Vulnerability Spotlight: Google PDFium Tiff Code Execution

Type talosblog
Reporter (Earl Carter)
Modified 2017-10-19T20:51:03


<h2><span class="s1">Overview</span></h2><div class="p1"><span class="s1"><br /></span></div><div class="p1"><span class="s1">Talos is disclosing a single off-by-one read/write vulnerability found in the TIFF image decoder functionality of PDFium as used in Google Chrome up to and including version 60.0.3112.101. Google Chrome is the most widely used web browser today and a specially crafted PDF could trigger the vulnerability resulting in memory corruption, possible information leak, and potential code execution. This issue has been fixed in Google Chrome version <a href="">62.0.3202.62</a>.</span></div><div class="p1"><span class="s1"></span></div><a name='more'></a><br /><br /><h2><span class="s1">TALOS-2017-0432</span></h2><div class="p1"><span class="s1"><br /></span></div><div class="p1"><span class="s1">Discovered by Aleksandar Nikolic of Cisco Talos</span></div><div class="p2"><span class="s1"></span><br /></div><div class="p1"><span class="s1">Talos-2017-0432 / CVE-2017-5133 is an off-by-one read/write vulnerability residing in the TIFF image decoder functionality of PDFium. PDFium is an open sourced PDF renderer developed by Google and used in the Chrome web browser, online services, and other standalone applications. A heap-based buffer overflow is present in the code that is responsible for decoding a compressed TIFF image stream.<span class="Apple-converted-space"> </span></span></div><div class="p2"><span class="s1"></span><br /></div><div class="p1"><span class="s1">The vulnerability results from the function responsible for parsing a pixel of data.<span class="Apple-converted-space">  </span>During this process it always reads 4 bytes from the 'dest_buffer' even if the buffer length is less than 4 bytes. This potentially leads to an off-by-one read on the heap, followed immediately by an off-by-one-write. However, there are several conditions that need to be satisfied in order to access the vulnerable code. The resulting off-by-one read/write could result in memory corruption, a possible information leak, or potential code execution.<span class="Apple-converted-space">  </span>Full details of the vulnerability are available <a href="">here</a>.</span></div><div class="p1"><span class="s1"><br /></span></div><h2><span class="s1">Coverage</span></h2><div class="p1"><span class="s1"><br /></span></div><div class="p1"><span class="s1">The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or</span></div><div class="p2"><span class="s1"></span><br /></div><style type="text/css">p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 10.0px Monaco; color: #000000; background-color: #ffffff} p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 10.0px Monaco; color: #000000; background-color: #ffffff; min-height: 14.0px} span.s1 {font-variant-ligatures: no-common-ligatures} </style> <br /><div class="p1"><span class="s1">Snort Rule: 44294-44295</span></div><div class="feedflare"> <a href=""><img src="" border="0"></img></a> </div><img src="" height="1" width="1" alt=""/>