
CVE-2023-33802 PoC — Sumatra PDF Security Vulnerability

Source
Associated Vulnerability
Title: Sumatra PDF Security Vulnerability (CVE-2023-33802)
Description: Sumatra PDF is an application: a PDF, ePub, MOBI, CHM, XPS, DjVu, CBZ and CBR reader for Windows. Sumatra PDF Reader v3.4.6 contains a security vulnerability that allows an attacker to cause a denial of service (DoS) via a crafted text file.
Readme
# CVE-2023-33802

# SumatraPDF 3.4.6 32-bit Denial of Service (DoS)

## __Description__

* This bug is a crash that manifests when two large text files (`first.txt` and `second.txt`) are opened together as input to SumatraPDF 32-bit.
* Run the following command, or open both files manually in SumatraPDF 32-bit (3.4.6).
```
SumatraPDF.exe first.txt second.txt
```
## __Crash Report for 32-bit version 3.4.6 application with WinDBG__

The following crash has been encountered.

```
Microsoft (R) Windows Debugger Version 10.0.22000.194 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\Administrator\Downloads\sumatrapdf-3.4.6rel\sumatrapdf-3.4.6rel\out\dbg32\crashinfo\sumatrapdfcrash.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available

Symbol search path is: srv*
Executable search path is: 
Windows 10 Version 19044 MP (12 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Debug session time: Tue Sep 27 14:18:04.000 2022 (UTC + 5:30)
System Uptime: not available
Process Uptime: 0 days 0:04:07.000
..............
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(22a4.a40): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
eax=c0000034 ebx=020fe29c ecx=00000000 edx=00000000 esi=00000000 edi=0000029c
eip=772629fc esp=020fe0f0 ebp=020fe160 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200216
ntdll!NtWaitForSingleObject+0xc:
772629fc c20c00          ret     0Ch
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for SumatraPDF.exe

KEY_VALUES_STRING: 1

    Key  : AV.Dereference
    Value: NullPtr

    Key  : AV.Fault
    Value: Write

    Key  : Analysis.CPU.mSec
    Value: 2827

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 3238

    Key  : Analysis.Init.CPU.mSec
    Value: 640

    Key  : Analysis.Init.Elapsed.mSec
    Value: 12340

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 118

    Key  : Timeline.Process.Start.DeltaSec
    Value: 247

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1

    Key  : WER.Process.Version
    Value: 3.4.6.0


CONTEXT:  (.ecxr)
eax=00000000 ebx=01e76000 ecx=00000000 edx=00000000 esi=007914b5 edi=007914b5
eip=77257a6e esp=020ffbc8 ebp=020ffbd0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
ntdll!_RtlUserThreadStart+0x1b:
77257a6e cc              int     3
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 0089b083 (SumatraPDF!CrashMe+0x00000013)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00000000
Attempt to write to address 00000000

PROCESS_NAME:  SumatraPDF.exe

WRITE_ADDRESS:  00000000 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  00000000

FAULTING_THREAD:  ffffffff

STACK_TEXT:  
0089b083 0089b083 SumatraPDF!CrashMe+0x13


FAULTING_SOURCE_LINE:  C:\Users\Administrator\Downloads\sumatrapdf-3.4.6rel\sumatrapdf-3.4.6rel\src\utils\BaseUtil.h

FAULTING_SOURCE_FILE:  C:\Users\Administrator\Downloads\sumatrapdf-3.4.6rel\sumatrapdf-3.4.6rel\src\utils\BaseUtil.h

FAULTING_SOURCE_LINE_NUMBER:  200

FAULTING_SOURCE_CODE:  
   196: // but it seemed to confuse callstack walking
   197: inline void CrashMe() {
   198:     char* p = nullptr;
   199:     // cppcheck-suppress nullPointer
>  200:     *p = 0; // NOLINT
   201: }
   202: #if COMPILER_MSVC
   203: #pragma warning(pop)
   204: #endif
   205: 


SYMBOL_NAME:  SumatraPDF!CrashMe+13

MODULE_NAME: SumatraPDF

IMAGE_NAME:  SumatraPDF.exe

STACK_COMMAND:  .ecxr ; kb ; ** Pseudo Context ** Pseudo ** Value: d ** ; kb

FAILURE_BUCKET_ID:  NULL_POINTER_WRITE_CONTEXT_MISMATCH_c0000005_SumatraPDF.exe!CrashMe

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

IMAGE_VERSION:  3.4.6.0

FAILURE_ID_HASH:  {1595dcef-2e27-85d9-39da-85ddbd1355a2}

Followup:     MachineOwner
---------

0:000> !msec.exploitable

!exploitable 1.6.0.0
Warning: Unable to read from the TEB in the current thread.
Warning: Unable to read from the TEB in the current thread.
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at ntdll!_RtlUserThreadStart+0x000000000000001b (Hash=0xcc3d4e45.0x55921273)

User mode write access violations that are near NULL are unknown.
```


* The issue can be reproduced with and without PageHeap enabled, on a Windows 11 22563.1000 64-bit machine running SumatraPDF 3.4.6 32-bit.

## __Root Cause Analysis__
* Below is the part of the function where the crash originates.
```c++
    if (s->buf == s->els) {
        // els still points at the initial buffer s->buf: allocate a fresh block and copy
        newEls = (char*)Allocator::Alloc(s->allocator, allocSize);
        if (newEls) {
            memcpy(newEls, s->buf, s->len + 1);
        }
    } else {
        // Already heap-backed: grow the existing block
        newEls = (char*)Allocator::Realloc(s->allocator, s->els, allocSize);
    }
    if (!newEls) {
        // Allocation failed: unless allocation failure is explicitly allowed, crash on purpose
        CrashAlwaysIf(gAllowAllocFailure.load() == 0);
        return nullptr;
    }
```
* The `CrashAlwaysIf` macro is called in the `EnsureCap` function to handle a failed memory allocation. When `Alloc` or `Realloc` returns a null pointer, `CrashAlwaysIf` crashes the program on purpose: it calls `CrashMe`, which writes through a null pointer (`*p = 0`), and that write raises the access violation shown in the dump above. Since the allocation is triggered by loading the supplied text files, a crafted input is enough to force this crash, which is the denial of service.
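To make the failure mode concrete, here is an added C++ example (ours, not SumatraPDF's code) that models the `EnsureCap` shape above with a toy buffer and an allocator whose largest block size can be capped, so an allocation failure can be reproduced deterministically. `BudgetAllocator`, `GrowableBuf`, `EnsureCapCrashing`, `EnsureCapSafe`, `LoadDocument`, `TryLoad` and the `kMaxDocBytes` ceiling are all our names and assumptions. The crashing variant records where `CrashMe` would have fired instead of writing through a null pointer, so it can run; the hardened variant returns an allocation failure to the caller as an error and refuses a document whose buffer would exceed a fixed ceiling.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <limits>

// Added example, not SumatraPDF code: all names below are ours.

// Allocator that refuses any single block larger than maxAlloc, so the out-of-memory
// path can be exercised deterministically instead of by feeding in hundreds of MB.
struct BudgetAllocator {
    size_t maxAlloc;
    void* Alloc(size_t n) { return n > maxAlloc ? nullptr : std::malloc(n); }
    void Free(void* p) { std::free(p); }
};

// Stand-in for CrashAlwaysIf/CrashMe: records that the crash path fired instead of
// writing through a null pointer, so the example stays runnable.
static int gSimulatedCrashes = 0;
static void SimulatedCrashAlwaysIf(bool cond) {
    if (cond) gSimulatedCrashes++;
}

// Policy ceiling for one document buffer (assumed value; a real reader sizes this per format).
static const size_t kMaxDocBytes = 16u * 1024u * 1024u;

// Toy growable byte buffer modelled on the string buffer quoted above.
struct GrowableBuf {
    BudgetAllocator* allocator;
    char* els = nullptr;
    size_t len = 0;
    size_t cap = 0;
};

// Doubles capacity until it covers `needed`; false if the doubling would overflow size_t.
static bool GrowCapacity(size_t cap, size_t needed, size_t* out) {
    size_t newCap = cap ? cap : 16;
    while (newCap < needed) {
        if (newCap > std::numeric_limits<size_t>::max() / 2) return false;
        newCap *= 2;
    }
    *out = newCap;
    return true;
}

// Moves the contents into a new block of newCap bytes; false if the allocator refuses.
static bool Reallocate(GrowableBuf* s, size_t newCap) {
    char* newEls = (char*)s->allocator->Alloc(newCap);
    if (!newEls) return false;
    if (s->els) {
        std::memcpy(newEls, s->els, s->len);
        s->allocator->Free(s->els);
    }
    s->els = newEls;
    s->cap = newCap;
    return true;
}

// The pattern described on the page: a failed allocation is treated as fatal.
static bool EnsureCapCrashing(GrowableBuf* s, size_t needed) {
    if (needed <= s->cap) return true;
    size_t newCap;
    if (!GrowCapacity(s->cap, needed, &newCap) || !Reallocate(s, newCap)) {
        SimulatedCrashAlwaysIf(true);  // original: CrashAlwaysIf(gAllowAllocFailure.load() == 0)
        return false;
    }
    return true;
}

// Hardened variant: bound the request before touching the allocator and report
// failure to the caller so the document is rejected instead of the process dying.
static bool EnsureCapSafe(GrowableBuf* s, size_t needed) {
    if (needed <= s->cap) return true;
    if (needed > kMaxDocBytes) return false;  // oversized input refused up front
    size_t newCap;
    if (!GrowCapacity(s->cap, needed, &newCap)) return false;
    if (newCap > kMaxDocBytes) newCap = kMaxDocBytes;  // keep the doubling under the ceiling too
    return Reallocate(s, newCap);  // a refused allocation is just an error here
}

// Simulates loading a document of `size` bytes in 4 KiB chunks under one of the two policies.
static bool LoadDocument(GrowableBuf* s, size_t size, bool (*ensureCap)(GrowableBuf*, size_t)) {
    const size_t chunk = 4096;
    for (size_t done = 0; done < size; done += chunk) {
        size_t n = (size - done < chunk) ? size - done : chunk;
        if (!ensureCap(s, s->len + n)) return false;
        std::memset(s->els + s->len, 'A', n);  // constructed document content
        s->len += n;
    }
    return true;
}

struct LoadOutcome {
    bool loaded;
    int crashesRecorded;
};

// Runs one load under a given allocator limit and policy and reports what happened.
static LoadOutcome TryLoad(size_t docSize, size_t maxAlloc, bool hardened) {
    gSimulatedCrashes = 0;
    BudgetAllocator alloc{maxAlloc};
    GrowableBuf buf{&alloc};
    bool ok = LoadDocument(&buf, docSize, hardened ? EnsureCapSafe : EnsureCapCrashing);
    alloc.Free(buf.els);
    return {ok, gSimulatedCrashes};
}
```

With the allocator limited to 1 MiB blocks, a 3 MiB document takes `EnsureCapCrashing` straight into the crash path, while `EnsureCapSafe` simply fails the load and the reader stays up; a document past `kMaxDocBytes` is refused before the allocator is even asked. The point of the hardened form is that no input can reach `CrashMe`: every failure is a return value the loader handles.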

## __Result__

* __Denial of Service__

## __Affected Versions__

The vulnerability has been confirmed on the following version:
* SumatraPDF 3.4.6 32-bit.

## __Tested OS versions__

* Windows 11 - 22563.1000 64-bit
* Windows 10 - 10.0.19042.1586 64-bit

File Snapshot

[4.0K] /data/pocs/4ed4f5fdb78fb6a5ce4f29f4c2c9d55911391772
├── [133M] first.txt
├── [6.6K] README.md
└── [123M] second.txt

0 directories, 3 files