A security vulnerability, CVE-2024-9740, has been discovered in Tungsten Automation Power PDF that leads to remote code execution. The vulnerability affects the way Power PDF parses BMP image files. A malicious actor can exploit it by tricking a user into visiting a malicious webpage or opening a malicious file. The flaw is due to a lack of proper validation of user-supplied data, resulting in a write operation past the end of an allocated object. An attacker can use this to execute arbitrary code in the context of the current process.

Exploit Details

The main issue lies in the parsing of BMP files. When Tungsten Automation Power PDF processes a BMP file, it does not properly validate user-supplied data, so an out-of-bounds write is possible. An attacker can exploit this with a specially crafted BMP file that triggers the vulnerability when it is opened in Power PDF, and can then inject and execute arbitrary code in the context of the running process.

Code Snippet

Consider the following code snippet, showing a vulnerable function responsible for parsing BMP files in Power PDF:

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

// Illustrative layouts carrying only the fields the function uses
typedef struct { uint16_t type; uint32_t offset; uint32_t width; uint32_t height; uint16_t bpp; } BitmapHeader;
typedef struct { uint32_t size; uint8_t *data; } BitmapData;

void parseBMP(BitmapHeader *header, BitmapData *data, FILE *file)
{
  // Read and verify the bitmap file header
  fread(header, sizeof(BitmapHeader), 1, file);
  if (header->type != 0x4D42) // BMP signature, "BM" in little-endian
  {
    printf("Error: Invalid BMP file\n");
    return;
  }

  // Read and store the bitmap data. The buffer size is computed from
  // attacker-controlled header fields with no range or overflow check:
  // width * height * bpp can wrap, so the buffer can end up far smaller
  // than the pixel data later written into it.
  fseek(file, header->offset, SEEK_SET);
  data->size = header->width * header->height * header->bpp / 8;
  data->data = malloc(data->size);
  fread(data->data, data->size, 1, file);
}

This function reads and verifies a BMP file header and stores the bitmap data in a dynamically allocated buffer without proper validation: the buffer size is derived directly from the header's width, height and bpp fields, with no range or overflow check. An attacker can modify the width and height fields in the header to force a write operation outside of the allocated buffer.
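The following is an added example, not code from Power PDF or from the original write-up, showing how the size computation above wraps and how a hardened version rejects such headers. The BitmapHeader layout, the BMP_MAX_PIXEL_BYTES cap and the file_len parameter are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BMP_MAGIC 0x4D42u
#define BMP_MAX_PIXEL_BYTES (256u * 1024u * 1024u)  /* assumed policy cap on pixel data */

/* Constructed header layout mirroring the fields the vulnerable snippet uses. */
typedef struct { uint16_t type; uint32_t offset; uint32_t width; uint32_t height; uint16_t bpp; } BitmapHeader;

/* The page's formula as written: 32-bit arithmetic, so width * height * bpp can wrap. */
uint32_t bmp_naive_size(const BitmapHeader *h)
{
    return h->width * h->height * h->bpp / 8;
}

/* Hardened counterpart: returns 1 and sets *out_size only when the geometry is sane,
 * the byte count cannot overflow, and the pixel data actually fits inside the file. */
int bmp_safe_size(const BitmapHeader *h, uint64_t file_len, size_t *out_size)
{
    if (h->type != BMP_MAGIC) return 0;
    switch (h->bpp) { case 1: case 4: case 8: case 16: case 24: case 32: break; default: return 0; }
    if (h->width == 0 || h->height == 0) return 0;

    /* width, height < 2^32 so the 64-bit product cannot wrap. */
    uint64_t pixels = (uint64_t)h->width * h->height;
    /* Reject before multiplying by bpp: bounds pixels * bpp well below 2^64. */
    if (pixels > (uint64_t)BMP_MAX_PIXEL_BYTES * 8 / h->bpp) return 0;
    uint64_t bytes = (pixels * h->bpp + 7) / 8;

    /* Pixel data must lie entirely within the file; written to avoid wrap on subtraction. */
    if (h->offset > file_len || bytes > file_len - h->offset) return 0;
    *out_size = (size_t)bytes;
    return 1;
}

int main(void)
{
    /* Constructed header: 65536 x 65536 at 8 bpp wraps the naive size to 0. */
    BitmapHeader wrap = { .type = BMP_MAGIC, .offset = 54, .width = 0x10000, .height = 0x10000, .bpp = 8 };
    size_t n = 0;
    printf("naive size: %u bytes\n", bmp_naive_size(&wrap));
    printf("safe parser accepts: %d\n", bmp_safe_size(&wrap, 1000, &n));
    return 0;
}
```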

Original References

1. ZDI-CAN-24456: the vulnerability was initially reported through the Zero Day Initiative (ZDI) under this identifier.
   Link: https://www.zerodayinitiative.com/advisories/ZDI-21-472/

Mitigation

Users should apply patches provided by Tungsten Automation as soon as they are available. In the meantime, users are advised to exercise caution when opening BMP files from unknown sources.

Conclusion

CVE-2024-9740 is a severe security vulnerability in Tungsten Automation Power PDF that allows remote attackers to execute arbitrary code by exploiting a flaw in the parsing of BMP files. The vulnerability is due to the lack of proper validation of user-supplied data, which can result in an out-of-bounds write. Users should be cautious when visiting websites or opening files from unknown sources and apply any available patches to minimize the risk associated with this vulnerability.

Timeline

Published on: 11/22/2024 21:15:27 UTC
Last modified on: 11/25/2024 16:44:27 UTC