Ubuntu Security Notice 6017-2 - USN-6017-1 fixed vulnerabilities in Ghostscript. This update provides the corresponding updates for Ubuntu 23.04. Hadrien Perrineau discovered that Ghostscript incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6017-2  
April 26, 2023

ghostscript vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04

Summary:

Ghostscript could be made to crash or run programs as your login if it  
received a specially crafted input.

Software Description:  
- ghostscript: PostScript and PDF interpreter

Details:

USN-6017-1 fixed vulnerabilities in Ghostscript. This update provides the  
corresponding updates for Ubuntu 23.04.

Original advisory details:

  Hadrien Perrineau discovered that Ghostscript incorrectly handled certain  
  inputs. An attacker could possibly use this issue to cause a denial of  
  service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   ghostscript                     10.0.0~dfsg1-0ubuntu1.1  
   libgs10                         10.0.0~dfsg1-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6017-2  
   https://ubuntu.com/security/notices/USN-6017-1  
   CVE-2023-28879

Package Information:  
   https://launchpad.net/ubuntu/+source/ghostscript/10.0.0~dfsg1-0ubuntu1.1

Ubuntu Security Notice USN-6017-2

AI-generated spam comments on Amazon, the latest on the 3CX supply chain attack and more security headlines from the past week.

Thursday, April 27, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

I’m writing this earlier in the week as I get ready for some personal travel (everyone is lucky I passed on writing another Cybersecurity Mock Draft), so apologies if I miss anything major that happens at RSA.

But Cisco beat everyone to the punch Monday morning anyway, making a slew of major announcements on RSA travel day. By the time you’re reading this, it’s still not too late to track down someone from our team if you want to learn more. (Read last week’s newsletter for more on that.)

Cisco Duo announced that all paid customers of its service can now use Trusted Endpoints to block access from unknown devices.

Duo is also re-introducing three editions of the product: Duo Essentials, Duo Advantage and Duo Premier. Even with the added security features announced Monday, the price-per-user is not rising, giving customers strong security at an unmatched value.

Cisco also announced its new extended detection and response (XDR) platform – Cisco XDR. This new offering combines users’ endpoint, network and application telemetry with customized detection based on their environment. This platform will detect threats in an environment that many other point products can’t see on their own.

Hazel Burton from Talos has a new episode of ThreatWise TV out this week discussing XDR, including an interview with a current enterprise XDR user. Nick Biasini, Talos’ head of outreach, is also on that episode to discuss how Cisco XDR is adapting to current attacker tactics, techniques and procedures.

**The one big thing**

More information and research is still coming out around the 3CX supply chain attack. A new report indicates that it was actually two supply chain attacks linked together. The adversaries involved in the 3CX compromise first backdoored another application, which it then used to infiltrate 3CX and send out a malicious, fake update there. Additional reporting indicates that these same state-sponsored actors also infiltrated several critical infrastructure networks with a backdoor during this same campaign.

**Why do I care?**

This news further highlights why it’s so important to plan for and defend against supply chain attacks. These are increasingly popular attacks that state-sponsored, well-funded adversaries are clearly using in the wild to target multiple sectors and industries.

**So now what?**

I already outlined several important steps to take that any organization can take to prepare for a supply chain attack. This recent Talos Takes episode with Craig Jackson of Cisco Talos Incident Response also provides valuable advice for organizations of all sizes.

**Top security headlines of the week**

**AI-generated spam is already hitting email inboxes, Amazon reviews and social media posts.** Security researchers and reporters have already spotted several instances where AI chat bots like ChatGPT are used to write fake reviews for popular Amazon products or even post tweets. Many of these reviews have a dead giveaway because they include the phrase “I cannot generate inappropriate content,” a message ChatGPT usually sends back when explicitly asked to generate spam or something with hateful content. Other AI models are learning to scan targets’ social media profiles to quickly learn and assume things such as political affiliation and employment status to create hyper-targeted spam and phishing. Experts warn this could lead to the further proliferation of fake news, misinformation and scams. (Vice, Gizmodo)

**Exploit code for a 9.8-severity vulnerability in the PaperCut printer management software went online this week,** potentially increasing the likelihood that attackers will try to exploit it in the wild. Although Cut disclosed this vulnerability and released a patch in March, many instances remain unpatched. CVE-2023-27350 is an improper access control issue in the SetupCompleted class of PaperCut MF/NG. An adversary could exploit this vulnerability to bypass authentication and execute arbitrary code with System-level privileges. Security researchers found attackers using this vulnerability to install two pieces of malicious remote management software. PaperCut users should ensure they are using PaperCut MF and NG versions 20.1.7, 21.2.11, and 22.0.9. (Ars Technica, SecurityWeek)

**U.S. law enforcement and intelligence agencies are increasingly prioritizing disrupting dark web networks** and forums versus arresting admins and users. U.S. Deputy Attorney General Lisa Monaco said during a talk at the RSA conference this week that prosecutors and investigators are being directed to have a “bias toward action to disrupt and prevent, to minimize that harm if it’s ongoing” and to “take that action to prevent that next victim.” That being said, the recent seizure of Genesis Market, a popular dark web forum, highlights how law enforcement is becoming better at unmasking many of these sites’ creators and making users’ activities less anonymous. (CyberScoop, SC Media)

**Can’t get enough Talos?**

*   Beers with Talos Ep. #133: The one where they talk a lot about wireless routers
*   Talos Takes Ep. #135: What does the future of MFA look like?
*   Cisco urges users to keep its network hardware up-to-date
*   Threat Roundup for April 14 - 21
*   Vulnerability Spotlight: Vulnerabilities in IBM AIX could lead to command injection with elevated privileges

**Upcoming events where you can find Talos**

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** 4ad8893f8c7cab6396e187a5d5156f04d80220dd386b0b6941251188104b2e53  
**MD5:** cdd331078279960a1073b03e0bb6fce4  
**Typical Filename:** mediaget.exe  
**Claimed Product:** MediaGet  
**Detection Name:** W32.DFC.MalParent

Threat Source newsletter (April 27, 2023) — New Cisco Secure offerings and extra security from Duo

A vulnerability classified as problematic has been found in SourceCodester Service Provider Management System 1.0. Affected is an unknown function of the file /admin/index.php. The manipulation of the argument page leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-227592.

Permalink

main

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Go to file

*   Go to file

*   Copy path
*   Copy permalink

Cannot retrieve contributors at this time

138 KB

Download

*   Open with Desktop
*   Download
*   Delete file

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

CVE-2023-2349: cve_hub/Service Provider Management System - vuln 4.pdf at main · E1CHO/cve_hub

A vulnerability classified as problematic was found in SourceCodester Service Provider Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /classes/Users.php. The manipulation of the argument id leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-227593 was assigned to this vulnerability.

Permalink

main

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Go to file

*   Go to file

*   Copy path
*   Copy permalink

E1CHO Add files via upload

Latest commit abfa65f Apr 27, 2023

**History**

**1** contributor

**Users who have contributed to this file**

259 KB

Download

*   Open with Desktop
*   Download
*   Delete file

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

CVE-2023-2350: cve_hub/Service Provider Management System - vuln 5.pdf at main · E1CHO/cve_hub

Categories: Business
Find threats camouflaging themselves in RAM.



(Read more...)




The post Fileless attacks: How attackers evade traditional AV and how to stop them appeared first on Malwarebytes Labs.

When you hear about malware, there’s a good chance you think of sketchy executables or files with extensions like .DOCX or .PDF that, once opened, execute malicious code. These are examples of **file-based** attacks—and while they can be bad, they’re nothing compared to their fileless cousins.

As the name suggests, fileless attacks don’t rely on traditional executable files to get the job done but rather **in-memory execution**, which helps them evade detection by conventional security solutions.

In this post, we’ll explore topics like how fileless attacks work, why they're effective, and what you can do to find and block fileless threats.

**Fileless attacks explained**

In contrast to file-based attacks that execute the payload in the hard drive, fileless attacks execute the payload in **Random Access Memory (RAM)**. Executing malicious code directly into memory instead of the hard drive has several benefits, such as:

*   **Evasion of traditional security measures**: Fileless attacks bypass antivirus software and file signature detection, making them difficult to identify using conventional security tools.   
*   **Increased potential for damage**: Since fileless attacks can operate more stealthily and with greater access to system resources, they may be able to cause more damage to a compromised system than file-based attacks.
*   **Memory-based attacks can be difficult to remediate**: Since fileless attacks don't create files, they can be more challenging to remove from a system once they have been detected. This can make it extra difficult for forensics to trace an attack back to the source and restore the system to a secure state.
    

**Fileless attacks vs Living-off-the-land (LOTL) attacks**

If you read our article on LOTL attacks, you may be confused: Aren’t fileless attacks and LOTL attacks the same thing? Well, yes and no.

LOTL attacks are anytime an attacker leverages legitimate tools to evade detection, steal data, and more, while fileless attacks refer purely to executing code directly into memory. **While both types of attacks often overlap, they are not synonymous.**

Think of fileless attacks as an occasional subset of LOTL attacks. Fileless attacks can and often do leverage LOTL techniques to execute payload into memory, but they can also do so without leveraging a legitimate system tool or process at all.

_PowerShell script extracted from a Microsoft Word document. If macros are enabled, it would execute the code in memory upon being opened. Source._

For example, an attacker can use PowerShell to download and execute a malicious payload directly in memory, without writing it to the disk. In this case, the attack is both LOTL (since PowerShell is a legitimate tool) and fileless (as the payload is executed in memory).

On the other hand, an attacker injecting malicious JavaScript into a website can exploit browser vulnerabilities and execute payloads in memory. This fileless attack executes code without writing to the hard drive, but doesn't qualify as LOTL as it doesn't use a legitimate system tool or process.

**5 different ways fileless attacks execute code in memory**

Once an attacker gains access through phishing or exploiting vulnerabilities, they can execute malicious code in memory using several methods, some of which may overlap with LOTL techniques.

Below are five common techniques used in fileless attacks:

*   **PowerShell**: A legitimate scripting that can execute malicious code directly in memory. As mentioned earlier, this technique overlaps with LOTL attacks as it leverages a built-in system tool.
*   **Process hollowing**: Process hollowing is a fileless technique where attackers create a new process in a suspended state, replace its memory content with malicious code, and then resume the process. The malicious code executes in memory without writing to the disk.
*   **Reflective DLL injection**: In this fileless attack, attackers load a malicious Dynamic Link Library (DLL) into a legitimate process's memory without writing it to the disk. The DLL is executed directly in memory, evading detection by traditional security software.
*   **JavaScript and VBScript**: Fileless attackers can use JavaScript or VBScript to run malicious code directly in memory within a web browser or other applications that support these scripting languages.
*   **Microsoft Office macros**: Fileless attackers can use malicious macros embedded in Microsoft Office documents to execute code in memory when the document is opened. This method takes advantage of the legitimate macro functionality, making it an example of an LOTL technique as well.

Note that fileless attacks often rely on exploiting vulnerabilities in system components in each of these instances (such as Office or web-browsers) to execute their code. 

**Preventing and spotting fileless attacks: Quick tips**

Prevention Method

Description

**Keep software and systems updated**

Regularly update your operating systems, applications, and security software to patch vulnerabilities that could be exploited by fileless attackers.

**Regularly review security logs**

Examine security logs for unusual activity or patterns that could indicate a fileless attack, such as unexpected PowerShell usage or excessive network connections.

**Employ behavioral analytics**

Use advanced threat detection tools that employ behavioral analytics to identify and block fileless attacks based on their unique behavior patterns.

**Restrict macro usage**

Limit the use of Microsoft Office macros by disabling them or allowing only digitally signed and trusted macros.

**Malwarebytes EDR and Exploit Protection: Safeguarding against fileless attacks**

Malwarebytes Exploit Protection can effectively block many fileless attacks by monitoring and reinforcing application behavior, hardening applications, and ensuring advanced memory protection.

To configure Exploit Protection Advanced settings, follow these steps:

*   Go to **Configure > Policies in Nebula.**
    
*   Select a policy and navigate to **Protection settings > Advanced settings > Anti-exploit settings.**
    

_Exploit Protection settings in a policy in Malwarebytes EDR._

Here's an overview of the protection layers offered by Malwarebytes EDR Exploit Protection:

*   **Application Hardening**: By enforcing security measures like DEP and ASLR, and disabling potentially vulnerable components like Internet Explorer VB Scripting, Application Hardening reduces the attack surface and makes it more difficult for fileless malware to exploit weaknesses in applications.
*   **Advanced Memory Protection**: This layer prevents fileless malware from executing payload code in memory by detecting and blocking techniques such as DEP bypass, memory patch hijacking, and stack pivoting, thereby stopping the attack before it can cause harm.
*   **Application Behavior Protection**: This layer also detects and blocks exploits that do not rely on memory corruption, such as Java sandbox escapes or application design abuse exploits. Options include Malicious LoadLibrary Protection, Protection for Internet Explorer VB Scripting, Protection for MessageBox Payload, and protection against various Microsoft Office macro exploits. 
*   **Java Protection**: These settings protect against exploits commonly used in Java programs. By guarding against Java-specific exploits, such as web-based Java command execution and Java Meterpreter payloads, Java Protection can effectively prevent fileless attacks that leverage Java vulnerabilities to infiltrate systems and execute malicious code.

**Fighting fileless threats with Malwarebytes EDR: Configuring Suspicious Activity Monitoring in Nebula**

Malwarebytes Endpoint Detection and Response (EDR) offers an effective solution to detect and mitigate fileless malware threats by monitoring potentially malicious behavior on endpoints. The Suspicious Activity Monitoring feature in Nebula uses machine learning models and cloud-based analysis to detect questionable activities. In this section, we will outline how to configure **Suspicious Activity Monitoring** in Nebula.

To enable Suspicious Activity Monitoring in your policy:

*   Log in to your Nebula console.
*   Navigate to **Configure > Policies**.
*   Click "**New**" or select an existing policy.
*   Choose the "**Endpoint Detection and Response**" tab.
*   Locate "**Suspicious Activity Monitoring**" and enable it for the desired operating systems.

_Suspicious Activity monitoring detections in Nebula showing a possible fileless attack. On the right, we see the command line context for this process in our organization._

Advanced Settings offer additional options for activity monitoring. To configure these settings:

*   In the same "Endpoint Detection and Response" tab, find the "**Advanced Settings**" section.
*   Enable "**Server operating system monitoring for suspicious activity**" to extend monitoring to server operating systems. 
*   Enable "**Very aggressive detection mode**" to apply a tighter threshold for flagging processes as suspicious. 
*   Toggle "**Collect networking events to include in searchin**g" to ON (default) or OFF, depending on your preference. Turning it OFF decreases traffic sent to the cloud.

**Flight Recorder Search**

Flight Recorder Search collects all endpoint events within its search functionality. By configuring Suspicious Activity Monitoring in Malwarebytes EDR through the Nebula platform, you can effectively counter fileless malware threats by monitoring processes, registry, file system, and network activity on the endpoint. 

**Respond to fileless attacks quickly and effectively**

Managed Detection and Response (MDR) services provide an attractive option for organizations without the expertise to manage EDR solutions. MDR services offer access to experienced security analysts who can monitor and respond to threats 24/7, detect and respond to fileless attacks quickly and effectively, and provide ongoing tuning and optimization of EDR solutions to ensure maximum protection. 

**Stop fileless attacks today**

Fileless attacks: How attackers evade traditional AV and how to stop them

Moxa MiiNePort E1 has a vulnerability of insufficient access control. An unauthenticated remote user can exploit this vulnerability to perform arbitrary system operation or disrupt service.

%PDF-1.4 %���� 3 0 obj <>\]/Intent/Perceptual/Subtype/Image/Height 259/Filter/FlateDecode/Type/XObject/DecodeParms<>/Width 1681/Length 17540/BitsPerComponent 8>>stream x^�=nI֥g Z��%��.A�8�� 4�- tD���!@��9�P���o�Tf�dGf䛿��>���E�?7N܈�\_�9�g�xvy�g�xvy�g�xvy�g�xvy�g�xvy�g�xv����\_�~|o����������%��O/��\_����(�����&����r�^�~��������������j����U�%��絛�����I�B��ZE�U�ۨ t�Z<;��hG�7W���b����\[=�ɇ� �y(F��ȃh�W q�\_?>������/�\`���ʛ;��^�@&�r����/��<H��׷��7W��I��l���jC�ɇ�����:���Ye�U�lW\\�hP�9�U���O�@#������\_S��W��\`e���Y��pp G�TEK�o?Vwb��0����ӛ� �v�sŜ�?�o�+4�����;�g��O��r�Z\]���V䑈�P$�� \[NW��h���ٻ�V�?1<;��h0���EC/\]���ř¬j/m������u��}I��|���\\��\\4Y��4q��p�gp �~|���v��P�6�^?>,�������W5������5�����gЏF��d ��,�J������-\_�l����� ;��\`6�@��o������ӹ��C�N���Ѡ��9�?'�������%o>���y���Y�VAU\]-� ��.M��s��8�����ۗ���c6B��������C� ����7W��I���Ӛ�L������n���\`�Q�J��+�����T�yv��M<t�H"t4�&\`�KGR\]:� cF��ANh"�Dzv���|���o\_��Ǐ���?�0��k�^ԖJy�Vd�l���g��5zu�'m�׏�������ɇ�� 0\\�ð�:"���%cT�;F��T8uI�Pñ=Xh�<�K����{�v�c�����wo���ƌ��j?�=���0����� E�DP�QW,�Jeձ��(̻���E��R���aB��"a�h0 �U�� ��++ç����\*�y���XϮ�\]h@y��B�9R���E%�U����n��pX\\�BE�ק��VԖ:;��ǰk�m�;���e��g��o@�����������K�O;�٭�׷�"(�vO��5ГB>\`ա\]D��h�-8��wo�6U(zqz}�Em��g��Ofg0�.�Î(Nk���O�ki�Q�rMC4al��tp����5���n}������y�x��� �y�g��N��� 7���,��\\q蕱D4,�N,f@��u�M Vi{�N��dm&yv �WM���~����l�٭��/ �'\_��³�u���wx(7)"}��̩��b�TA8��7Uj�ua�7�#7�{q���ى��y�G���ػz�g��8� �ݕ�1b|� U\`�B�K��̶��8(NY)��n&�+h����DW��v2����ىƘ>h )Jl�J�R��V:���� ?�Y�h���r������\[������VA;+�{FP����f�^ +F�R�����4��NL�u���?:�Ϯɞ3�l����g��� g�w5�ݾh�da��\*���ӎ����R���:C��EՅ4;\*�ga$�)��I�K<��=\]��N���?��m( Zu�����\]PW�������ҘGb�$��o>�:�֒�tPL�rC�C/%xM��ӛ+RD!��-(�Q$���uM�K<�� W4H�:"��<�m�Nu� �f�.1O�l�%�C�������$������Θ@���3ڰ˧W;�Uh��G#X��5����h�f!�;�ĳ�\\��q� �t��\]2����6X�G�\[�����o\_�����p�İԄ=wb0р�0�� �ĳkLꑶ쀫�g��4��� ��x�Dxv ��،p���řی���~��}X�� &wA����P��x�� Ð�zP��\[Ӥ�LZ��ٵ��ȻI��$���Rh�� �)���ݦ(X��CH�\_�v�=2i���h��p��Ai��M�a8r�TDxߛ�����y�\]�Ώ��҈��-������K$�#�}Qg�x�Pxv����Rw����L�M��bR����R�� �2b��:~�|;�r�a�zv8�Hfd�\]E�����F}VGaG�ٱ\\xv��\[�Ѐ|:wl�:(��@=<(�!��-����h y�g��,&��ު>ua����^i<�t:~��.M��z�"<���\[��U�\]�r|�����aq+Ŧp���<���1h� \*:�IiY0���6۳���\[����%���r�����\*³\[ ~,�"4UG�n����:�V� P��/aX��#�~|\*�I��A}�����i�}zs5��l~I��٥��?�������Oj#BKttq��j9ܓ��=Y���D���q�K���o\_��xg{v�����sha�d�{�/�g�Zz��v���W�:�Xa"�<�YB�������ذإ�X�n!�������1X��l'�Zh{v�G4�i���������7�nM=�\` @�����n~�3Bhu��yQ ��C��j����"Em������"��p֥ $&-?������\]�c��7�+X�ó�G�|�5��\[}m��ME����T����x�t&��V��p�İ�����hT ��-�X��R=�r9�H�N�sK����գ����g��g�M6�tu�ٍG�\[34"�6�f���ꐸ�b\*\*.�����J�ih{$a6�������G#�ٵ��)\\�?�Bs�P�����&������ -mv �YbE(��AyX�d�a)�gIx$\*(\\�a�5&�6�l?DkIE�o� ����<��hπf�m�t�^<�=5�\]D=;C�³;�6��!����{�+8zlX��d<���HiX����|#�KڂUѦH�o:��ىv+�4�����/���"�����=���n ��0B()^4Z(��p��ؾ�������Hz\]��Po�N���??�lm�j�ͬĳ�Yz�ݷ0���5h\]��Ÿ~|\`�\\�4��J��8��~7�\[)z��a�Y�����#�X�YN���\\���ى�(3>��٨�{E���"���P���z;��gׁ��|��ko>�V�~|P�Qiu���͒"��/��\\U߁�()��۩\_�E�J���p�ԇSa\`\*h���6 �yzyn sd�b�z�B�hc�)� ����5g�첐�� $l�?�����ҫJ�{}����rN�PԢo(U�^e�O���J�~F����"m�B�@�4,�}l�zB�dRQ�/���{��8ó�5f��x|��G� �\]��r��l-<��Wd+l-��=w~��77��˻���2�Hm�c�'ܩ.1i� �yv����!{��XLF��)L�e�O����D{�4�C��d�I<�\\D�%�;��h��l�,\[H���r���\]

CVE-2023-28697

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via the PDFDoc malloc in the pdftotext.cc function.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-26930: GitHub - huanglei3/xpdf_aborted

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via the TextOutputDev.cc function.

CVE-2023-26931

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via SharedFile::readBlock at /xpdf/Stream.cc.

XPDF v4.04

pdftotext poc

Syntax Warning: PDF file is damaged - attempting to reconstruct xref table... Syntax Error (2711): Dictionary key must be a name object Syntax Error (2715): Dictionary key must be a name object Syntax Error (2720): Dictionary key must be a name object Syntax Error: Dictionary key must be a name object Syntax Error: End of file inside dictionary Syntax Error (393): Illegal character <3d> in hex string Syntax Error (398): Illegal character <80> in hex string Syntax Error (399): Illegal character <67> in hex string Syntax Error (400): Illegal character <74> in hex string Syntax Error (401): Illegal character <68> in hex string Syntax Error (409): Illegal character '>' Syntax Error (172): Dictionary key must be a name object Syntax Error (393): Illegal character <3d> in hex string Syntax Error (398): Illegal character <80> in hex string Syntax Error (399): Illegal character <67> in hex string Syntax Error (400): Illegal character <74> in hex string Syntax Error (401): Illegal character <68> in hex string Syntax Error (409): Illegal character '>' Syntax Error (887): Illegal character ')' Syntax Error (1296): Illegal character ')' Syntax Error (1781): Illegal character ')' Syntax Error (2386): Dictionary key must be a name object Syntax Error (2390): Dictionary key must be a name object Syntax Error: Unterminated string Syntax Error: End of file inside dictionary Syntax Error: End of file inside array Syntax Error: End of file inside dictionary

Program received signal SIGSEGV, Segmentation fault.

(gdb) bt

#0 0x00007ffff7a989df in \_IO\_new\_file\_seekoff (fp=0x555555b81c30, offset=1446, dir=0, mode=) at fileops.c:976 #1 0x00007ffff7a967cd in \_\_fseeko (fp=0x555555b81c30, offset=offset@entry=1446, whence=whence@entry=0) at fseeko.c:40 #2 0x0000555555848c19 in gfseek (f=, offset=offset@entry=1446, whence=whence@entry=0) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/goo/gfile.cc:733 #3 0x00005555557ec8c1 in SharedFile::readBlock (this=0x555555b81fd0, buf=buf@entry=0x555555b832b8 "6 0 objnt 3 0 R\\r\\n/Resources <<\\r\\n/Font <<\\r\\n/F1 9 0 R \\r\\n>>\\r\\n/ProcSet 8 0 R\\r\\n>>\\r\\n/MediaBo\\202 \[0 0 612.0000 792.0000\]\\r\\n\\r\\n7 0 obj\\r\\n<< /Length 676 >> 00000 Name /ream\\r\\n2 J\\r\\nBT\\r\\n0\\r\\n57.3750 722.2800 Td\\r\\n( Simpl"..., pos=1446, size=256) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Stream.cc:739 #4 0x00005555557ecfe8 in FileStream::fillBuf (this=this@entry=0x555555b83280) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Stream.cc:842 #5 0x0000555555813d23 in FileStream::getChar (this=0x555555b83280) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Stream.h:324 #6 0x00005555557b1153 in Object::streamGetChar (this=0x555555b833f0) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Object.h:300 #7 Lexer::getChar (this=this@entry=0x555555b833e0) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Lexer.cc:93 #8 0x00005555557b13fa in Lexer::getObj (this=0x555555b833e0, obj=obj@entry=0x555555b838e8) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Lexer.cc:125 #9 0x00005555557d078d in Parser::Parser (this=0x555555b838d0, xrefA=, lexerA=, allowStreamsA=) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Parser.cc:35 #10 0x000055555582c0e2 in XRef::fetch (this=0x555555b83990, num=6, gen=0, obj=0x7fffff7ff330, recursion=) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/XRef.cc:1231 #11 0x00005555556754a0 in Object::arrayGet (this=0x7fffff7ff320, recursion=0, obj=0x7fffff7ff330, i=1) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Object.h:243 #12 Catalog::countPageTree (this=0x555555b5d4a0, pagesObj=) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:566

CVE-2023-26935: GitHub - huanglei3/xpdf_heapoverflow

An issue found in XPDF v.4.04 allows an attacker to cause a denial of service via a crafted pdf file in the object.cc parameter.

poc:copy30 or copy31 ;link: https://github.com/huanglei3/xpdf\_Stack-backtracking/blob/main/copy30 $ gdb --args pdftotext copy30 pwndbg> r Syntax Error: Couldn't read xref table Syntax Warning: PDF file is damaged - attempting to reconstruct xref table... Syntax Error (2667): Dictionary key must be a name object Syntax Error (2671): Dictionary key must be a name object Syntax Error (2676): Dictionary key must be a name object Syntax Error: Dictionary key must be a name object Syntax Error: End of file inside dictionary Syntax Error (203): Illegal character <2f> in hex string Syntax Error (204): Illegal character <54> in hex string Syntax Error (205): Illegal character <79> in hex string Syntax Error (206): Illegal character <70> in hex string Syntax Error (209): Illegal character <52> in hex string Syntax Error (211): Illegal character <5d> in hex string Syntax Error (216): Illegal character '>' Syntax Error (268): Dictionary key must be a name object Syntax Error (273): Dictionary key must be a name object Syntax Error (396): Dictionary key must be a name object Syntax Error (399): Dictionary key must be a name object Syntax Error: Unterminated string Syntax Error: End of file inside dictionary Syntax Error: End of file inside array Syntax Error: End of file inside dictionary Syntax Error (268): Dictionary key must be a name object Syntax Error (273): Dictionary key must be a name object Program received signal SIGSEGV, Segmentation fault. 0x00005555557c014b in Object::copy (this=this@entry=0x555555b84078, obj=obj@entry=0x7fffff7ff130) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Object.cc:99 99 obj->cmd = copyString(cmd); LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA ► 99 obj->cmd = copyString(cmd); pwndbg> bt #0 0x00005555557c014b in Object::copy (this=this@entry=0x555555b84078, obj=obj@entry=0x7fffff7ff130) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Object.cc:99 #1 0x000055555582cbd8 in XRef::fetch (this=0x555555b83990, num=<optimized out>, gen=<optimized out>, obj=0x7fffff7ff130, recursion=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/XRef.cc:1212 #2 0x00005555556754a0 in Object::arrayGet (this=0x7fffff7ff120, recursion=0, obj=0x7fffff7ff130, i=17) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Object.h:243 #3 Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:566 #4 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #5 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #6 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #7 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #8 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #9 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #10 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #11 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #12 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #13 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #14 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #15 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #16 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #17 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #18 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #19 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #20 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #21 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #22 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #23 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #24 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567

Tag

#pdf