CVE-2018-3845 - Double Free vulnerability in Hyland Perceptive Document Filters 11.4.0.2647

CVSS 8.8 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, low complexity, hyland
CWE-415

Summary

In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.

Vulnerable Configurations

| Part | Description | Count |
|---|---|---|
| Application | Hyland | 1 |

Common Weakness Enumeration (CWE)

Seebug

bulletinFamily: exploit
description:

### Summary

An exploitable double free exists in the OpenDocument to JPEG conversion functionality of the Hyland Perceptive Document Filters version 11.4.0.2647. A crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.

### Tested Versions

Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux

### Product URLs

https://www.hyland.com/en/perceptive#docfilters

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### CWE

CWE-415: Double Free

### Details

This vulnerability is present in the Hyland Document filter conversion which is used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services. It can convert common formats such as Microsoft's document formats into more usable and easily viewed formats. There is a vulnerability in the conversion process of an OpenDocument document to JPEG. A specially crafted OpenDocument file can lead to a SkCanvas object double free and remote code execution. Let’s investigate this vulnerability. After we attempt to convert a malicious OpenDocument using the Hyland library we see the following state:

```
//page heap is turned on +hpa
windbg.exe isys_doc2text.exe --jpg malicious_opendocument
(4c0.1e70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00f5e788 ebx=00000000 ecx=10f06f00 edx=02000000 esi=1056ef98 edi=10570ff0
eip=6235cfd1 esp=00f5e770 ebp=00f5e794 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
ISYSreadershd!IGR_ImageExport+0xe7f71:
6235cfd1 8b01            mov     eax,dword ptr [ecx]  ds:002b:10f06f00=????????
```

Showing more context:

```
0:000> u eip-5
ISYSreadershd!IGR_ImageExport+0xe7f6c:
6235cfcc 0c85            or      al,85h
6235cfce c9              leave
6235cfcf 7406            je      ISYSreadershd!IGR_ImageExport+0xe7f77 (6235cfd7)
6235cfd1 8b01            mov     eax,dword ptr [ecx]
6235cfd3 6a01            push    1
6235cfd5 ff10            call    dword ptr [eax]
6235cfd7 8b7e08          mov     edi,dword ptr [esi+8]
6235cfda 85ff            test    edi,edi
```

We see an obvious attempt at a virtual function call on a previously freed object. Further examination confirms our assumptions:

```
0:000> !heap -p -a ecx
    address 10f06f00 found in
    _DPH_HEAP_ROOT @ 78f1000
    in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
                                 12da9af8: 10f06000 2000
    6329ab22 verifier!AVrfDebugPageHeapFree+0x000000c2
    77045918 ntdll!RtlDebugFreeHeap+0x0000003c
    76ff5be1 ntdll!RtlpFreeHeap+0x00056161
    76f9fa0d ntdll!RtlFreeHeap+0x000007cd
    62676591 ISYSreadershd!IGR_ImageExport+0x00401531
    62640792 ISYSreadershd!IGR_ImageExport+0x003cb732
    623d973c ISYSreadershd!IGR_ImageExport+0x001646dc
    61e0eb4c ISYSreadershd+0x0003eb4c
    622a628e ISYSreadershd!IGR_ImageExport+0x0003122e
    622a5ed3 ISYSreadershd!IGR_ImageExport+0x00030e73
    6233d6c4 ISYSreadershd!IGR_ImageExport+0x000c8664
    622ac13f ISYSreadershd!IGR_ImageExport+0x000370df
    622ac3c0 ISYSreadershd!IGR_ImageExport+0x00037360
    622acb3b ISYSreadershd!IGR_ImageExport+0x00037adb
    622abe79 ISYSreadershd!IGR_ImageExport+0x00036e19
    622673e4 ISYSreadershd!ISYS_GetHeapHandle+0x000ea7e4
    62d441fa isysreaders+0x001d41fa
    631cef8f ISYS11df!IGR_Render_Page+0x0000005f
    0037a2c8 isys_doc2text+0x0002a2c8
    003771fb isys_doc2text+0x000271fb
    0037612f isys_doc2text+0x0002612f
    003a4c52 isys_doc2text+0x00054c52
    003a2cc5 isys_doc2text+0x00052cc5
    0037cf76 isys_doc2text+0x0002cf76
    00457f44 isys_doc2text+0x00107f44
    751c8654 KERNEL32!BaseThreadInitThunk+0x00000024
    76fc4a77 ntdll!__RtlUserThreadStart+0x0000002f
    76fc4a47 ntdll!_RtlUserThreadStart+0x0000001b
```

Checking the Linux version we can obtain a bit more information from partial symbols:

```
image base :
0xf4a9b000 0xf54c5000 r-xp /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so

[----------------------------------registers-----------------------------------]
EAX: 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 0x8a0f000 --> 0x0
EBX: 0xf54dff0c --> 0xa42fcc
ECX: 0x8a17e1c --> 0x0
EDX: 0x8a17c08 --> 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 0x8a0f000 --> 0x0
ESI: 0x8a17e18 --> 0xf54da798 --> 0xf51e89d0 --> 0x83e58955
EDI: 0x8a16300 --> 0xf54da780 --> 0xf51f0770 --> 0x57e58955
EBP: 0xffa1e4a8 --> 0xffa1e4c8 --> 0xffa1e4e8 --> 0xffa1e508 --> 0xffa1e528 --> 0xffa1e578 (--> ...)
ESP: 0xffa1e480 --> 0x8a17c08 --> 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 0x8a0f000 (--> ...)
EIP: 0xf51f06c0 --> 0x830450ff
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xf51f06ba: sub esp,0xc
   0xf51f06bd: mov eax,DWORD PTR [edx]
   0xf51f06bf: push edx
=> 0xf51f06c0: call DWORD PTR [eax+0x4]
   0xf51f06c3: add esp,0x10
   0xf51f06c6: mov esi,DWORD PTR [edi+0x4]
   0xf51f06c9: test esi,esi
   0xf51f06cb: je 0xf51f06e1
Guessed arguments:
arg[0]: 0x8a17c08 --> 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 0x8a0f000 --> 0x0

//Double Free call stack
#0 0xf51f06bf in ISYS_NS::CGdiCanvasImpl::~CGdiCanvasImpl () from ./libISYSreadershd.so
#1 0xf51e89e9 in ?? () from ./libISYSreadershd.so
#2 0xf4b4b028 in ?? () from ./libISYSreadershd.so
#3 0xf51d9b1f in ISYS_NS::CGdiCanvas::~CGdiCanvas() () from ./libISYSreadershd.so
#4 0xf51e8829 in ?? () from ./libISYSreadershd.so
#5 0xf51f01e8 in ISYS_NS::CGdiBitmapImpl::~CGdiBitmapImpl() () from ./libISYSreadershd.so
#6 0xf51e88e9 in ?? () from ./libISYSreadershd.so
#7 0xf51db388 in ?? ISYS_NS::CGdiBitmap::~CGdiBitmap() from ./libISYSreadershd.so
#8 0xf5227233 in ?? () from ./libISYSreadershd.so
#9 0xf50b3221 in ?? () from ./libISYSreadershd.so
#10 0xf522172d in ?? () from ./libISYSreadershd.so
#11 0xf51a621f in ?? () from ./libISYSreadershd.so
#12 0xf518a8bd in ?? () from ./libISYSreadershd.so
#13 0xf591c6c3 in ?? () from ./libISYSreaders.so
#14 0xf7ef4c28 in IGR_Close_Canvas () from ./libISYS11df.so
#15 0x0805bda0 in ?? ()
#16 0x08061690 in ?? ()
#17 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#18 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#19 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#20 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#21 0x08054e88 in ?? ()
#22 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291
#23 0x080531b1 in ?? ()
```

Tracking this object’s life cycle we can see its creation inside the ISYS_NS::CGdiCanvasImpl::CGdiCanvasImpl method:

```
Object allocation call stack
#0 0xf51f0977 in ISYS_NS::CGdiCanvasImpl () from ./libISYSreadershd.so
#1 0xf51e65d0 in ?? () from ./libISYSreadershd.so
#2 0xf5229bf4 in ?? () from ./libISYSreadershd.so
#3 0xf50b9f46 in ?? () from ./libISYSreadershd.so
#4 0xf50b3539 in ?? () from ./libISYSreadershd.so
#5 0xf5196e5d in ?? () from ./libISYSreadershd.so
#6 0xf591c595 in ?? () from ./libISYSreaders.so
#7 0xf7ef4bda in IGR_Render_Page () from ./libISYS11df.so
#8 0x0805bbd8 in ?? ()
#9 0x08061690 in ?? ()
#10 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#11 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#12 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#13 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#14 0x08054e88 in ?? ()
#15 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291
#16 0x080531b1 in ?? ()

.text:F51F095C push 0FCh ; unsigned int
.text:F51F0961 call operator new(uint)
.text:F51F0966 mov esi, eax
.text:F51F0968 pop ecx
.text:F51F0969 pop eax
.text:F51F096A push edi ; SkBitmap *
.text:F51F096B push esi ; this
.text:F51F096C call SkCanvas::SkCanvas(SkBitmap const&)
.text:F51F0971 add esp, 10h
.text:F51F0974 mov edx, [ebp+arg_0]
.text:F51F0977 mov [edx+8], esi
```

Further inside the sub_F511F5F0 function we can observe a call at address F511FCE3 to the SkCanvas::~SkCanvas virtual destructor, which deallocates the vulnerable object:

```
sub_F511F5F0
(...)
.text:F511FCD7 sub esp, 0Ch
.text:F511FCDA mov edx, [ebp+var_164]
.text:F511FCE0 mov eax, [edx]
.text:F511FCE2 push edx
.text:F511FCE3 call dword ptr [eax+4] ; SkCanvas::~SkCanvas
.text:F511FCE6 add esp, 10h

Call stack for deallocation
#0 0xf46f6bed in SkCanvas::~SkCanvas() () from ./libISYSgraphics.so
#1 0xf511fce6 in ?? () from ./libISYSreadershd.so
#2 0xf5083569 in ?? () from ./libISYSreadershd.so
#3 0xf50832e4 in ?? () from ./libISYSreadershd.so
#4 0xf508331d in ?? () from ./libISYSreadershd.so
#5 0xf50833bb in ?? () from ./libISYSreadershd.so
#6 0xf5224987 in ?? () from ./libISYSreadershd.so
#7 0xf50b4af7 in ?? () from ./libISYSreadershd.so
#8 0xf50b4cdd in ?? () from ./libISYSreadershd.so
#9 0xf50ba2d1 in ?? () from ./libISYSreadershd.so
#10 0xf50b3539 in ?? () from ./libISYSreadershd.so
#11 0xf5196e5d in ?? () from ./libISYSreadershd.so
#12 0xf591c595 in ?? () from ./libISYSreaders.so
#13 0xf7ef4bda in IGR_Render_Page () from ./libISYS11df.so
#14 0x0805bbd8 in ?? ()
#15 0x08061690 in ?? ()
#16 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#17 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#18 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#19 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#20 0x08054e88 in ?? ()
#21 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291
#22 0x080531b1 in ?? ()
```

Next, during destruction of the CGdiCanvasImpl object (ISYS_NS::CGdiCanvasImpl::~CGdiCanvasImpl), a call to the SkCanvas::~SkCanvas virtual destructor is made again:

```
.text:F51F0690 ISYS_NS::CGdiCanvasImpl::~CGdiCanvasImpl() proc near
.text:F51F0690
(...)
.text:F51F06BA sub esp, 0Ch
.text:F51F06BD mov eax, [edx]
.text:F51F06BF push edx
.text:F51F06C0 call dword ptr [eax+4] ; SkCanvas::~SkCanvas()
.text:F51F06C3 add esp, 10h

Call stack for second free
#0 0xf51f06c0 in ?? () from ./libISYSreadershd.so
#1 0xf51e89e9 in ?? () from ./libISYSreadershd.so
#2 0xf4b4b028 in ?? () from ./libISYSreadershd.so
#3 0xf51d9b1f in ?? () from ./libISYSreadershd.so
#4 0xf51e8829 in ?? () from ./libISYSreadershd.so
#5 0xf51f01e8 in ?? () from ./libISYSreadershd.so
#6 0xf51e88e9 in ?? () from ./libISYSreadershd.so
#7 0xf51db388 in ?? () from ./libISYSreadershd.so
#8 0xf5227233 in ?? () from ./libISYSreadershd.so
#9 0xf50b3221 in ?? () from ./libISYSreadershd.so
#10 0xf522172d in ?? () from ./libISYSreadershd.so
#11 0xf51a621f in ?? () from ./libISYSreadershd.so
#12 0xf518a8bd in ?? () from ./libISYSreadershd.so
#13 0xf591c6c3 in ?? () from ./libISYSreaders.so
#14 0xf7ef4c28 in IGR_Close_Canvas () from ./libISYS11df.so
#15 0x0805bda0 in ?? ()
#16 0x08061690 in ?? ()
#17 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()
#18 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so
#19 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so
#20 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so
#21 0x08054e88 in ?? ()
#22 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291
#23 0x080531b1 in ?? ()
```

This results in the double free of the SkCanvas object. An attacker who properly manipulates the heap state between the object's first deallocation and its second deallocation can easily turn this double free vulnerability into arbitrary code execution.

### Crash Information

```
==6702== Command: ./isys_doc2text --jpg -o /tmp ./storage/7afffeb388f9aebf11226b95328be2f7
==6702==
[1] File type: Open Document Format (76); Capabilities: 7 - ./storage/7afffeb388f9aebf11226b95328be2f7
[00000000] IGR_RENDER_PAGE failed on ./storage/7afffeb388f9aebf11226b95328be2f7 with code 4 [Could not read ZIP file entry]
==6702== Invalid read of size 4
==6702==    at 0x78956BD: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D9E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x71F0027: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x787EB1E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D828: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78951E7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D8E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7880387: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78CC232: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758220: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78C672C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x784B21E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==  Address 0x6c69890 is 0 bytes inside a block of size 252 free'd
==6702==    at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702==    by 0x8D49BF4: SkCanvas::~SkCanvas() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)
==6702==    by 0x77C4CE5: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7728568: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x77282E3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x772831C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x77283BA: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78C9986: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7759AF6: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7759CDC: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x775F2D0: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==  Block was alloc'd at
==6702==    at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702==    by 0x7895965: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788B5CF: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78CEBF3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x775EF45: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x783BE5C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x67BE594: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreaders.so)
==6702==    by 0x403CBD9: IGR_Render_Page (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYS11df.so)
==6702==    by 0x805BBD7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==    by 0x806168F: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==    by 0x8068C26: main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==
==6702== Invalid write of size 4
==6702==    at 0x8D2A02F: SkRefCntBase::~SkRefCntBase() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)
==6702==    by 0x78956C2: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D9E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x71F0027: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x787EB1E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D828: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78951E7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D8E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7880387: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78CC232: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758220: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78C672C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==  Address 0x6c69890 is 0 bytes inside a block of size 252 free'd
==6702==    at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702==    by 0x8D49BF4: SkCanvas::~SkCanvas() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)
==6702==    by 0x77C4CE5: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7728568: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x77282E3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x772831C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x77283BA: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78C9986: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7759AF6: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7759CDC: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x775F2D0: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==  Block was alloc'd at
==6702==    at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702==    by 0x7895965: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788B5CF: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78CEBF3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x775EF45: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x783BE5C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x67BE594: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreaders.so)
==6702==    by 0x403CBD9: IGR_Render_Page (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYS11df.so)
==6702==    by 0x805BBD7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==    by 0x806168F: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==    by 0x8068C26: main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==
==6702== Invalid free() / delete / delete[] / realloc()
==6702==    at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702==    by 0x8D2A036: SkRefCntBase::~SkRefCntBase() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)
==6702==    by 0x78956C2: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D9E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x71F0027: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x787EB1E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D828: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78951E7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788D8E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7880387: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78CC232: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758220: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==  Address 0x6c69890 is 0 bytes inside a block of size 252 free'd
==6702==    at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702==    by 0x8D49BF4: SkCanvas::~SkCanvas() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)
==6702==    by 0x77C4CE5: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7728568: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x77282E3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x772831C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x77283BA: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78C9986: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7759AF6: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7759CDC: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x775F2D0: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==  Block was alloc'd at
==6702==    at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6702==    by 0x7895965: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x788B5CF: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x78CEBF3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x775EF45: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x783BE5C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)
==6702==    by 0x67BE594: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreaders.so)
==6702==    by 0x403CBD9: IGR_Render_Page (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYS11df.so)
==6702==    by 0x805BBD7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==    by 0x806168F: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==    by 0x8068C26: main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)
==6702==
[1] Returned 3 page(s)
==6702==
==6702== HEAP SUMMARY:
==6702==     in use at exit: 21,065 bytes in 12 blocks
==6702==   total heap usage: 64,861 allocs, 64,850 frees, 42,305,231 bytes allocated
==6702==
==6702== LEAK SUMMARY:
==6702==    definitely lost: 0 bytes in 0 blocks
==6702==    indirectly lost: 0 bytes in 0 blocks
==6702==      possibly lost: 0 bytes in 0 blocks
==6702==    still reachable: 21,065 bytes in 12 blocks
==6702==         suppressed: 0 bytes in 0 blocks
==6702== Rerun with --leak-check=full to see details of leaked memory
==6702==
==6702== For counts of detected and suppressed errors, rerun with: -v
==6702== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
```

### Timeline

* 2018-02-22 - Vendor Disclosure
* 2018-03-22 - Vendor patched
* 2018-04-26 - Public Release
id: SSV:97298
last seen: 2018-06-08
modified: 2018-05-17
published: 2018-05-17
reporter: Knownsec
title: Hyland Perceptive Document Filters OpenDocument to JPEG conversion SkCanvas Code Execution vulnerability (CVE-2018-3845)
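
The ownership mistake traced in the Details section above (one object released on the render path and again when its wrapper is destroyed), reduced to a small C++ model with the single-owner fix beside it. This is an added example, not code from the vendor, Skia or the advisory: every type and function name is hypothetical, and the condition under which the render path releases the canvas early is an assumption of the model.

```cpp
// Constructed model of the lifecycle in the advisory; all names are hypothetical.
#include <cstdio>
#include <memory>
#include <set>

struct Canvas { unsigned char state[252]; };  // 252 bytes (0xFC), the block size in the report

// Allocation log in the role of page heap / memcheck: it refuses to release a
// block that is not live and counts the attempt instead of corrupting the heap.
struct HeapLog {
    std::set<const Canvas*> live;
    int invalid_frees = 0;
    Canvas* create() {
        Canvas* c = new Canvas();
        live.insert(c);
        return c;
    }
    void destroy(Canvas* c) {
        if (c == nullptr) return;
        if (live.erase(c) == 0) {  // not live: this is the second free
            ++invalid_frees;
            return;
        }
        delete c;
    }
};

// Vulnerable shape: the wrapper keeps a raw pointer while the render path
// releases the same object through its own copy of that pointer.
struct RawCanvasImpl {
    HeapLog& heap;
    Canvas* canvas;
    explicit RawCanvasImpl(HeapLog& h) : heap(h), canvas(h.create()) {}
    ~RawCanvasImpl() { heap.destroy(canvas); }  // frees again if already released
};

void render_page_raw(RawCanvasImpl& impl, bool early_release) {
    Canvas* local = impl.canvas;                   // second, unmanaged reference
    if (early_release) impl.heap.destroy(local);   // first free; impl.canvas now dangles
}

// Hardened shape: exactly one owner. Releasing goes through the owner, which
// nulls itself, so the wrapper's destructor has nothing left to free.
struct HeapDeleter {
    HeapLog* heap;
    void operator()(Canvas* c) const { heap->destroy(c); }
};

struct OwnedCanvasImpl {
    std::unique_ptr<Canvas, HeapDeleter> canvas;
    explicit OwnedCanvasImpl(HeapLog& h) : canvas(h.create(), HeapDeleter{&h}) {}
};

void render_page_owned(OwnedCanvasImpl& impl, bool early_release) {
    if (early_release) impl.canvas.reset();  // frees once and clears the owner
}

// Each run returns the number of invalid frees the log observed.
int run_vulnerable(bool early_release) {
    HeapLog heap;
    {
        RawCanvasImpl impl(heap);
        render_page_raw(impl, early_release);
    }  // ~RawCanvasImpl runs here
    return heap.invalid_frees;
}

int run_hardened(bool early_release) {
    HeapLog heap;
    {
        OwnedCanvasImpl impl(heap);
        render_page_owned(impl, early_release);
    }  // unique_ptr is already empty after an early release
    return heap.invalid_frees;
}

int main() {
    std::printf("raw pointer, early release: %d invalid free(s)\n", run_vulnerable(true));
    std::printf("unique_ptr,  early release: %d invalid free(s)\n", run_hardened(true));
}
```

The raw-pointer variant is only wrong on the path that releases early, which is why this class of bug tends to surface on malformed input rather than in routine conversion tests.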

Talos

id: TALOS-2018-0528
last seen: 2019-05-29
published: 2018-04-26
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0528
title: Hyland Perceptive Document Filters OpenDocument to JPEG conversion SkCanvas Code Execution vulnerability