A crafted PDF document can hack your Chrome PDF reader, Update Chrome now!

A security expert discovered that a crafted PDF document that includes an embedded JPG2000 image can trigger a buffer overflow in the Chrome PDF reader.

The security expert Aleksandar Nikolic from the Cisco Talos group has discovered an arbitrary code execution vulnerability (CVE-2016-1681) in PDFium, which is the PDF reader component installed by default in Google Chrome browser.

“Heap-based buffer overflow in the opj_j2k_read_SPCod_SPCoc function in j2k.c in OpenJPEG, as used in PDFium in Google Chrome before 51.0.2704.63, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document.” states the description of the National Vulnerability Database.

The expert discovered that a crafted PDF document that includes an embedded JPG2000 (JP2) image can trigger an exploitable heap buffer overflow.

According to Nikolic could be the result in coding error by the Chrome development Team that hasn’t implemented an assert call in the OpenJPEG library that prevents the exploitation of the heap overflow.

“A heap buffer overflow vulnerability is present in the jpeg2000 image parser library as used by the Chrome’s PDF renderer, PDFium. The vulnerability is located in the underlying jpeg2000 parsing library, OpenJPEG, but is made exploitable in case of Chrome due to special build process.” wrote Nikolic

“An existing assert call in the OpenJPEG library prevents the heap overflow in standalone builds, but in the build included in release versions of Chrome, the assertions are omitted. The source of the vulnerability is located in the following code in function `opj_j2k_read_siz` in `j2k.c` file:”

Summarizing, it is enough that an attacker creates a PDF document that causes PDFium invoking the flawed implementation of the OpenJPEG library, in this way it create a buffer overflow.

Google promptly fixed the vulnerability, it applies a simple and effective solution by using a single line of code that changed an assert to anif. Below the timeline of the flaw in the Chrome PDF reader:

Timeline:

2016-05-19: Bug reported

2016-05-19: Bug acknowledged

2016-05-20: Bug fixed, with fix publicly available in chromium

2016-05-25: Bug fix shipped in Chrome Stable 51.0.2704.63

2016-06-08: Talos releases details

The last Chrome version 51.0.2704.63 include the fix for the Chrome PDF reader.

Be careful, the Google Chrome Browser implements an automatic update process, but users must still restart their browser to enable the changes

Such kind of flaw is very insidious because users frequently browse PDF documents, just by opening a malicious document it could cause problems to a vulnerable browser.

Don’t waste time, update your Google Chrome Browser!

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Chrome PDF reader, Heap-based buffer overflow)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.