TippingPoint Zero Day Initiative
(0Day) (Mobile Pwn2Own) Polaris Viewer DOCX VML Shape Tag Remote Code Execution Vulnerability

ZDI-13-211: August 29th, 2013

CVSS Score

Affected Vendors

    Samsung

Affected Products

    Infraware Polaris Viewer
    Infraware Polaris Office
    Galaxy S3
    Galaxy S4

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Polaris Viewer. User interaction is required to exploit this vulnerability in that the target must open a malicious file.

The specific flaw exists within the parsing of a DOCX file. The length of a tag associated with a VML shape is not properly validated. As such, if the tag is too large, the copy overflows into the adjacent buffer. By abusing this behavior an attacker can bring that memory under their control and leverage the situation to achieve remote code execution under the context of the Polaris Viewer application.
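The following is an added illustration of the missing check described above; it is not Polaris Viewer's code, and the fixed-size record, the 32-byte attribute limit and the sample document.xml fragment are assumptions constructed for the example. It shows a bounded copy of a `<v:shape>` attribute that rejects oversized values instead of letting them run into the adjacent field, plus a pre-parse scan that counts oversized shape attributes in a document so a defender can flag such files before a fragile parser ever sees them.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed-size record for a VML shape attribute. The 32-byte
 * limit is an assumption for this example, not Polaris Viewer's layout. */
#define SHAPE_ATTR_MAX 32

struct shape_record {
    char attr[SHAPE_ATTR_MAX]; /* attribute value, NUL-terminated */
    int  flags;                /* adjacent field an unchecked copy would clobber */
};

/* Locate `name="..."` inside one start tag delimited by [tag, tag_end).
 * Returns a pointer to the first byte of the value and sets *len, or NULL. */
static const char *find_attr(const char *tag, const char *tag_end,
                             const char *name, size_t *len) {
    size_t nlen = strlen(name);
    for (const char *p = tag; p + nlen + 2 <= tag_end; p++) {
        if ((p == tag || p[-1] == ' ') &&
            memcmp(p, name, nlen) == 0 &&
            p[nlen] == '=' && p[nlen + 1] == '"') {
            const char *start = p + nlen + 2;
            const char *end = memchr(start, '"', (size_t)(tag_end - start));
            if (end == NULL)
                return NULL;
            *len = (size_t)(end - start);
            return start;
        }
    }
    return NULL;
}

/* Validated copy: the length check is the one the advisory says is missing.
 * Returns 0 on success, -1 if the attribute is absent or does not fit;
 * on -1 the record, including `flags`, is left untouched. */
int load_shape_attr(struct shape_record *rec, const char *tag, const char *name) {
    size_t len;
    const char *val = find_attr(tag, tag + strlen(tag), name, &len);
    if (val == NULL)
        return -1;
    if (len >= SHAPE_ATTR_MAX) /* reserve one byte for the terminator */
        return -1;
    memcpy(rec->attr, val, len);
    rec->attr[len] = '\0';
    return 0;
}

/* Pre-parse scan over a document.xml string: count <v:shape> start tags
 * whose `name` attribute would not fit in SHAPE_ATTR_MAX. "<v:shape " with
 * the trailing space keeps <v:shapetype> out of the match. */
int count_oversized_shape_attrs(const char *xml, const char *name) {
    int oversized = 0;
    const char *xml_end = xml + strlen(xml);
    const char *p = xml;
    while ((p = strstr(p, "<v:shape ")) != NULL) {
        const char *end = memchr(p, '>', (size_t)(xml_end - p));
        if (end == NULL)
            break;
        size_t len;
        const char *val = find_attr(p, end, name, &len);
        if (val != NULL && len >= SHAPE_ATTR_MAX)
            oversized++;
        p = end;
    }
    return oversized;
}

/* Constructed sample: one well-formed shape and one whose id is too long. */
static const char SAMPLE_XML[] =
    "<w:pict>"
    "<v:shapetype id=\"_x0000_t75\" coordsize=\"21600,21600\"/>"
    "<v:shape id=\"_x0000_i1025\" type=\"#_x0000_t75\" style=\"width:24pt\"/>"
    "<v:shape id=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\""
    " type=\"#_x0000_t75\"/>"
    "</w:pict>";

int main(void) {
    struct shape_record rec;
    rec.flags = 0x1234;
    int n = count_oversized_shape_attrs(SAMPLE_XML, "id");
    printf("oversized v:shape id attributes in sample: %d\n", n); /* 1 */
    int rc = load_shape_attr(&rec, "<v:shape id=\"_x0000_i1025\"/>", "id");
    printf("bounded load rc=%d attr=%s flags=0x%x\n", rc, rec.attr, rec.flags);
    return 0;
}
```

The scan works on the unzipped `word/document.xml` text of a DOCX; in practice a document may also carry VML in `word/header*.xml` and `word/footer*.xml`, so a real pre-screen should walk every XML part in the archive.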

Vendor Response

Samsung states:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline.

Mitigation:

Samsung and Infraware have issued an update to correct this vulnerability. More details can be found at:
http://www.infraware.co.kr/bbs/noticeDetail_eng.aspx?number=5

Vendor Contact Timeline:

Sept 19, 2012 - MWR Labs demonstrated an exploit against the Samsung Galaxy S3 running Android 4.0.4 at Mobile Pwn2Own 2012.
Sept 20, 2012 - Samsung requests vulnerability information from ZDI so that it can handle the vulnerability report.
Sept 24, 2012 - ZDI requested contact information and PGP keys for secure communication of vulnerability information from Samsung.
Sept 24, 2012 - Samsung provides ZDI with PGP key and contact information.
Sept 25, 2012 - ZDI notifies Samsung of the preference that the vulnerability information go through Samsung's central incident response for tracking purposes.
Sept 26, 2012 - Samsung provides ZDI with contact information.
Sept 26, 2012 - Samsung Security Team contacts ZDI and provides PGP key for secure communication of the vulnerability information.
Sept 26, 2012 - ZDI e-mails vulnerability disclosure ZDI-CAN-1658 to security@samsung.com. It contains a vulnerability advisory and a proof of concept.
Sept 26, 2012 - security@samsung.com acknowledges receipt of the file. security@samsung.com requests that ZDI re-send the disclosure due to issues reading the proof of concept. They are able to read the README.txt but state that the poc.docx is corrupt.
Sept 26, 2012 - ZDI verifies that the poc.docx contains the vulnerable condition and replies to security@samsung.com stating that the poc.docx is a proof of concept of the vulnerability and is malformed on purpose, and that it should be used to help locate the vulnerable code.
Oct 8, 2012 - security@samsung.com requests full exploit from ZDI.
Oct 9, 2012 - ZDI states that the full exploit was not required from participants of Mobile Pwn2Own 2012.
...
Mar 25, 2013 - 180 day deadline from vulnerability disclosure passes. ZDI is able to disclose the vulnerability as a 0-day according to its Vulnerability Disclosure Policy.
Mar 25, 2013 - ZDI holds releasing advisory and waits for communication from Samsung.
...
Aug 4, 2013 - ZDI notifies Samsung that Mobile Pwn2Own vulnerability will be disclosed as a 0-day before the end of August. Notification happened in person at DEF CON.
Aug 5, 2013 - Samsung requests from ZDI via e-mail for more detail and a timeline of events associated with the vulnerability.
Aug 7, 2013 - ZDI provides timeline and requests support.
Aug 7, 2013 - Samsung replies that ZDI should work with security@samsung.com to obtain a vulnerability status update.
Aug 8, 2013 - ZDI notifies Samsung (security@samsung.com, m.security@samsung.com) of impending 0-day disclosure.
Aug 29, 2013 - No response from Samsung. ZDI discloses 0-day vulnerability advisory.
Sept 5, 2013 - Samsung requests ZDI remove 0-day advisory as they work on fix.
Sept 5, 2013 - ZDI denies request to remove 0-day advisory.
Sept 6, 2013 - Infraware contacts ZDI and denies existence of vulnerability.
Sept 6, 2013 - ZDI requests PGP keys for secure communication of vulnerability information.
Sept 6, 2013 - Infraware provides ZDI with PGP keys.
Sept 9, 2013 - ZDI e-mails vulnerability disclosure ZDI-CAN-1658 to Infraware.
Sept 10, 2013 - Infraware releases patch to address the vulnerability.
Disclosure Timeline

    2012-09-26 - Initial contact with vendor
    2013-08-29 - Public release of advisory

Credit

This vulnerability was discovered by:
    Tyrone Erasmus, MWR Labs
    Jacques Louw, MWR Labs
    Jon Butler, MWR Labs
    Nils, MWR Labs