Denial of Service through crafted PDF file
Hello Poppler team,
During an incident response procedure for a client, it was found that some malicious customers were uploading maliciously crafted PDF files, among other things, that are later manipulated by staff.
The goal is still unclear, but when analyzing the files, this is what I found:
- The crafted files totally crash Files (the simple file manager for GNOME) EVEN without opening the file; the program seems to access their header when you attempt to view the files' properties, size, etc.
- If you attempt to open them (as some staff did), they either crash Evince or consume your processing power.
- By researching Evince, we isolated Poppler as the vulnerable surface.
- After confirmation, we tested and can confirm that it affects the latest up-to-date Linux versions.
- No evidence of privilege escalation or remote control has been found so far.
Technical details
PDF files containing particularly crafted data trigger an infinite loop that causes stream file reads to keep failing, inside error() in poppler/Error.cc.
Here is the sequence of functions that we see:
- FileStream::getPos()
- GooString::appendfv(char const*, __va_list_tag*)
- GooString::appendfv(char const*, __va_list_tag*)
- _poppler_error_cb(ErrorCategory, long long, char const*) ... repeats
I will attach a case file nearly identical to the original (we had to carefully clean out personal information, so it is slightly modified, but it still seems to work). The attachment will be in a separate confidential report to team members.
Thank you,
Carlos Andres Ramirez
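The report's practical lesson is that a file like this cannot be triaged by opening it, or even by viewing its properties, on an analyst's desktop: the parser either crashes or loops forever in error(). The harness below is an added example, not code from the report or from the Poppler project. It runs a PDF command-line tool on a suspect file in its own session under a wall-clock timeout and kernel resource limits (CPU time, address space, no core dumps), and classifies the outcome as ok, error, crash or timeout. It assumes a Linux/POSIX host and, for the convenience wrapper, that Poppler's `pdfinfo` is on PATH; the argv passed to `triage` is otherwise arbitrary, so the behaviour can be checked with ordinary shell commands.

```python
"""Sandboxed triage of untrusted PDF files.

Added example, not code from the bug report or from Poppler. Runs a PDF
tool (assumed: poppler's `pdfinfo`, but any argv works) on a suspect file
under a wall-clock timeout and kernel rlimits, and classifies how it
ended, so a file that sends the parser into an infinite error loop is
recorded as "timeout" and a file that crashes it as "crash", instead of
freezing the analyst's desktop session the way Evince or the file manager did.
"""
import os
import resource
import signal
import subprocess
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TriageResult:
    verdict: str                 # "ok", "error", "crash" or "timeout"
    returncode: Optional[int]    # None when killed by the wall-clock timeout
    signal_name: Optional[str]   # e.g. "SIGSEGV" or "SIGXCPU"
    stderr_tail: str             # last bytes of stderr (e.g. poppler's Error: lines)


def _limit_resources(cpu_seconds: int, mem_bytes: int) -> None:
    """Runs in the child just before exec (preexec_fn)."""
    # Soft CPU limit delivers SIGXCPU; the hard limit one second later is a
    # SIGKILL, so a spinning parser dies even if the wall-clock timer is missed.
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
    # Cap address space so a runaway loop cannot exhaust host memory.
    resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    # No core dumps: a dump of a crash on a customer file may contain their data.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def _tail(fileobj, nbytes: int = 2048) -> str:
    """Return the last nbytes of a binary file object as text."""
    fileobj.seek(0, os.SEEK_END)
    size = fileobj.tell()
    fileobj.seek(max(0, size - nbytes))
    return fileobj.read().decode("utf-8", "replace")


def triage(argv: List[str], timeout: float = 10.0, cpu_seconds: int = 8,
           mem_mb: int = 1024) -> TriageResult:
    """Run argv under limits and classify how it ended."""
    # stderr goes to a temp file rather than a pipe: a parser that logs an
    # error on every failed read would otherwise fill the parent's memory.
    with tempfile.TemporaryFile() as err:
        proc = subprocess.Popen(
            argv, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
            stderr=err, start_new_session=True,
            preexec_fn=lambda: _limit_resources(cpu_seconds, mem_mb * 1024 * 1024),
        )
        try:
            rc = proc.wait(timeout=timeout)
        except subprocess.TimeoutExpired:
            # Kill the whole session so helper children die with the tool.
            os.killpg(proc.pid, signal.SIGKILL)
            proc.wait()
            return TriageResult("timeout", None, None, _tail(err))
        tail = _tail(err)
    if rc >= 0:
        return TriageResult("ok" if rc == 0 else "error", rc, None, tail)
    sig = signal.Signals(-rc)
    # SIGXCPU is the CPU rlimit firing: same diagnosis as a wall-clock timeout.
    verdict = "timeout" if sig == signal.SIGXCPU else "crash"
    return TriageResult(verdict, rc, sig.name, tail)


def triage_pdf(path: str, tool: str = "pdfinfo", **kw) -> TriageResult:
    """Convenience wrapper; `pdfinfo` is assumed to be poppler's utility on PATH."""
    return triage([tool, path], **kw)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        r = triage_pdf(p)
        print(f"{p}: {r.verdict} rc={r.returncode} sig={r.signal_name}")
        print(r.stderr_tail)
```

The limits here bound time, CPU and memory only; they are not an isolation boundary. The report found no evidence of code execution, but a file that is being triaged precisely because it misbehaves in the parser should still be handled in a throwaway VM or container, with this harness inside it.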