
Issue metadata

Status: Fixed
Closed: Sep 2017
OS: Linux , Android , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security




Issue 765384: Security: UAF in CFFL_InteractiveFormFiller::OnBeforeKeyStroke

Reported by manhluat...@gmail.com, Sep 14 2017

Issue description

Notice: this PoC works on stable Chrome (XFA disabled).

To repro, open the PDF file in a Chromium ASAN build, then click anywhere on page 0.

It even crashes on stable Chrome (macOS) since I'm using gc();



https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/formfiller/cffl_interactiveformfiller.cpp?q=CFFL_InteractiveFormFiller::OnBeforeKeyStroke&sq=package:chromium&l=909

std::pair<bool, bool> CFFL_InteractiveFormFiller::OnBeforeKeyStroke(

[...]

  CPDFSDK_Annot::ObservedPtr pObserved(pData->pWidget);
  if (!pData->pWidget->OnAAction(CPDF_AAction::KeyStroke, fa,
                                 pData->pPageView)) { <---- run JS script here
    if (!IsValidAnnot(pData->pPageView, pData->pWidget))
      bExit = true;
    return {bRC, bExit};
  }

  if (!pObserved || !IsValidAnnot(pData->pPageView, pData->pWidget))
    return {bRC, true};

  if (nAge != pData->pWidget->GetAppearanceAge()) {
    CPWL_Wnd* pWnd = pFormFiller->ResetPDFWindow(
        pData->pPageView, nValueAge == pData->pWidget->GetValueAge());
    pData = reinterpret_cast<CFFL_PrivateData*>(pWnd->GetAttachedData());
    bExit = true;
  }

[...]



Root cause:

We can run a JS script at line 909 and destroy this widget's PDF window; later the code uses |pData| (which is an element of the PDFWindow class |CPWL_Listbox|).

UAF occurs.

To destroy the PDF window:

I kill focus on this annot, then set focus again (after m_Age has been changed); it will invoke |ResetPDFWindow| afterwards.
 
onbeforekeystroke.pdf
2.5 KB Download
poc.mov
16.4 MB Download

Comment 1 by manhluat...@gmail.com, Sep 14 2017

Do we have some way to properly record a Chrome window?

Because I see some PoCs attaching high-quality .mp4 videos.

Thanks.

Comment 2 by mea...@chromium.org, Sep 14 2017

Components: Internals>Plugins>PDF
Labels: Security_Severity-High Security_Impact-Stable
Owner: tsepez@chromium.org
Status: Assigned (was: Unconfirmed)
Thanks for the report, I can reproduce the crash. Chrome doesn't have a builtin way of recording windows, but your PoC video is very clear. 

Tom: Can you please take a look? Thanks.

Comment 3 by mea...@chromium.org, Sep 14 2017

Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows Pri-1

Comment 4 by tsepez@chromium.org, Sep 14 2017

Status: Started (was: Assigned)

Comment 5 by sheriffbot@chromium.org, Sep 15 2017

Project Member
Labels: M-61

Comment 6 by tsepez@chromium.org, Sep 15 2017

Cc: rharrison@chromium.org

Comment 7 by tsepez@chromium.org, Sep 15 2017

Comment 8 by sheriffbot@chromium.org, Sep 16 2017

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 9 by sheriffbot@chromium.org, Sep 18 2017

Project Member
Labels: Merge-Request-62

Comment 10 by sheriffbot@chromium.org, Sep 18 2017

Project Member
Labels: -Merge-Request-62 Merge-Review-62 Hotlist-Merge-Review
This bug requires manual review: M62 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 11 by abdulsyed@google.com, Sep 18 2017

Cc: awhaley@chromium.org
Labels: -Merge-Review-62 Merge-Approved-62
+awhalley@

I'm approving merge to M62. Branch:3202

Comment 12 by awhalley@chromium.org, Sep 18 2017

Labels: reward-topanel

Comment 13 by awhalley@chromium.org, Sep 22 2017

Labels: -reward-topanel reward-unpaid reward-3000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 14 by awhalley@google.com, Sep 22 2017

Nice one! The VRP panel decided to award $3,000 for this report!

Comment 15 by awhalley@chromium.org, Sep 22 2017

Labels: -reward-unpaid reward-inprocess

Comment 16 by sheriffbot@chromium.org, Sep 22 2017

Project Member
Cc: abdulsyed@google.com
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 17 by sheriffbot@chromium.org, Sep 25 2017

Project Member
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 18 by candr...@chromium.org, Sep 29 2017

Reminder to please merge to M62 branch 3202.

Comment 19 by thestig@chromium.org, Sep 29 2017

Will merge.

Comment 20 by thestig@chromium.org, Sep 29 2017

Comment 21 by awhalley@google.com, Oct 16 2017

Labels: -M-61 M-62

Comment 22 by awhalley@google.com, Oct 16 2017

Labels: Release-0-M62

Comment 23 by awhalley@chromium.org, Oct 18 2017

Labels: CVE-2017-5127

Comment 24 by sheriffbot@chromium.org, Dec 23 2017

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 25 by bugdroid1@chromium.org, Jan 4 2018

Project Member
The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/df0a749452d933e4f434e2a33112667f1880db34

commit df0a749452d933e4f434e2a33112667f1880db34
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Thu Jan 04 20:19:21 2018

Remove allocations from JS test

This CL removes the millions of allocations from the test case for bug
765384. This takes the test execution from ~20s to ~400ms when run in
Debug.

Bug:  chromium:765384 
Change-Id: Ib1e9d3c6fb9853e541189e1a16f765d05202cdcc
Reviewed-on: https://pdfium-review.googlesource.com/22011
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/df0a749452d933e4f434e2a33112667f1880db34/testing/resources/bug_765384.in
[modify] https://crrev.com/df0a749452d933e4f434e2a33112667f1880db34/testing/resources/bug_765384.pdf

Comment 26 by sheriffbot@chromium.org, Mar 27 2018

Project Member
Labels: -M-62 M-65

Comment 27 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
