Skip to content

Adobe PDF Vulnerability: Stack overflow in Font File parsing

Metasploit has a great write up on new vulnerability in PDF. The basic problem is a stack overflow when parsing OpenType fonts. In particular, SING Glyphlet tables contain a 27 byte long unique name that is expected to be NUL-terminated and stored in a 28-byte buffer. The vulnerable code is using strcat and lacks bounds checking resulting in a stack overflow.

The PDF in the wild prepares the heap via Javascript and contains multiple different font files that are selected by navigating to a specific page in the PDF based on the viewer version. Each font files has slightly different shell code. It was amusing to see that the attackers after modifying the head and SING tables did not fix up their respective checksums. According to Metasploit, this exploit works under Windows 7 with both DEP and ASLR turned on. Fun Fun. As of now, no patched version is available. The SecBrowsing blog contains instructions with temporary remedies.
Categories: Malware, News, SpyBye
Defined tags for this entry: , ,

Libevent-2.0.7-rc release

Nick announced the release of Libevent-2.0.7-rc today. Here is an excerpt from his email:

Thanks to everybody who reported and fixed bugs in Libevent 2.0.6-rc,
Libevent 2.0.7-rc should be much more stable and portable, especially
for people using IOCP, Windows, rate-limiting, or threads.

There are also numerous small bugfixes thoughout the codebase (though
still not, alas, in the http stuff).

For a complete list of changes, just see the ChangeLog included with
the source distribution.


You can download source code of libevent releases from monkey.org
Categories: Libevent, News
Defined tags for this entry: ,