Inadequate Encryption Strength in CODESYS Development System V3 versions prior to V3.5.18.40 allows an unauthenticated local attacker to access and manipulate code of the encrypted boot application.

%PDF-1.7 %���� 1 0 obj <>/Metadata 358 0 R/ViewerPreferences 359 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 841.92\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��Wmo�F���؏�J^�ݻ�)�$�SO��4�):E8\`JL�����Θ�����\\������<3;t����6���s\\���k>"W�A����/��E6�̳rR�;��ĩ�l�/�\]r���yj���������s� 0N���xä!N�Y��֯?�y��0����\_�í#�Y��y?�ƹ!�����{���ջ^>��d�� ♷dp�n�ʆ �2�I����'cXz�� >'���%�2��n��6�1k��GpG�CO��,f�>=+��ѧ�&��;� ���ʔs�w=�$�2^ѿ��v-m�Z�����O�(��Q�i N??�Hz���E�� �Ł�� �cV>Y

CVE-2022-4048

Improper Input Validation vulnerability in multiple CODESYS V3 products allows an authenticated remote attacker to block consecutive logins of a specific type.

%PDF-1.7 %���� 1 0 obj <>/Metadata 375 0 R/ViewerPreferences 376 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 841.92\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��WmoG���؏{�no�\_"��M�(���"Y8\*�Q|��O��́S�p� Gk�\`w��yf��g��e1�MG9;K΋"}��d��ŧd�Ȓ��d:O�i>O�������l�鐋^�$�}K&�����g��w�@�q� �IC����ڭ\_ �vk3���\_��֓Ѭ�J^��IfH/'?o�^�d�6�'�^\`� �K��(m�,����d8����~(�sr�n )�>���v��9�,�%�o!�ȋ"�U��\*ϋo1=�Yϸ��0�ɵ�Ly����\*���6�FC����\] @��և�Y��9zŚ�#���o-ņ^/��<�t��H�\[t�3+��,��K���+!\*� ���-�!�oJ�4���|���\]����c$�/�9�m�u���t>!4�ǿ����� �q�Q��3Υ�\\Ù5���m��x�S��P@W�N,�6m�9&�\[h��,ԣ�a�Vי\]3��@�D�7�\]) �Tm����.�ϩ��l�ѻE�h�B����FQ,�j9�<-@�X�\`(�Z�Q<�;Y֣�0'\_�Ȁ�@����q���њ�e��8��ΑM>8%�e~G��HG�o3��PW8kZ����R\\r\_�����M�i��r��8���2G�}�~��|7�G�|Ar�\_A��O���I�K) �b��4̓����x��w0hm��7%���+x��C�8���� �w���R�e���%s5(�T5oWp�U��1�\_ ̫�� l+ہ|f�4� G�d��'��I�����lU�n"��X�b��t��}��t ڕGq��W�=��̄:(��9Ҩe��(���c�x�桎�����o��0�i��x�e�H�����Y;�

CVE-2022-22508

In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise.

2023-05-15 10:00 (CEST) VDE-2023-007  

**WAGO: Unauthenticated command execution via Web-based-management**  
Share: Email | Twitter  

**Published**

2023-05-15 10:00 (CEST)

**Last update**

2023-05-08 16:11 (CEST)

**Vendor(s)**

WAGO GmbH & Co. KG  

**Product(s)**

Article No°

Product Name

Affected Version(s)

751-9301

Compact Controller CC100

FW20 <= FW22

751-9301

Compact Controller CC100

\= FW23

752-8303/8000-002

Edge Controller

\= FW22

750-81xx/xxx-xxx

PFC100

FW20 <= FW22

750-81xx/xxx-xxx

PFC100

\= FW23

750-82xx/xxx-xxx

PFC200

FW20 <= FW22

750-82xx/xxx-xxx

PFC200

\= FW23

762-5xxx

Touch Panel 600 Advanced Line

\= FW22

762-6xxx

Touch Panel 600 Marine Line

\= FW22

762-4xxx

Touch Panel 600 Standard Line

\= FW22

**Summary**

The “legal information” plugin of web-based-management contained a vulnerability which allowed execution of arbitrary commands with privileges of www user.

**CVE ID**

**Last Update:**

May 4, 2023, 9:18 a.m.

**Severity**

**Weakness**

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')  (CWE-78) 

**Summary**

In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise.

**Details**

**Impact**

Exploiting the vulnerability provides arbitrary command execution with privileges of the 'www' user. Via this flaw an attacker can change device configuration, create users or even take over the system.

**Solution**

**Mitigation**

As general security measures strongly WAGO recommends:

1.  Use general security best practices to protect systems from local and network attacks.
2.  Do not allow direct access to the device from untrusted networks.
3.  Update to the latest firmware according to the table in chapter solutions.
4.  Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy.

The BSI provides general information on securing ICS in the ICS Compendium (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/ICS/ICS-Security\_compendium.pdf).

**Remediation**

Wago recommends all effected users to update to the firmware version listed below:

Article No°

Product Name

Fixed Version

751-9301

Compact Controller CC100

FW24

752-8303/8000-002

Edge Controller

FW22 Patch 1 or higher patch level

752-8303/8000-002

Edge Controller

FW24

750-81xx/xxx-xxx

PFC100

FW22 Patch 1 or higher patch level

750-81xx/xxx-xxx

PFC100

FW24

750-82xx/xxx-xxx

PFC200

FW22 Patch 1 or higher patch level

750-82xx/xxx-xxx

PFC200

FW24

762-5xxx

Touch Panel 600 Advanced Line

FW22 Patch 1 or higher patch level

762-5xxx

Touch Panel 600 Advanced Line

FW24

762-6xxx

Touch Panel 600 Marine Line

FW22 Patch 1 or higher patch level

762-6xxx

Touch Panel 600 Marine Line

FW24

762-4xxx

Touch Panel 600 Standard Line

FW22 Patch 1 or higher patch level

762-4xxx

Touch Panel 600 Standard Line

FW24

**Reported by**

The vulnerability was reported by Quentin Kaiser from ONEKEY.  
Coordination done by CERT@VDE.

CVE-2023-1698: VDE-2023-007 | CERT@VDE

One long-awaited security move caused a ripple effect in the cybercrime ecosystem.

Ever since Microsoft decided to block Office macros by default, threat actors have been forced to evolve, adopting new methods for delivering malware at an unprecedented rate.

For a long time, threat actors have used malicious Microsoft Office macros to get a hook inside of their target's computers. It was for that reason that, in 2022, Microsoft finally — though unevenly — began blocking macros by default on files downloaded from the Internet.

Now, without their favorite toy, hackers are having to come up with new ways to get their malware where they want it to go.

"In a lot of ways, they're just kind of throwing spaghetti at the wall to see what sticks," says Selena Larson, author of a new report on the trend. "The energy that they're spending to create new attack chains is really unique," and cyber defenders are going to have to keep up.

**How Attackers Have Adjusted**

Rarely has such a simple policy change made such a big difference in the cybercrime landscape. In 2021, the year of Microsoft's announcement, researchers from Proofpoint tracked well beyond a thousand malicious campaigns utilizing macros.

In 2022 — the year the policy change took effect — macro-enabled attacks plummeted 66%. Thus far in 2023, macros have all but disappeared in cyberattacks.

In their place, hackers need some other solution. Container files emerged as a popular alternative last year, allowing attackers to bypass Microsoft's "mark-of-the-Web" tag for files downloaded from the Internet. Once Microsoft addressed that workaround, however, such files went the way of the macro.

Since then, hackers have been searching for their new golden goose.

For example, in H2 2022, Proofpoint researchers observed a significant rise in HTML smuggling — slipping an encoded script through an HTML attachment. In 2023, good ol' PDFs have proven a popular file format for attackers. And last December, some malicious campaigns began utilizing Microsoft's notes-taking app OneNote as a means for delivering their malware. By January, dozens of threat actors piled onto the trend, and, in recent months, over 120 campaigns have made use of OneNote.

Nothing has stuck, though. "We haven't seen anything that has the same type of durability as the macro-enabled attachment," Larson says.

**What This Means for Security Teams**

"Attackers are having to be more creative now, which presents more opportunities for them to screw up or make mistakes," Larson says.

Still, forcing cybercriminals out of their comfort zone comes with a cost. "The speed and the rate and scope of the changes that they're making — all the different attack chains that they're experimenting with — stands out," she says.

And so, cyber defenders will have to move equally fast to keep up. "We're having to be proactive to threat actor behavior and come up with new detections and rules and such, because threat actors are trying different ways to bypass existing detections," she says.

Organizations, too, will need to keep up-to-date with the latest trends. Take security trainings: "I know that a lot of the time, people are trained on macro-enabled documents. Now you have to make your users aware of the new PDF methods and use real-world examples of potential threats to incorporate into security training," she says.

"But from an overall, holistic security viewpoint, I don't think there's anything that needs to drastically change, as long as you are ensuring that users are aware," Larson says. "Just being, like, 'Hey, look out for this type of thing!'"

How Cybercriminals Adapted to Microsoft Blocking Macros by Default

Synapsoft pdfocus 1.17 is vulnerable to local file inclusion and server-side request forgery Directory Traversal.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-23169: GitHub - S4nshine/CVE-2023-23169

 In Xpdf 4.04 (and earlier), a PDF object loop in the embedded file tree leads to infinite recursion and a stack overflow.




CVE-2023-2664: A stack-overflow in xpdf4.04 - forum.xpdfreader.com

In Xpdf 4.04 (and earlier), a bad color space object in the input PDF file can cause a divide-by-zero.




**Description**  
There exists FPE in ImageStream::ImageStream(Stream\*, int, int, int) at xpdf-4.04/xpdf/Stream.cc:370:23.It's a division-by-zero error.  
**My test program**  
pdfimages  
**Command and argument**  
./pdfimages poc-file /dev/null

poc-file is attached.  
**ASAN Info**

Code: Select all

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2894348==ERROR: AddressSanitizer: FPE on unknown address 0x000000798907 (pc 0x000000798907 bp 0x0c0c000005a7 sp 0x7ffd7d2a6b50 T0)
        #0 0x798907 in ImageStream::ImageStream(Stream*, int, int, int) /root/target/latest/20230404/xpdf-4.04/xpdf/Stream.cc:370:23
        #1 0x4f8e3c in ImageOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, int*, int, int) /root/target/latest/20230404/xpdf-4.04/xpdf/ImageOutputDev.cc:324:18
        #2 0x604d02 in Gfx::doImage(Object*, Stream*, int) /root/target/latest/20230404/xpdf-4.04/xpdf/Gfx.cc:4621:7
        #3 0x5aff8e in Gfx::opXObject(Object*, int) /root/target/latest/20230404/xpdf-4.04/xpdf/Gfx.cc:4104:2
        #4 0x5d7c8b in Gfx::execOp(Object*, Object*, int) /root/target/latest/20230404/xpdf-4.04/xpdf/Gfx.cc:862:3
        #5 0x5d6c68 in Gfx::go(int) /root/target/latest/20230404/xpdf-4.04/xpdf/Gfx.cc:747:12
        #6 0x5d5598 in Gfx::display(Object*, int) /root/target/latest/20230404/xpdf-4.04/xpdf/Gfx.cc:669:3
        #7 0x77583e in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /root/target/latest/20230404/xpdf-4.04/xpdf/Page.cc:422:10
        #8 0x774d48 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /root/target/latest/20230404/xpdf-4.04/xpdf/Page.cc:368:3
        #9 0x7890a1 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /root/target/latest/20230404/xpdf-4.04/xpdf/PDFDoc.cc:442:27
        #10 0x7892d8 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /root/target/latest/20230404/xpdf-4.04/xpdf/PDFDoc.cc:460:5
        #11 0x4fc0e4 in main /root/target/latest/20230404/xpdf-4.04/xpdf/pdfimages.cc:156:10
        #12 0x7f4cb41b0082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #13 0x44b69d in _start (/root/target/latest/20230404/xpdf-4.04/install_map16/bin/pdfimages+0x44b69d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /root/target/latest/20230404/xpdf-4.04/xpdf/Stream.cc:370:23 in ImageStream::ImageStream(Stream*, int, int, int)
    ==2894348==ABORTING

**Source Code**

Code: Select all

    ImageStream::ImageStream(Stream *strA, int widthA, int nCompsA, int nBitsA) {
      int imgLineSize;
    
      str = strA;
      width = widthA;
      nComps = nCompsA;
      nBits = nBitsA;
    
      nVals = width * nComps;
      inputLineSize = (nVals * nBits + 7) >> 3;
      if (width > INT_MAX / nComps ||
          nVals > (INT_MAX - 7) / nBits) {
        // force a call to gmallocn(-1,...), which will throw an exception
        inputLineSize = -1;
      }
      ......
    Omit remaining code
      ......
    }

**Version**  
xpdf:4.04

CVE-2023-2662: A FPE in pdfimages xpdf4.04

In Lightbend Akka before 2.8.1, the async-dns resolver (used by Discovery in DNS mode and transitively by Cluster Bootstrap) uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning by an attacker. If the application performing discovery does not validate (e.g., via TLS) the authenticity of the discovered service, this may result in exfiltration of application data (e.g., persistence events may be published to an unintended Kafka broker). If such validation is performed, then the poisoning constitutes a denial of access to the intended service. This affects Akka 2.5.14 through 2.8.0, and Akka Discovery through 2.8.0.

**Achieve Success with Lightbend****Lightbend solutions help virtually any industry or vertical bring their digital strategies to life.**

**What's New(s)**  

**AWARD****Frost & Sullivan—2022 Company of the Year**

Lightbend/Kalix has been named by Frost & Sullivan as the recipient of the 2022 North American Serverless Computing Company of the Year Award.

Read More (PDF)

**Kalix Webinars****Catch up with On-Demand Webinars**

Check out our latest webinars on-demand over at Kalix.io. Hear from Lightbend luminaries and learn how Kalix removes the hurdles of distributed data, distributed systems and all underlying architecture complexity.

Watch Now

> Akka delivers the scalability and resiliency required to handle our current number of participants and expected growth.

READ CASE STUDY

> For core financial transactional systems where data quality and consistency are paramount, we strongly recommend Akka.

READ CASE STUDY

> Akka has enabled Tubi to provide customer experiences unlike any other in the video-on-demand space.

READ CASE STUDY

> We've cut software development costs by 30% and our hardware costs by 50%—helping us to offer highly competitive pricing.

READ CASE STUDY

**Strategic Partners Powered by Lightbend**

**Talk to an Expert**

We'd love to learn about your requirements, answer your unique questions, and review ways that Lightbend can help you and your organization.

Contact Us

CVE-2023-31442: Lightbend | Power Your Innovation with Cloud Native Applications | @lightbend

Podofo v0.10.0 was discovered to contain a heap buffer overflow via the component PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3.

We found multiple heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3).

**Command Input**

podofoencrypt -rc4v2 -u 1232321 -o 24 poc_file /dev/null

All poc\_file are attached.

**Sanitizer Dump**

    ==3904316==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000e0b at pc 0x0000004ab577 bp 0x7ffe4a6cc310 sp 0x7ffe4a6cbad8
    READ of size 32 at 0x603000000e0b thread T0
        #0 0x4ab576 in __asan_memcpy /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x5bcdd7 in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3(PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfPermissions, PoDoFo::PdfString, PoDoFo::PdfAESV3Revision) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:1908:5
        #2 0x5a39a5 in PoDoFo::PdfEncrypt::CreateFromObject(PoDoFo::PdfObject const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:586:47
        #3 0x6f2e88 in PoDoFo::PdfParser::ReadObjects(PoDoFo::InputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:631:29
        #4 0x6f09f3 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:83:9
        #5 0x67071e in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
        #6 0x671fcd in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
        #7 0x671bdb in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
        #8 0x4dfd57 in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:19:9
        #9 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
        #10 0x7fc7de7ed082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #11 0x430f6d in _start (/root/target/Invariants/podofo-0.10.0/build_clang/target/podofoencrypt+0x430f6d)
    
    0x603000000e0b is located 0 bytes to the right of 27-byte region [0x603000000df0,0x603000000e0b)
    allocated by thread T0 here:
        #0 0x4dd2dd in operator new(unsigned long) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
        #1 0x7fc7dec9d87f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::reserve(unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14387f)
        #2 0x7d5c2a in PoDoFo::StandardStreamDevice::readChar(char&) /root/target/Invariants/podofo-0.10.0/src/podofo/auxiliary/StreamDevice.cpp:290:12
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c067fff8170: fd fd fd fa fa fa 00 00 00 fa fa fa 00 00 00 fa
      0x0c067fff8180: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa 00 00
      0x0c067fff8190: 00 fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
      0x0c067fff81a0: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa
      0x0c067fff81b0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa 00 00
    =>0x0c067fff81c0: 00[03]fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
      0x0c067fff81d0: 00 00 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa
      0x0c067fff81e0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa 00 00
      0x0c067fff81f0: 01 fa fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
      0x0c067fff8200: 00 00 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa
      0x0c067fff8210: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3904316==ABORTING
    

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

we built podofo with AddressSanitizer (ASAN) .

cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address"

poc\_files.zip

CVE-2023-31567: Heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3) · Issue #71 · podofo/podofo

Podofo v0.10.0 was discovered to contain a heap-use-after-free via the component PoDoFo::PdfEncrypt::IsMetadataEncrypted().

We found a heap-use-after-free in podofo 0.10.0(main/PdfEncrypt.h:352:47 in PoDoFo::PdfEncrypt::IsMetadataEncrypted()).

**Command Input**

podofoencrypt -rc4v2 -u 1232321 -o 24 poc_file /dev/null

poc\_file are attached.

**Sanitizer Dump**

    ==3903368==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000000300 at pc 0x00000071995b bp 0x7ffffefd2300 sp 0x7ffffefd22f8
    READ of size 1 at 0x613000000300 thread T0
        #0 0x71995a in PoDoFo::PdfEncrypt::IsMetadataEncrypted() const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.h:352:47
        #1 0x717ec2 in PoDoFo::PdfParserObject::parseStream() /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParserObject.cpp:219:45
        #2 0x716a06 in PoDoFo::PdfParserObject::DelayedLoadStreamImpl() /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParserObject.cpp:90:13
        #3 0x69c223 in PoDoFo::PdfObject::delayedLoadStream() const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfObject.cpp:359:35
        #4 0x699211 in PoDoFo::PdfObject::DelayedLoadStream() const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfObject.cpp:351:5
        #5 0x69a130 in PoDoFo::PdfObject::Write(PoDoFo::OutputStream&, PoDoFo::PdfWriteFlags, PoDoFo::PdfEncrypt const*, PoDoFo::charbuff_t<void>&) const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfObject.cpp:212:5
        #6 0x756b85 in PoDoFo::PdfWriter::WritePdfObjects(PoDoFo::OutputStreamDevice&, PoDoFo::PdfIndirectObjectList const&, PoDoFo::PdfXRef&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfWriter.cpp:175:18
        #7 0x753a27 in PoDoFo::PdfWriter::Write(PoDoFo::OutputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfWriter.cpp:97:9
        #8 0x67467b in PoDoFo::PdfMemDocument::Save(PoDoFo::OutputStreamDevice&, PoDoFo::PdfSaveOptions) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:249:16
        #9 0x67426f in PoDoFo::PdfMemDocument::Save(std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfSaveOptions) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:233:11
        #10 0x4dfe62 in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:49:9
        #11 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
        #12 0x7f70c1549082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #13 0x430f6d in _start (/root/target/Invariants/podofo-0.10.0/build_clang/target/podofoencrypt+0x430f6d)
    
    0x613000000300 is located 256 bytes inside of 352-byte region [0x613000000200,0x613000000360)
    freed by thread T0 here:
        #0 0x4ddb3d in operator delete(void*) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:160:3
        #1 0x5c0821 in PoDoFo::PdfEncryptAESV3::~PdfEncryptAESV3() /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.h:623:7
        #2 0x4e1cd6 in std::default_delete<PoDoFo::PdfEncrypt>::operator()(PoDoFo::PdfEncrypt*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
        #3 0x6778a7 in std::unique_ptr<PoDoFo::PdfEncrypt, std::default_delete<PoDoFo::PdfEncrypt> >::reset(PoDoFo::PdfEncrypt*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
        #4 0x6768ec in std::unique_ptr<PoDoFo::PdfEncrypt, std::default_delete<PoDoFo::PdfEncrypt> >::operator=(std::unique_ptr<PoDoFo::PdfEncrypt, std::default_delete<PoDoFo::PdfEncrypt> >&&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:307:2
        #5 0x675e46 in PoDoFo::PdfMemDocument::SetEncrypted(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfPermissions, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfKeyLength) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:321:15
        #6 0x4dfe4b in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:48:9
        #7 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
        #8 0x7f70c1549082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    previously allocated by thread T0 here:
        #0 0x4dd2dd in operator new(unsigned long) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
        #1 0x5a387f in PoDoFo::PdfEncrypt::CreateFromObject(PoDoFo::PdfObject const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:586:43
        #2 0x6f2e88 in PoDoFo::PdfParser::ReadObjects(PoDoFo::InputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:631:29
        #3 0x6f09f3 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:83:9
        #4 0x67071e in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
        #5 0x671fcd in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
        #6 0x671bdb in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
        #7 0x4dfd57 in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:19:9
        #8 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
        #9 0x7f70c1549082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.h:352:47 in PoDoFo::PdfEncrypt::IsMetadataEncrypted() const
    Shadow bytes around the buggy address:
      0x0c267fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c267fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c267fff8030: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c267fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c267fff8060:[fd]fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
      0x0c267fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3903368==ABORTING
    

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

we built podofo with AddressSanitizer (ASAN) .

cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address"

poc\_file.zip

CVE-2023-31566: Heap-use-after-free in podofo 0.10.0(main/PdfEncrypt.h:352:47 in PoDoFo::PdfEncrypt::IsMetadataEncrypted()) · Issue #70 · podofo/podofo

Tag

#pdf