Throwing Shade: Analysis of a Foxit Integer Overflow

August 01, 2018 | Vincent Lee

When your research is submitted to our program, it doesn’t sit on a server tucked in a dusty closet. Instead, we verify your findings before making an offer and develop detection guidance for our customers after the acquisition of the research. Your research allows us to provide valuable 0-day protection to our customers, which is how our program remains sustainable without us needing to resell your original report to any third-party.

Detection guidance development requires intimate knowledge of the attack vector and often takes us to seldom traversed documentation or deep into IDA-land. Today, I would like to take you on a short trip down the ZDI-18-755 (CVE-2018-14295) rabbit hole, which was reported by an anonymous researcher.

ZDI-18-755 is an integer overflow bug that can be triggered when parsing PDF documents with crafted shading patterns. The overflown value is passed as the size parameter of a subsequent memory allocation, making this a classic example of CWE-680 (Integer Overflow to Buffer Overflow). Specifically, the vulnerability resides in the processing of a Type 3 Shading pattern. A Shading pattern allows the author to “paint” an image with color gradients. The image below shows examples of various shading types.

Different kinds of shading pattern types

A Type 3 Shading pattern corresponds to a Radial Shading pattern according to Table 4.28 of the ISO 32000-1 (PDF 1.7) standard.

A PDF file is a collection of objects of various types. Together, these objects define the contents and structure of a PDF document. The following excerpt of a PDF file is a dictionary-typed object with an object ID of 4. This object defines the various parameters of a radial shading, such as the centers and radii of the starting and ending circles.

The dictionary entry of interest to this vulnerability is the /Function entry, which is an array of function-typed objects. According to the specification, this entry may contain 1 or more function-typed objects. In the above shading definition, the /Function array specifies the following four function-typed objects. Their object IDs are 7, 5, 5, and 6.

7 0 R
5 0 R
5 0 R
6 0 R

The definitions of the function-typed objects are as follows:

An integer overflow occurs when the program processes the /Function array entry. The following is the control flow diagram of the vulnerable section of the function:

This section of the function calculates the number of elements in the different fields of these function-typed objects and essentially performs the “m x n + m x n + p x q” calculation. It iterates through the /Function array and adds the intermediate multiplication result stored at eax+20 to edi. The value of edi is subsequently used by the malloc_wrapper_caller_caller_caller() function to allocate a buffer for the storage of these function-typed objects.

The calculation of edi is performed without any integer overflow check. With sufficiently large p, q, m, and n values, it is possible to wrap edi around and cause the allocation of an undersized buffer. In the debugger output below, we can see that edi has wrapped around and holds the value 0x11.
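The arithmetic described above, written out as an added example (this is not Foxit's code and not from the original post). The struct fields m, n, p and q, the four constructed inputs, and the use of the GCC/Clang `__builtin_*_overflow` builtins are all my assumptions; the inputs are chosen only so that the unchecked 32-bit sum wraps to the 0x11 the post observed in edi, and the checked variant shows the overflow-detecting form of the same loop that refuses to allocate:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the per-object dimensions the post calls
 * m, n, p and q. The field names are assumptions; Foxit's real structure
 * layout is not on the page. */
typedef struct {
    uint32_t m, n, p, q;
} func_dims;

/* Constructed inputs: four function objects, mirroring the post's /Function
 * array of four references (7, 5, 5, 6; object 5 appears twice). The numbers
 * are chosen so the unchecked 32-bit sum wraps to 0x11; they are not taken
 * from the real sample. */
const func_dims kCrafted[4] = {
    {0x8000, 0x8000, 0, 0},      /* 2*(0x8000*0x8000)          = 0x80000000 */
    {0x4000, 0x4000, 0, 0},      /* 2*(0x4000*0x4000)          = 0x20000000 */
    {0x4000, 0x4000, 0, 0},      /*                            = 0x20000000 */
    {0x4000, 0x8000, 1, 0x11},   /* 2*(0x4000*0x8000) + 1*0x11 = 0x40000011 */
};                               /* sum = 0x100000011 -> truncated to 0x11  */

/* A benign shading: small dimensions, nothing wraps. */
const func_dims kBenign[2] = {
    {2, 3, 4, 5},   /* 2*6 + 20 = 32 */
    {1, 1, 1, 1},   /* 2*1 + 1  = 3  */
};                  /* total 35 */

/* Unchecked accumulation, the shape of the vulnerable loop: every product
 * and sum is done in 32 bits and silently wraps around. */
uint32_t element_count_unchecked(const func_dims *f, size_t count) {
    uint32_t edi = 0;
    for (size_t i = 0; i < count; i++) {
        uint32_t per_object = f[i].m * f[i].n + f[i].m * f[i].n + f[i].p * f[i].q;
        edi += per_object;
    }
    return edi;
}

/* Checked accumulation: each intermediate goes through an overflow-checking
 * builtin, and the function returns false as soon as any step would wrap. */
bool element_count_checked(const func_dims *f, size_t count, uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < count; i++) {
        uint32_t mn, pq, per_object;
        if (__builtin_mul_overflow(f[i].m, f[i].n, &mn))         return false;
        if (__builtin_add_overflow(mn, mn, &per_object))         return false;
        if (__builtin_mul_overflow(f[i].p, f[i].q, &pq))         return false;
        if (__builtin_add_overflow(per_object, pq, &per_object)) return false;
        if (__builtin_add_overflow(total, per_object, &total))   return false;
    }
    *out = total;
    return true;
}

/* Allocation gate: the buffer is only requested when the size survived the
 * checks, so crafted input yields NULL rather than an undersized buffer. */
void *alloc_function_storage(const func_dims *f, size_t count) {
    uint32_t n;
    if (!element_count_checked(f, count, &n) || n == 0) return NULL;
    return malloc(n);
}

int main(void) {
    uint32_t n = 0;
    printf("unchecked (crafted): 0x%x\n", element_count_unchecked(kCrafted, 4));
    printf("checked   (crafted): %s\n",
           element_count_checked(kCrafted, 4, &n) ? "ok" : "overflow rejected");
    printf("checked   (benign):  %s, %u elements\n",
           element_count_checked(kBenign, 2, &n) ? "ok" : "rejected", n);
    return 0;
}
```

The unchecked loop is what an undersized allocation looks like at the source level: nothing in it is wrong for small inputs, and the wrap only appears once the running total crosses 2^32. The checked loop makes the overflow a handled error rather than a heap corruption, which is the fix pattern for CWE-680 regardless of which parser it lives in.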

Here we see the subsequent call to malloc() with the overflown edi value:

Here we see the subsequent accesses to the undersized buffer. Page heap catches the out-of-bounds write that results from the insufficiently large allocation.

This is definitely more information than anyone would want to know about PDF Shading, but such intimate knowledge of the attack vector is required for the development of detection logic and is exactly how we translate your research into valuable threat intelligence for our customers.

On a closing note, I came across a StackOverflow question that was concerned with weird shading definitions in PDFs exported by Google Drive as I was developing the detection logic. Interestingly, this is not the first time it had inspired some bugs. I can’t help but wonder if the anonymous researcher had seen the StackOverflow question and decided to poke at it. I guess this is a question that will remain unanswered.

You can find me on Twitter @TrendyTofu, and follow the team for the latest in exploit techniques and security patches.