CVE-2017-2821
Lexmark Perceptive Document Filters PDF GfxFont Code Execution Vulnerability
An exploitable use-after-free exists in the PDF parsing functionality of Lexmark Perceptive Document Filters 11.3.0.2400 and 11.4.0.2452. A crafted PDF document can lead to a use-after-free resulting in direct code execution.
Lexmark Perceptive Document Filters 11.3.0.2400 - x86
Lexmark Perceptive Document Filters 11.4.0.2452 - x86
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free
This vulnerability is present in the Lexmark Document Filters parsing code, which is used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services. This product is mainly used by MarkLogic for document conversions as part of their web-based document search and rendering. It can convert common formats such as Microsoft's document formats into more usable and easily viewed formats. There is a vulnerability in the parsing and conversion of a PDF document. A specially crafted PDF file can lead to a use-after-free and ultimately code execution. Let's investigate this vulnerability. After attempting to convert a malicious PDF with the Lexmark library, we see the following state:
LD_LIBRARY_PATH=. gdb --args ./isys_doc2text --html -o /tmp/output poc.pdf
[1] File type: Adobe Acrobat (PDF) (51); Capabilities: 15 - poc.pdf
Program received signal SIGSEGV, Segmentation fault.
0x084512c8 in ?? ()
(gdb) peda_active
gdb-peda$ context
[----------------------------------registers-----------------------------------]
EAX: 0xf5ddb4f0 --> 0xf5ddb4e8 --> 0xf5ddb4e0 --> 0xf5ddb4d8 --> 0xf5ddb4d0 (0xf5ddb4c8)
EBX: 0xf4e592a0 --> 0x1c9ad8
ECX: 0x84077f0 --> 0x0
EDX: 0xbfd00000
ESI: 0x84512d0 --> 0xf5ddb4f0 --> 0xf5ddb4e8 --> 0xf5ddb4e0 --> 0xf5ddb4d8 (0xf5ddb4d0)
EDI: 0x8452398 --> 0x84532d8 --> 0x84532e0 --> 0x0
EBP: 0xffffa858 --> 0xffffa8c8 --> 0xffffa8e8 --> 0xffffa908 --> 0xffffa928 (0xffffa958)
ESP: 0xffffa82c --> 0xf4dadf6b (add esp,0x10)
EIP: 0x84512c8 --> 0x0
EFLAGS: 0x10292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x84512c2: add BYTE PTR [eax],al
0x84512c4: add BYTE PTR [eax],al
0x84512c6: add BYTE PTR [eax],al
=> 0x84512c8: add BYTE PTR [eax],al
0x84512ca: add BYTE PTR [eax],al
0x84512cc: test eax,0xf0000000
0x84512d1: mov ah,0xdd
0x84512d3: cmc
[------------------------------------stack-------------------------------------]
0000| 0xffffa82c --> 0xf4dadf6b (add esp,0x10)
0004| 0xffffa830 --> 0x84512d0 --> 0xf5ddb4f0 --> 0xf5ddb4e8 --> 0xf5ddb4e0 (0xf5ddb4d8)
0008| 0xffffa834 --> 0xf5f23000 --> 0xdfa7c
0012| 0xffffa838 --> 0x28 ('(')
0016| 0xffffa83c --> 0xf4dadeae (pop ebx)
0020| 0xffffa840 --> 0x28 ('(')
0024| 0xffffa844 --> 0x0
0028| 0xffffa848 --> 0xffffa888 --> 0xffffa8b8 --> 0xf4e592a0 --> 0x1c9ad8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
gdb-peda$ xinfo $pc
0x84512c8 --> 0x0
Virtual memory mapping:
Start : 0x0806e000
End : 0x08497000
Offset: 0x3e32c8
Perm : rw-p
Name : [heap]
gdb-peda$ bt
#0 0x084512c8 in ?? ()
#1 0xf4dae36a in ?? () from ./libISYSpdf6.so
#2 0xf4dae4b3 in ?? () from ./libISYSpdf6.so
#3 0xf4d316cf in ?? () from ./libISYSpdf6.so
#4 0xf4d316fc in ?? () from ./libISYSpdf6.so
#5 0xf4d32eea in ?? () from ./libISYSpdf6.so
#6 0xf4d33081 in ?? () from ./libISYSpdf6.so
#7 0xf4d3520f in ?? () from ./libISYSpdf6.so
#8 0xf4d8cd79 in ?? () from ./libISYSpdf6.so
#9 0xf4d8d050 in ?? () from ./libISYSpdf6.so
#10 0xf4d8a02c in ?? () from ./libISYSpdf6.so
#11 0xf4cb1d99 in ?? () from ./libISYSpdf6.so
#12 0xf4cbc532 in ?? () from ./libISYSpdf6.so
#13 0xf4cbd4e8 in ?? () from ./libISYSpdf6.so
#14 0xf4caf328 in Ext_Read_Character () from ./libISYSpdf6.so
#15 0xf366b0bb in ?? () from ./libISYSreadershd.so
#16 0xf3669eaa in ?? () from ./libISYSreadershd.so
#17 0xf375648a in ?? () from ./libISYSreadershd.so
#18 0xf37652c6 in ?? () from ./libISYSreadershd.so
#19 0xf3856d14 in ?? () from ./libISYSreadershd.so
#20 0xf385b021 in ?? () from ./libISYSreadershd.so
#21 0xf3853d40 in ?? () from ./libISYSreadershd.so
#22 0xf5accf64 in ?? () from ./libISYSreaders.so
#23 0xf5ad1abd in ?? () from ./libISYSreaders.so
#24 0xf7fcd5e3 in IGR_Open_Stream_Ex () from ./libISYS11df.so
#25 0x08054a4d in ?? ()
#26 0x0805c160 in ?? ()
#27 0x0805de17 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#28 0xf620f14d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#29 0xf621a739 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#30 0xf6216894 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#31 0x08053d7b in ?? ()
#32 0xf5c49af3 in __libc_start_main (main=0x8053350, argc=0x5, argv=0xffffcff4, init=0x80642f0, fini=0x80642e0, rtld_fini=0xf7feb160 <_dl_fini>, stack_end=0xffffcfec) at libc-start.c:287
#33 0x0804f5e1 in ?? ()
As we can see, control flow has somehow been redirected to the heap. Using rr to record and replay the application, we try to stop at the moment when execution is redirected to the heap address above.
gdb-peda$
[----------------------------------registers-----------------------------------]
EAX: 0xf55584f0 --> 0xf55584e8 --> 0xf55584e0 --> 0xf55584d8 --> 0xf55584d0 (0xf55584c8)
EBX: 0xf44d62a0 --> 0x1c9ad8
ECX: 0x8a9d790 --> 0x0
EDX: 0xbfd00000
ESI: 0x8ae7270 --> 0xf55584f0 --> 0xf55584e8 --> 0xf55584e0 --> 0xf55584d8 (0xf55584d0)
EDI: 0x8ae8338 --> 0x8ae9278 --> 0x8ae9280 --> 0x0
EBP: 0xfffaf9d8 --> 0xfffafa48 --> 0xfffafa68 --> 0xfffafa88 --> 0xfffafaa8 (0xfffafad8)
ESP: 0xfffaf9b0 --> 0x8ae7270 --> 0xf55584f0 --> 0xf55584e8 --> 0xf55584e0 (0xf55584d8)
EIP: 0xf442af68 --> 0x830850ff
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0xf442af62: sub esp,0xc
0xf442af65: mov eax,DWORD PTR [esi]
0xf442af67: push esi
=> 0xf442af68: call DWORD PTR [eax+0x8]
0xf442af6b: add esp,0x10
0xf442af6e: test eax,eax
0xf442af70: je 0xf442af88
0xf442af72: lea esp,[ebp-0xc]
Guessed arguments:
arg[0]: 0x8ae7270 --> 0xf55584f0 --> 0xf55584e8 --> 0xf55584e0 --> 0xf55584d8 (0xf55584d0)
[------------------------------------stack-------------------------------------]
0000| 0xfffaf9b0 --> 0x8ae7270 --> 0xf55584f0 --> 0xf55584e8 --> 0xf55584e0 (0xf55584d8)
0004| 0xfffaf9b4 --> 0xf56a0000 --> 0xdfa7c
0008| 0xfffaf9b8 --> 0x28 ('(')
0012| 0xfffaf9bc --> 0xf442aeae --> 0xf2c3815b --> 0x26748d20
0016| 0xfffaf9c0 --> 0x28 ('(')
0020| 0xfffaf9c4 --> 0x0
0024| 0xfffaf9c8 --> 0xfffafa08 --> 0xfffafa38 --> 0xf44d62a0 --> 0x1c9ad8
0028| 0xfffaf9cc --> 0xf44d62a0 --> 0x1c9ad8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
gdb-peda$ telescope $eax+0x8 1
$280 = 0x45bd
0000| 0xf55584f8 --> 0x8ae7268 --> 0x0
gdb-peda$ pdisass 0x8ae7268
Dump of assembler code from 0x8ae7268 to 0x8ae7288:
0x08ae7268: add BYTE PTR [eax],al
0x08ae726a: add BYTE PTR [eax],al
0x08ae726c: test eax,0xf0000000
0x08ae7271: test BYTE PTR [ebp-0xb],dl
0x08ae7274: lock test BYTE PTR [ebp-0xb],dl
0x08ae7278: js 0x8ae720c
0x08ae727a: scas al,BYTE PTR es:[edi]
0x08ae727b: or BYTE PTR [eax+eax*1],ah
0x08ae727e: add BYTE PTR [eax],al
0x08ae7280: add BYTE PTR [eax],al
0x08ae7282: add BYTE PTR [eax],al
0x08ae7284: js 0x8ae72f9
0x08ae7286: scas al,BYTE PTR es:[edi]
0x08ae7287: or BYTE PTR ds:0x68000000,cl
End of assembler dump.
From the assembly listing above, we can see a virtual function call made through a corrupted vftable.
To understand better what exactly happened, we can look at some source code. Lexmark developers use a modified version of the Xpdf / Poppler library in libISYSpdf6.so.
Further analysis reveals that the call through the malformed vftable happens in the TextFontInfo constructor and is directly related to the GfxFont object:
xpdf-3.04\xpdf\TextOutputDev.cc
Line 427 TextFontInfo::TextFontInfo(GfxState *state) {
Line 428 GfxFont *gfxFont;
Line 429
Line 430 gfxFont = state->getFont();
Line (...)
Line 456 if (gfxFont && !gfxFont->isCIDFont()) {
The gfxFont object is read from state, and later, in line 456, a call to the virtual function isCIDFont is made.
After some analysis of the Xpdf code to find the places where the state object can change, depending on which PostScript tags are executed, this part of the code was instrumented. Beyond that, the life cycle of the most interesting object, the gfxFont at 0x8ae7270 (see the second listing above: ESI == this), was traced. These observations should reveal the places where the gfxFont object was corrupted or released, which later leads to the call through the malformed vftable.
libISYSpdf6 image base: 0xF430C000
Line 1 [Gfx::execOp] opName : BT func addr : 0xf43ae550
Line 2 [Gfx::execOp] opName : Td func addr : 0xf43b0e90
Line 3 [Gfx::execOp] opName : Tf func addr : 0xf43b2280
Line 4 [Gfx::opSetFont] lookup -> Font name : F1
Line 5 [Gfx::opSetFont] GfxFontDict::GfxFontDict : 0xf44d3fb0
Line 6 [0xf43bf213] WRITE *0x8ae7270 <- 0xf44d3fd0
Line 7 #0 0xf43bf213 in ?? () from ./libISYSpdf6.so
Line 8 #1 0xf43bface in ?? () from ./libISYSpdf6.so
Line 9 free(0x8ae7270)
Line 10 [0xf5420d61] WRITE *0x8ae7270 <- 0x8ae5eb0
Line 11 #0 _int_free (av=0xf5558420 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4015
Line 12 #1 0xf560882f in operator delete(void*) () from /usr/lib/i386-linux-gnu/libstdc++.so.6
Line 13 [Gfx::opSetFont] Font NOT found
Line 14 [Gfx::opSetFont] GfxFontDict::GfxFontDict : this = 0xfffafa78 arg0 = 0x8a94388
Line 15 [0xf5421a21] WRITE *0x8ae7270 <- 0xf5558450
Line 16 #0 _int_malloc (av=av@entry=0xf5558420 <main_arena>, bytes=bytes@entry=160) at malloc.c:3493
Line 17 #1 0xf5423888 in __GI___libc_malloc (bytes=160) at malloc.c:2891
Line 18 [0xf54219c5] WRITE *0x8ae7270 <- 0xf5558750
Line 19 #0 _int_malloc (av=av@entry=0xf5558420 <main_arena>, bytes=bytes@entry=160) at malloc.c:3561
Line 20 #1 0xf5423888 in __GI___libc_malloc (bytes=160) at malloc.c:2891
Line 21 post malloc(0x8ae7270)
Line 22 [Gfx::opSetFont] sub_F43A81D0 [if FALSE]: fontName : BaseFont
Line 23 [0xf43a828c] WRITE *0x8ae7270 <- 0x8ae7358
Line 24 #0 0xf43a828c in ?? () from ./libISYSpdf6.so
Line 25 #1 0xf43b23c6 in ?? () from ./libISYSpdf6.so
Line 26 [Gfx::opSetFont] sub_F43A81D0 [if FALSE]: fontName : Type
Line 27 [Gfx::opSetFont] sub_F43A81D0 [if FALSE]: fontName : Subtype
Line 28 [Gfx::opSetFont] GfxFont::makeFont
Line 29 [Gfx::opSetFont] GfxFontDict::_desctrGfxFontDict : 0xfffafa78
Line 30 free(0x8ae7270)
Line 31 [0xf5420d61] WRITE *0x8ae7270 <- 0xf5558450
Line 32 #0 _int_free (av=0xf5558420 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4015
Line 33 #1 0xf435e883 in ?? () from ./libISYSpdf6.so
Line 34 [Gfx::doSetFont] Font : 0x8ae9928 - vftable : 0xf44d3fb0
Line 35 [Gfx::execOp] opName : Tj func addr : 0xf43bc9f0
Line 36 [0xf54219c5] WRITE *0x8ae7270 <- 0xf55584f0
Line 37 #0 _int_malloc (av=av@entry=0xf5558420 <main_arena>, bytes=bytes@entry=40) at malloc.c:3561
Line 38 #1 0xf5423888 in __GI___libc_malloc (bytes=40) at malloc.c:2891
Line 39 [TextFontInfo::TextFontInfo] Font : 0x8ae9928 - vftable : 0xf44d3fb0
Line 40 [Gfx::execOp] opName : ET func addr : 0xf43ae5e0
Line 41 [Gfx::execOp] opName : Q func addr : 0xf43ae6e0
Line 42 [0xf43ae6c3][CHANGE] state *0x8a99424 <- 0x8a9d790
Line 43 ->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[Font] 0x8ae7270
Line 44 [TextFontInfo::TextFontInfo] Font : 0x8ae7270 - vftable : 0xf55584f0
Line 45
Line 46 Program received signal SIGSEGV, Segmentation fault.
Line 47 0x08ae7268 in ?? ()
With all this information printed during execution, we can clearly see that at line 30 the gfxFont object is released. In two places we can observe that the address under its vftable, *0x8ae7270, is overwritten: first by the free in the code executed at lines 31-33, and later by the malloc in the code at lines 36-38. All of this happens inside the opSetFont handler. Next, when executing the Q tag handler, we can see that the current font object assigned to state has been changed to this released one (lines 41-43). At line 44 the released gfxFont object calls its virtual function. An attacker with control of the heap layout, using a suitable combination of PostScript tags, can leverage this use-after-free vulnerability to achieve arbitrary code execution.
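The following added model (not Xpdf, Poppler or Lexmark code) replays the operator sequence behind the trace above, Tf, q, Tf, Tj, Q, Tj, against a cut-down GfxFont / GfxFontDict / GfxState to show how a font dictionary destroyed inside the Tf handler leaves a saved graphics state holding a dangling font pointer that Q hands back to the TextFontInfo constructor. The reference-counting variant (hardened == true) is an assumed mitigation, not the vendor's fix; the cache-miss rebuild of the font dictionary, the incRefCnt/decRefCnt names and the freed flag are modelling assumptions.

```cpp
#include <map>
#include <string>
// Reference-counted font. A released object is only flagged here, never freed,
// so a dangling use can be observed instead of crashing the program.
struct GfxFont {
    int refCnt = 1; bool cid; bool freed = false;
    explicit GfxFont(bool c) : cid(c) {}
    void incRefCnt() { ++refCnt; }
    void decRefCnt() { if (--refCnt == 0) freed = true; }
    bool isCIDFont() const { return cid; }
};
// Font dictionary built from the page resources: it owns the fonts it made
// and drops its references when it is destroyed (trace lines 29-33).
struct GfxFontDict {
    std::map<std::string, GfxFont*> fonts;
    GfxFont* lookup(const std::string& n) { return fonts.count(n) ? fonts[n] : nullptr; }
    GfxFont* makeFont(const std::string& n, bool cid) { return fonts[n] = new GfxFont(cid); }
    ~GfxFontDict() { for (auto& kv : fonts) kv.second->decRefCnt(); }
};
// Graphics state with the q/Q save chain. With hardened == true the state
// holds its own reference on the font it points at (the assumed fix).
struct GfxState {
    GfxFont* font = nullptr; GfxState* saved = nullptr; bool hardened;
    explicit GfxState(bool h) : hardened(h) {}
    void setFont(GfxFont* f) { if (hardened) { if (f) f->incRefCnt(); if (font) font->decRefCnt(); } font = f; }
};
static GfxState* opSave(GfxState* st) {                        // q
    GfxState* s = new GfxState(*st); s->saved = st;
    if (s->hardened && s->font) s->font->incRefCnt(); return s;
}
static GfxState* opRestore(GfxState* st) {                     // Q
    GfxState* prev = st->saved; if (st->hardened && st->font) st->font->decRefCnt();
    delete st; return prev;
}
// Tf handler: on a cache miss the font dictionary is rebuilt, which releases
// every font the old one held, including one a saved state still points at.
static void opSetFont(GfxFontDict*& res, GfxState* st, const std::string& name, bool cid) {
    GfxFont* f = res ? res->lookup(name) : nullptr;
    if (!f) { delete res; res = new GfxFontDict; f = res->makeFont(name, cid); }
    st->setFont(f);
}
// TextFontInfo::TextFontInfo (TextOutputDev.cc line 456) makes a virtual call on
// the state's font; the model reports instead whether that font is still live.
static bool textFontInfoOk(GfxState* st) {
    if (st->font && st->font->freed) return false;   // real code: vftable read from freed memory
    if (st->font) (void)st->font->isCIDFont(); return true;
}
// Operator sequence behind the trace: Tf F1, q, Tf F2, Tj, Q, Tj.
// Returns true only if every TextFontInfo call saw a live font.
bool replay(bool hardened) {
    GfxFontDict* res = nullptr; GfxState* st = new GfxState(hardened);
    opSetFont(res, st, "F1", false);
    st = opSave(st);                          // q: the saved copy still points at F1
    opSetFont(res, st, "F2", false);          // F2 missing: old dictionary releases F1
    bool ok = textFontInfoOk(st);             // Tj on F2 (trace line 39): fine either way
    st = opRestore(st);                       // Q: state points at F1 again (line 43)
    ok = textFontInfoOk(st) && ok;            // Tj under restored state (line 44)
    delete st; delete res;
    return ok;
}
```

replay(false) reports the dangling use on the second Tj, while replay(true) keeps F1 alive until the saved state is popped.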
gdb-peda$ exploitable
Description: Segmentation fault on program counter
Short description: SegFaultOnPc (4/29)
Hash: ae6e0c4798a72212d8ed8d1244fde9d3.4bca40fcccba05375e1144a7be3e77a5
Exploitability Classification: EXPLOITABLE Explanation: The target tried to access data at an address that matches the program counter. This is likely due to the execution of a branch instruction (ex: 'call') with a bad argument, but it could also be due to execution continuing past the end of a memory region or another cause. Regardless this likely indicates that the program counter contents are tainted and can be controlled by an attacker.
Other tags: AccessViolation (28/29)
gdb-peda$ exploitable -m
Warning: machine string printing is deprecated and may be removed in a future release.
EXCEPTION_FAULTING_ADDRESS:0x000000084512c8
EXCEPTION_CODE:0xb
FAULTING_INSTRUCTION:add BYTE PTR [eax],al
MAJOR_HASH:ae6e0c4798a72212d8ed8d1244fde9d3
MINOR_HASH:4bca40fcccba05375e1144a7be3e77a5
STACK_DEPTH:32
STACK_FRAME:[heap]+0x0
INSTRUCTION_ADDRESS:0x000000084512c8
INVOKING_STACK_FRAME:0
DESCRIPTION:Segmentation fault on program counter
SHORT_DESCRIPTION:SegFaultOnPc (4/29)
OTHER_RULES:AccessViolation (28/29)
CLASSIFICATION:EXPLOITABLE
Explanation:The target tried to access data at an address that matches the program counter. This is likely due to the execution of a branch instruction (ex: 'call') with a bad argument, but it could also be due to execution continuing past the end of a memory region or another cause. Regardless this likely indicates that the program counter contents are tainted and can be controlled by an attacker.
2017-04-24 - Vendor Disclosure
2017-08-28 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.