
Issue metadata

Status: Fixed
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security




Security: UAF in CPWL_ComboBox::KillFocus

Reported by manhluat...@gmail.com, Sep 29 2017

Issue description

VULNERABILITY DETAILS

https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/pwl/cpwl_combo_box.cpp?type=cssq=package:chromium&l=175

void CPWL_ComboBox::KillFocus() {
  SetPopup(false);
  CPWL_Wnd::KillFocus();
}

----------------------------------------------------------------------

https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/pwl/cpwl_combo_box.cpp?type=cssq%3Dpackage:chromium&l=380

void CPWL_ComboBox::SetPopup(bool bPopup) {
...
  if (!bPopup) {
    m_bPopup = bPopup;
    Move(m_rcOldWindow, true, true);  // <------ (1)
    return;
  }



When it tries to kill focus on a combobox, it will invoke |CPWL_ComboBox::KillFocus| instead of |CPWL_Wnd::KillFocus|.

At (1), |Move| ends up calling |Form_Invalidate|, which can run a script and then trigger a UAF by destroying the widget's PDF window in the middle of KillFocus processing. Please see bug 766957, bug 765921 and bug 760455 for more explanation/details.

Please find attached PoC/asan/...


VERSION
Chrome Version: 61.0.3163.100 (Official Build) (64-bit)
Operating System: OS X / Win / Linux

REPRODUCTION CASE
Open the PDF file and click on the scrollbar that has the textbox printing "a".

Attachments:
asan (22.9 KB)
poc.in (3.5 KB)
poc.pdf (4.3 KB)
poc_mv.mov (5.5 MB)

This is a PoC controlling register [rdx], right at the instruction calling the function pointer,
along with the full backtrace from gdb.




Attachments:
combox_killfocus.in (3.7 KB)
combox_killfocus.pdf (4.5 KB)
gdb_btfull (14.9 KB)
Screenshot from 2017-09-29 17-54-08.png (367 KB)
Cc: thestig@chromium.org
Components: Internals>Plugins>PDF
Labels: Security_Severity-Medium Security_Impact-Stable M-62 Pri-1
Owner: dsinclair@chromium.org
Status: Assigned (was: Unconfirmed)
Cc: tsepez@chromium.org
Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
Cc: dsinclair@chromium.org
Owner: hnakashima@chromium.org
Status: Started (was: Assigned)

Comment 6 by bugdroid1@chromium.org, Oct 4 2017

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/55469aed5acffcce3259d37418ba9e8b8e60d801

commit 55469aed5acffcce3259d37418ba9e8b8e60d801
Author: Henrique Nakashima <hnakashima@chromium.org>
Date: Wed Oct 04 16:02:44 2017

Fix UAF in SetVisible().

SetVisible() may be called during Destroy() which may be called
during SetVisible().

This fixes the latest in a family of bugs that happen after an
instance is freed by code triggered by JS code while it's executing
a method.

The CL has a lot of protection for many of these points where JS
may be executed and potentially destroy objects. The return types
of many methods that may execute JS have been changed to bool,
indicating whether the instance is still alive after the call.

Bug: chromium:770148
Change-Id: If5a9db4d8d6aac10f4dd6b645922bb96c116684d
Reviewed-on: https://pdfium-review.googlesource.com/15190
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>

[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_combo_box.cpp
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_wnd.cpp
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_scroll_bar.cpp
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_list_box.cpp
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_edit.h
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_edit_ctrl.h
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_caret.h
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_edit_ctrl.cpp
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_combo_box.h
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_wnd.h
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_caret.cpp
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_edit.cpp
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_list_box.h
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_scroll_bar.h
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_appstream.cpp
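As an added illustration, not pdfium code and not the patch in the commit above, the following constructed C++ model shows both the call chain the report describes (KillFocus -> SetPopup -> Move -> form invalidate that may run document script) and the defensive pattern the commit message describes: methods that may execute script return a bool telling the caller whether the instance is still alive, so no member is touched after the object has been freed. The names Form, Window, on_invalidate and token_ are assumptions made for the model; the liveness check uses a std::weak_ptr observer standing in for pdfium's observer mechanism.

```cpp
#include <cstdio>
#include <functional>
#include <memory>

// Constructed model (assumption, not pdfium code): Form stands in for the
// form that owns the widget window and may run document JS when asked to
// redraw; Window stands in for CPWL_Wnd / CPWL_ComboBox.
struct Form;

class Window {
 public:
  explicit Window(Form* form);

  // Analogue of Move(): redraws via the form, which may run script that
  // destroys this very window. Returns false if |this| died during the call.
  bool Move();

  // Analogue of SetPopup(false): forwards the liveness result of Move().
  bool SetPopup(bool on);

  // Analogue of CPWL_ComboBox::KillFocus(): only does the base-class work
  // (clearing focus) if SetPopup() reports the window is still alive.
  bool KillFocus();

  bool focused() const { return focused_; }
  bool moved() const { return moved_; }

 private:
  Form* form_;
  std::shared_ptr<int> token_;  // dies with the window; observed via weak_ptr
  bool focused_ = true;
  bool popup_ = true;
  bool moved_ = false;
};

struct Form {
  std::unique_ptr<Window> window;            // the widget's window
  std::function<void(Form&)> on_invalidate;  // stands in for JS run on invalidate
  void Invalidate() {
    if (on_invalidate) on_invalidate(*this);
  }
};

Window::Window(Form* form) : form_(form), token_(std::make_shared<int>(0)) {}

bool Window::Move() {
  std::weak_ptr<int> watch = token_;  // taken BEFORE anything that can run script
  form_->Invalidate();                // may delete *this
  if (watch.expired()) return false;  // freed: do not touch any member now
  moved_ = true;
  return true;
}

bool Window::SetPopup(bool on) {
  popup_ = on;
  if (!on) return Move();  // closing the popup triggers the redraw
  return true;
}

bool Window::KillFocus() {
  if (!SetPopup(false)) return false;  // window died inside SetPopup/Move
  focused_ = false;                    // base-class KillFocus work
  return true;
}

// Scenario 1: no script runs; focus is cleared normally and the window lives.
bool KillFocusWithoutScript() {
  Form form;
  form.window = std::make_unique<Window>(&form);
  bool alive = form.window->KillFocus();
  return alive && form.window && !form.window->focused() && form.window->moved();
}

// Scenario 2: script destroys the window during the redraw, as in the bug.
// The chain reports "dead" and no member is written after destruction.
bool KillFocusWithDestroyingScript() {
  Form form;
  form.window = std::make_unique<Window>(&form);
  form.on_invalidate = [](Form& f) { f.window.reset(); };  // JS closes the widget
  bool alive = form.window->KillFocus();
  return !alive && !form.window;
}

int main() {
  std::printf("no script: %s\n", KillFocusWithoutScript() ? "ok" : "FAIL");
  std::printf("destroying script: %s\n", KillFocusWithDestroyingScript() ? "ok" : "FAIL");
  return 0;
}
```

The important ordering is inside Move(): the observer is captured before the call that may run script, and after that call only the local observer is consulted, never a member. That is why the bool has to propagate all the way up to KillFocus(): each caller, not just the innermost method, must stop touching the object once any callee reports it dead.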

Status: Fixed (was: Started)

Comment 8 by sheriffbot@chromium.org, Oct 5 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -Security_Severity-Medium Security_Severity-High

Comment 11 Deleted

Labels: -reward-topanel reward-unpaid reward-5000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Nice one! The VRP panel awarded $5,000 for this. Cheers!
Labels: -reward-unpaid reward-inprocess
Labels: -M-62 M-63

Comment 16 by sheriffbot@chromium.org, Oct 27 2017

Labels: Merge-Request-63

Comment 17 by sheriffbot@chromium.org, Oct 27 2017

Labels: -Merge-Request-63 Merge-Review-63 Hotlist-Merge-Review
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+awhalley@ (Security TPM) for M63 merge review
govind@ good for 63 if commit in #6 isn't already there.
Labels: -Merge-Review-63
#6 is already in M63 branch (M63 was branched on Oct 12th). 
Labels: Release-0-M63
Labels: CVE-2017-15411

Comment 23 by sheriffbot@chromium.org, Jan 11

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 24 by sheriffbot@chromium.org, Mar 27

Labels: -M-63 M-65
Labels: CVE_description-missing
