
Comments (11)

gdelugre commented on May 23, 2024

Should be fixed by 1ef83a8

from origami.

bcoles commented on May 23, 2024

@ndbroadbent


ndbroadbent commented on May 23, 2024

Wow, awesome work @bcoles! Wasn't expecting an RCE!

I think this is important to fix, especially because this library is used by security researchers. You don't want to run this script on your laptop and risk having all your private data stolen, among other things.


ndbroadbent commented on May 23, 2024

Just confirming that I've tested this PDF in my app, and there's no RCE if you're just using the actual Origami library:

[info ] ...Reading header...
[info ] ...Parsing revision 1...
[info ] ...Parsing xref table...
[warn ] Unable to parse xref table! Xrefs might be stored into an XRef stream.
[info ] ...Parsing trailer...
[info ] ...Propagating types...

PDF::Reader also crashes properly with PDF::Reader::MalformedPDFError.


bcoles commented on May 23, 2024

That makes sense. This issue was identified while manually reviewing the utilities - not as a result of fuzzing.


bcoles commented on May 23, 2024

Also worth noting that pdfcop does not see the PDF document as dangerous.

root@kali:~/pdf/origami# ./bin/pdfcop poc.pdf 
[2017-10-01 06:07:58 -0400] PDFcop is running on target `poc.pdf', policy = `standard'
[2017-10-01 06:07:58 -0400]   File size: 598 bytes
[2017-10-01 06:07:58 -0400]   MD5: c783a006a5d6ac91cba50caf92176f05
[2017-10-01 06:07:58 -0400] > Inspecting document structure...
[2017-10-01 06:07:58 -0400] > Inspecting document catalog...
[2017-10-01 06:07:58 -0400] > Inspecting JavaScript names directory...
[2017-10-01 06:07:58 -0400] > Inspecting attachment names directory...
[2017-10-01 06:07:58 -0400] > Inspecting document pages...
[2017-10-01 06:07:58 -0400]   >> Inspecting page...
[2017-10-01 06:07:58 -0400] > Inspecting document streams...
[2017-10-01 06:07:58 -0400] Document accepted by policy `standard'.


gdelugre commented on May 23, 2024

Thank you for submitting this issue. The problem lies in the pdf2ruby script and not in the library itself.

This script is just an experimental thing I had written a long time ago, but it is largely broken for multiple reasons and I doubt there is any real world scenario where it could be of any use.

Code execution could also be achieved with string interpolation by the way. Are you depending on this script for some reason? If not, I think I am just going to strip it out of the repository (there's no point in maintaining something useless and insecure).


bcoles commented on May 23, 2024

Hi @gdelugre

I'm not dependent on this script, nor Origami for that matter.

I recently did some fuzzing of the pdf-reader Ruby gem. @ndbroadbent asked me to take a look at Origami.

During the process of fuzzing, I identified some issues which I wanted to verify by reproducing the issues outside of the fuzzer. To verify, rather than write a loader, I used the existing pdf2ruby utility for the sake of simplicity. Unrelated manual review of the utility quickly revealed the potential for code execution.

Regarding string interpolation, I tried; however, it failed, as # is rejected by the parser when parsing the PDF parameter keys and values. It may be possible to use string interpolation; however, I opted to use hex encoding rather than spend time investigating further.


ndbroadbent commented on May 23, 2024

Hi @gdelugre, I'm also not depending on the pdf2ruby script, so no problem if you want to remove it. However, I am using Origami on my server to parse AcroForm and XFA data for fillable PDF forms.


bcoles commented on May 23, 2024

Looks like that fixed it. Parameters are escaped.


gdelugre commented on May 23, 2024

Fixed as of 2.0.4

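The thread above describes the defect as a code generator (pdf2ruby) that wrote values from the PDF into Ruby source without escaping them, and the fix as "parameters are escaped". The following Ruby is an added illustration of that pattern, not Origami's own code: a naive generator beside a hardened one that emits every value through String#dump, plus a lexer-based check that the generated text can only ever be a single plain string literal. The dictionary key names and sample values are constructed for the example.

```ruby
require 'ripper'

# Added example, not Origami's own code: the pdf2ruby-style failure mode is a
# generator that pastes values taken from the PDF straight into Ruby source.
# String#dump escapes quotes, backslashes, "#{" sequences and every
# non-printable byte, so a dumped value can only ever parse back as one
# plain string literal, whatever bytes (hex-encoded or not) the file carried.

# Naive generator: assumes the value is a harmless word. (Unsafe on purpose.)
def naive_literal(value)
  "\"#{value}\""
end

# Hardened generator: the literal parses back to exactly the input bytes.
def safe_literal(value)
  value.dump
end

# Emit one Ruby assignment per PDF dictionary entry (key names are
# hypothetical, not Origami's).
def generate_assignments(dict, escape: true)
  dict.map do |key, value|
    literal = escape ? safe_literal(value) : naive_literal(value)
    "#{key.to_s.downcase} = #{literal}"
  end
end

# Lex the generated source and require that it is one plain string literal:
# nothing before the opening quote, nothing after the closing quote, and no
# interpolation (#{...}) or other tokens in between.
def single_plain_string?(source)
  types = Ripper.lex(source).map { |tok| tok[1] }
  return false if types.empty?
  types.first == :on_tstring_beg && types.last == :on_tstring_end &&
    types.count(:on_tstring_beg) == 1 &&
    (types - %i[on_tstring_beg on_tstring_content on_tstring_end]).empty?
end

# Round-trip check. Anything that is not a single plain literal is refused
# rather than evaluated, so this never runs code smuggled in by the value.
def parses_back_to?(literal, original)
  return false unless single_plain_string?(literal)
  eval(literal).b == original.b # safe: the literal is a plain string
end
```

The same check applies to any generator that emits source in another language: escape with that language's own literal syntax and verify with its own lexer, never with a hand-written character blacklist (the thread notes that rejecting `#` alone did not stop hex-encoded input).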
