jhcloos/xpdf

Command Injection in Xpdf-4.04

Lerr1uqs opened this issue · 0 comments

Overview

A command injection vulnerability was discovered in the Xpdf-4.04 PDF viewer software. The vulnerability exists within the PSOutputDev::PSOutputDev() function located in the xpdf-4.04/xpdf/PSOutputDev.cc file.

The affected function is responsible for initializing the PostScript output device with user-defined parameters, including a file name and a custom-code callback function. An attacker can exploit this vulnerability by supplying a fileName parameter that begins with the | prefix; the remainder of the string is then executed by the subsequent popen function.

Impact

This vulnerability has an impact on other projects that use Xpdf-4.04 as their PDF parser and pass user-supplied input as the <PS-file> argument. When executing Xpdf, an attacker can inject arbitrary commands into the filename parameter, leading to command execution with the privileges of the user running the application. As a result, sensitive data could be compromised, files could be modified, or further attacks on the system could be launched.

Exploit Details

There is a command injection vulnerability present in the code when the | prefix is combined with a subsequent command. The output file name is taken verbatim from the command line within a conditional branch of the following C++ code:

```cpp
  if (argc == 3) {
    psFileName = new GString(argv[2]);   // argv[2] is used unchanged as the PostScript output name
  }
```

Subsequently, within the constructor for PSOutputDev, if the first character of fileName is |, the program passes the rest of the string to popen, resulting in a command injection vulnerability:

```cpp
  } else if (fileName[0] == '|') {
    fileTypeA = psPipe;
    // ...
    if (!(f = popen(fileName + 1, "w"))) {   // everything after '|' is run by the shell
      error(errIO, -1, "Couldn't run print command '{0:s}'", fileName);
      ok = gFalse;
      return;
    }
```
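The following is an added example, not code from the xpdf project or from this report. It models the dispatch decision described above (a leading | selects the popen branch, anything else is treated as a plain file) and adds the check a defender would want: a caller that obtained the name from untrusted input can refuse pipe-style names before they ever reach popen. The handling of "-" as standard output and the enum names are assumptions made for the example; the sample file names in main are constructed.

```cpp
#include <cstdio>
#include <string>

// How an output file name will be opened once the constructor sees it.
enum OutputKind { outStdout, outPipe, outFile, outRejected };

// Models the name dispatch in PSOutputDev's constructor: "-" is assumed to mean
// standard output, a leading '|' means "run the rest as a shell command via
// popen()", and anything else is a plain file path. The allowPipes flag is the
// added hardening: callers that received the name from an untrusted source pass
// false, so a '|'-prefixed name is refused instead of reaching popen().
OutputKind classifyOutputName(const std::string& fileName, bool allowPipes) {
    if (fileName == "-") {
        return outStdout;                            // assumption: "-" selects stdout
    }
    if (!fileName.empty() && fileName[0] == '|') {
        return allowPipes ? outPipe : outRejected;   // the injection vector from the report
    }
    return outFile;
}

// The string popen() would receive for a pipe-style name (the report's
// "fileName + 1"); empty when the name is not a pipe at all.
std::string pipeCommand(const std::string& fileName) {
    if (fileName.size() > 1 && fileName[0] == '|') {
        return fileName.substr(1);
    }
    return "";
}

// Human-readable label, useful when logging a rejected name for detection.
const char* describe(OutputKind kind) {
    switch (kind) {
    case outStdout:   return "stdout";
    case outPipe:     return "pipe (popen)";
    case outFile:     return "regular file";
    default:          return "rejected: pipe prefix from untrusted input";
    }
}

int main() {
    // Constructed sample names, including one shaped like the report's PoC argument.
    const std::string samples[] = { "out.ps", "-", "|lpr -Pprinter", "|`id > ./txt`" };

    for (const std::string& name : samples) {
        // Trusted caller (e.g. a local user typing the command) may keep pipes.
        OutputKind trusted = classifyOutputName(name, true);
        // Untrusted caller (web service passing a user-supplied name) must not.
        OutputKind untrusted = classifyOutputName(name, false);
        std::printf("%-16s trusted=%-14s untrusted=%s\n",
                    name.c_str(), describe(trusted), describe(untrusted));
    }
    return 0;
}
```

Passing false for allowPipes is the whole fix from the integrator's side: the classification happens before any file is opened, so a rejected name never reaches the shell, and the rejection can be logged as a signal that someone tried the prefix.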

PoC

```shell
./build/xpdf/pdftops ./in/helloworld.pdf '|`cat /etc/passwd > ./txt`'
```

Conclusion

The command injection vulnerability discovered in Xpdf-4.04 could allow an attacker to execute arbitrary code with the privileges of the user running the application.