CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:C/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS
Percentile
74.8%
CVE-2016-3580
A vulnerability in PDF parser of the IX SDK exists that results in out of bounds heap memory access following an unchecked memory allocation operation under specific conditions.
Oracle Outside In IX sdk 8.5.1
http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html
In a PDF file an xref table contains multiple rows each containing three values ( except for the first row which specifies the first object being referenced and the number of objects). First value represents the 10 digit offset into the file where object is to be found. In a specially crafted PDF file, OID SDK PDF parser uses the specified value as a parameter in a call to realloc()
which can fail. The return value is checked for errors but is subsequently ignored. The original numerical value is then used as an upper bound in a loop where out of bounds read happens during process cleanup.
In a function at 0xB74C603A in libvs_pdf.so (base address being 0xB74BF000) either a call to malloc
or realloc
is being made indirectly. Final size is calculated as follows:
`
.text:B74C608E mov [edi+8], ecx
.text:B74C6091 imul ecx, ebp
.text:B74C6094 mov [esp+2Ch+var_14], ecx
.text:B74C6098 mov [esp+2Ch+c], ecx
.text:B74C609C mov eax, [edi]
.text:B74C609E mov [esp+2Ch+s], eax
.text:B74C60A1 call _SYSNativeReAlloc
`
Initially, register ecx
holds the value from the file. In this case it is multiplied by 0x10 in ebp
. The upper bound for the value in the file is 0x7ffffff, so the maximum size that can be passed to realloc
is 0x7ffffff0. In limited memory conditions, of about less than 2 gigabytes of virtual memory available, this reallocation will fail returning zero. Although there are checks for this condition, the same buffer is iterated over during process cleanup. Specifically, in the following code in function VwStreamClose
:
`
.text:B74D17C1 add esi, 10h [4]
.text:B74D17C4 mov eax, [esi] [1]
.text:B74D17C6 test eax, eax
.text:B74D17C8 jz short loc_B74D17D3
.text:B74D17CA mov edx, [esp+4Ch+arg_4]
.text:B74D17CE call sub_B74D14C0
.text:B74D17D3
.text:B74D17D3 loc_B74D17D3: ; CODE XREF: VwStreamClose+19Ej
.text:B74D17D3 add edi, 1 [2]
.text:B74D17D6 mov eax, [esp+4Ch+arg_4]
.text:B74D17DA cmp [eax+1D70h], edi [3]
.text:B74D17E0 ja short loc_B74D17C1
`
At [1], esi
points to the buffer that was previously subject to failed realloc()
. Register edi
serves as a counter, is increased by 1 each turn at [2] and compared to the initial value from the file at [3]. At [4], pointer in esi
is increased by 0x10. At this point, the parser expects that the memory reallocation was successful which leads to an out of bounds memory access.
The supplied minimized testcase triggers the out of bounds access in ixsample
application supplied with the SDK. In order to trigger it, a virtual memory limit must be set by executing:
`
# ulimit -Sv 1000000
`
2016-04-12 - Vendor Notification
2016-07-19 – Public Disclosure
Discovered by Aleksandar Nikolic of Cisco Talos.
Vulnerability Reports Next Report
TALOS-2016-0101
Previous Report
TALOS-2016-0103
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:C/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS
Percentile
74.8%