
Issue 737023


Issue metadata

Status: Fixed
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security




Security: Use-after-free in ResetPDFWindow();

Reported by manhluat...@gmail.com, Jun 27 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce the problem:
The PoC will cause crashes on Chrome and on Chromium ASAN as well.

What is the expected behavior?

What went wrong?
At |CFFL_FormFiller::GetPDFWindow|, it invokes |ResetPDFWindow| and uses its return value as its own return value as well.

https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/formfiller/cffl_formfiller.cpp?sq=package:chromium&l=364 

For example, |MyField3| is a TextField box so it is defined at here: https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/formfiller/cffl_textfield.cpp?sq=package:chromium&l=235

It tries to make a new |CPWL_Wnd|: it destroys the old one at line 240, then makes a new one at line 246, then calls |UpdateField| <-- where the problem occurs.

|UpdateField|, defined here: https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/cpdfsdk_interform.cpp?sq=package:chromium&l=324

is responsible for updating fields on various pages.

It calls |GetWidget| at https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/cpdfsdk_interform.cpp?sq=package:chromium&l=330

which invokes |GetPageView| at https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/cpdfsdk_interform.cpp?sq=package:chromium&l=110

|GetPageView| -> |GetPage| -> |Form_GetPage| (pdfium_engine) -> ... which later ends up at |OnLoad| |OnFormat| <-- we can run script here.

So what could we do at this place?

We run:
  this.getField("MyField3").borderStyle  = "dashed";
  this.getField("MyField3").setFocus();
  gc();

to trigger |GetPDFWindow|. We changed its borderStyle, so the Age will change, which then calls |ResetPDFWindow| -> |DestroyPDFWindow|... after it's done, |UpdateField| returns back to |ResetPDFWindow| at
https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/formfiller/cffl_textfield.cpp?sq=package:chromium&l=248

but... the PDFWindow has been freed earlier.

UAF occurs.

I would like to use `gc();` so I can see the crash on Chrome on Mac OS X.

Did this work before? N/A 

Chrome version: 58.0.3029.110  Channel: n/a
OS Version: OS X 10.12.5
Flash Version:
 
poc.pdf
3.6 KB Download
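A constructed model of the re-entrancy the report describes (illustration only: not PDFium's code and not the fix in the CL). "Freeing" a window here only flips a flag so the stale pointer can be inspected without undefined behaviour; the names FormFiller, Window and ResetWindow* are hypothetical stand-ins for CFFL_FormFiller, CPWL_Wnd and ResetPDFWindow.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Constructed model: a window that records whether it has been "destroyed".
struct Window {
  explicit Window(int id) : id(id) {}
  int id;
  bool alive = true;
};

class FormFiller {
 public:
  using Script = std::function<void(FormFiller&)>;  // stands in for OnFormat document script

  // Mirrors the reported flow: destroy the old window, create a new one, run the
  // field update (which may execute script), then return the window created here.
  Window* ResetWindowUnsafe(const Script& on_format) {
    DestroyWindow();
    Window* w = CreateWindow();
    on_format(*this);  // may re-enter ResetWindow*() and destroy w
    return w;          // BUG: caller receives a window that may already be gone
  }

  // Hardened variant: after the callback, trust only the window currently owned.
  Window* ResetWindowSafe(const Script& on_format) {
    DestroyWindow();
    CreateWindow();
    on_format(*this);
    return current_;   // whatever survived the re-entrant call (possibly a newer window)
  }

 private:
  void DestroyWindow() { if (current_) { current_->alive = false; current_ = nullptr; } }
  Window* CreateWindow() {
    arena_.push_back(std::make_unique<Window>(next_id_++));
    current_ = arena_.back().get();
    return current_;
  }
  std::vector<std::unique_ptr<Window>> arena_;  // keeps storage so the flag stays readable
  Window* current_ = nullptr;
  int next_id_ = 0;
};

// Script that re-enters the reset path, like the borderStyle change + setFocus() in the PoC.
static void ReentrantScript(FormFiller& f) { f.ResetWindowUnsafe([](FormFiller&) {}); }

bool UnsafeReturnsDeadWindow() { FormFiller f; return !f.ResetWindowUnsafe(ReentrantScript)->alive; }
bool SafeReturnsLiveWindow()   { FormFiller f; Window* w = f.ResetWindowSafe(ReentrantScript); return w && w->alive; }
```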

Comment 1 Deleted

Comment 2 Deleted

This bug and the previous ones were found by code review, though.
Components: Internals>Plugins>PDF
Project Member

Comment 5 by ClusterFuzz, Jun 27 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6198274011955200.
Cc: tsepez@chromium.org thestig@chromium.org
No UAFs for me on Linux with pdfium_test. Does this require the Chrome PDF Viewer?
But regular Linux builds crash, so let me test with Chromium + ASAN.
Cc: -thestig@chromium.org
Labels: M-60 M-61 M-59 OS-Chrome OS-Linux OS-Windows
Owner: thestig@chromium.org
Status: Assigned (was: Unconfirmed)
I'll add it to my queue. Can someone add the appropriate security flags?

Comment 10 Deleted

Comment 11 Deleted

Comment 12 Deleted

Comment 13 Deleted

Labels: Security_Impact-Stable Security_Severity-High
Project Member

Comment 15 by sheriffbot@chromium.org, Jul 5 2017

Labels: -Pri-2 Pri-1
Project Member

Comment 16 by sheriffbot@chromium.org, Jul 12 2017

thestig: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Hi folks,
Any updates? It's been nearly a month.
Thanks.
Ah, the assignee has been out for a few weeks. Let me see if I can take a stab at it in the mean time.
Cc: thestig@chromium.org
Owner: tsepez@chromium.org
CL at https://pdfium-review.googlesource.com/c/8350
This is a nice bit of deductive work, by the way.  The CL just hits it with a big hammer for the time being.
Labels: reward-topanel
Status: Fixed (was: Assigned)
Project Member

Comment 22 by sheriffbot@chromium.org, Jul 21 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -M-59 -M-60
Labels: -reward-topanel reward-unpaid reward-5000
Congratulations manhluat93.php@! The VRP Panel decided to award $5,000 for this report!  A member of our finance team will be in touch to arrange for payment.

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Labels: -reward-unpaid reward-inprocess
Thank you for the bounty!

Please credit to "Luật Nguyễn (@l4wio) of KeenLab, Tencent";

Regards.
Project Member

Comment 28 by sheriffbot@chromium.org, Aug 5 2017

Labels: Merge-Request-61
Project Member

Comment 29 by sheriffbot@chromium.org, Aug 5 2017

Labels: -Merge-Request-61 Merge-Review-61 Hotlist-Merge-Review
This bug requires manual review: M61 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+ awhalley@ (Security TPM) for M61 merge review.
govind@ - good for 61
Labels: -Merge-Review-61 Merge-Approved-61
Approving merge to M61 Chrome OS.
77417ec9e already in chromium/3163 branch.
Labels: -Merge-Approved-61
Removing "Merge-Approved-61" label per comment #33.
Labels: Release-0-M61
Labels: CVE-2017-5111
Cc: rharrison@chromium.org
Project Member

Comment 38 by sheriffbot@chromium.org, Oct 27 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-submitted

Comment 40 Deleted
