A crafted PDF document can hack your Chrome PDF reader, Update Chrome now!

Pierluigi Paganini June 09, 2016

A security expert discovered that a crafted PDF document that includes an embedded JPG2000 image can trigger a buffer overflow in the Chrome PDF reader.

The security expert Aleksandar Nikolic from the Cisco Talos group has discovered an arbitrary code execution vulnerability (CVE-2016-1681) in PDFium, which is the PDF reader component installed by default in Google Chrome browser.

“Heap-based buffer overflow in the opj_j2k_read_SPCod_SPCoc function in j2k.c in OpenJPEG, as used in PDFium in Google Chrome before 51.0.2704.63, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document.” states the description of the National Vulnerability Database.

The expert discovered that a crafted PDF document that includes an embedded JPG2000 (JP2) image can trigger an exploitable heap buffer overflow.

According to Nikolic could be the result in coding error by the Chrome development Team that hasn’t implemented an assert call in the OpenJPEG library that prevents the exploitation of the heap overflow.

“A heap buffer overflow vulnerability is present in the jpeg2000 image parser library as used by the Chrome’s PDF renderer, PDFium. The vulnerability is located in the underlying jpeg2000 parsing library, OpenJPEG, but is made exploitable in case of Chrome due to special build process.” wrote Nikolic

“An existing assert call in the OpenJPEG library prevents the heap overflow in standalone builds, but in the build included in release versions of Chrome, the assertions are omitted. The source of the vulnerability is located in the following code in function `opj_j2k_read_siz` in `j2k.c` file:”

Chrome PDF reader flaw

Summarizing, it is enough that an attacker creates a PDF document that causes PDFium invoking the flawed implementation of the OpenJPEG library, in this way it create a buffer overflow.

Google promptly fixed the vulnerability, it applies a simple and effective solution by using a single line of code that changed an assert to anif. Below the timeline of the flaw in the Chrome PDF reader:

Timeline:

2016-05-19: Bug reported
2016-05-19: Bug acknowledged
2016-05-20: Bug fixed, with fix publicly available in chromium
2016-05-25: Bug fix shipped in Chrome Stable 51.0.2704.63
2016-06-08: Talos releases details 

The last Chrome version 51.0.2704.63 include the fix for the Chrome PDF reader.

Be careful, the Google Chrome Browser implements an automatic update process, but users must still restart their browser to enable the changes

Such kind of flaw is very insidious because users frequently browse PDF documents, just by opening a malicious document it could cause problems to a vulnerable browser.

Don’t waste time, update your Google Chrome Browser!

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Chrome PDF reader, Heap-based buffer overflow)



you might also like

leave a comment