PoDoFo Heap Use-After-Free Vulnerability in PdfTokenizer::ReadDictionary Allowing Denial-of-Service and Arbitrary Code Execution

Vulnerability

A heap use-after-free vulnerability has been identified in PoDoFo versions 0.10.0 to 0.10.5, specifically within the PdfTokenizer::ReadDictionary function. This vulnerability allows remote attackers to cause a denial-of-service condition by crashing the application, and under certain circumstances, to execute arbitrary code by supplying a crafted PDF file. The issue stems from improper memory management when the function processes malformed dictionary entries in PDF files, leading to unsafe memory access.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the application. However, it can also lead to arbitrary code execution under the privileges of the user running the application, and potentially allow for privilege escalation if combined with other local vulnerabilities.

Reproduction

The vulnerability can be reproduced by using the PoDoFo tool 'podofopdfinfo' to process a crafted PDF file that exploits the heap use-after-free condition. This can be done by first creating a PDF file with malformed dictionary syntax that triggers the vulnerability, and then using 'podofopdfinfo' to open the file, which will result in an application crash. With a controlled memory layout, this exploitation could be chained to execute arbitrary code.

Remediation

Users are advised to upgrade to the latest version of PoDoFo, as version 1.0.2 has addressed this vulnerability. Additionally, avoid analyzing untrusted or externally supplied PDF files with PoDoFo tools, and consider running PoDoFo utilities in a sandboxed environment or container.
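The version range above (affected 0.10.0 through 0.10.5, fixed in 1.0.2) is the check an administrator wants to automate before letting PoDoFo utilities near untrusted input. The following POSIX shell script is an added example, not code from the advisory or from the PoDoFo project: it compares dotted version strings numerically, classifies a version as affected or fixed, and wraps `podofopdfinfo` so that a file is only processed on a fixed build. The version string is supplied by the caller in `PODOFO_VERSION` (how to obtain it from a given package manager is not specified by the advisory and is assumed here), and the `podofopdfinfo <file>` invocation is assumed from the tool's usual usage.

```shell
#!/bin/sh
# Added example: PoDoFo version-range check for the ReadDictionary use-after-free.
# Affected range and fixed version are taken from the advisory text; everything
# else (how the version is obtained, the wrapper) is an assumption for illustration.

# Compare two dotted version strings numerically on the first three components.
# Prints -1, 0 or 1 when $1 is lower than, equal to, or higher than $2.
# Missing components count as 0; a trailing suffix such as "-rc1" is ignored.
version_cmp() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x%%[!0-9]*}; x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y%%[!0-9]*}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        i=$((i + 1))
    done
    echo 0
}

# True (exit 0) when the version lies inside the affected range 0.10.0 .. 0.10.5.
podofo_is_affected() {
    [ "$(version_cmp "$1" 0.10.0)" -ge 0 ] && [ "$(version_cmp "$1" 0.10.5)" -le 0 ]
}

# True (exit 0) when the version carries the fix, i.e. is 1.0.2 or later.
podofo_is_fixed() {
    [ "$(version_cmp "$1" 1.0.2)" -ge 0 ]
}

# Guarded wrapper (assumed invocation form): refuse to hand a PDF to podofopdfinfo
# unless the installed build is known to be fixed. PODOFO_VERSION must be set by
# the caller, e.g. from the distribution's package metadata.
pdfinfo_guarded() {
    file="$1"
    ver="${PODOFO_VERSION:?set PODOFO_VERSION to the installed PoDoFo version}"
    if ! podofo_is_fixed "$ver"; then
        echo "refusing to process '$file': PoDoFo $ver is not fixed (need >= 1.0.2)" >&2
        return 2
    fi
    podofopdfinfo "$file"
}

# Usage (uncomment to try): PODOFO_VERSION=0.10.3 pdfinfo_guarded untrusted.pdf
```

Note that `podofo_is_fixed` is the gate in the wrapper, not `podofo_is_affected`: a build that is neither in the listed affected range nor at or above 1.0.2 (for example an intermediate 1.0.x release) is treated as unverified and refused, which is the conservative choice when the only facts available are the ranges in the advisory.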

Added: Oct 1, 2025, 7:22 PM
Updated: Oct 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          0.0
impact          7.5
exploitability  5.8
remediation     0.0
relevance       0.7
threat          6.4
urgency         2.9
incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.