Fuzzing HTTP Server (PDF.js)

Hi Internet

Summary: While fuzzing Mozilla PDF.js a format string vulnerability it was observed that the development server used in PDF.js gets crash when a malformed URI(bad request) is sent.

PS: The patch for the path traversal bug which was found perviously gave rise to this issue.

I have used boofuzz in the case to fuzz PDF.js, boofuzz is a fork of and the successor to the venerable sulley fuzzing framework, for installation you can simply use pip.

pip install boofuzz

Then,

session = Session(
    target=Target(
        connection=SocketConnection("127.0.0.1", 8888, proto='tcp')))

In boofuzz each message starts with an s_initialize()

s_initialize(name="Request")
    with s_block("Request-Line"):
        s_group("Method", ['GET'])
        s_string("/", name='Request-URI')
        s_string('HTTP/1.1', name='HTTP-Version')

Vulnerable code in PDF.js (webserver.js):

  _handler: function (req, res) {
     var url = req.url.replace(/\/\//g, '/');
     var urlParts = /([^?]*)((?:\?(.*))?)/.exec(url);
     // guard against directory traversal attacks,
     // e.g. /../../../../../../../etc/passwd
     // which let you make GET requests for files outside of this.root
     var pathPart = path.normalize(decodeURI(urlParts[1]));

If you see the bold part of the above code the PDF.js did not have any guard for malformed URI sent in various methods.

However, the fuzzer ran for an hour and it was observed that the HTTP server of PDF.js can't handle malformed strings and server gets crash. While fuzzing with boofuzz its better to start Wireshark on 'lo' to see all the fuzzed request which are sent to the server. I found /%s%s%s was used in this case.

curl -v -X GET 127.0.0.1:8888/%s%s%s

The PDF.js server gets crash and below traces are left.

Server running at http://localhost:8888/
[12:16:22] 'server' errored after 1.01 h
[12:16:22] URIError: URI malformed
at decodeURI ()
at WebServer._handler (/Users/Dhiraj/Desktop/pdf.js/test/webserver.js:86:35)
at Server.emit (events.js:188:13)
at Server.EventEmitter.emit (domain.js:459:23)
at parserOnIncoming (_http_server.js:676:12)
at HTTPParser.parserOnHeadersComplete (_http_common.js:113:17)

However, the bug was submitted to Mozilla and a patch was deployed for same.

Patch code in PDF.js (webserver.js):

    try {
       // Guard against directory traversal attacks such as
       // `/../../../../../../../etc/passwd`, which let you make GET requests
       // for files outside of `this.root`.
       var pathPart = path.normalize(decodeURI(urlParts[1]));
     } catch (ex) {
       // If the URI cannot be decoded, a `URIError` is thrown. This happens for
       // malformed URIs such as `http://localhost:8888/%s%s` and should be
       // handled as a bad request.
       res.writeHead(400);
       res.end('Bad request', 'utf8');
       return;
     }
     var queryPart = urlParts[3];
     var verbose = this.verbose;

If you are a mozillian and you like my work towards PDF.js, don't hesitate to vouch me :) Hope you like the read.
https://mozillians.org/en-US/u/Dhiraj_Mishra/

Thank you

Dhiraj

Read More

I swiped right

Hi Internet,

Summary: By using multi-gesture trackpad along with Safari browser in MacBook Pro, one can view sensitive data which is cached in your Safari browser. (Note: This is not a back button browsing vulnerability)

I figured out this issue while playing around with Safari browser, looks like the most recent activity of any authenticated or un-authenticated website is stored in cache of Safari browser and by taking the advantage of multi-gesture trackpad we can retrieve any or all information about that activity.

Looks like Apple provides a feature in trackpad which allows users to swipe between the pages or applications. It also allows you to tap, swipe, pinch, or spread one or more fingers to perform useful actions but seems they forgot to add some security measures in this.

Trackpad settings

Steps to reproduce:
1. Open safari browser (v12.0.2 (14606.3.4) was used in this case)
2. Login to any dynamic website (I've used www.gmail.com)
3. Perform your dynamic activity
4. Logout (But don't close your safari browser)
5. Now swipe right

You would actually see your recent data, between the pages. I've also created a video proof-of-concept for same.

Apple says: After reviewing your report we do not see any actual security implications. (I think this was the lamest vendor response).



But, I feel like this is an interesting issue which can be exploited by local attacker. Also this only works with safari browser. I hope you like the read.

Thank you

Dhiraj

Read More

Metadata and potential password leak in aria2

Hi Internet,

Summary: aria2 is a lightweight multi-protocol command-line utility, which store's "HTTP Basic Authentication" username and password in a file when `--log` attribute is used.

This issue was observed while performing the code review of aria2, However the file HttpConnection.cc was responsible for this issue, below is the vulnerable code :

1. It was observed that URL's which gets downloaded via `--log=` attribute stored sensitive information.
2. In combination with HTTP authentication a username and password can be part of the URL.
    `aria2c --log=file https://user:passwd@example.com/`

In such case the log file contains password as well, sometimes URL's may contain secret tokens, e.g. private file shared on a file hosting service. In general storing metadata at unexpected places should be avoided, rest other utility like cURL was patched to this issue, it uses HTTP digest authentication mechanism for such case.

Moving further this issue was patched and such information will be masked in latest versions of aria2. This is also similar to when URL of downloads gets stored via filesystem attributes on systems that support unix extended attributes. You can see these attributes on Linux systems by running getfattr -d [filename]

Later CVE-2019-3500 was assigned to this issue, hope you like the read.

Thank you

Dhiraj

Read More

Path traversal in mozilla pdf.js

Hi Internet,

Summary: A path traversal issue was observed in Mozilla PDF.js which is a PDF reader in JavaScript. (This issue is unpatched)

This issue was observed while code review of PDF.js (gulpfile.js)

PDF.js is built into version 19+ of firefox and a chrome extension is also available on chrome web store. To install and get a local copy of PDF.js here are the below steps :

Then navigate to http://127.0.0.1:8888/

I've used the attribute --path-as-is from cURL to verify this issue.

This was reported to mozilla via bugzilla but team says "The server with pdf.js is intended to be a development server and should not be exposed to public networks. I suppose we could update the docs to state that." and a upstream issue was filed against this[1].

Thank you

Dhiraj

Read More

null-pointer dereference in poppler library - CVE-2018-19149

Hi Internet,

Summary: While fuzzing evince v3.28.4, on linux 4.15.0-38-generic (Ubuntu 18.04 LTS), a null-pointer dereference was observed, initially this was reported to evince but the evince team advised that the issue is in poppler, the library used by evince to render PDF, poppler version: 0.62.0-2ubuntu2.2 is vulnerable to null-pointer dereference, however the issue is already fixed in poppler 0.70, but this will still crash your evince v3.28.4 if poppler is not updated to v.0.70. Fuzzing result showing a very important vulnerability in a package currently shipped by a major Linux distribution is still of interest, even if that Linux distribution does not package the latest released upstream version.

Initially, I started fuzzing with evince which is a document reader which comes by default with most of the linux distribution. Also created a malformed PDF files to provide input to AFL, after a successfully compile of evince with afl-gcc, the final command was,

It took three days to get 21 crashes in which 6 unique crashes where observed, while analyzing the crash with triage_crashes which is one of the component which comes with AFL for analyzing crashes, I observed a null-PTR.

So basically a null-PTR is a type of error which causes a SIGSEGV, segmentation fault to the program, and this usually happens when a program or binary try to read or write to the memory with null-PTR.

I went ahead and reported this to GNOME, because evince is one of there asset, the team says "The issue is in Poppler, the library used by Evince to render PDF" arggh!, so stupid am I, I taught `libpoppler-glib.so` is one of the shared object in evince but didn't know that poppler is a PDF rendering library which comes by default in most of the PDF reader in linux distribution, and there is a standalone repo out there for poppler.

Also, GNOME evince team says "it seems it has already been addressed. See https://gitlab.freedesktop.org/poppler/poppler/merge_requests/93, Nevertheless, if the issue is still present, please file a bug in https://gitlab.freedesktop.org/poppler/poppler/"

Okay no worries, I still went ahead and file a bug in poppler, but the team over there asked me what poppler version am i using, and it was version 0.62.0-2ubuntu2.2 and they said the issue is already fixed in poppler version 0.70 After I read this, I was like....

Img Src: https://knowyourmeme.com/photos/1189534-canada

Pheww!, does that mean, my three days of fuzzing just went = to 0 OR am I actually missing something over here ?

I went back to the stack-trace read it again and also check whether am I fuzzing all the latest build of the binary for sure I was fuzzing the latest build of evince but not poppler. Hmmmmmm! I knew my fuzzing system was fully updated but still just to cross check, I did full apt-get update and upgrade but my poppler version remains the same all the time which is 0.62.0-2ubuntu2.2 strange.

I need a guidance over here, and didn't knew what to do ahead, so I contacted MITRE for this and went for a nap, they suggested - "That a fuzzing result showing a very important vulnerability in a package currently shipped by a major Linux distribution is still of interest, even if that Linux distribution does not package the latest released upstream version. For example, an out-of-bounds write finding is still very useful in that case, but not out-of-bounds read, NULL pointer dereference,divide-by-zero, etc."

Ohhh, I see so the latest version of poppler is still not shipped for most of the linux distribution out there, now i understood the entire concept, later MITRE also helped me by assigning a CVE to this issue which is CVE-2018-19149 - Poppler before 0.70.0 has a NULL pointer dereference in _poppler_attachment_new when called from poppler_annot_file_attachment_get_attachment.

An upstream bug is filed in Ubuntu launchpad to track this issue. 

PS: Its not about collecting CVE's, CVE's are just a reference number to an issue you can point for a vulnerability when you show case it somewhere, rather than pointing it to various post. (Personal opinion).

Lessons learned from this:
1. I didn't know poppler is a library which is used by evince and other PDF reader to render PDF's.
2. I understood how to create a malformed PDF to provide input to AFL while fuzzing.
3. The reply from MITRE helped me to resolve my query.
4. During all this, I also got my hands on hongfuzz

Hope you like the read, view this on oss-security mailing list.

Thank you
Dhiraj

Read More