PDF Form Filling and Flattening Tool Buffer Overflow
| Release Date | 2006-05-23 |
| Product | PDF Tools AG - PDF Form Filling and Flattening Tool |
| Versions | 3.0 (Windows) (other versions and platforms untested) |
| Severity | High |
| Author | George D. Gal <ggal_at_vsecurity.com> |
| Vendor Status | Vendor Notified, Fix Available |
| CVE Candidate | CVE-2006-2549 |
| Reference | Original Advisory |
Product Description
From the pdf-tools.com website[1]:
"PDF Tools AG is a world leader in PDF (The Adobe Portable Document Format) programming technology, delivering reliable PDF products to international customers in virtually all market segments."
"PDF Form Filling and Flattening Tool is a command line tool that can create, edit, fill in and delete form fields in a PDF document."
Vulnerability Overview
On April 18th, 2006 VSR identified a stack-based buffer overflow in the PDF Tools AG PDF Form Filling and Flattening tool. Although this is a traditional command line utility there may be a risk to those users of the application who use it within web application or a network service, particularly when relying on user supplied input to generate the PDF form field name or value pairs.
In situations where user supplied input is used to populate a control file of name value pairs without sufficient input validation the form field names are susceptible to overflow. The buffer overflow occurs as a direct result of unsafe string copy operations to a 256 byte fixed length buffer. The binary is also susceptible to overflows of the PDF form field names when specified on the command line instead of within a control file.
The following command may be used to check for the existence of the vulnerability in the PDF form filling and flattening tool:
./pdformp.exe input.pdf output.pdf `perl -e 'print "A"x260;'`=foo
Vendor Response
PDF Tools AG was first notified on 2006-04-19. The following time line outlines the responses from the vendor regarding this issue:
| 2006-04-20 | Acknowledgment of security notification received from VSR. Vendor stated that they only support registered customers of the product. |
| 2006-05-02 | Vendor response acknowledging overflow which will be resolved in the next pre-release version. |
| 2006-05-10 | Vendor response providing estimated release schedule. |
| 2006-05-15 | Vendor response notifying VSR of publicly released fix. |
| 2006-05-23 | VSR advisory released |
Recommendation
PDF Tools AG customers should upgrade to the latest build of the PDF Form Filling and Flattening tool (build 3.1.0.12) released on May 10th, 2006.
The upgrade is available via:
http://www.pdf-tools.com/asp/products.asp?name=FF&type=shell
Common Vulnerabilities and Exposures (CVE) Information
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE-2006-2549References
| 1. | PDF Tools AG Form Filling and Flattening Tool http://www.pdf-tools.com/asp/products.asp?name=FF&type=shell |
This advisory is distributed for educational purposes only, and comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Vulnerability Disclosure PolicyCopyright © 2007 Virtual Security Research, LLC. All rights reserved.
