CVE-2017-2821 - Use After Free vulnerability in Lexmark Perceptive Document Filters 11.3.0.2400/11.4.0.2452

CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary

An exploitable use-after-free exists in the PDF parsing functionality of Lexmark Perceptive Document Filters 11.3.0.2400 and 11.4.0.2452. A crafted PDF document can lead to a use-after-free resulting in direct code execution.

Common Weakness Enumeration (CWE)

CWE-416: Use After Free

Seebug

bulletinFamily: exploit
description:

### Summary

An exploitable use-after-free exists in the PDF parsing functionality of the Lexmark Perceptive Document Filters 11.3.0.2400 and 11.4.0.2452. A crafted PDF document can lead to a use-after-free resulting in direct code execution.

### Tested Versions

Lexmark Perceptive Document Filters 11.3.0.2400 - x86
Lexmark Perceptive Document Filters 11.4.0.2452 - x86

### Product URLs

http://www.lexmark.com/en_us/partners/enterprise-software/technology-partners/oem-technologies/document-filters.html

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### CWE

CWE-416: Use After Free

### Details

This vulnerability is present in the Lexmark Document Filters parsing code, which is used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services. The product is mainly used by MarkLogic for document conversions as part of its web-based document search and rendering. It can convert common formats such as Microsoft's document formats into more usable and easily viewed formats.

There is a vulnerability in the parsing and conversion of a PDF document. A specially crafted PDF file can lead to a use-after-free and ultimately code execution. Let's investigate this vulnerability.

After attempting to convert a malicious PDF with the Lexmark library, we see the following state:

```
LD_LIBRARY_PATH=. gdb --args ./isys_doc2text --html -o /tmp/output poc.pdf
[1] File type: Adobe Acrobat (PDF) (51); Capabilities: 15 - poc.pdf

Program received signal SIGSEGV, Segmentation fault.
0x084512c8 in ?? ()
(gdb) peda_active
gdb-peda$ context
[----------------------------------registers-----------------------------------]
EAX: 0xf5ddb4f0 --> 0xf5ddb4e8 --> 0xf5ddb4e0 --> 0xf5ddb4d8 --> 0xf5ddb4d0 (0xf5ddb4c8)
EBX: 0xf4e592a0 --> 0x1c9ad8
ECX: 0x84077f0 --> 0x0
EDX: 0xbfd00000
ESI: 0x84512d0 --> 0xf5ddb4f0 --> 0xf5ddb4e8 --> 0xf5ddb4e0 --> 0xf5ddb4d8 (0xf5ddb4d0)
EDI: 0x8452398 --> 0x84532d8 --> 0x84532e0 --> 0x0
EBP: 0xffffa858 --> 0xffffa8c8 --> 0xffffa8e8 --> 0xffffa908 --> 0xffffa928 (0xffffa958)
ESP: 0xffffa82c --> 0xf4dadf6b (add esp,0x10)
EIP: 0x84512c8 --> 0x0
EFLAGS: 0x10292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x84512c2: add BYTE PTR [eax],al
   0x84512c4: add BYTE PTR [eax],al
   0x84512c6: add BYTE PTR [eax],al
=> 0x84512c8: add BYTE PTR [eax],al
   0x84512ca: add BYTE PTR [eax],al
   0x84512cc: test eax,0xf0000000
   0x84512d1: mov ah,0xdd
   0x84512d3: cmc
[------------------------------------stack-------------------------------------]
0000| 0xffffa82c --> 0xf4dadf6b (add esp,0x10)
0004| 0xffffa830 --> 0x84512d0 --> 0xf5ddb4f0 --> 0xf5ddb4e8 --> 0xf5ddb4e0 (0xf5ddb4d8)
0008| 0xffffa834 --> 0xf5f23000 --> 0xdfa7c
0012| 0xffffa838 --> 0x28 ('(')
0016| 0xffffa83c --> 0xf4dadeae (pop ebx)
0020| 0xffffa840 --> 0x28 ('(')
0024| 0xffffa844 --> 0x0
0028| 0xffffa848 --> 0xffffa888 --> 0xffffa8b8 --> 0xf4e592a0 --> 0x1c9ad8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
gdb-peda$ xinfo $pc
0x84512c8 --> 0x0
Virtual memory mapping:
Start : 0x0806e000
End   : 0x08497000
Offset: 0x3e32c8
Perm  : rw-p
Name  : [heap]
gdb-peda$ bt
#0  0x084512c8 in ?? ()
#1  0xf4dae36a in ?? () from ./libISYSpdf6.so
#2  0xf4dae4b3 in ?? () from ./libISYSpdf6.so
#3  0xf4d316cf in ?? () from ./libISYSpdf6.so
#4  0xf4d316fc in ?? () from ./libISYSpdf6.so
#5  0xf4d32eea in ?? () from ./libISYSpdf6.so
#6  0xf4d33081 in ?? () from ./libISYSpdf6.so
#7  0xf4d3520f in ?? () from ./libISYSpdf6.so
#8  0xf4d8cd79 in ?? () from ./libISYSpdf6.so
#9  0xf4d8d050 in ?? () from ./libISYSpdf6.so
#10 0xf4d8a02c in ?? () from ./libISYSpdf6.so
#11 0xf4cb1d99 in ?? () from ./libISYSpdf6.so
#12 0xf4cbc532 in ?? () from ./libISYSpdf6.so
#13 0xf4cbd4e8 in ?? () from ./libISYSpdf6.so
#14 0xf4caf328 in Ext_Read_Character () from ./libISYSpdf6.so
#15 0xf366b0bb in ?? () from ./libISYSreadershd.so
#16 0xf3669eaa in ?? () from ./libISYSreadershd.so
#17 0xf375648a in ?? () from ./libISYSreadershd.so
#18 0xf37652c6 in ?? () from ./libISYSreadershd.so
#19 0xf3856d14 in ?? () from ./libISYSreadershd.so
#20 0xf385b021 in ?? () from ./libISYSreadershd.so
#21 0xf3853d40 in ?? () from ./libISYSreadershd.so
#22 0xf5accf64 in ?? () from ./libISYSreaders.so
#23 0xf5ad1abd in ?? () from ./libISYSreaders.so
#24 0xf7fcd5e3 in IGR_Open_Stream_Ex () from ./libISYS11df.so
#25 0x08054a4d in ?? ()
#26 0x0805c160 in ?? ()
#27 0x0805de17 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#28 0xf620f14d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#29 0xf621a739 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#30 0xf6216894 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#31 0x08053d7b in ?? ()
#32 0xf5c49af3 in __libc_start_main (main=0x8053350, argc=0x5, argv=0xffffcff4, init=0x80642f0, fini=0x80642e0, rtld_fini=0xf7feb160 <_dl_fini>, stack_end=0xffffcfec) at libc-start.c:287
#33 0x0804f5e1 in ?? ()
```

Control flow has been redirected into the heap. Recording the run with rr and replaying it, we stop at the moment execution is redirected to the heap address above:

```
gdb-peda$
[----------------------------------registers-----------------------------------]
EAX: 0xf55584f0 --> 0xf55584e8 --> 0xf55584e0 --> 0xf55584d8 --> 0xf55584d0 (0xf55584c8)
EBX: 0xf44d62a0 --> 0x1c9ad8
ECX: 0x8a9d790 --> 0x0
EDX: 0xbfd00000
ESI: 0x8ae7270 --> 0xf55584f0 --> 0xf55584e8 --> 0xf55584e0 --> 0xf55584d8 (0xf55584d0)
EDI: 0x8ae8338 --> 0x8ae9278 --> 0x8ae9280 --> 0x0
EBP: 0xfffaf9d8 --> 0xfffafa48 --> 0xfffafa68 --> 0xfffafa88 --> 0xfffafaa8 (0xfffafad8)
ESP: 0xfffaf9b0 --> 0x8ae7270 --> 0xf55584f0 --> 0xf55584e8 --> 0xf55584e0 (0xf55584d8)
EIP: 0xf442af68 --> 0x830850ff
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xf442af62: sub esp,0xc
   0xf442af65: mov eax,DWORD PTR [esi]
   0xf442af67: push esi
=> 0xf442af68: call DWORD PTR [eax+0x8]
   0xf442af6b: add esp,0x10
   0xf442af6e: test eax,eax
   0xf442af70: je 0xf442af88
   0xf442af72: lea esp,[ebp-0xc]
Guessed arguments:
arg[0]: 0x8ae7270 --> 0xf55584f0 --> 0xf55584e8 --> 0xf55584e0 --> 0xf55584d8 (0xf55584d0)
[------------------------------------stack-------------------------------------]
0000| 0xfffaf9b0 --> 0x8ae7270 --> 0xf55584f0 --> 0xf55584e8 --> 0xf55584e0 (0xf55584d8)
0004| 0xfffaf9b4 --> 0xf56a0000 --> 0xdfa7c
0008| 0xfffaf9b8 --> 0x28 ('(')
0012| 0xfffaf9bc --> 0xf442aeae --> 0xf2c3815b --> 0x26748d20
0016| 0xfffaf9c0 --> 0x28 ('(')
0020| 0xfffaf9c4 --> 0x0
0024| 0xfffaf9c8 --> 0xfffafa08 --> 0xfffafa38 --> 0xf44d62a0 --> 0x1c9ad8
0028| 0xfffaf9cc --> 0xf44d62a0 --> 0x1c9ad8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
gdb-peda$ telescope $eax+0x8 1
$280 = 0x45bd
0000| 0xf55584f8 --> 0x8ae7268 --> 0x0
gdb-peda$ pdisass 0x8ae7268
Dump of assembler code from 0x8ae7268 to 0x8ae7288:
   0x08ae7268: add BYTE PTR [eax],al
   0x08ae726a: add BYTE PTR [eax],al
   0x08ae726c: test eax,0xf0000000
   0x08ae7271: test BYTE PTR [ebp-0xb],dl
   0x08ae7274: lock test BYTE PTR [ebp-0xb],dl
   0x08ae7278: js 0x8ae720c
   0x08ae727a: scas al,BYTE PTR es:[edi]
   0x08ae727b: or BYTE PTR [eax+eax*1],ah
   0x08ae727e: add BYTE PTR [eax],al
   0x08ae7280: add BYTE PTR [eax],al
   0x08ae7282: add BYTE PTR [eax],al
   0x08ae7284: js 0x8ae72f9
   0x08ae7286: scas al,BYTE PTR es:[edi]
   0x08ae7287: or BYTE PTR ds:0x68000000,cl
End of assembler dump.
```

The listing above shows a virtual function call made through a corrupted vftable. To understand what happened we can look at some source code: Lexmark's developers use a modified version of the Xpdf / Poppler library in libISYSpdf6.so. Further analysis reveals that the call through the malformed vftable is made in the `TextFontInfo` constructor and concerns the `GfxFont` object:

```
xpdf-3.04\xpdf\TextOutputDev.cc
Line 427    TextFontInfo::TextFontInfo(GfxState *state) {
Line 428      GfxFont *gfxFont;
Line 429
Line 430      gfxFont = state->getFont();
Line (...)
Line 456      if (gfxFont && !gfxFont->isCIDFont()) {
```

The `gfxFont` pointer is read from `state`, and at line 456 the virtual function `isCIDFont` is called on it. After reviewing the Xpdf code for the places where the `state` object can change, depending on which PostScript tags are executed, those code paths were instrumented. The life cycle of the object of most interest, `gfxFont` at `0x8ae7270` (in the second listing above, `ESI == this`), was traced as well. Together these observations should reveal where the `gfxFont` object was corrupted or released, which later leads to the call through the malformed vftable.

```
libISYSpdf6 image base: 0xF430C000
Line 1   [Gfx::execOp] opName : BT func addr : 0xf43ae550
Line 2   [Gfx::execOp] opName : Td func addr : 0xf43b0e90
Line 3   [Gfx::execOp] opName : Tf func addr : 0xf43b2280
Line 4   [Gfx::opSetFont] lookup -> Font name : F1
Line 5   [Gfx::opSetFont] GfxFontDict::GfxFontDict : 0xf44d3fb0
Line 6   [0xf43bf213] WRITE *0x8ae7270 <- 0xf44d3fd0
Line 7   #0 0xf43bf213 in ?? () from ./libISYSpdf6.so
Line 8   #1 0xf43bface in ?? () from ./libISYSpdf6.so
Line 9   free(0x8ae7270)
Line 10  [0xf5420d61] WRITE *0x8ae7270 <- 0x8ae5eb0
Line 11  #0 _int_free (av=0xf5558420 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4015
Line 12  #1 0xf560882f in operator delete(void*) () from /usr/lib/i386-linux-gnu/libstdc++.so.6
Line 13  [Gfx::opSetFont] Font NOT found
Line 14  [Gfx::opSetFont] GfxFontDict::GfxFontDict : this = 0xfffafa78 arg0 = 0x8a94388
Line 15  [0xf5421a21] WRITE *0x8ae7270 <- 0xf5558450
Line 16  #0 _int_malloc (av=av@entry=0xf5558420 <main_arena>, bytes=bytes@entry=160) at malloc.c:3493
Line 17  #1 0xf5423888 in __GI___libc_malloc (bytes=160) at malloc.c:2891
Line 18  [0xf54219c5] WRITE *0x8ae7270 <- 0xf5558750
Line 19  #0 _int_malloc (av=av@entry=0xf5558420 <main_arena>, bytes=bytes@entry=160) at malloc.c:3561
Line 20  #1 0xf5423888 in __GI___libc_malloc (bytes=160) at malloc.c:2891
Line 21  post malloc(0x8ae7270)
Line 22  [Gfx::opSetFont] sub_F43A81D0 [if FALSE]: fontName : BaseFont
Line 23  [0xf43a828c] WRITE *0x8ae7270 <- 0x8ae7358
Line 24  #0 0xf43a828c in ?? () from ./libISYSpdf6.so
Line 25  #1 0xf43b23c6 in ?? () from ./libISYSpdf6.so
Line 26  [Gfx::opSetFont] sub_F43A81D0 [if FALSE]: fontName : Type
Line 27  [Gfx::opSetFont] sub_F43A81D0 [if FALSE]: fontName : Subtype
Line 28  [Gfx::opSetFont] GfxFont::makeFont
Line 29  [Gfx::opSetFont] GfxFontDict::_desctrGfxFontDict : 0xfffafa78
Line 30  free(0x8ae7270)
Line 31  [0xf5420d61] WRITE *0x8ae7270 <- 0xf5558450
Line 32  #0 _int_free (av=0xf5558420 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4015
Line 33  #1 0xf435e883 in ?? () from ./libISYSpdf6.so
Line 34  [Gfx::doSetFont] Font : 0x8ae9928 - vftable : 0xf44d3fb0
Line 35  [Gfx::execOp] opName : Tj func addr : 0xf43bc9f0
Line 36  [0xf54219c5] WRITE *0x8ae7270 <- 0xf55584f0
Line 37  #0 _int_malloc (av=av@entry=0xf5558420 <main_arena>, bytes=bytes@entry=40) at malloc.c:3561
Line 38  #1 0xf5423888 in __GI___libc_malloc (bytes=40) at malloc.c:2891
Line 39  [TextFontInfo::TextFontInfo] Font : 0x8ae9928 - vftable : 0xf44d3fb0
Line 40  [Gfx::execOp] opName : ET func addr : 0xf43ae5e0
Line 41  [Gfx::execOp] opName : Q func addr : 0xf43ae6e0
Line 42  [0xf43ae6c3][CHANGE] state *0x8a99424 <- 0x8a9d790
Line 43  ->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[Font] 0x8ae7270
Line 44  [TextFontInfo::TextFontInfo] Font : 0x8ae7270 - vftable : 0xf55584f0
Line 45
Line 46  Program received signal SIGSEGV, Segmentation fault.
Line 47  0x08ae7268 in ?? ()
```

With this instrumentation in place, it is clear that the `gfxFont` object is released at line 30. The value in its vftable slot, `*0x8ae7270`, is then overwritten twice: first by the free at lines 31-33 and later by the malloc at lines 36-38. All of this happens inside the `opSetFont` handler. When the `Q` tag handler then executes, the current font object assigned to `state` changes to the released one (lines 41-43), and at line 44 a virtual function is called on the released `gfxFont` object.
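To make the ownership problem concrete, the following is an added C++ example (not Lexmark's or Xpdf's code) that models the lifetimes involved: a graphics state that stores a font pointer, a font dictionary that owns the font, and a q/Q save-restore stack. The vulnerable shape stores a raw pointer and lets the dictionary free the font, so the state restored by `Q` refers to freed memory, which is what the `isCIDFont` call in `TextFontInfo` would then dereference; the hardened shape gives every state entry shared ownership, so the font outlives all references to it. The `GfxFont`, `RawFontDict`, `SafeFontDict` and state types, the live-object registry and the operator sequence are simplified stand-ins rather than the real Xpdf classes, and the dangling pointer is detected through the registry instead of dereferencing freed memory.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Registry of live GfxFont objects, keyed by address. It stands in for the
// allocator so the example can report a dangling pointer without actually
// touching freed memory (which would be undefined behaviour).
static std::set<std::uintptr_t> g_liveFonts;

static std::uintptr_t addrOf(const void* p) {
    return reinterpret_cast<std::uintptr_t>(p);
}

// Simplified stand-in for xpdf's GfxFont: a polymorphic object whose vftable
// is what the isCIDFont() call in TextFontInfo goes through.
struct GfxFont {
    std::string name;
    explicit GfxFont(std::string n) : name(std::move(n)) {
        g_liveFonts.insert(addrOf(this));
    }
    virtual ~GfxFont() { g_liveFonts.erase(addrOf(this)); }
    virtual bool isCIDFont() const { return false; }
};

static bool fontIsLive(const GfxFont* f) {
    return f != nullptr && g_liveFonts.count(addrOf(f)) != 0;
}

// ---- Ownership shape that produces the bug ---------------------------------
// The graphics state holds a raw pointer; the font dictionary built while
// handling Tf is the sole owner and deletes the font when it is torn down.
struct RawState { GfxFont* font = nullptr; };

struct RawFontDict {
    std::vector<GfxFont*> fonts;
    ~RawFontDict() { for (GfxFont* f : fonts) delete f; }
};

// Returns true when the font referenced by the restored state has already
// been freed, i.e. the virtual call made after Q would be a use-after-free.
bool rawOwnershipIsDangling() {
    std::vector<RawState> saved;          // q / Q save-restore stack
    RawState state;
    {
        RawFontDict dict;                 // Tf: font dictionary built on demand
        dict.fonts.push_back(new GfxFont("F1"));
        state.font = dict.fonts.back();   // current state points into the dict
        saved.push_back(state);           // q: the saved copy points there too
    }                                     // dict torn down: the font is freed
    state = saved.back();                 // Q: restore the saved state
    saved.pop_back();
    return state.font != nullptr && !fontIsLive(state.font);
}

// ---- Hardened shape: shared ownership ---------------------------------------
// Every state entry and the dictionary hold a shared_ptr, so the font stays
// alive as long as anything can still reach it (xpdf keeps a reference count
// on GfxFont for the same reason).
struct SafeState { std::shared_ptr<GfxFont> font; };

struct SafeFontDict { std::vector<std::shared_ptr<GfxFont>> fonts; };

// Returns true when the font is still live after Q and the virtual call
// completes on a valid object.
bool sharedOwnershipIsSafe() {
    std::vector<SafeState> saved;
    SafeState state;
    {
        SafeFontDict dict;
        dict.fonts.push_back(std::make_shared<GfxFont>("F1"));
        state.font = dict.fonts.back();
        saved.push_back(state);
    }                                     // dict gone, two references remain
    state = saved.back();
    saved.pop_back();
    return fontIsLive(state.font.get()) && !state.font->isCIDFont();
}

// Number of GfxFont objects still allocated; zero once every owner is gone.
std::size_t liveFontCount() { return g_liveFonts.size(); }

int main() {
    std::printf("raw ownership dangling after Q: %s\n", rawOwnershipIsDangling() ? "yes" : "no");
    std::printf("shared ownership valid after Q: %s\n", sharedOwnershipIsSafe() ? "yes" : "no");
    std::printf("fonts still live at exit: %zu\n", liveFontCount());
    return 0;
}
```

The registry is only there to make the dangling state observable in a deterministic way; in the real library the same condition shows up as the garbage vftable in the trace above. Building the same model with AddressSanitizer and dereferencing the raw pointer would flag it as a heap-use-after-free at the `isCIDFont` call.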
An attacker who controls the heap layout through a suitable combination of PostScript tags can leverage this use-after-free vulnerability to achieve arbitrary code execution.

### Crash Information

```
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0xf5ddb4f0 --> 0xf5ddb4e8 --> 0xf5ddb4e0 --> 0xf5ddb4d8 --> 0xf5ddb4d0 (0xf5ddb4c8)
EBX: 0xf4e592a0 --> 0x1c9ad8
ECX: 0x84077f0 --> 0x0
EDX: 0xbfd00000
ESI: 0x84512d0 --> 0xf5ddb4f0 --> 0xf5ddb4e8 --> 0xf5ddb4e0 --> 0xf5ddb4d8 (0xf5ddb4d0)
EDI: 0x8452398 --> 0x84532d8 --> 0x84532e0 --> 0x0
EBP: 0xffffa858 --> 0xffffa8c8 --> 0xffffa8e8 --> 0xffffa908 --> 0xffffa928 (0xffffa958)
ESP: 0xffffa82c --> 0xf4dadf6b (add esp,0x10)
EIP: 0x84512c8 --> 0x0
EFLAGS: 0x10292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x84512c2: add BYTE PTR [eax],al
   0x84512c4: add BYTE PTR [eax],al
   0x84512c6: add BYTE PTR [eax],al
=> 0x84512c8: add BYTE PTR [eax],al
   0x84512ca: add BYTE PTR [eax],al
   0x84512cc: test eax,0xf0000000
   0x84512d1: mov ah,0xdd
   0x84512d3: cmc
[------------------------------------stack-------------------------------------]
0000| 0xffffa82c --> 0xf4dadf6b (add esp,0x10)
0004| 0xffffa830 --> 0x84512d0 --> 0xf5ddb4f0 --> 0xf5ddb4e8 --> 0xf5ddb4e0 (0xf5ddb4d8)
0008| 0xffffa834 --> 0xf5f23000 --> 0xdfa7c
0012| 0xffffa838 --> 0x28 ('(')
0016| 0xffffa83c --> 0xf4dadeae (pop ebx)
0020| 0xffffa840 --> 0x28 ('(')
0024| 0xffffa844 --> 0x0
0028| 0xffffa848 --> 0xffffa888 --> 0xffffa8b8 --> 0xf4e592a0 --> 0x1c9ad8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x084512c8 in ?? ()
gdb-peda$ exploitable
Description: Segmentation fault on program counter
Short description: SegFaultOnPc (4/29)
Hash: ae6e0c4798a72212d8ed8d1244fde9d3.4bca40fcccba05375e1144a7be3e77a5
Exploitability Classification: EXPLOITABLE
Explanation: The target tried to access data at an address that matches the program counter. This is likely due to the execution of a branch instruction (ex: 'call') with a bad argument, but it could also be due to execution continuing past the end of a memory region or another cause. Regardless this likely indicates that the program counter contents are tainted and can be controlled by an attacker.
Other tags: AccessViolation (28/29)
gdb-peda$ exploitable -m
Warning: machine string printing is deprecated and may be removed in a future release.
EXCEPTION_FAULTING_ADDRESS:0x000000084512c8
EXCEPTION_CODE:0xb
FAULTING_INSTRUCTION:add BYTE PTR [eax],al
MAJOR_HASH:ae6e0c4798a72212d8ed8d1244fde9d3
MINOR_HASH:4bca40fcccba05375e1144a7be3e77a5
STACK_DEPTH:32
STACK_FRAME:[heap]+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSpdf6.so!Ext_Read_Character+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreadershd.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreadershd.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreadershd.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreadershd.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreadershd.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreadershd.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreadershd.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreaders.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSreaders.so+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYS11df.so!IGR_Open_Stream_Ex+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/isys_doc2text+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/isys_doc2text+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/isys_doc2text!main_doc2text(ISYS_NS::CISYScommander::CResult*, void*)+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSshared.so!ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSshared.so!bool ISYS_NS::CISYScommander::execute<char>(int, char**)+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/libISYSshared.so!ISYS_NS::CISYScommander::execute(int, char**)+0x0
STACK_FRAME:/home/icewall/Downloads/Perceptive_Document_Filters_11.3_Build_2400/linux-intel-gcc-32/isys_doc2text+0x0
INSTRUCTION_ADDRESS:0x000000084512c8
INVOKING_STACK_FRAME:0
DESCRIPTION:Segmentation fault on program counter
SHORT_DESCRIPTION:SegFaultOnPc (4/29)
OTHER_RULES:AccessViolation (28/29)
CLASSIFICATION:EXPLOITABLE
Explanation: The target tried to access data at an address that matches the program counter. This is likely due to the execution of a branch instruction (ex: 'call') with a bad argument, but it could also be due to execution continuing past the end of a memory region or another cause. Regardless this likely indicates that the program counter contents are tainted and can be controlled by an attacker.
```

### Timeline

* 2017-04-24 - Vendor Disclosure
* 2017-08-28 - Public Release

### CREDIT

* Discovered by Marcin 'Icewall' Noga of Cisco Talos.
id: SSV:96450
last seen: 2017-11-19
modified: 2017-09-12
published: 2017-09-12
reporter: Root
title: Lexmark Perceptive Document Filters PDF GfxFont Code Execution Vulnerability (CVE-2017-2821)

Talos

id: TALOS-2017-0322
last seen: 2019-05-29
published: 2017-08-28
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0322
title: Lexmark Perceptive Document Filters PDF GfxFont Code Execution Vulnerability