CVE-2017-2863 - Out-of-bounds Write vulnerability in Iceni Infix 7.1.5

CVSS: 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: local, low complexity, iceni
CWE: CWE-787

Summary

An out-of-bounds write vulnerability exists in the PDF parsing functionality of Infix 7.1.5. A specially crafted PDF file can cause a vulnerability resulting in potential memory corruption. An attacker can send the victim a specific PDF file to trigger this vulnerability.

Vulnerable Configurations

Part         Description   Count
Application  Iceni         1

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

Seebug

bulletinFamily: exploit
description:
### Summary
An out-of-bounds write vulnerability exists in the PDF parsing functionality of Infix 7.1.5. A specially crafted PDF file can cause a vulnerability resulting in potential memory corruption. An attacker can send the victim a specific PDF file to trigger this vulnerability.
### Tested Versions
Infix 7.1.5.0
### Product URLs
http://www.iceni.com
### CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
### CWE
CWE-787 - Out-of-bounds Write
### Details
A remote memory corruption vulnerability exists in the PDF parsing functionality of Infix. A specially crafted PDF file can cause a vulnerability resulting in potential memory corruption.

The vulnerable code is located in the Infix.exe file:
```
.text:0016B6E6 loc_16B6E6:                ; CODE XREF: sub_16B550+16Cj
.text:0016B6E6     mov     ecx, [eax+4]
.text:0016B6E9     mov     eax, edi
.text:0016B6EB     mov     [edi+248h], ecx
.text:0016B6F1     call    SetSize?
.text:0016B6F6     test    eax, eax
.text:0016B6F8     jnz     loc_16B5F8
.text:0016B6FE     mov     esi, [edi+23Ch]
.text:0016B704     mov     ebx, [ebx+10h]
.text:0016B707     add     esi, esi
.text:0016B709     add     esi, esi
.text:0016B70B     mov     ecx, esi
.text:0016B70D     call    GetMem
.text:0016B712     push    esi             ; size_t
.text:0016B713     push    0               ; int
.text:0016B715     push    eax             ; void *
.text:0016B716     mov     [edi+238h], eax
.text:0016B71C     call    _memset
```
The function SetSize? sets the dword value located at EDI+23Ch. When a malformed file is parsed, this value is set to 0xFFFFFFFF, which should indicate an error. However, because no further error check is performed, this value (0xFFFFFFFF) is later passed to the memset function as its size parameter, which causes the memory corruption to occur.
### Crash Information
```
(1f6c.1210): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for Infix.exe
Infix+0x4386e4:
017286e4 660f7f4150      movdqa  xmmword ptr [ecx+50h],xmm0 ds:002b:03adf000=????????????????????????????????
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
Infix+4386e4
017286e4 660f7f4150      movdqa  xmmword ptr [ecx+50h],xmm0
EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 017286e4 (Infix+0x004386e4)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 03adf000
Attempt to write to address 03adf000
FAULTING_THREAD:  00001210
DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE
PROCESS_NAME:  Infix.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
EXCEPTION_CODE_STR:  c0000005
EXCEPTION_PARAMETER1:  00000001
EXCEPTION_PARAMETER2:  03adf000
FOLLOWUP_IP:
Infix+4386e4
017286e4 660f7f4150      movdqa  xmmword ptr [ecx+50h],xmm0
WRITE_ADDRESS:  03adf000
WATSON_BKT_PROCSTAMP:  58f73f92
WATSON_BKT_PROCVER:  7.1.5.0
PROCESS_VER_PRODUCT:  Infix
WATSON_BKT_MODULE:  Infix.exe
WATSON_BKT_MODSTAMP:  58f73f92
WATSON_BKT_MODOFFSET:  4386e4
WATSON_BKT_MODVER:  7.1.5.0
MODULE_VER_PRODUCT:  Infix
BUILD_VERSION_STRING:  10.0.14393.1198 (rs1_release_sec.170427-1353)
MODLIST_WITH_TSCHKSUM_HASH:  9a4fe3bd340efcdebb41942b61f6875a3e464100
MODLIST_SHA1_HASH:  ce3c592f64e21469cc60bba09698aa4d4187b3dc
NTGLOBALFLAG:  70
APPLICATION_VERIFIER_FLAGS:  0
PRODUCT_TYPE:  1
SUITE_MASK:  272
DUMP_TYPE:  fe
ANALYSIS_SESSION_HOST:  CLAB
ANALYSIS_SESSION_TIME:  06-05-2017 13:14:49.0166
ANALYSIS_VERSION: 10.0.15063.400 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE:  PLK
PROBLEM_CLASSES:
    ID:     [0n292]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x1210]
    Frame:  [0] : Infix

    ID:     [0n265]
    Type:   [INVALID_POINTER_WRITE]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x1210]
    Frame:  [0] : Infix

    ID:     [0n152]
    Type:   [ZEROED_STACK]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [0x1f6c]
    TID:    [0x1210]
    Frame:  [0] : Infix
BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE
PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT
LAST_CONTROL_TRANSFER:  from 0144b536 to 017286e4
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
005ae738 0144b536 03a9c528 03a5d2f0 07424448 Infix+0x4386e4
005ae74c 0144787f 03a5d2f0 03a05ba8 01ca7450 Infix+0x15b536
005ae76c 01447b8f 03a9c528 00000000 00740001 Infix+0x15787f
005ae780 01368042 03a5d2f0 00000000 03ab7720 Infix+0x157b8f
005aea80 01367e6d 03a5d2f0 0c4377ca 03a05ae8 Infix+0x78042
005aecb0 01367b6a 03a5d2f0 0c43766e 03a05ba8 Infix+0x77e6d
005aed14 01364e81 0c43765a 03a05ba8 03a05cf8 Infix+0x77b6a
005aef68 0135b302 03a05ae8 0c437402 ffffffff Infix+0x74e81
005afd7c 0141dc40 0c4366ca 0170f0da 00000000 Infix+0x6b302
005afdb0 0170f087 012f0000 00000000 008b1d34 Infix+0x12dc40
005afe40 763262c4 00636000 763262a0 9d47c008 Infix+0x41f087
005afe54 77440fd9 00636000 97fb6ad6 00000000 KERNEL32!BaseThreadInitThunk+0x24
005afe9c 77440fa4 ffffffff 77462f0b 00000000 ntdll_773e0000!__RtlUserThreadStart+0x2f
005afeac 00000000 0170f0da 00636000 00000000 ntdll_773e0000!_RtlUserThreadStart+0x1b
THREAD_SHA1_HASH_MOD_FUNC:  a2b85724ec601ad99726087665d3f39d790ae40e
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  4d1ba384990a1d47ae5be0d07d972784b6ce13c9
THREAD_SHA1_HASH_MOD:  86c7b2bc65373cd9f3c87bb69974533237b82a3c
FAULT_INSTR_CODE:  417f0f66
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  Infix+4386e4
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: Infix
IMAGE_NAME:  Infix.exe
DEBUG_FLR_IMAGE_TIMESTAMP:  58f73f92
STACK_COMMAND:  ~0s ; kb
FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_Infix.exe!Unknown
BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_Infix+4386e4
FAILURE_EXCEPTION_CODE:  c0000005
FAILURE_IMAGE_NAME:  Infix.exe
BUCKET_ID_IMAGE_STR:  Infix.exe
FAILURE_MODULE_NAME:  Infix
BUCKET_ID_MODULE_STR:  Infix
FAILURE_FUNCTION_NAME:  Unknown
BUCKET_ID_FUNCTION_STR:  Unknown
BUCKET_ID_OFFSET:  4386e4
BUCKET_ID_MODTIMEDATESTAMP:  58f73f92
BUCKET_ID_MODCHECKSUM:  d926ba
BUCKET_ID_MODVER_STR:  7.1.5.0
BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_
FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT
FAILURE_SYMBOL_NAME:  Infix.exe!Unknown
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/Infix.exe/7.1.5.0/58f73f92/Infix.exe/7.1.5.0/58f73f92/c0000005/004386e4.htm?Retriage=1
TARGET_TIME:  2017-06-05T11:14:58.000Z
OSBUILD:  14393
OSSERVICEPACK:  1198
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 10
OSEDITION:  Windows 10 WinNt SingleUserTS
USER_LCID:  0
OSBUILD_TIMESTAMP:  2017-04-28 01:59:37
BUILDDATESTAMP_STR:  170427-1353
BUILDLAB_STR:  rs1_release_sec
BUILDOSVER_STR:  10.0.14393.1198
ANALYSIS_SESSION_ELAPSED_TIME:  276e
ANALYSIS_SOURCE:  UM
FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_infix.exe!unknown
FAILURE_ID_HASH:  {5c2b2b2e-b2b0-92d7-bf23-0693a8f99652}
Followup:     MachineOwner
---------
```
### Timeline
* 2017-06-20 - Vendor Disclosure
* 2017-07-11 - Public Release
### CREDIT
* Discovered by Piotr Bania of Cisco Talos.
id: SSV:96473
last seen: 2017-11-19
modified: 2017-09-14
published: 2017-09-14
reporter: Root
title: Iceni Infix PDF parsing SetSize Code Execution Vulnerability (CVE-2017-2863)
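The error-sentinel misuse described in the Details section, modelled as an added C example that is not Talos's or Iceni's code: model_set_size, unchecked_memset_length and checked_alloc are hypothetical names, and the scaling by four follows the two add esi, esi instructions in the listing, so in this 32-bit model the sentinel wraps before it reaches memset.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical C model of the Infix code path quoted in the advisory; not vendor code. */
#define SETSIZE_ERROR 0xFFFFFFFFu  /* sentinel left at [EDI+23Ch] on malformed input */

/* Model of SetSize: a negative element count in the file is an error, but the
 * error is reported through the same dword that normally holds the count. */
static uint32_t model_set_size(int32_t count_in_file) {
    return count_in_file < 0 ? SETSIZE_ERROR : (uint32_t)count_in_file;
}

/* Original path: the count is doubled twice (add esi,esi; add esi,esi) in 32-bit
 * arithmetic and handed straight to GetMem and memset. Returns the length memset
 * would receive; it deliberately performs no write. */
static uint32_t unchecked_memset_length(int32_t count_in_file) {
    uint32_t esi = model_set_size(count_in_file);
    esi += esi;   /* add esi, esi */
    esi += esi;   /* add esi, esi  -> count * 4, wrapping modulo 2^32 */
    return esi;
}

/* Hardened path: reject the sentinel, then check that count * 4 cannot wrap
 * before allocating. Returns 0 on success or a negative code on rejection. */
static int checked_alloc(int32_t count_in_file, void **out, uint32_t *out_bytes) {
    uint32_t count = model_set_size(count_in_file);
    *out = NULL;
    *out_bytes = 0;
    if (count == SETSIZE_ERROR) return -1;       /* SetSize failed: this is not a size */
    if (count > UINT32_MAX / 4u) return -2;      /* multiplication would overflow */
    *out_bytes = count * 4u;
    *out = calloc(1, *out_bytes ? *out_bytes : 1); /* zero-filled, like GetMem + memset */
    return *out ? 0 : -3;
}

/* Wrapper that returns only the result code and frees the buffer. */
static int try_checked_alloc(int32_t count_in_file) {
    void *buf; uint32_t bytes;
    int rc = checked_alloc(count_in_file, &buf, &bytes);
    free(buf);
    return rc;
}

int main(void) {
    printf("count -1: unchecked memset length = 0x%08x\n", (unsigned)unchecked_memset_length(-1));
    printf("count -1: checked rc = %d, count 16: checked rc = %d\n", try_checked_alloc(-1), try_checked_alloc(16));
    return 0;
}
```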

Talos

id: TALOS-2017-0367
last seen: 2019-05-29
published: 2017-07-11
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0367
title: Iceni Infix PDF parsing SetSize Code Execution Vulnerability