我的技术与生活——xpdf

CVE-2019-13288

搭建xpdf环境

cd $HOME
mkdir fuzzing_xpdf && cd fuzzing_xpdf/

# 相关依赖
sudo apt install build-essential
sudo apt update && sudo apt install -y build-essential gcc

# Download Xpdf 3.02 && build Xpdf
wget https://dl.xpdfreader.com/old/xpdf-3.02.tar.gz
tar -xvzf xpdf-3.02.tar.gz
cd xpdf-3.02

./configure --prefix="$HOME/fuzzing_xpdf/install/"
make
make install

# Download PDF examples to test Xpdf
cd $HOME/fuzzing_xpdf
mkdir pdf_examples && cd pdf_examples
wget https://github.com/mozilla/pdf.js-sample-files/raw/master/helloworld.pdf
wget http://www.africau.edu/images/default/sample.pdf
wget https://www.melbpc.org.au/wp-content/uploads/2017/10/small-example-pdf-file.pdf

测试Xpdf

1	$HOME/fuzzing_xpdf/xpdf-3.02/xpdf/pdfinfo -box -meta $HOME/fuzzing_xpdf/pdf_examples/helloworld.pdf

搭建fuzz环境

sudo apt-get update
sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools cargo libgtk-3-dev
# try to install llvm 14 and install the distro default if that fails
sudo apt-get install -y lld-14 llvm-14 llvm-14-dev clang-14 || sudo apt-get install -y lld llvm llvm-dev clang
sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
sudo apt-get install -y ninja-build # for QEMU mode
sudo apt-get install -y cpio libcapstone-dev # for Nyx mode
sudo apt-get install -y wget curl # for Frida mode
sudo apt-get install -y python3-pip # for Unicorn mode
git clone https://github.com/AFLplusplus/AFLplusplus
cd AFLplusplus
make distrib
sudo make install

#将afl添加到环境变量path中
echo 'export PATH=$PATH:/home/hpp/AFLplusplus' >> ~/.bashrc
source ~/.bashrc

使用afl-clang-fast对Xpdf进行插桩

先清理掉之前Xpdf编译好的文件

1
2
3

rm -r $HOME/fuzzing_xpdf/install
cd $HOME/fuzzing_xpdf/xpdf-3.02/
make clean

编译xpdf并用 afl-clang-fast 编译器，进行插桩

export LLVM_CONFIG="llvm-config-11"
CC=$HOME/AFLplusplus/afl-clang-fast CXX=$HOME/AFLplusplus/afl-clang-fast++ ./configure --prefix="$HOME/fuzzing_xpdf/install/"
make
make install

开始fuzz模糊测试

-i :设置输入实例的文件夹

-o :设置用于存放模糊测试结果的文件夹

-s :设置一个静态随机数作为种子

— ：设置测试目标

@@ ：占位符，指代每一个输入文件

1	afl-fuzz -i $HOME/fuzzing_xpdf/pdf_examples/ -o $HOME/fuzzing_xpdf/out/ -s 123 -- $HOME/fuzzing_xpdf/xpdf-3.02/xpdf/pdftotext @@ $HOME/fuzzing_xpdf/output

在 ~/fuzzing_xpdf/out/default/crashes 里有导致程序奔溃的输入

hpp@swikar:~/fuzzing_xpdf/out/default/crashes$ ls
id:000000,sig:11,src:001045,time:342537,execs:245377,op:havoc,rep:15
id:000001,sig:11,src:000229,time:505563,execs:344967,op:havoc,rep:2
id:000002,sig:11,src:001638,time:566771,execs:383537,op:havoc,rep:1
id:000003,sig:11,src:001753+000851,time:820662,execs:526503,op:splice,rep:2
README.txt

将这些文件放到gdb中调试，看看是哪里出错

首先重新编译

rm -r $HOME/fuzzing_xpdf/install
cd $HOME/fuzzing_xpdf/xpdf-3.02/
make clean
CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --prefix="$HOME/fuzzing_xpdf/install/"
make
make install

然后gdb调试

1	gdb --args $HOME/fuzzing_xpdf/install/bin/pdftotext $HOME/fuzzing_xpdf/out/default/crashes/<your_filename> $HOME/fuzzing_xpdf/output

我这里是

1	gdb --args $HOME/fuzzing_xpdf/install/bin/pdftotext $HOME/fuzzing_xpdf/out/default/crashes/id:000000,sig:11,src:001045,time:342537,execs:245377,op:havoc,rep:15 $HOME/fuzzing_xpdf/output

pwndbg> run
#回溯用过的函数
pwndbg> bt
#24055 0x00005555555ff8f0 in Parser::makeStream (this=0x5555561b1030, dict=0x7fffffa71880, fileKey=0x0, encAlgorithm=cryptRC4, keyLength=0, objNum=7, objGen=0) at Parser.cc:156
#24056 0x00005555555ff51a in Parser::getObj (this=0x5555561b1030, obj=0x7fffffa71880, fileKey=0x0, encAlgorithm=cryptRC4, keyLength=0, objNum=7, objGen=0) at Parser.cc:94
#24057 0x0000555555623714 in XRef::fetch (this=0x5555556cc230, num=7, gen=0, obj=0x7fffffa71880) at XRef.cc:823
#24058 0x00005555555fa57e in Object::fetch (this=0x5555561b0c58, xref=0x5555556cc230, obj=0x7fffffa71880) at Object.cc:106
#24059 0x000055555559c94c in Dict::lookup (this=0x5555561b0c00, key=0x55555564ca6f "Length", obj=0x7fffffa71880) at Dict.cc:76
#24060 0x00005555555fb269 in Object::dictLookup (this=0x7fffffa71b00, key=0x55555564ca6f "Length", obj=0x7fffffa71880) at /home/hpp/fuzzing_xpdf/xpdf-3.02/xpdf/Object.h:253
#24061 0x00005555555ff8f0 in Parser::makeStream (this=0x5555561b0b50, dict=0x7fffffa71b00, fileKey=0x0, encAlgorithm=cryptRC4, keyLength=0, objNum=7, objGen=0) at Parser.cc:156
#24062 0x00005555555ff51a in Parser::getObj (this=0x5555561b0b50, obj=0x7fffffa71b00, fileKey=0x0, encAlgorithm=cryptRC4, keyLength=0, objNum=7, objGen=0) at Parser.cc:94
# 发现一直在调用Parser::getObj 函数

查看Parser.cc:94的源码

while (!buf1.isCmd(">>") && !buf1.isEOF()) {
      if (!buf1.isName()) {
	error(getPos(), "Dictionary key must be a name object");
	shift();
      } else {
	key = copyString(buf1.getName());
	shift();
	if (buf1.isEOF() || buf1.isError()) {
	  gfree(key);
	  break;
	}
      //不断调用getObj使程序奔溃
	obj->dictAdd(key, getObj(&obj2, fileKey, encAlgorithm, keyLength,
				 objNum, objGen));
      }
    }

定位到这

由于本人代码能力一般，修复不了bug,通过chatgpt修复了一下

在源码的基础上增加了一个次数的限制

//定义两个全局变量
#define MAX_OBJ_CALLS 10000
int callCount = 0;

while (!buf1.isCmd(">>") && !buf1.isEOF()) {
      if (!buf1.isName()) {
	error(getPos(), "Dictionary key must be a name object");
	shift();
      } else {
	key = copyString(buf1.getName());
	shift();
	if (buf1.isEOF() || buf1.isError()) {
	  gfree(key);
	  break;
	}

	        // 增加调用次数限制
        if (callCount >= MAX_OBJ_CALLS) {
            error(getPos(), "Too many calls to getObj, possible infinite loop");
            gfree(key);
            obj->initError();  // 初始化为错误对象
            break;
        }
        callCount++;  // 增加调用次数
        
        
	obj->dictAdd(key, getObj(&obj2, fileKey, encAlgorithm, keyLength,
				 objNum, objGen));
      }
    }

这样可以有效限制调用次数

再次make clean,重新插桩编译，跑了很久发现了另外一个，是其他的输入的问题，无限递归的bug已经修复了

这是xpdf4.02中Parser.cc的部分源码

// 增加了递归的上限
// Max number of nested objects.  This is used to catch infinite loops
// in the object structure.
#define recursionLimit 500

// 增加了递归次数的检查
  // array
  if (!simpleOnly && recursion < recursionLimit && buf1.isCmd("[")) {
      ...
  // dictionary or stream
  } else if (!simpleOnly && recursion < recursionLimit && buf1.isCmd("<<")) {
      ...
    
// 对比之前版本，发现多了 recursion 这个参数
    // stream objects are not allowed inside content streams or
    // object streams
    if (allowStreams && buf2.isCmd("stream")) {
      if ((str = makeStream(obj, fileKey, encAlgorithm, keyLength,
                objNum, objGen, recursion + 1))) {
          ...

漏洞来源

在 Xpdf 4.01.01 中，Parser.cc 文件中的 Parser::getObj() 函数可能通过精心构造的文件导致无限递归。远程攻击者可以利用此漏洞发动拒绝服务（DoS）攻击。此漏洞与 CVE-2018-16646 类似。

参考文献

[1]:Fuzzing101学习笔记 - 星盟安全团队

[2]:Fuzzing101/Exercise 1 at main · antonio-morales/Fuzzing101

[3]:CVE-2019-13288 : In Xpdf 4.01.01, the Parser::getObj() function in Parser.cc may cause infinite r

站点信息

xpdf

参考文献

评论区

目录

公告栏