Chrome PDF Reader’s Bug Allows Arbitrary Code Execution

Often, vulnerabilities in software are due to faulty implementations of elements developed by other code writers.

CVE-2016-1681, the heap-based buffer overflow vulnerability affecting PDFium, the default PDF reader that is included in the Google Chrome web browser. The vulnerability is present in OpenJPEG, the underlying jpeg2000 parsing library.

An existing assert call in the OpenJPEG library prevents the heap overflow in standalone builds, but in the build included in release versions of Chrome, the assertions are omitted,” the researcher Earl Carter said.

The flaw can be easily exploited through a PDF file with an embedded jpeg2000 whose SIZ marker specifies 0 components, which the team of Talos created as a PoC exploit.

In fact, the complexity of such an attack is rather low, and it does not require the hackers to achieve special privileges or perform any type of authentication. However, it does require user interaction, but users frequently browse PDF files when surfing the web and it shouldn’t be too hard for attackers to trick victims into downloading and viewing such a specially crafted file.

The most effective attack vector is for the threat actor to place a malicious PDF file on a website and and then redirect victims to the website using either phishing emails or even malvertising,” Carter stated.

It is the vulnerability that can be exploited to achieve arbitrary code execution on the victim’s system, and can result in disruption of service, unauthorized information disclosure and modification.

In the particular case, the good news is that the flaw was discovered by the security researcher Aleksandar Nikolic, that responsibly disclosed it to the vendor (Google). They fixed it in a day, by simply changing the problematic ‘assert’ statement to an ‘if’. Version 51.0.2704.63 of the Chrome browser, which includes the fix, has been released on May 25. In order to avoid potential compromise, users should update to that version or the latest one (51.0.2704.79).

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.