Vulnerabilities > CVE-2018-3844 - Use After Free vulnerability in Hyland Perceptive Document Filters 11.4.0.2647

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

hyland

CWE-416

NVD

Published: 2018-04-26

Updated: 2023-01-31

Summary

In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted DOCX document can lead to a use-after-free resulting in direct code execution.

Vulnerable Configurations

Part	Description	Count
Application	Hyland Hyland Perceptive Document Filters 11.4.0.2647	1

Common Weakness Enumeration (CWE)

CWE-416 - Use After Free

Seebug

bulletinFamily	exploit
description	### Summary An exploitable use after free exists in the DOCX to HTML conversion functionality of the Hyland Perspective Document Filters version 11.4.0.2647. A crafted DOCX document can lead to a use-after-free resulting in direct code execution. ### Tested Versions Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux ### Product URLs https://www.hyland.com/en/perceptive#docfilters ### CVSSv3 Score 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ### CWE CWE-416: Use After Free ### Details This vulnerability is present in the Hyland Document filter conversion which is used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services. It can convert common formats such as Microsoft's document formats into more usable and easily viewed formats. There is a vulnerability in the conversion process of a DOCX document to HTML. A specially crafted DOCX file can lead to a use-after-free and remote code execution. Let’s investigate this vulnerability. After we attempt to convert a malicious DOCX using the Hyland library we see the following state: ``` //page heap is turned on +hpa windbg.exe isys_doc2text.exe --html malicious.docx (448c.13a8): Access violation - code c0000005 (first/second chance not available) First chance exceptions are reported before any exception handling. This exception may be expected and handled. Time Travel Position: 31815B:0 eax=289aaff0 ebx=289aaff0 ecx=24f40f90 edx=62f058a0 esi=00000080 edi=63299690 eip=62f058ac esp=0084e148 ebp=0084e150 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246 ISYSreadershd!IGR_ImageExport+0x2c084c: 62f058ac 8b01 mov eax,dword ptr [ecx] ds:002b:24f40f90=63123300 ``` Showing more context ``` 62f058a0 55 push ebp 62f058a1 8bec mov ebp,esp 62f058a3 8b4904 mov ecx,dword ptr [ecx+4] 62f058a6 ff750c push dword ptr [ebp+0Ch] 62f058a9 ff7508 push dword ptr [ebp+8] 62f058ac 8b01 mov eax,dword ptr [ecx] 62f058ae ff5008 call dword ptr [eax+8] 62f058b1 33c9 xor ecx,ecx 62f058b3 3b450c cmp eax,dword ptr [ebp+0Ch] 62f058b6 0f94c0 sete al 62f058b9 5d pop ebp 62f058ba c20800 ret 8 ``` We see an obvious attempt of a virtual function call on a previously freed object. Further examination confirms our assumptions: ``` 0:000> !heap -p -a ecx address 24f40f90 found in _DPH_HEAP_ROOT @ 167b1000 in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize) 29892208: 24f40000 2000 641bab22 verifier!AVrfDebugPageHeapFree+0x000000c2 77845958 ntdll!RtlDebugFreeHeap+0x0000003c 777f5c1d ntdll!RtlpFreeHeap+0x0005619d 7779fa0d ntdll!RtlFreeHeap+0x000007cd 63046591 ISYSreadershd!IGR_ImageExport+0x00401531 63010792 ISYSreadershd!IGR_ImageExport+0x003cb732 62b451f9 ISYSreadershd!IGR_HtmlExport+0x002f5c09 62aa3853 ISYSreadershd!IGR_HtmlExport+0x00254263 628e077d ISYSreadershd!IGR_HtmlExport+0x0009118d 62aa25b8 ISYSreadershd!IGR_HtmlExport+0x00252fc8 62aa36de ISYSreadershd!IGR_HtmlExport+0x002540ee 62aa389b ISYSreadershd!IGR_HtmlExport+0x002542ab 62849e59 ISYSreadershd+0x000a9e59 6284aa1b ISYSreadershd+0x000aaa1b 628486e8 ISYSreadershd+0x000a86e8 6399d749 isysreaders+0x001dd749 63999c2e isysreaders+0x001d9c2e 63e1edd3 ISYS11df!IGR_Open_Stream_Ex+0x000000b3 009b892f isys_doc2text+0x0002892f 009b71fb isys_doc2text+0x000271fb 009b612f isys_doc2text+0x0002612f 009e4c52 isys_doc2text+0x00054c52 009e2cc5 isys_doc2text+0x00052cc5 009bcf76 isys_doc2text+0x0002cf76 00a97f44 isys_doc2text+0x00107f44 748c8654 KERNEL32!BaseThreadInitThunk+0x00000024 777c4a77 ntdll!__RtlUserThreadStart+0x0000002f 777c4a47 ntdll!_RtlUserThreadStart+0x0000001b ``` Checking the Linux version we can obtain a bit more information from partial-symbols : ``` [----------------------------------registers-----------------------------------] RAX: 0x7ffff3104188 (:CSkiaStreamBridge+168>: 0x00007ffff2d612b0) RBX: 0x8 RCX: 0x0 RDX: 0x8 RSI: 0x7fffffffa590 --> 0xa1a0a0d474e5089 RDI: 0x6ea4e0 --> 0x6cf010 --> 0x0 RBP: 0x6d6c30 --> 0x5 RSP: 0x7fffffffa560 --> 0x8 RIP: 0x7ffff2d60de8 (:CSkiaStreamBridge::write(void const, unsigned long)+8>: 0x39481850ff078b48) R8 : 0x6 R9 : 0x0 R10: 0x6d6c30 --> 0x5 R11: 0x7ffff2be3950 --> 0x6c8948e8245c8948 R12: 0x7fffffffa590 --> 0xa1a0a0d474e5089 R13: 0x6d6c30 --> 0x5 R14: 0x0 R15: 0x7fffffffafb0 --> 0x7ffff3104188 (:CSkiaStreamBridge+168>: 0x00007ffff2d612b0) EFLAGS: 0x207 (CARRY PARITY adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x7ffff2d60de0 <ISYS_NS::CSkiaStreamBridge::write(void const, unsigned long)>: push rbx 0x7ffff2d60de1 <ISYS_NS::CSkiaStreamBridge::write(void const, unsigned long)+1>: mov rdi,QWORD PTR [rdi+0x18] 0x7ffff2d60de5 <ISYS_NS::CSkiaStreamBridge::write(void const, unsigned long)+5>: mov rbx,rdx => 0x7ffff2d60de8 <ISYS_NS::CSkiaStreamBridge::write(void const, unsigned long)+8>: mov rax,QWORD PTR [rdi] 0x7ffff2d60deb <ISYS_NS::CSkiaStreamBridge::write(void const, unsigned long)+11>: call QWORD PTR [rax+0x18] 0x7ffff2d60dee <ISYS_NS::CSkiaStreamBridge::write(void const, unsigned long)+14>: cmp rax,rbx 0x7ffff2d60df1 <ISYS_NS::CSkiaStreamBridge::write(void const, unsigned long)+17>: pop rbx 0x7ffff2d60df2 <ISYS_NS::CSkiaStreamBridge::write(void const, unsigned long)+18>: sete al [------------------------------------stack-------------------------------------] 0000\| 0x7fffffffa560 --> 0x8 0008\| 0x7fffffffa568 --> 0x7ffff2be3980 --> 0x241c8b481374c084 0016\| 0x7fffffffa570 --> 0x6d6c30 --> 0x5 0024\| 0x7fffffffa578 --> 0x6d6c30 --> 0x5 0032\| 0x7fffffffa580 --> 0x64 ('d') 0040\| 0x7fffffffa588 --> 0x7ffff2881736 --> 0x77020000026dbb80 0048\| 0x7fffffffa590 --> 0xa1a0a0d474e5089 0056\| 0x7fffffffa598 --> 0x68dd90 --> 0x7ffff5b62780 --> 0x44f2894902f98341 [------------------------------------------------------------------------------] Legend: code, data, rodata, value //Use After Free call stack #0 in ISYS_NS::CSkiaStreamBridge::write(void const, unsigned int) () from ./libISYSgraphics.so #1 in sk_write_fn(png_struct_def, unsigned char, unsigned int) () from ./libISYSgraphics.so #2 in png_write_data () from ./libISYSgraphics.so #3 in png_write_sig () from ./libISYSgraphics.so #4 in png_write_info_before_PLTE () from ./libISYSgraphics.so #5 in png_write_info () from ./libISYSgraphics.so #6 in SkPNGImageEncoder::doEncode(SkWStream, SkBitmap const&, bool const&, int, int, SkBitmap::Config, png_color_8_struct&, SkImageEncoderDetails const) () from ./libISYSgraphics.so #7 in SkPNGImageEncoder::onEncode(SkWStream, SkBitmap const&, int, SkImageEncoderDetails const) () from ./libISYSgraphics.so #8 in SkImageEncoder::encodeStream(SkWStream, SkBitmap const&, int, SkImageEncoderDetails const) () from ./libISYSgraphics.so #9 in SkImageEncoder::EncodeStream(SkWStream, SkBitmap const&, SkImageEncoder::Type, int, SkImageEncoderDetails const) () from ./libISYSgraphics.so #10 in CairoPNGCanvas::closeCanvas() () from ./libISYSreadershd.so #11 in common::EscherDraw::closeCanvas() () from ./libISYSreadershd.so #12 in TextHtmlWriter::addDrawing(intermediate::common::IDrawing) () from ./libISYSreadershd.so #13 in TextHtmlWriter::writeParasRunObjects(std::list<intermediate::common::IObject, std::allocator<intermediate::common::IObject> >, double, double) () from ./libISYSreadershd.so #14 in TextHtmlWriter::writeParagraph(WriterBaseStream&, intermediate::common::ITextParagraph, bool, bool, bool) () from ./libISYSreadershd.so #15 in TextHtmlWriter::writeParagraphs(intermediate::common::ITextDocumentContent const, WriterBaseStream&) () from ./libISYSreadershd.so #16 in TextHtmlWriter::writeContent(intermediate::common::ITextDocumentContent const) () from ./libISYSreadershd.so #17 in TextDocumentWriter::convert() () from ./libISYSreadershd.so #18 in ISYS_NS::LibraryHD::CDocument::processWriter(WriterBase) () from ./libISYSreadershd.so #19 in ISYS_NS::LibraryHD::CDocument::openWord(ISYS_NS::CStream, common::tools::XMLScanner::XMLScannerType) () from ./libISYSreadershd.so #20 in ISYS_NS::LibraryHD::CDocument::open(IGR_Stream, int, wchar_t const) () from ./libISYSreadershd.so #21 in ISYS_NS::LibraryHD::IGR_HDAPI_Open(IGR_Stream, int, wchar_t const, void*, wchar_t) () from ./libISYSreadershd.so #22 in ISYS_NS::exports::IGR_Open_File_FromStream(wchar_t const, wchar_t const, ISYS_NS::CStream, bool, ISYS_NS::exports::Ext_Open_Options, int, wchar_t const, int, int, void, int, int, Error_Control_Block) () from ./libISYSreaders.so #23 in ISYS_NS::exports::IGR_Open_Stream_Ex(IGR_Stream, int, unsigned short const, int, int, void, Error_Control_Block) () from ./libISYSreaders.so #24 in IGR_Open_Stream_Ex () from ./libISYS11df.so #25 in processStream(std::string const&, tagTIGR_Stream, bool, int, int, bool, std::ostream&, int, double) () #26 in processFile(std::string const&, int, int, bool, std::ostream&) () #27 in main () ``` Tracking this object’s life cycle we can see its creation inside TextHtmlWriter::addDrawing method: ``` Object allocation call stack #0 in ISYS_NS::CTemporaryStream::CTemporaryStream(wchar_t const, unsigned int) () from ./libISYSshared.so #1 in TextHtmlWriter::addDrawing(intermediate::common::IDrawing) () from ./libISYSreadershd.so #2 in TextHtmlWriter::writeParasRunObjects(std::list<intermediate::common::IObject, std::allocator<intermediate::common::IObject> >, double, double) () from ./libISYSreadershd.so #3 in TextHtmlWriter::writeParagraph(WriterBaseStream&, intermediate::common::ITextParagraph, bool, bool, bool) () from ./libISYSreadershd.so #4 in TextHtmlWriter::writeParagraphs(intermediate::common::ITextDocumentContent const, WriterBaseStream&) () from ./libISYSreadershd.so #5 in TextHtmlWriter::writeContent(intermediate::common::ITextDocumentContent const) () from ./libISYSreadershd.so #6 in TextDocumentWriter::convert() () from ./libISYSreadershd.so #7 in ISYS_NS::LibraryHD::CDocument::processWriter(WriterBase) () from ./libISYSreadershd.so #8 in ISYS_NS::LibraryHD::CDocument::openWord(ISYS_NS::CStream, common::tools::XMLScanner::XMLScannerType) () from ./libISYSreadershd.so #9 in ISYS_NS::LibraryHD::CDocument::open(IGR_Stream, int, wchar_t const) () from ./libISYSreadershd.so #10 in ISYS_NS::LibraryHD::IGR_HDAPI_Open(IGR_Stream, int, wchar_t const, void*, wchar_t) () from ./libISYSreadershd.so #11 in ISYS_NS::exports::IGR_Open_File_FromStream(wchar_t const, wchar_t const, ISYS_NS::CStream, bool, ISYS_NS::exports::Ext_Open_Options, int, wchar_t const, int, int, void, int, int, Error_Control_Block) () from ./libISYSreaders.so #12 in ISYS_NS::exports::IGR_Open_Stream_Ex(IGR_Stream, int, unsigned short const, int, int, void, Error_Control_Block) () from ./libISYSreaders.so #13 in IGR_Open_Stream_Ex () from ./libISYS11df.so #14 in processStream(std::string const&, tagTIGR_Stream, bool, int, int, bool, std::ostream&, int, double) () #15 in processFile(std::string const&, int, int, bool, std::ostream&) () #16 in main () // libISYSreadershd image base : 0xF4AE6000 .text:F4FA1060 TextHtmlWriter::addDrawing(intermediate::common::IDrawing ) proc near (...) text:F4FA1AFB push 0A00000h ; unsigned int .text:F4FA1B00 push 0 ; wchar_t * .text:F4FA1B02 push eax ; this .text:F4FA1B03 call ISYS_NS::CTemporaryStream::CTemporaryStream(wchar_t const,uint) ; VULN OBJECT .text:F4FA1B08 mov dword ptr [esp], 10h ; unsigned int .text:F4FA1B0F call operator new(uint) ``` Further during ISYS_NS::LibraryHD::CDocument::~CDocument object destruction inside the sub_F4FC12A0 function we can observe a call at address F4FC12FD which deallocates the vulnerable object: ``` sub_F4FC12A0 (...) .text:F4FC12F7 sub esp, 0Ch .text:F4FC12FA mov eax, [edx] .text:F4FC12FC push edx .text:F4FC12FD call dword ptr [eax+4] .text:F4FC1300 .text:F4FC1300 i: .text:F4FC1300 add esp, 10h .text:F4FC1303 .text:F4FC1303 loc_F4FC1303: ; CODE XREF: sub_F4FC12A0+55↑j .text:F4FC1303 sub esp, 0Ch .text:F4FC1306 push esi .text:F4FC1307 call std::_Rb_tree_increment(std::_Rb_tree_node_base ) .text:F4FC130C mov esi, eax .text:F4FC130E add esp, 10h .text:F4FC1311 cmp eax, edi .text:F4FC1313 jnz short loc_F4FC12F0 .text:F4FC1315 .text:F4FC1315 loc_F4FC1315: ; CODE XREF: sub_F4FC12A0+4A↑j .text:F4FC1315 sub esp, 8 .text:F4FC1318 mov eax, [ebp+var_10] .text:F4FC131B mov edx, [eax+8] .text:F4FC131E push edx .text:F4FC131F push eax .text:F4FC1320 call sub_F4FC4650 .text:F4FC1325 mov eax, [ebp+arg_0] .text:F4FC1328 add eax, 20h ; ' ' .text:F4FC132B mov [esp], eax .text:F4FC132E call common::EscherDraw::closeCanvas(void) Call stack for dealocation #0 0xf60a6fdb in ISYS_NS::CStream::~CStream() () from ./libISYSshared.so #1 0xf608ddee in ISYS_NS::CTemporaryStream::~CTemporaryStream() () from ./libISYSshared.so #2 0xf4fb550f in ?? () from ./libISYSreadershd.so #3 0xf4fc1300 in ?? () from ./libISYSreadershd.so #4 0xf4fbb9a8 in ?? () from ./libISYSreadershd.so #5 0xf4fa5da1 in ?? () from ./libISYSreadershd.so #6 0xf52f4dd5 in ISYS_NS::LibraryHD::CDocument::~CDocument () from ./libISYSreadershd.so #7 0xf52ece6b in ISYS_NS::LibraryHD::IGR_HDAPI_Open () from ./libISYSreadershd.so #8 0xf5973302 in ?? () from ./libISYSreaders.so #9 0xf597855d in ISYS_NS::exports::IGR_Open_File_FromStream () from ./libISYSreaders.so #10 0xf7f405e3 in IGR_Open_Stream_Ex () from ./libISYS11df.so #11 0x080590eb in ?? () #12 0x08061690 in ?? () #13 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult, void) () #14 0xf617c73d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult) const () from ./libISYSshared.so #15 0xf6188ff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char) () from ./libISYSshared.so #16 0xf6185524 in ISYS_NS::CISYScommander::execute(int, char) () from ./libISYSshared.so #17 0x08054e88 in ?? () #18 0xf5af6637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffb96a24, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f88880 <_dl_fini>, stack_end=0xffb96a1c) at ../csu/libc-start.c:291 #19 0x080531b1 in ?? () ``` Next, few instruction below at F4FC132E a call to common::EscherDraw::closeCanvas method is made: ``` .text:F4FC1325 mov eax, [ebp+arg_0] .text:F4FC1328 add eax, 20h ; ' ' .text:F4FC132B mov [esp], eax .text:F4FC132E call common::EscherDraw::closeCanvas(void) ``` which internally as we could see on the Use After Free call stack listing calls ISYS_NS::CSkiaStreamBridge::write causing in the same way re-usage of the freed stream object. An attacker who properly manipulates the heap state between object deallocation and its re-usage can easily turn this use after free vulnerability into arbitrary code execution. ### Crash Information ``` ==24951== Command: ./isys_doc2text --html --no-images -o /tmp/dump /home/icewall/Advisory/perceptive/malicous.docx ==24951== [1] File type: Microsoft Word (25); Capabilities: 15 - /home/icewall/Advisory/perceptive/malicous.docx ==24951== Invalid read of size 8 ==24951== at 0xA7F3DE8: ISYS_NS::CSkiaStreamBridge::write(void const, unsigned long) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so) ==24951== by 0xA67697F: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so) ==24951== by 0xA314735: png_write_sig (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so) ==24951== by 0xA32420A: png_write_info_before_PLTE (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so) ==24951== by 0xA324396: png_write_info (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so) ==24951== by 0xA6776CD: SkPNGImageEncoder::doEncode(SkWStream, SkBitmap const&, bool const&, int, int, SkBitmap::Config, png_color_8_struct&, SkImageEncoderDetails const) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so) ==24951== by 0xA677B11: SkPNGImageEncoder::onEncode(SkWStream, SkBitmap const&, int, SkImageEncoderDetails const) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so) ==24951== by 0xA67F318: SkImageEncoder::encodeStream(SkWStream, SkBitmap const&, int, SkImageEncoderDetails const) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so) ==24951== by 0xA67F523: SkImageEncoder::EncodeStream(SkWStream, SkBitmap const&, SkImageEncoder::Type, int, SkImageEncoderDetails const) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so) ==24951== by 0x9550EE2: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x955168B: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x9565EFD: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== Address 0xada3ae0 is 0 bytes inside a block of size 112 free'd ==24951== at 0x4C2F24B: operator delete(void) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==24951== by 0x52A32C2: ISYS_NS::CTemporaryStream::~CTemporaryStream() (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSshared.so) ==24951== by 0x994BC10: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x9955173: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x993A1EA: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x9C3D345: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x9C35E7E: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x86C44A0: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreaders.so) ==24951== by 0x86C9196: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreaders.so) ==24951== by 0x4E3F87A: IGR_Open_Stream_Ex (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYS11df.so) ==24951== by 0x416BE6: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/isys_doc2text) ==24951== by 0x41EB99: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/isys_doc2text) ==24951== Block was alloc'd at ==24951== at 0x4C2E0EF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==24951== by 0x993B782: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x993F7A0: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x9943B6A: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x9949E52: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x994B979: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x9951A44: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x9C38AA4: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x9C3B2C2: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x9C3C3FB: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x9C35D75: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so) ==24951== by 0x86C44A0: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreaders.so) ==24951== pure virtual method called terminate called without an active exception ==24951== ==24951== Process terminating with default action of signal 6 (SIGABRT) ==24951== at 0x800C428: raise (raise.c:54) ==24951== by 0x800E029: abort (abort.c:89) ==24951== by 0x77C584C: __gnu_cxx::__verbose_terminate_handler() (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21) ==24951== by 0x77C36B5: ??? (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21) ==24951== by 0x77C3700: std::terminate() (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21) ==24951== by 0x77C423E: __cxa_pure_virtual (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21) ==24951== by 0xA7F3DED: ISYS_NS::CSkiaStreamBridge::write(void const, unsigned long) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so) ==24951== by 0xA67697F: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so) ==24951== by 0xA314735: png_write_sig (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so) ==24951== by 0xA32420A: png_write_info_before_PLTE (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so) ==24951== by 0xA324396: png_write_info (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so) ==24951== by 0xA6776CD: SkPNGImageEncoder::doEncode(SkWStream, SkBitmap const&, bool const&, int, int, SkBitmap::Config, png_color_8_struct&, SkImageEncoderDetails const) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so) ``` ### Timeline * 2018-02-22 - Vendor Disclosure * 2018-03-22- Vendor patched * 2018-04-26 - Public Release
id	SSV:97297
last seen	2018-06-08
modified	2018-05-17
published	2018-05-17
reporter	Knownsec
title	Hyland Perceptive Document Filters DOCX to HTML Code Execution Vulnerability(CVE-2018-3844)

Talos

id	TALOS-2018-0527
last seen	2019-05-29
published	2018-04-26
reporter	Talos Intelligence
source	http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0527
title	Hyland Perceptive Document Filters DOCX to HTML Code Execution Vulnerability

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Seebug

Talos

References