Add Documalis Free PDF Editor and Scanner Windows file format exploit #13517
Conversation
Would you like help with your PR? This is identical to your previous PRs.
Yes, if that is possible. Thanks.
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
The two exploits should really be combined into a single module. Looking at the diff, they're basically the same. You can use a target you change the
Cool. First of all, PR titles should be descriptive. See the updated title for how it should be done.
I'll let you do the next step. Modules should be in the correct file hierarchy. You can accomplish this with the following commands: Hope this helps. If there are any CVEs associated with these modules, please add them to the
Thank you very much wvu-r7. I'll try.
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit: You can automate most of these changes with the Please update your branch after these have been made, and reach out if you have any problems.
@metacom27 Any chance you can write up some documentation using the guides above? It's going to be harder for us to land this module without this. Also, do you have a CVE for this bug? I didn't see one in your module's source code. If not, please get in contact with @todb-r7 and he can help assign you a CVE for this issue.
@metacom27 Applied some updates to your original post to format it in Markdown so it's easier to read.
Removing the
How do I do that? "smb_loris.rb" I don't know what happened in my Windows :(
Looks like the file was removed in this commit: 8d0b361. I would undo that commit if you can. As for how to do that, refer to https://stackoverflow.com/questions/22682870/git-undo-pushed-commits. The command you would most likely want is
@gwillcox-r7 "I would undo that commit if you can." Not working. If you can, delete everything and I will post Documalis Free PDF Editor and Scanner again.
feca37b to 1a3ca6e
@metacom27 Pushed the necessary changes to your branch to remove the bad commit using
@metacom27 Any update on getting CVEs assigned for these issues? @todb-r7 may be able to help if you need assistance with getting them assigned.
Yes, if he wants to help me. I've sent an email via cveform.mitre.org
Heya @metacom27, since you've already put in for an assignment, we should just let that go, rather than risk a double assignment. Say, do update here when you get the assignment. Always curious how long the front door takes on these things. (Also there will be an entirely new CVE ID assignment system in the fall, for what it's worth.)
I'm going to do it. Thank you.
There are some general changes that I will apply myself, but I wanted to point out three main areas of concern here that I think you might be better suited to answer. Namely the title, a missing reference, and a question regarding the versions that were available to test with and how many versions this vulnerability has been tested on.
Furthermore, whilst I couldn't comment on this earlier, the file name for the Ruby module and its corresponding documentation really needs to be either the CVE identifier (which makes it easier for people to search for the right file), or it should at the very least contain details on what type of vulnerability it is (in this case a stack buffer overflow), as well as what an attacker gains by exploiting it (in this case RCE).
documentation/modules/exploit/windows/fileformat/documalis_pdf_editor_and_scanner.md
modules/exploits/windows/fileformat/documalis_pdf_editor_and_scanner.rb
Quick update, but I did a quick test of these two bugs on version v5.7.2.9 of both products (since these were the two versions I was able to download) and whilst both crashed, it seems that we would need to update the code as right now we are relying on the host EXE itself, which will change with every release. Edit: Whilst I originally advised that one could use bundled DLLs to provide some cross-version compatibility, it seems that both products don't come with any additional DLLs. It's just a single EXE with a bunch of images and icons. All the external dependencies are Microsoft-specific DLLs which will change depending on the OS version, patches, etc. So it looks like the EXE is honestly the best bet given this scenario.
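The observation above, that the module depends on addresses inside the host EXE, pairs naturally with the hardening check a defender runs on such a binary: does the image opt into ASLR, so that nothing inside it sits at a fixed address, and does it declare the other load-time mitigations? The Ruby below is an added example and is not code from this PR, from Metasploit or from Documalis. It reads the DllCharacteristics field of a PE optional header and reports the opt-in flags (DYNAMIC_BASE, HIGH_ENTROPY_VA, NX_COMPAT, NO_SEH, GUARD_CF). The two sample images are header-only stubs constructed in the block, not the Documalis executables. SafeSEH is recorded in the load configuration directory rather than in these flags, so this check does not cover it.

```ruby
# Added example, not part of the PR: inspect the opt-in mitigation flags in a
# PE image's optional header. The sample images below are constructed stubs,
# not the Documalis executables.
module PeMitigations
  # IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
  FLAGS = {
    high_entropy_va: 0x0020, # 64-bit ASLR entropy
    dynamic_base:    0x0040, # ASLR: the image may be relocated at load time
    nx_compat:       0x0100, # DEP: data pages are non-executable
    no_seh:          0x0400, # the image contains no SEH handlers at all
    guard_cf:        0x4000  # Control Flow Guard instrumentation present
  }.freeze

  PE32_MAGIC     = 0x10B
  PE32PLUS_MAGIC = 0x20B

  # Returns a Hash of flag name => true/false plus :pe32plus, or raises on a
  # malformed header. Only the headers are needed, not the whole file.
  def self.mitigations(image)
    img = image.b
    raise ArgumentError, 'not an MZ image' unless img.byteslice(0, 2) == 'MZ'.b
    e_lfanew = img.byteslice(0x3C, 4)&.unpack1('V')
    raise ArgumentError, 'bad e_lfanew' unless e_lfanew && img.byteslice(e_lfanew, 4) == "PE\x00\x00".b

    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER (20 bytes)
    opt_size = img.byteslice(coff + 16, 2)&.unpack1('v')   # SizeOfOptionalHeader
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    raise ArgumentError, 'optional header truncated' if opt_size.nil? || opt_size < 72 || img.bytesize < opt + 72

    magic = img.byteslice(opt, 2).unpack1('v')
    raise ArgumentError, "unknown optional header magic 0x#{magic.to_s(16)}" unless [PE32_MAGIC, PE32PLUS_MAGIC].include?(magic)

    flags = img.byteslice(opt + 70, 2).unpack1('v')
    FLAGS.transform_values { |bit| (flags & bit) != 0 }.merge(pe32plus: magic == PE32PLUS_MAGIC)
  end

  # An image that opts into ASLR is relocated at load, so nothing inside it
  # has a stable address for a hardcoded pointer to rely on.
  def self.aslr_opted_in?(image)
    mitigations(image)[:dynamic_base]
  end

  # Build a minimal, non-runnable PE header stub carrying the given
  # DllCharacteristics value. Constructed purely for demonstration.
  def self.build_stub(dll_characteristics, pe32plus: false)
    e_lfanew = 0x80
    img = 'MZ'.b + ("\x00".b * 0x3A) + [e_lfanew].pack('V') + ("\x00".b * (e_lfanew - 0x40))
    opt_size = pe32plus ? 240 : 224
    img << "PE\x00\x00".b
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    img << [pe32plus ? 0x8664 : 0x014C, 1, 0, 0, 0, opt_size, 0x0102].pack('vvVVVvv')
    opt = "\x00".b * opt_size
    opt[0, 2]  = [pe32plus ? PE32PLUS_MAGIC : PE32_MAGIC].pack('v')
    opt[70, 2] = [dll_characteristics].pack('v')
    img << opt
  end

  # Constructed samples: one image with no mitigations, one with ASLR + DEP.
  LEGACY_STUB   = build_stub(0x0000).freeze
  HARDENED_STUB = build_stub(0x0140, pe32plus: true).freeze
end

if __FILE__ == $PROGRAM_NAME
  { 'legacy' => PeMitigations::LEGACY_STUB, 'hardened' => PeMitigations::HARDENED_STUB }.each do |name, img|
    m = PeMitigations.mitigations(img)
    puts "#{name}: #{m.select { |_, v| v }.keys.join(', ')}"
  end
end
```

Point `mitigations` at the first few hundred bytes of a real file (`File.binread(path, 4096)`) to get the same report for an installed binary; a `false` for `dynamic_base` on a 32-bit image is exactly the condition under which per-release hardcoded addresses keep working.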
…ctly calculates the maximum size of the payload and ensures we don't overrun this.
…se for the SEH handler overwrite within the exploit
…so remove the EDB field and replace it with a temporary CVE field
@metacom27 Went ahead and pushed some changes to your code that should address the problems mentioned above, specifically:
I still need to review and update a few minor things on the documentation, and then the last step should be to do compliance checks, aka linting, to make sure the code conforms to our guidelines. After that we will just need to wait for the CVE ID to be assigned and then we can merge this in.
…ocs.rb compliant. Also apply RuboCop updates to the module
… commit to fail for reasons other than the CVE being missing
Ok, this should be ready to land once the CVE is assigned. @metacom27 do you have any updates on the CVE ID at all?
@gwillcox-r7 I have not received any response from CVE.
Hello @gwillcox-r7 "Corrected your exploit buffer size calculation so it correctly calculates the size of the buffer; this now allows the exploit to successfully calculate the size of the buffer so that we don't inadvertently end up crashing the target." I tried all his possibilities to control the buffer, but it is not working: the program crashes after you close the shell connection. This is the only way this vulnerability works, e.g. "PDF Shaper 3.5 - Local Buffer Overflow": after the shell connection closes, the program crashes. I think it's better to close and delete the exploit module.
Ah sorry, I should have been clearer with my explanation! My apologies! The issue was that before this fix, the target would crash without the attacker ever getting a shell. This was happening because you were not calculating the size of the buffer correctly. You are correct that the target will still crash after the attacker exits their shell, but the real issue that we were trying to fix here was the fact that, due to an incorrect buffer size calculation, your original exploit wasn't granting the attacker any shells at all. All it was doing was crashing the target. I'll update the code so long to add in some exploit notes to note that the target does indeed crash after we exit the shell.
All right, I'm nervous about assigning a CVE for you when it's already in process upstream. Here's my suggestion, @metacom27 :
@gwillcox-r7 if it's not a breaking change to land this module without a CVE, then I say release it, and I can open an issue referencing this PR to remember to actually assign one in the unknowable future. (If it /is/ a rule-breaking action to land without a CVE, then hang on a week?) Finally, this is a huge hassle, sorry about that. Next time, just go with a Rapid7 assignment -- much faster throughput here! All this caution is because untangling multiple assignments is always a huge pain for many, many organizations, and should be avoided at most costs.
…ce, fix some alignment issues for Notes section
@todb-r7 Thanks, will get this landed now and we can circle back on adding the CVE later this week/beginning of next week (aka August 10th) if nothing has happened by then. @metacom27 Can you keep us updated and let us know if MITRE does assign a CVE for this vuln? Going to merge in your work in the meantime and we'll create a separate PR to add in the CVE when it gets assigned.
…G PDF Stack Buffer Overflow
Release Notes: New module
@todb-r7 Hello, I followed your advice as MITRE did not respond by August 10th. I canceled the CVE request with MITRE because they did not respond to my request. Thanks for everything.
Hello, I received an email from mitre.org about the CVE: "The information regarding CVE-2020-24035 is already populated to the CVE master list (see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7374). If you have additional information that is not contained in the CVE entry and would like to update the entry, please use the CVE request web form (https://cveform.mitre.org/) and select “Request an update to an existing CVE Entry”. Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scanner version 5.7.2.122 do not appropriately validate the contents of JPEG images contained within a PDF. Attackers can exploit this vulnerability to trigger a buffer overflow on the stack and gain remote code execution as the user running the Documalis Free PDF Editor or Documalis Free PDF Scanner software." Online resources:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=%20CVE-2020-7374
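The CVE text quoted above names the root cause as missing validation of JPEG images embedded in a PDF, with a stack buffer overflow as the consequence. The Ruby below is an added example, not code from this PR, from Metasploit or from Documalis: it walks the marker segments of a JPEG stream and rejects any segment whose declared length runs past the bytes actually read, as well as any start-of-frame header whose dimensions are zero, oversized or inconsistent with its component table. That is the check an image parser must make before copying a segment into a fixed-size buffer. The three sample streams are constructed in the block (header-only, not decodable pictures), and the 16384-pixel dimension cap is an assumed policy value, not something from the page.

```ruby
# Added example, not part of the PR: bounds-checked walk over the marker
# segments of a JPEG stream, i.e. the validation a decoder must do before
# trusting a declared segment length. The samples below are constructed stubs.
module JpegCheck
  SOI = 0xD8
  EOI = 0xD9
  SOS = 0xDA
  TEM = 0x01
  RST = (0xD0..0xD7)
  STANDALONE = ([SOI, EOI, TEM] + RST.to_a).freeze         # markers with no length field
  SOF = [0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
         0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF].freeze        # start-of-frame markers

  Result = Struct.new(:ok, :error, :width, :height, :components, :segments)

  def self.reject(msg)
    Result.new(false, msg, nil, nil, nil, [])
  end

  # data: binary String holding the JPEG stream. max_dim: assumed policy cap
  # on frame width/height (a real decoder derives its buffer sizes from these).
  def self.validate(data, max_dim: 16_384)
    data = data.b
    return reject('stream too short') if data.bytesize < 4
    return reject('missing SOI marker') unless data.getbyte(0) == 0xFF && data.getbyte(1) == SOI

    segments = []
    width = height = components = nil
    pos = 2
    while pos < data.bytesize
      return reject("expected 0xFF at offset #{pos}") unless data.getbyte(pos) == 0xFF
      pos += 1 while data.getbyte(pos + 1) == 0xFF           # tolerate 0xFF fill bytes
      marker = data.getbyte(pos + 1)
      return reject('truncated marker') if marker.nil?

      if STANDALONE.include?(marker)
        segments << [marker, 0]
        return Result.new(true, nil, width, height, components, segments) if marker == EOI
        pos += 2
        next
      end

      # Every other marker carries a 2-byte big-endian length that counts itself.
      len_bytes = data.byteslice(pos + 2, 2)
      return reject("truncated length field for marker 0x#{marker.to_s(16)}") unless len_bytes&.bytesize == 2
      length = len_bytes.unpack1('n')
      return reject("segment length #{length} < 2 for marker 0x#{marker.to_s(16)}") if length < 2
      seg_end = pos + 2 + length
      # The decisive check: the declared length must fit inside the bytes actually read.
      if seg_end > data.bytesize
        return reject("segment 0x#{marker.to_s(16)} claims #{length} bytes but only #{data.bytesize - pos - 2} remain")
      end
      body = data.byteslice(pos + 4, length - 2)

      if SOF.include?(marker)
        return reject('SOF segment too short') if body.bytesize < 6
        _precision, height, width, components = body.unpack('CnnC')
        return reject("frame #{width}x#{height} is empty or exceeds #{max_dim}") if width.zero? || height.zero? || width > max_dim || height > max_dim
        return reject("invalid component count #{components}") unless (1..4).cover?(components)
        return reject('SOF component table truncated') if body.bytesize < 6 + 3 * components
      end

      segments << [marker, length]
      pos = seg_end
      next unless marker == SOS

      # Entropy-coded data follows SOS: skip to the next real marker, treating
      # 0xFF00 (stuffed byte) and RSTn as part of the scan data.
      loop do
        idx = data.index("\xFF".b, pos)
        return reject('entropy-coded data not terminated') if idx.nil?
        nxt = data.getbyte(idx + 1)
        return reject('truncated inside entropy-coded data') if nxt.nil?
        if nxt == 0x00 || RST.cover?(nxt)
          pos = idx + 2
        elsif nxt == 0xFF
          pos = idx + 1
        else
          pos = idx
          break
        end
      end
    end
    reject('missing EOI marker')
  end

  # Constructed samples (header-only, not decodable pictures).
  SAMPLE_OK = [
    "\xFF\xD8".b,                                                      # SOI
    "\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00".b,  # APP0 (JFIF)
    "\xFF\xC0\x00\x0B\x08\x00\x10\x00\x20\x01\x01\x11\x00".b,          # SOF0: 32x16, 1 component
    "\xFF\xDA\x00\x08\x01\x01\x00\x00\x3F\x00".b,                      # SOS
    "\x12\x34\xFF\x00\x56".b,                                          # scan data with a stuffed 0xFF00
    "\xFF\xD9".b                                                       # EOI
  ].join
  SAMPLE_OVERLONG = "\xFF\xD8\xFF\xE0\xFF\xFFJFIF".b                    # APP0 claims 65535 bytes
  SAMPLE_HUGE_FRAME = "\xFF\xD8\xFF\xC0\x00\x0B\x08\xFF\xFF\xFF\xFF\x01\x01\x11\x00\xFF\xD9".b
end
```

Run `JpegCheck.validate(File.binread(path))` over the image streams pulled out of a PDF to apply the same gate; the `segments` list in a successful result doubles as a quick inventory of which markers a file actually contains.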
@metacom27 I think the way we were going to solve this was the way that @todb-r7 mentioned at metacom27#1, have you taken a look at that PR so long? Otherwise I can just create a separate PR on my side and add in the CVE-ID manually, then we can close that PR and the associated issue at #13934 that @todb-r7 created.
Yep, CVE-2020-7374 should be the canonical ID. Merge metacom27#1 and it should be all well in the land.
Download
http://documalis.com/free-pdf-editor
http://documalis.com/free-pdf-scanner
Targets
Win 7 and Win 10
Verification
Open the PDF file and the vulnerability is triggered.