Talos Blog, Earl Carter
Oct 19, 2017 - 1:51 p.m.

Vulnerability Spotlight: Google PDFium Tiff Code Execution

<h2><span>Overview</span></h2>
<div><span>Talos is disclosing a single off-by-one read/write vulnerability found in the TIFF image decoder functionality of PDFium as used in Google Chrome up to and including version 60.0.3112.101. Google Chrome is the most widely used web browser today, and a specially crafted PDF could trigger the vulnerability, resulting in memory corruption, a possible information leak, and potential code execution. This issue has been fixed in Google Chrome version <a href="https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html">62.0.3202.62</a>.</span></div>
<h2><span>TALOS-2017-0432</span></h2>
<div><span>Discovered by Aleksandar Nikolic of Cisco Talos</span></div>
<div><span>TALOS-2017-0432 / CVE-2017-5133 is an off-by-one read/write vulnerability residing in the TIFF image decoder functionality of PDFium. PDFium is an open-source PDF renderer developed by Google and used in the Chrome web browser, online services, and other standalone applications. A heap-based buffer overflow is present in the code responsible for decoding a compressed TIFF image stream.</span></div>
<div><span>The vulnerability results from the function responsible for parsing a pixel of data. During this process it always reads 4 bytes from the 'dest_buffer' even if the buffer length is less than 4 bytes. This potentially leads to an off-by-one read on the heap, followed immediately by an off-by-one write. However, several conditions need to be satisfied in order to reach the vulnerable code. The resulting off-by-one read/write could result in memory corruption, a possible information leak, or potential code execution. Full details of the vulnerability are available <a href="http://www.talosintelligence.com/reports/TALOS-2017-0432">here</a>.</span></div>
<h2><span>Coverage</span></h2>
<div><span>The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.</span></div>
<div><span>Snort Rule: 44294-44295</span></div>
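To make the fault pattern described above concrete, here is an added illustration in C (not PDFium's code; every function and variable name is hypothetical) of a pixel-decoding step that always reads and writes 4 bytes of dest_buffer regardless of how many bytes remain, beside a bounds-checked version that fails closed on a short buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Constructed illustration, not PDFium's code: all names are hypothetical. */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern: decode one pixel in place (a constructed XOR-with-
 * previous step) by always touching 4 bytes of dest_buffer. bytes_left is
 * ignored, so with 3 bytes remaining the fourth byte is read from, then
 * written, one past the logical end: the off-by-one read and write. */
static uint32_t process_pixel_unchecked(uint8_t *dest_buffer, size_t bytes_left,
                                        uint32_t prev_pixel)
{
    (void)bytes_left;                         /* the missing length check */
    uint32_t px = load_le32(dest_buffer) ^ prev_pixel;
    store_le32(dest_buffer, px);
    return px;
}

/* Hardened pattern: refuse to decode unless a whole pixel fits, so the
 * caller can reject the image instead of corrupting the heap. */
static int process_pixel_checked(uint8_t *dest_buffer, size_t bytes_left,
                                 uint32_t prev_pixel, uint32_t *out)
{
    if (bytes_left < 4)
        return -1;                            /* short buffer: fail closed */
    *out = load_le32(dest_buffer) ^ prev_pixel;
    store_le32(dest_buffer, *out);
    return 0;
}

int main(void)
{
    uint8_t buf[8] = {0x01, 0x02, 0x03, 0x04, 0xFF, 0xFF, 0xFF, 0xFF};
    uint32_t out = 0;
    process_pixel_unchecked(buf, 3, 0xFFFFFFFFu); /* 8 real bytes keep the demo in bounds */
    printf("byte 3 after unchecked decode: 0x%02X (was 0x04)\n", buf[3]);
    printf("checked decode with 3 bytes left: rc=%d\n", process_pixel_checked(buf, 3, 0, &out));
    return 0;
}
```

The backing array is deliberately larger than the 3 bytes the decoder is told remain, so the demo shows the logic defect without itself reading past allocated memory; in the real decoder that fourth byte lies beyond the heap allocation.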