CVE-2017-2886: TALOS-2017-0393 || Cisco Talos Intelligence Group
Summary
A memory corruption vulnerability exists in the .PSD parsing functionality of ACDSee Ultimate 10.0.0.292. A specially crafted .PSD file can cause an out of bounds write vulnerability resulting in potential code execution. An attacker can send a specific .PSD file to trigger this vulnerability.
Tested Versions
ACDSee Ultimate 10,0,0,292 (IDE_PSD 5,7,690,1)
Product URLs
https://www.acdsee.com
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-787: Out-of-bounds Write
Details
The code responsible for the vulnerability is shown below:
.text:00000000000D8756 movsxd rdx, dword ptr [rcx+64h] ; zero
.text:00000000000D875A mov rax, [rcx+80h] ; rcx+0x80 = points to location in PSD file
.text:00000000000D8761 movzx eax, word ptr [rax+rdx*2] ; 16-bit value from the file
.text:00000000000D8765 mov rdx, [rcx+88h]
.text:00000000000D876C rol ax, 8 ; rol the value
.text:00000000000D8770 movzx esi, ax
.text:00000000000D8773 mov r8d, esi ; size argument for memmove = from the PSD file
.text:00000000000D8776 call before_memmove
And this is how it looks in action (before and after the actual memmove):
0:006> g
Breakpoint 0 hit
IDE_PSD+0xc83df:
00000000`027983df e84c0b0500 call IDE_PSD!IEP_ShowPlugInDialog+0x4d090 (00000000`027e8f30)
0:006> r
rax=0000000000002201 rbx=0000000000002201 rcx=000000000266eb50
rdx=0000000003e86a73 rsi=000000000266eb50 rdi=00000000026365e0
rip=00000000027983df rsp=0000000003e7fbe0 rbp=0000000003e7fd48
r8=0000000000002201 r9=00000000025bfc0c r10=0000000000000000
r11=0000000000000246 r12=0000000003e7fed0 r13=00000000025bfc0c
r14=0000000003e7fd60 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
IDE_PSD+0xc83df:
00000000`027983df e84c0b0500 call IDE_PSD!IEP_ShowPlugInDialog+0x4d090 (00000000`027e8f30)
0:006> !heap -triage
**********************************************************
** !heap: Searching all heaps for errors...
**********************************************************
** !heap: Analyzing heap at 00000000004c0000...
** !heap: Analyzing heap at 0000000000010000...
** !heap: Analyzing heap at 00000000001d0000...
** !heap: Analyzing heap at 0000000000450000...
** !heap: The extension did not find any heap errors.
...
0:006> p
(11538.f0a8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
IDE_PSD!IEP_ShowPlugInDialog+0x4d0e7:
00000000`027e8f87 f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
0:006> !heap -triage
**********************************************************
** !heap: Searching all heaps for errors...
**********************************************************
** !heap: Analyzing heap at 00000000004c0000...
** !heap: Analyzing heap at 0000000000010000...
** !heap: Analyzing heap at 00000000001d0000...
** !heap: Analyzing heap at 0000000000450000...
** !heap: The following heaps have invalid free lists. This means
that the neighbors of one element in the list did not point
back to the element: either Element->Flink->Blink != Element,
or Element->Blink->Flink != Element.
** !heap: Corrupt free lists are quite common. They almost always result
from use-after-free errors in the application.
** !heap: To view the erroneous entry and its neighbors in the list:
dt ntdll!_LIST_ENTRY <element>
Heap address Erroneous element Element flink Element blink
----------------------------------------------------------------------------
4c0000 4c0150 2637080 266fa50
** !heap: The following heap entries have a block size that does not
match the previous block size field of the next block. This
is sometimes the result of user corruption, but occasionally
it can be detected if an unrelated exception occurs while
executing heap code.
** !heap: To view the state of the invalid blocks:
!heap -i <heap address>
!heap -i <entry address>
Next block's
Heap address Entry address Entry size (B) prev. size (B)
----------------------------------------------------------------------------
4c0000 266eb40 2f0 1b380
In short, a 16-bit value is taken directly from the .PSD file (see address 0x007BE521) and is later used, without any bounds check, as the size argument to the memmove function. This gives an attacker the opportunity to cause a memory corruption, potentially resulting in code execution.
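The unchecked-length pattern shown in the listing, as an added C example that is not ACDSee's code and not part of the Talos advisory: a record carries a big-endian 16-bit length (decoded the way the `movzx` + `rol ax, 8` sequence does it) followed by its payload, and the length is passed to memmove. The record layout, function names and sample bytes are constructed for illustration; the hardened variant is the check a parser needs before the copy. The oversized sample decodes to 0x2201, the same value seen in r8 in the register dump above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the pattern in the listing; not ACDSee code.
 * A record is a big-endian 16-bit length followed by that many payload
 * bytes. The destination is a fixed-size buffer of DEST_CAPACITY bytes. */
#define DEST_CAPACITY 16

/* Decode the length the way the listing does: load a 16-bit word and
 * byte-swap it (movzx + rol ax, 8). File bytes 22 01 become 0x2201. */
static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Vulnerable shape: the file-controlled length goes straight to memmove.
 * Nothing relates it to the destination capacity or to the bytes that
 * actually remain in the file, so an oversized length writes past dest
 * (CWE-787) and reads past the end of the file buffer. Kept for contrast;
 * it is only ever called here with a record that fits. */
static size_t copy_record_unchecked(const uint8_t *file, uint8_t *dest)
{
    uint16_t len = read_be16(file);
    memmove(dest, file + 2, len);
    return len;
}

/* Hardened form: the same copy, but the length is validated against both
 * bounds before memmove runs. Returns bytes copied, or -1 if rejected. */
static int copy_record_checked(const uint8_t *file, size_t file_len,
                               uint8_t *dest, size_t dest_cap)
{
    if (file_len < 2)
        return -1;                  /* no room for the length field itself */
    uint16_t len = read_be16(file);
    if (len > dest_cap)
        return -1;                  /* would write past dest (the out-of-bounds write) */
    if (len > file_len - 2)
        return -1;                  /* would read past the end of the file data */
    memmove(dest, file + 2, len);
    return (int)len;
}

/* Constructed sample records (hypothetical bytes, not from a real .PSD). */
static const uint8_t GOOD_RECORD[]      = { 0x00, 0x04, 'A', 'B', 'C', 'D' };
static const uint8_t TRUNCATED_RECORD[] = { 0x00, 0x04, 'A', 'B' };  /* claims 4 bytes, supplies 2 */
static const uint8_t OVERSIZED_RECORD[] = { 0x22, 0x01, 'X', 'Y' };  /* claims 0x2201 = 8705 bytes */

/* Runs the hardened parser over one record into a private 16-byte buffer.
 * Returns the byte count copied, or -1 when the record is rejected. */
static int parse_into_fixed_buffer(const uint8_t *rec, size_t rec_len)
{
    uint8_t dest[DEST_CAPACITY];
    memset(dest, 0, sizeof dest);
    return copy_record_checked(rec, rec_len, dest, sizeof dest);
}

/* Reports (1/0) whether the unchecked copy would exceed the destination. */
static int unchecked_overflows(const uint8_t *rec)
{
    return read_be16(rec) > DEST_CAPACITY;
}

int main(void)
{
    uint8_t scratch[DEST_CAPACITY];

    /* The unchecked copy is safe only because this record happens to fit. */
    printf("unchecked copy of good record: %zu bytes\n",
           copy_record_unchecked(GOOD_RECORD, scratch));

    printf("good:      %d\n", parse_into_fixed_buffer(GOOD_RECORD, sizeof GOOD_RECORD));
    printf("truncated: %d\n", parse_into_fixed_buffer(TRUNCATED_RECORD, sizeof TRUNCATED_RECORD));
    printf("oversized: %d (unchecked copy would overflow: %d)\n",
           parse_into_fixed_buffer(OVERSIZED_RECORD, sizeof OVERSIZED_RECORD),
           unchecked_overflows(OVERSIZED_RECORD));
    return 0;
}
```

Both checks matter: comparing the length against the destination capacity is what stops the out-of-bounds write, and comparing it against the bytes remaining in the file is what stops the matching over-read on the source side; a parser that does only the first still reads uninitialised or unmapped memory when the file is truncated.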
Crash Information
0:006> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** ERROR: Module load completed but symbols could not be loaded for ACDSeeQVUltimate10.exe
GetUrlPageData2 (WinHttp) failed: 12002.
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
IDE_PSD!IEP_ShowPlugInDialog+4d0e7
00000000`02568f87 f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 0000000002568f87 (IDE_PSD!IEP_ShowPlugInDialog+0x000000000004d0e7)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000002411000
Attempt to write to address 0000000002411000
FAULTING_THREAD: 000105d0
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE
PROCESS_NAME: ACDSeeQVUltimate10.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 0000000002411000
FOLLOWUP_IP:
IDE_PSD!IEP_ShowPlugInDialog+4d0e7
00000000`02568f87 f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
WRITE_ADDRESS: 0000000002411000
WATSON_BKT_PROCSTAMP: 582f5f4b
WATSON_BKT_PROCVER: 10.0.0.292
PROCESS_VER_PRODUCT: ACDSee Quick View
WATSON_BKT_MODULE: IDE_PSD.apl
WATSON_BKT_MODSTAMP: 58218de5
WATSON_BKT_MODOFFSET: 118f87
WATSON_BKT_MODVER: 5.7.690.1
MODULE_VER_PRODUCT: ACD Systems IDE_PSD
BUILD_VERSION_STRING: 10.0.15063.296 (WinBuild.160101.0800)
MODLIST_WITH_TSCHKSUM_HASH: 449bbde9d140f90322f58e961035076a2b0f0991
MODLIST_SHA1_HASH: 7a77586ab89477d2f40e21cc3f068770c76d961c
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
ANALYSIS_SESSION_HOST: CLAB
ANALYSIS_SESSION_TIME: 07-25-2017 07:26:45.0873
ANALYSIS_VERSION: 10.0.15063.400 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: PLK
PROBLEM_CLASSES:
ID: [0n292]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x105d0]
Frame: [0] : IDE_PSD!IEP_ShowPlugInDialog
ID: [0n265]
Type: [INVALID_POINTER_WRITE]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x105d0]
Frame: [0] : IDE_PSD!IEP_ShowPlugInDialog
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
LAST_CONTROL_TRANSFER: from 00000000025183e4 to 0000000002568f87
STACK_TEXT:
00000000`03d3fbd8 00000000`025183e4 : 00000000`023d8b50 00000001`40238da9 00000000`023d8b58 00000000`023d84b8 : IDE_PSD!IEP_ShowPlugInDialog+0x4d0e7
00000000`03d3fbe0 00000000`0251877b : 00000000`023d7520 00000000`00002201 00000000`00000001 ffffffff`fffffffe : IDE_PSD+0xc83e4
00000000`03d3fc10 00000000`02515def : 00000000`023d7520 00000000`03d3fd48 00000000`03d3fd48 00000000`00000000 : IDE_PSD+0xc877b
00000000`03d3fc50 00000000`02518213 : 00000000`00000000 00000000`023d7520 00000000`0064c5f0 00000001`401bd008 : IDE_PSD+0xc5def
00000000`03d3fc90 00000001`401acdbf : 00000000`0064c5f0 00000000`03d3fd71 00000000`03d3fd48 00000001`401b0000 : IDE_PSD+0xc8213
00000000`03d3fcd0 00000001`401c9745 : 00000000`0064c5f0 00000000`023d7520 00000000`00000000 00000000`023d7fd0 : ACDSeeQVUltimate10+0x1acdbf
00000000`03d3fd10 00000001`401bc1bd : 00000000`00000000 00000000`0235ea30 00000000`00000000 00000000`00000000 : ACDSeeQVUltimate10+0x1c9745
00000000`03d3fdd0 00000001`401c0945 : 00000000`0235fc20 00000000`0235fc20 00000000`03d3fe69 00000000`00000000 : ACDSeeQVUltimate10+0x1bc1bd
00000000`03d3fe20 00000001`401c01e3 : 00000000`000003e8 00000000`00000064 00000000`00000000 00000000`00000000 : ACDSeeQVUltimate10+0x1c0945
00000000`03d3fed0 00007ffd`9fe80369 : 00000000`0064cd00 00000000`00000000 00000000`00000000 00000000`00000000 : ACDSeeQVUltimate10+0x1c01e3
00000000`03d3ff30 00007ffd`a0e12774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ucrtbase!o__strtoui64+0x59
00000000`03d3ff60 00007ffd`a3000d51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000000`03d3ff90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
THREAD_SHA1_HASH_MOD_FUNC: ea01bd33229d66a5f1d22bb545fdac8802f7cf90
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 2f0e27bb3643b0d9059835fad340f4d638abbbe1
THREAD_SHA1_HASH_MOD: 3ddf4d56361b571b2ae71e9ce081ed7be9782865
FAULT_INSTR_CODE: 8b49a4f3
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: IDE_PSD!IEP_ShowPlugInDialog+4d0e7
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: IDE_PSD
IMAGE_NAME: IDE_PSD.apl
DEBUG_FLR_IMAGE_TIMESTAMP: 58218de5
STACK_COMMAND: ~6s ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_IDE_PSD.apl!IEP_ShowPlugInDialog
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_IDE_PSD!IEP_ShowPlugInDialog+4d0e7
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: IDE_PSD.apl
BUCKET_ID_IMAGE_STR: IDE_PSD.apl
FAILURE_MODULE_NAME: IDE_PSD
BUCKET_ID_MODULE_STR: IDE_PSD
FAILURE_FUNCTION_NAME: IEP_ShowPlugInDialog
BUCKET_ID_FUNCTION_STR: IEP_ShowPlugInDialog
BUCKET_ID_OFFSET: 4d0e7
BUCKET_ID_MODTIMEDATESTAMP: 58218de5
BUCKET_ID_MODCHECKSUM: 29f466
BUCKET_ID_MODVER_STR: 5.7.690.1
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: IDE_PSD.apl!IEP_ShowPlugInDialog
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/ACDSeeQVUltimate10.exe/10.0.0.292/582f5f4b/IDE_PSD.apl/5.7.690.1/58218de5/c0000005/00118f87.htm?Retriage=1
TARGET_TIME: 2017-07-25T05:26:52.000Z
OSBUILD: 15063
OSSERVICEPACK: 296
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 160101.0800
BUILDLAB_STR: WinBuild
BUILDOSVER_STR: 10.0.15063.296
ANALYSIS_SESSION_ELAPSED_TIME: 6c05
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_ide_psd.apl!iep_showplugindialog
FAILURE_ID_HASH: {ca7d345a-b6e4-ca4d-3ae4-d7874c5593c1}
Followup: MachineOwner
---------
Timeline
2017-08-08 - Vendor Disclosure
2018-12-08 - Public Release