Headline

CVE-2023-33802: GitHub - CDACesec/CVE-2023-33802

A buffer overflow in SumatraPDF Reader v3.4.6 allows attackers to cause a Denial of Service (DoS) via a crafted text file.

1 year ago

CVE

Open in Source

#vulnerability #mac #windows #microsoft #dos #git #pdf #buffer_overflow

**CVE-2023-33802****SumatraPDF 3.4.6 -32-bit Denial Of Services (DoS)******Description****

In this bug, a crash is addressed which is manifested when we open two large size text files (first.txt & second.txt) as input to SumatraPDF 32 bit.
Run the following command, or you can manually open the both files in SumatraPDF 32 bit(3.4.6).

SumatraPDF.exe first.txt second.txt

****Crash Report for 32-bit version 3.4.6 application with WinDBG****

The following crash has been encountered.

Loading Dump File [C:\Users\Administrator\Downloads\sumatrapdf-3.4.6rel\sumatrapdf-3.4.6rel\out\dbg32\crashinfo\sumatrapdfcrash.dmp] User Mini Dump File: Only registers, stack and portions of memory are available

Symbol search path is: srv* Executable search path is: Windows 10 Version 19044 MP (12 procs) Free x86 compatible Product: WinNt, suite: SingleUserTS Edition build lab: 19041.1.amd64fre.vb_release.191206-1406 Machine Name: Debug session time: Tue Sep 27 14:18:04.000 2022 (UTC + 5:30) System Uptime: not available Process Uptime: 0 days 0:04:07.000 … This dump file has an exception of interest stored in it. The stored exception information can be accessed via .ecxr. (22a4.a40): Access violation - code c0000005 (first/second chance not available) For analysis of this file, run !analyze -v eax=c0000034 ebx=020fe29c ecx=00000000 edx=00000000 esi=00000000 edi=0000029c eip=772629fc esp=020fe0f0 ebp=020fe160 iopl=0 nv up ei pl nz ac pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200216 ntdll!NtWaitForSingleObject+0xc: 772629fc c20c00 ret 0Ch 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * *******************************************************************************

*** WARNING: Unable to verify checksum for SumatraPDF.exe

KEY_VALUES_STRING: 1

Key  : AV.Dereference
Value: NullPtr

Key  : AV.Fault
Value: Write

Key  : Analysis.CPU.mSec
Value: 2827

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 3238

Key  : Analysis.Init.CPU.mSec
Value: 640

Key  : Analysis.Init.Elapsed.mSec
Value: 12340

Key  : Analysis.Memory.CommitPeak.Mb
Value: 118

Key  : Timeline.Process.Start.DeltaSec
Value: 247

Key  : WER.OS.Branch
Value: vb\_release

Key  : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key  : WER.OS.Version
Value: 10.0.19041.1

Key  : WER.Process.Version
Value: 3.4.6.0

CONTEXT: (.ecxr) eax=00000000 ebx=01e76000 ecx=00000000 edx=00000000 esi=007914b5 edi=007914b5 eip=77257a6e esp=020ffbc8 ebp=020ffbd0 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 ntdll!_RtlUserThreadStart+0x1b: 77257a6e cc int 3 Resetting default scope

EXCEPTION_RECORD: (.exr -1) ExceptionAddress: 0089b083 (SumatraPDF!CrashMe+0x00000013) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 00000000 Attempt to write to address 00000000

PROCESS_NAME: SumatraPDF.exe

WRITE_ADDRESS: 00000000

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 00000001

EXCEPTION_PARAMETER2: 00000000

FAULTING_THREAD: ffffffff

STACK_TEXT:
0089b083 0089b083 SumatraPDF!CrashMe+0x13

FAULTING_SOURCE_LINE: C:\Users\Administrator\Downloads\sumatrapdf-3.4.6rel\sumatrapdf-3.4.6rel\src\utils\BaseUtil.h

FAULTING_SOURCE_FILE: C:\Users\Administrator\Downloads\sumatrapdf-3.4.6rel\sumatrapdf-3.4.6rel\src\utils\BaseUtil.h

FAULTING_SOURCE_LINE_NUMBER: 200

FAULTING_SOURCE_CODE:
196: // but it seemed to confuse callstack walking 197: inline void CrashMe() { 198: char* p = nullptr; 199: // cppcheck-suppress nullPointer

200: *p = 0; // NOLINT 201: } 202: #if COMPILER_MSVC 203: #pragma warning(pop) 204: #endif 205:

SYMBOL_NAME: SumatraPDF!CrashMe+13

MODULE_NAME: SumatraPDF

IMAGE_NAME: SumatraPDF.exe

STACK_COMMAND: .ecxr ; kb ; ** Pseudo Context ** Pseudo ** Value: d ** ; kb

FAILURE_BUCKET_ID: NULL_POINTER_WRITE_CONTEXT_MISMATCH_c0000005_SumatraPDF.exe!CrashMe

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x86

OSNAME: Windows 10

IMAGE_VERSION: 3.4.6.0

FAILURE_ID_HASH: {1595dcef-2e27-85d9-39da-85ddbd1355a2}

Followup: MachineOwner

0:000> !msec.exploitable

!exploitable 1.6.0.0 Warning: Unable to read from the TEB in the current thread. Warning: Unable to read from the TEB in the current thread. Exploitability Classification: UNKNOWN Recommended Bug Title: User Mode Write AV near NULL starting at ntdll!_RtlUserThreadStart+0x000000000000001b (Hash=0xcc3d4e45.0x55921273)

User mode write access violations that are near NULL are unknown.

The issue can be reproduced with and without PageHeap enabled on Windows 11 - 22563.1000 64-bit machine having version SumatraPDF 3.4.6 32-bit.

Root_Cause_Analysis

Below is the function, where it is crashing.

if (s->buf == s->els) { newEls = (char*)Allocator::Alloc(s->allocator, allocSize); if (newEls) { memcpy(newEls, s->buf, s->len + 1); } } else { newEls = (char*)Allocator::Realloc(s->allocator, s->els, allocSize); } if (!newEls) { CrashAlwaysIf(gAllowAllocFailure.load() == 0); return nullptr; }
The CrashAlwaysIf macro is being called in the EnsureCap function as a way to handle a failure to allocate memory. When the Alloc or Realloc function returns a null pointer, indicating that memory allocation has failed, the CrashAlwaysIf macro is called to cause the program to crash intentionally because it internally calls CrashMe function that sets a null pointer to a non-null value, which will cause an access violation when the program tries to dereference the null pointer. This will trigger an exception and cause the program to crash.

****Result****