03adf000
Attempt to write to address 03adf000
FAULTING_THREAD: 00001210
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE
PROCESS_NAME: Infix.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 03adf000
FOLLOWUP_IP:
Infix+4386e4
017286e4 660f7f4150 movdqa xmmword ptr [ecx+50h],xmm0
WRITE_ADDRESS: 03adf000
WATSON_BKT_PROCSTAMP: 58f73f92
WATSON_BKT_PROCVER: 7.1.5.0
PROCESS_VER_PRODUCT: Infix
WATSON_BKT_MODULE: Infix.exe
WATSON_BKT_MODSTAMP: 58f73f92
WATSON_BKT_MODOFFSET: 4386e4
WATSON_BKT_MODVER: 7.1.5.0
MODULE_VER_PRODUCT: Infix
BUILD_VERSION_STRING: 10.0.14393.1198 (rs1_release_sec.170427-1353)
MODLIST_WITH_TSCHKSUM_HASH: 9a4fe3bd340efcdebb41942b61f6875a3e464100
MODLIST_SHA1_HASH: ce3c592f64e21469cc60bba09698aa4d4187b3dc
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
ANALYSIS_SESSION_HOST: CLAB
ANALYSIS_SESSION_TIME: 06-05-2017 13:14:49.0166
ANALYSIS_VERSION: 10.0.15063.400 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: PLK
PROBLEM_CLASSES:
ID: [0n292]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x1210]
Frame: [0] : Infix
ID: [0n265]
Type: [INVALID_POINTER_WRITE]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x1210]
Frame: [0] : Infix
ID: [0n152]
Type: [ZEROED_STACK]
Class: Addendum
Scope: BUCKET_ID
Name: Add
Data: Omit
PID: [0x1f6c]
TID: [0x1210]
Frame: [0] : Infix
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
LAST_CONTROL_TRANSFER: from 0144b536 to 017286e4
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
005ae738 0144b536 03a9c528 03a5d2f0 07424448 Infix+0x4386e4
005ae74c 0144787f 03a5d2f0 03a05ba8 01ca7450 Infix+0x15b536
005ae76c 01447b8f 03a9c528 00000000 00740001 Infix+0x15787f
005ae780 01368042 03a5d2f0 00000000 03ab7720 Infix+0x157b8f
005aea80 01367e6d 03a5d2f0 0c4377ca 03a05ae8 Infix+0x78042
005aecb0 01367b6a 03a5d2f0 0c43766e 03a05ba8 Infix+0x77e6d
005aed14 01364e81 0c43765a 03a05ba8 03a05cf8 Infix+0x77b6a
005aef68 0135b302 03a05ae8 0c437402 ffffffff Infix+0x74e81
005afd7c 0141dc40 0c4366ca 0170f0da 00000000 Infix+0x6b302
005afdb0 0170f087 012f0000 00000000 008b1d34 Infix+0x12dc40
005afe40 763262c4 00636000 763262a0 9d47c008 Infix+0x41f087
005afe54 77440fd9 00636000 97fb6ad6 00000000 KERNEL32!BaseThreadInitThunk+0x24
005afe9c 77440fa4 ffffffff 77462f0b 00000000 ntdll_773e0000!__RtlUserThreadStart+0x2f
005afeac 00000000 0170f0da 00636000 00000000 ntdll_773e0000!_RtlUserThreadStart+0x1b
THREAD_SHA1_HASH_MOD_FUNC: a2b85724ec601ad99726087665d3f39d790ae40e
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 4d1ba384990a1d47ae5be0d07d972784b6ce13c9
THREAD_SHA1_HASH_MOD: 86c7b2bc65373cd9f3c87bb69974533237b82a3c
FAULT_INSTR_CODE: 417f0f66
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Infix+4386e4
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Infix
IMAGE_NAME: Infix.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 58f73f92
STACK_COMMAND: ~0s ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_Infix.exe!Unknown
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_Infix+4386e4
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: Infix.exe
BUCKET_ID_IMAGE_STR: Infix.exe
FAILURE_MODULE_NAME: Infix
BUCKET_ID_MODULE_STR: Infix
FAILURE_FUNCTION_NAME: Unknown
BUCKET_ID_FUNCTION_STR: Unknown
BUCKET_ID_OFFSET: 4386e4
BUCKET_ID_MODTIMEDATESTAMP: 58f73f92
BUCKET_ID_MODCHECKSUM: d926ba
BUCKET_ID_MODVER_STR: 7.1.5.0
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: Infix.exe!Unknown
WATSON_STAGEONE_URL:
http://watson.microsoft.com/StageOne/Infix.exe/7.1.5.0/58f73f92/Infix.exe/7.1.5.0/58f73f92/c0000005/004386e4.htm?Retriage=1
TARGET_TIME: 2017-06-05T11:14:58.000Z
OSBUILD: 14393
OSSERVICEPACK: 1198
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: 2017-04-28 01:59:37
BUILDDATESTAMP_STR: 170427-1353
BUILDLAB_STR: rs1_release_sec
BUILDOSVER_STR: 10.0.14393.1198
ANALYSIS_SESSION_ELAPSED_TIME: 276e
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_infix.exe!unknown
FAILURE_ID_HASH: {5c2b2b2e-b2b0-92d7-bf23-0693a8f99652}
Followup: MachineOwner
---------
Timeline
2017-06-20 - Vendor Disclosure
2017-07-11 - Public Release
Discovered by Piotr Bania of Cisco Talos.