Bug in Chrome’s PDF reader allows arbitrary code execution
Vulnerabilities in software often arise from faulty implementations of elements developed by other code writers.
Take for example CVE-2016-1681, the heap-based buffer overflow vulnerability affecting PDFium, the default PDF reader that is included in the Google Chrome web browser.
The vulnerability is present in OpenJPEG, the underlying jpeg2000 parsing library.
“An existing assert call in the OpenJPEG library prevents the heap overflow in standalone builds, but in the build included in release versions of Chrome, the assertions are omitted,” threat researcher Earl Carter explained.
The flaw can be easily exploited through a PDF file with an embedded jpeg2000 whose SIZ marker specifies 0 components (for more technical details check out this blog post), which the Talos team created as a PoC exploit.
The complexity of such an attack is low, and does not require the attackers to achieve special privileges or perform any type of authentication.
It does require user interaction, but users frequently browse PDF files when surfing the web and it shouldn’t be too hard for attackers to trick victims into downloading and viewing such a specially crafted file.
“The most effective attack vector is for the threat actor to place a malicious PDF file on a website and and then redirect victims to the website using either phishing emails or even malvertising,” Carter pointed out.
The vulnerability can be exploited to achieve arbitrary code execution on the victim’s system, and can result in disruption of service, unauthorized information disclosure and modification.
In this particular case, the good news is that the flaw was discovered by a security researcher (Aleksandar Nikolic of Cisco Talos) that responsibly disclosed it to the vendor (Google). They fixed it in a day, by simply changing the problematic ‘assert’ statement to an ‘if’.
Version 51.0.2704.63 of the Chrome browser, which includes the fix, has been released on May 25. With the details about the vulnerability made public, users would do well to update to that version or the latest one (51.0.2704.79) in order to avoid potential compromise.