
Issue 765921


Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security


Security: UAF in CPWL_Caret::SetCaret

Reported by manhluat...@gmail.com, Sep 16 2017

Issue description

This bug affects stable Chrome with XFA disabled.

https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/pwl/cpwl_caret.cpp?sq=package:chromium&l=86

---------------------------------------------
void CPWL_Caret::SetCaret(bool bVisible,
                          const CFX_PointF& ptHead,
                          const CFX_PointF& ptFoot) {
  if (bVisible) {
    if (IsVisible()) {
      if (m_ptHead != ptHead || m_ptFoot != ptFoot) {
        m_ptHead = ptHead;
        m_ptFoot = ptFoot;
        m_bFlash = true;
        Move(m_rcInvalid, false, true);
      }
    } else {
      m_ptHead = ptHead;
      m_ptFoot = ptFoot;
      EndTimer();
      BeginTimer(PWL_CARET_FLASHINTERVAL);
      CPWL_Wnd::SetVisible(true); <---------- (1)
      m_bFlash = true;
      Move(m_rcInvalid, false, true);
    }
  } else {
    m_ptHead = CFX_PointF();
    m_ptFoot = CFX_PointF();
    m_bFlash = false;
    if (IsVisible()) {
      EndTimer();
      CPWL_Wnd::SetVisible(false);
    }
  }
}

At (1), |SetEditCaret| calls |SetCaret| -> ... and ends up at |Invalidate|, which invokes |Form_Invalidate|, which may call |GetPage| -> |LoadFXAnnots|. Then we can destroy the pdf window |this| (CPWL_Edit) in the middle of this function -> UAF occurs.

It's kinda complex to trigger it, but I managed to do that.

Components: Internals>Plugins>PDF
Hey, good news.

I've managed to make a PoC without user interaction.

I probably can take control registers, but let me get back my Linux build on Monday.

Cheers.
Attachments: asan_noui (22.0 KB), onsetfocus_noui.in (3.6 KB), onsetfocus_noui.pdf (4.4 KB), poc_noui.mov (5.0 MB)

Comment 3 by mea...@chromium.org, Sep 17 2017

Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows
Owner: dsinclair@chromium.org
Status: Assigned (was: Unconfirmed)
You can see that |rdx| is overwritten by an arbitrary value, so it's definitely possible to take over RIP as well, since it is executing |call   QWORD PTR [rdx+0x28]|.


Attachments: control_reg.pdf (4.7 KB), control_reg.in (3.9 KB), Screenshot from 2017-09-18 11-59-10.png (373 KB), poc_gdb (3.4 KB)
Cc: tsepez@chromium.org
Status: Started (was: Assigned)

Comment 8 by tsepez@chromium.org, Sep 19 2017

Labels: Security_Severity-High Security_Impact-Stable

Comment 9 by bugdroid1@chromium.org, Sep 19 2017

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/6f960347f8474a202d8dd99063bf8ce584896baf

commit 6f960347f8474a202d8dd99063bf8ce584896baf
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Tue Sep 19 17:57:30 2017

Setting focus on a widget may destroy the widget

When a widget has focus set, this can trigger an Invalidation call which
can trigger a page and annotation reload. This reload can destroy the
current widget we're handling.

This CL adds ObservedPtrs as needed so we can make sure the widgets are
still alive after we've done the Invalidation.

Bug: chromium:765921
Change-Id: I51cd24aa1ebd96abe9478efef5130a4e568dac1a
Reviewed-on: https://pdfium-review.googlesource.com/14290
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

[modify] https://crrev.com/6f960347f8474a202d8dd99063bf8ce584896baf/fpdfsdk/pwl/cpwl_caret.cpp
[modify] https://crrev.com/6f960347f8474a202d8dd99063bf8ce584896baf/fpdfsdk/pwl/cpwl_wnd.cpp
[modify] https://crrev.com/6f960347f8474a202d8dd99063bf8ce584896baf/fpdfsdk/pwl/cpwl_edit.cpp
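The following is an added illustration, not pdfium's code, of the observed-pointer pattern the commit message describes: a method takes an observer on |this| before a call that may re-enter and destroy the widget, and checks that observer before touching any member afterwards. The Observable/ObservedPtr classes, the Host owner and the destroy_on_invalidate switch are all hypothetical stand-ins for the page/annotation reload path in the report.

```cpp
#include <set>

// Added example, not pdfium code: a minimal observed-pointer scheme in the spirit
// of the fix. Destroying an Observable nulls every ObservedPtr to it, so a method
// that made a re-entrant call can check whether |this| survived before using it.
class Observable {
 public:
  class ObservedPtr {
   public:
    explicit ObservedPtr(Observable* o) : obj_(o) { if (obj_) obj_->observers_.insert(this); }
    ~ObservedPtr() { if (obj_) obj_->observers_.erase(this); }
    bool alive() const { return obj_ != nullptr; }
   private:
    friend class Observable; Observable* obj_;
  };
  virtual ~Observable() { for (ObservedPtr* p : observers_) p->obj_ = nullptr; }
 private:
  std::set<ObservedPtr*> observers_;
};

class Widget;
// Hypothetical owner: when destroy_on_invalidate is set, an Invalidate() deletes
// the widget, modelling the page/annotation reload the report describes.
struct Host { Widget* widget = nullptr; bool destroy_on_invalidate = false; };

class Widget : public Observable {
 public:
  explicit Widget(Host* host) : host_(host) {}
  // Returns true if |this| was still alive after Invalidate() and the flag was written.
  bool SetVisible(bool visible) {
    ObservedPtr self(this);           // observe before the re-entrant call
    Invalidate();                     // may delete |this|
    if (!self.alive()) return false;  // destroyed underneath us: touch no members
    visible_ = visible;
    return true;
  }
 private:
  void Invalidate() {
    Host* h = host_;                  // copy first: |this| may go away below
    if (h->destroy_on_invalidate) { delete h->widget; h->widget = nullptr; }
  }
  Host* host_; bool visible_ = false;
};

// Drives one scenario; returns whether SetVisible() completed on a live widget.
bool RunScenario(bool destroy_during_invalidate) {
  Host host;
  host.widget = new Widget(&host);
  host.destroy_on_invalidate = destroy_during_invalidate;
  bool finished = host.widget->SetVisible(true);
  delete host.widget;               // nullptr if already destroyed
  return finished;
}
```

Without the ObservedPtr check, the write to visible_ in the destroy case would be exactly the use-after-free the report describes.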

Status: Fixed (was: Started)

Comment 11 by sheriffbot@chromium.org, Sep 20 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-5000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Congrats! The VRP panel decided to award $5,000 for this report. Thank you!
Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M63
Labels: CVE-2017-15410

Comment 18 by sheriffbot@chromium.org, Dec 27 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-missing

Comment 20 by sheriffbot@chromium.org, Jul 28

Labels: Pri-1
Labels: -CVE_description-missing CVE_description-submitted