In this blog post, we are going to look at current exploitation of CVE-2010-0188: an integer overflow in the parsing of the DotRange option in TIFF files. The vulnerability was publicly announced in February 2010. Examples of exploit code are readily available on the Internet, and a very good explanation of how the exploit works has been provided by Fortinet.
The exploit described by Fortinet utilizes an AcroForm described in XML. The XML contains an image field with an embedded TIFF image that triggers the vulnerability.
This is all pretty straightforward. However, the other day I encountered a PDF file that was triggering this vulnerability in a more complicated fashion. Let’s take a look at the actual file.
It looks pretty similar to previous TIFF exploit files in that the object of interest is an AcroForm. Here is what object 19 looks like:
The template which references Object 10 is particularly interesting:
The data that is being written to the form field is a base64-encoded TIFF image that contains an invalid DotRange parameter. Voilà, exploitation ensues. I did not look at the shellcode, since I was mostly curious about the ways in which exploits can be set up with PDFs.
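A check a defender can run over the image data pulled out of such a form field, written here as an added example rather than code from the original post: it decodes the base64 TIFF, walks the first IFD and flags a DotRange entry (tag 336) whose value count is not the two values that tag is defined to carry. The sample TIFFs and the `make_tiff` helper are constructed for the example.

```python
import base64
import struct

DOTRANGE_TAG = 336            # TIFF DotRange tag, the field abused by CVE-2010-0188
DOTRANGE_EXPECTED_COUNT = 2   # a well-formed DotRange carries exactly two values


def parse_ifd_entries(data: bytes):
    """Yield (tag, type, count, value_or_offset) for each entry of the first IFD."""
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    if data[:2] == b"II":
        end = "<"            # little-endian file
    elif data[:2] == b"MM":
        end = ">"            # big-endian file
    else:
        raise ValueError("not a TIFF header")
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    if ifd_off + 2 > len(data):
        raise ValueError("IFD offset outside file")
    (n,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    pos = ifd_off + 2
    for _ in range(n):
        if pos + 12 > len(data):
            raise ValueError("truncated IFD")
        yield struct.unpack(end + "HHII", data[pos:pos + 12])
        pos += 12


def suspicious_dotrange(b64_tiff: str) -> bool:
    """True if the base64-encoded TIFF has a DotRange entry with an unexpected count."""
    data = base64.b64decode(b64_tiff)
    return any(tag == DOTRANGE_TAG and count != DOTRANGE_EXPECTED_COUNT
               for tag, _typ, count, _val in parse_ifd_entries(data))


def make_tiff(dotrange_count: int) -> bytes:
    """Constructed minimal little-endian TIFF: header plus one IFD (width, length, DotRange)."""
    header = b"II" + struct.pack("<HI", 42, 8)
    entries = [(256, 3, 1, 1), (257, 3, 1, 1), (DOTRANGE_TAG, 3, dotrange_count, 0)]
    ifd = struct.pack("<H", len(entries))
    for entry in entries:
        ifd += struct.pack("<HHII", *entry)
    return header + ifd + struct.pack("<I", 0)   # no further IFDs


# Constructed samples: a benign DotRange with two values and one with a bogus count.
BENIGN_B64 = base64.b64encode(make_tiff(2)).decode()
SUSPICIOUS_B64 = base64.b64encode(make_tiff(16)).decode()
```

The same walk can be pointed at every image stream decoded from a PDF's AcroForm fields, which is where this sample hid its TIFF.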