In this long read post, we will dive into the details of CVE-2022-24198, a security vulnerability discovered in iText v7.1.17 that allows attackers to exploit an out-of-bounds exception via the component ARCFOUREncryption.encryptARCFOUR, leading to a Denial of Service (DoS) attack through a maliciously crafted PDF file. We will analyze the code snippet responsible for this vulnerability, learn how it can be exploited, and review the original references.

Background

iText is a popular, open-source Java library that allows developers to create, process, and manipulate PDF files. However, like much widely used software, it can contain vulnerabilities that are discovered and exploited by malicious actors.

This vulnerability, CVE-2022-24198, was detected by security researchers and reported to the developers, who subsequently patched the issue in subsequent releases. Details of the vulnerability can be found in various security advisories, such as the National Vulnerability Database (NVD) and MITRE:

1. NVD link: https://nvd.nist.gov/vuln/detail/CVE-2022-24198
2. MITRE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24198

Code Snippet

The issue lies in the ARCFOUREncryption class, specifically in the encryptARCFOUR function. Here's an excerpt of the vulnerable code snippet:

public class ARCFOUREncryption {
    ...
    // RC4 state used by the excerpt: the 256-byte permutation and its two indices.
    // Declared here so the excerpt is self-contained; the field names are taken from the snippet.
    private byte[] state = new byte[256];
    private int stateX;
    private int stateY;

    public void encryptARCFOUR(byte[] dataIn, int inOffset, int len, byte[] dataOut, int outOffset) {
        int length = len;
        // Note: no check that inOffset + len <= dataIn.length or outOffset + len <= dataOut.length
        for (int k = 0; k < length; ++k) {
            stateX = (stateX + 1) & 0xff;
            stateY = (stateY + state[stateX]) & 0xff;
            byte temp = state[stateX];
            state[stateX] = state[stateY];
            state[stateY] = temp;
            // Each input byte is XORed with the next keystream byte and written at the caller-supplied offset
            dataOut[outOffset + k] = (byte)(dataIn[inOffset + k] ^ state[(state[stateX] + state[stateY]) & 0xff]);
        }
    }
    ...
}

The vulnerability occurs because the function does not validate the parameters inOffset and outOffset (together with len) against the lengths of dataIn and dataOut. An attacker who controls these values can make the loop index past the end of an array, raising an out-of-bounds exception.
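To illustrate the missing check, here is a small added example (not iText's code; the class, method names and key are constructed) that mirrors the excerpt's RC4 core in an unchecked form next to a hardened form that validates the ranges up front with java.util.Objects.checkFromIndexSize before touching either array:

```java
import java.util.Objects;

/** Minimal RC4 core mirroring the excerpt above; a constructed demo, not iText's source. */
public class Rc4BoundsDemo {
    private final byte[] state = new byte[256];
    private int stateX, stateY;

    Rc4BoundsDemo(byte[] key) {                    // standard RC4 key schedule
        for (int i = 0; i < 256; i++) state[i] = (byte) i;
        for (int i = 0, j = 0; i < 256; i++) {
            j = (j + state[i] + key[i % key.length]) & 0xff;
            byte t = state[i]; state[i] = state[j]; state[j] = t;
        }
    }

    /** Unchecked variant: trusts caller-supplied offsets and length, like the vulnerable excerpt. */
    void encryptUnchecked(byte[] in, int inOff, int len, byte[] out, int outOff) {
        for (int k = 0; k < len; ++k) {
            stateX = (stateX + 1) & 0xff;
            stateY = (stateY + state[stateX]) & 0xff;
            byte t = state[stateX]; state[stateX] = state[stateY]; state[stateY] = t;
            out[outOff + k] = (byte) (in[inOff + k] ^ state[(state[stateX] + state[stateY]) & 0xff]);
        }
    }

    /** Hardened variant: reject inconsistent ranges before any array access happens. */
    void encryptChecked(byte[] in, int inOff, int len, byte[] out, int outOff) {
        Objects.checkFromIndexSize(inOff, len, in.length);    // throws IndexOutOfBoundsException
        Objects.checkFromIndexSize(outOff, len, out.length);  // with a descriptive message
        encryptUnchecked(in, inOff, len, out, outOff);
    }

    public static void main(String[] args) {
        byte[] key = "constructed-key".getBytes();  // constructed sample key
        byte[] data = new byte[16];                 // constructed 16-byte buffers
        byte[] out = new byte[16];

        // A length of 32 does not fit either buffer: the unchecked loop runs past the end.
        try {
            new Rc4BoundsDemo(key).encryptUnchecked(data, 0, 32, out, 0);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("unchecked: left uncaught by a parser, this is the crash: " + e.getMessage());
        }
        // The guarded variant fails fast with a clear error, which callers can turn into a parse error.
        try {
            new Rc4BoundsDemo(key).encryptChecked(data, 0, 32, out, 0);
        } catch (IndexOutOfBoundsException e) {
            System.out.println("checked: rejected before any array access: " + e.getMessage());
        }
    }
}
```

The same fail-fast check belongs in any code path that derives buffer offsets or lengths from untrusted file contents, so that a malformed input yields a handled parse error rather than an unhandled runtime exception.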

Exploit Details

To exploit this vulnerability, an attacker needs to craft a malicious PDF file containing specific parameters for inOffset and outOffset that will trigger an out-of-bounds exception. When the victim opens the PDF file using software that relies on iText v7.1.17, it will cause the application to crash, resulting in a Denial of Service (DoS) condition.

Mitigation

The iText developers have patched this vulnerability in subsequent releases, and it is highly recommended that users upgrade to the latest version of the iText library. Additionally, users should practice safe browsing habits, avoid opening suspicious PDF files, and ensure that their PDF processing software is up-to-date.

Conclusion

CVE-2022-24198 is a critical vulnerability in iText v7.1.17 that can be exploited by an attacker to cause a Denial of Service (DoS) attack through a maliciously crafted PDF file. By understanding how this vulnerability works, developers and users can take the necessary precautions to protect themselves and their applications. Stay informed on security updates and ensure that your software is up-to-date to defend against potential threats.

Timeline

Published on: 02/01/2022 20:15:00 UTC
Last modified on: 02/04/2022 20:05:00 UTC