Comments (11)
Should be fixed by 1ef83a8
from origami.
Wow, awesome work @bcoles! Wasn't expecting an RCE!
I think this is important to fix, especially because this library is used by security researchers. You don't want to run this script on your laptop and risk having all your private data stolen, among other things.
from origami.
Just confirming that I've tested this PDF in my app, and there's no RCE if you're just using the actual Origami library:
[info ] ...Reading header...
[info ] ...Parsing revision 1...
[info ] ...Parsing xref table...
[warn ] Unable to parse xref table! Xrefs might be stored into an XRef stream.
[info ] ...Parsing trailer...
[info ] ...Propagating types...
PDF::Reader also crashes properly with PDF::Reader::MalformedPDFError.
from origami.
That makes sense. This issue was identified while manually reviewing the utilities - not as a result of fuzzing.
from origami.
Also worth noting that pdfcop does not see the PDF document as dangerous.
root@kali:~/pdf/origami# ./bin/pdfcop poc.pdf
[2017-10-01 06:07:58 -0400] PDFcop is running on target `poc.pdf', policy = `standard'
[2017-10-01 06:07:58 -0400] File size: 598 bytes
[2017-10-01 06:07:58 -0400] MD5: c783a006a5d6ac91cba50caf92176f05
[2017-10-01 06:07:58 -0400] > Inspecting document structure...
[2017-10-01 06:07:58 -0400] > Inspecting document catalog...
[2017-10-01 06:07:58 -0400] > Inspecting JavaScript names directory...
[2017-10-01 06:07:58 -0400] > Inspecting attachment names directory...
[2017-10-01 06:07:58 -0400] > Inspecting document pages...
[2017-10-01 06:07:58 -0400] >> Inspecting page...
[2017-10-01 06:07:58 -0400] > Inspecting document streams...
[2017-10-01 06:07:58 -0400] Document accepted by policy `standard'.
from origami.
Thank you for submitting this issue. The problem lies in the pdf2ruby script and not in the library itself.
This script is just an experimental thing I had written a long time ago, but it is largely broken for multiple reasons and I doubt there is any real world scenario where it could be of any use.
Code execution could also be achieved with string interpolation by the way. Are you depending on this script for some reason? If not, I think I am just going to strip it out of the repository (there's no point in maintaining something useless and insecure).
from origami.
Hi @gdelugre
I'm not dependent on this script, nor Origami for that matter.
I recently did some fuzzing of the pdf-reader Ruby gem. @ndbroadbent asked me to take a look at Origami.
During the process of fuzzing, I identified some issues which I wanted to verify by reproducing the issues outside of the fuzzer. To verify, rather than write a loader, I used the existing pdf2ruby utility for the sake of simplicity. Unrelated manual review of the utility quickly revealed the potential for code execution.
Regarding string interpolation, I tried, however it failed as # is rejected by the parser when parsing the PDF parameter keys and values. It may be possible to use string interpolation, however I opted to use hex encoding rather than spend time investigating further.
from origami.
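The pattern discussed in this thread, shown as an added illustration rather than the actual pdf2ruby code: a tool that emits Ruby source from PDF dictionary entries and then loads it. The `#xx` hex escape inside a PDF name is real PDF syntax, which is what lets an attacker smuggle a double quote past a parser that rejects a literal `#`. The function names, the `$marker` global and the constructed PDF name value are assumptions made for this example; the "safe" generator simply applies String#dump, the kind of escaping the fix described here performs.

```ruby
# Added example, not Origami's pdf2ruby: a minimal PDF-name decoder and two
# ways of turning a PDF dictionary entry into Ruby source that is then eval'd.

# PDF names may encode any byte as #xx (two hex digits); decode that escape.
def decode_pdf_name(raw)
  raw.gsub(/#([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Unsafe generator: the decoded name is pasted verbatim inside a quoted
# Ruby literal, so a quote character in the name ends the literal.
def generate_unsafe(key, value)
  "dict[\"#{key}\"] = \"#{value}\"\n"
end

# Safe generator: String#dump emits a quoted Ruby literal with ", \ and
# interpolation sequences escaped, so the name can only ever be data.
def generate_safe(key, value)
  "dict[#{key.dump}] = #{value.dump}\n"
end

# Stand-in for "the tool loads the script it generated": eval the source
# with a local `dict` hash in scope and hand the hash back.
def load_generated(src)
  dict = {}
  eval(src, binding)
  dict
end

# Constructed attacker-controlled name used as the dictionary value. #22 is a
# hex-encoded double quote: it closes the literal, arbitrary Ruby follows, and
# a second quote re-opens a string so the generated line stays valid syntax.
EVIL_VALUE = 'Hello#22; $marker = :code_ran; #22'

# Run one generator over the constructed entry; report whether the injected
# statement executed ($marker set) and what the dictionary ended up holding.
def demo(generator)
  $marker = nil
  key = decode_pdf_name('Title')
  value = decode_pdf_name(EVIL_VALUE)
  dict = load_generated(generator.call(key, value))
  [$marker, dict]
end

if $PROGRAM_NAME == __FILE__
  p demo(method(:generate_unsafe))  # [:code_ran, {"Title"=>"Hello"}]
  p demo(method(:generate_safe))    # [nil, {"Title"=>"Hello\"; $marker = :code_ran; \""}]
end
```

With the unsafe generator the decoded value produces the source line `dict["Title"] = "Hello"; $marker = :code_ran; ""`, and the middle statement runs when the script is loaded. With the escaped generator the same bytes survive only as the string stored under "Title". The same check applies to any code generator fed untrusted input: never splice decoded bytes into source text, always emit them through the target language's literal escaping.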
Hi @gdelugre, I'm also not depending on the pdf2ruby script, so no problem if you want to remove it. However, I am using Origami on my server to parse AcroForm and XFA data for fillable PDF forms.
from origami.
Looks like that fixed it. Parameters are escaped.
from origami.
Fixed as of 2.0.4
from origami.