CVE-2020-35534: Libraw "crxFreeSubbandData()" Memory Corruption Vulnerability · Issue #279 · LibRaw/LibRaw
Description:
There is a memory corruption vulnerability within the "crxFreeSubbandData()" function (libraw\src\decoders\crx.cpp) when processing cr3 files.
Steps to Reproduce:
poc (password: 0xfoxone):
https://drive.google.com/open?id=10pjqVx6mItzmvovgqF-8IHi3jnnKQ6fD
cmd:
magick.exe convert poc.cr3 new.bmp
Upon running this, the following crash happens (Note: I enabled page heap on magick.exe):
Microsoft ® Windows Debugger Version 10.0.18362.1 X86
Copyright © Microsoft Corporation. All rights reserved.
CommandLine: C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\magick.exe convert c:\poc.cr3 c:\new.bmp
Symbol search path is: srv*
Executable search path is:
ModLoad: 00e90000 00ea0000 magick.exe
ModLoad: 776c0000 7785a000 ntdll.dll
Page heap: pid 0x125C: page heap enabled with flags 0x3.
ModLoad: 6c050000 6c0b3000 C:\WINDOWS\SysWOW64\verifier.dll
Page heap: pid 0x125C: page heap enabled with flags 0x3.
ModLoad: 75260000 75340000 C:\WINDOWS\SysWOW64\KERNEL32.DLL
ModLoad: 76570000 7676e000 C:\WINDOWS\SysWOW64\KERNELBASE.dll
ModLoad: 6bdf0000 6c049000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_MagickCore_.dll
ModLoad: 75530000 756c7000 C:\WINDOWS\SysWOW64\USER32.dll
ModLoad: 756d0000 756e7000 C:\WINDOWS\SysWOW64\win32u.dll
ModLoad: 76470000 76491000 C:\WINDOWS\SysWOW64\GDI32.dll
ModLoad: 75340000 7549a000 C:\WINDOWS\SysWOW64\gdi32full.dll
ModLoad: 75dd0000 75e4c000 C:\WINDOWS\SysWOW64\msvcp_win.dll
ModLoad: 76ab0000 76bcf000 C:\WINDOWS\SysWOW64\ucrtbase.dll
ModLoad: 754b0000 75529000 C:\WINDOWS\SysWOW64\ADVAPI32.dll
ModLoad: 775f0000 776af000 C:\WINDOWS\SysWOW64\msvcrt.dll
ModLoad: 76a30000 76aa6000 C:\WINDOWS\SysWOW64\sechost.dll
ModLoad: 75720000 757db000 C:\WINDOWS\SysWOW64\RPCRT4.dll
ModLoad: 74e90000 74eb0000 C:\WINDOWS\SysWOW64\SspiCli.dll
ModLoad: 74e80000 74e8a000 C:\WINDOWS\SysWOW64\CRYPTBASE.dll
ModLoad: 750f0000 7514f000 C:\WINDOWS\SysWOW64\bcryptPrimitives.dll
ModLoad: 76510000 7656e000 C:\WINDOWS\SysWOW64\WS2_32.dll
ModLoad: 6bc80000 6bde2000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_MagickWand_.dll
ModLoad: 6bc60000 6bc7c000 C:\WINDOWS\SysWOW64\VCRUNTIME140D.dll
ModLoad: 6bae0000 6bc53000 C:\WINDOWS\SysWOW64\ucrtbased.dll
ModLoad: 6bac0000 6bade000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_bzlib_.dll
ModLoad: 6b9f0000 6bac0000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_freetype_.dll
ModLoad: 6b980000 6b9e6000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_lcms_.dll
ModLoad: 6b900000 6b97c000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_libxml_.dll
ModLoad: 6b8e0000 6b8fa000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_lqr_.dll
ModLoad: 6b8b0000 6b8d1000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_zlib_.dll
ModLoad: 6b880000 6b8a8000 C:\WINDOWS\SysWOW64\VCOMP140D.DLL
ModLoad: 6b5f0000 6b87e000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_glib_.dll
ModLoad: 76cd0000 77246000 C:\WINDOWS\SysWOW64\SHELL32.dll
ModLoad: 769f0000 76a2b000 C:\WINDOWS\SysWOW64\cfgmgr32.dll
ModLoad: 75d40000 75dc4000 C:\WINDOWS\SysWOW64\shcore.dll
ModLoad: 77370000 775e5000 C:\WINDOWS\SysWOW64\combase.dll
ModLoad: 75ea0000 76464000 C:\WINDOWS\SysWOW64\windows.storage.dll
ModLoad: 75d20000 75d3b000 C:\WINDOWS\SysWOW64\profapi.dll
ModLoad: 75cd0000 75d13000 C:\WINDOWS\SysWOW64\powrprof.dll
ModLoad: 76770000 7677d000 C:\WINDOWS\SysWOW64\UMPDC.dll
ModLoad: 764c0000 76504000 C:\WINDOWS\SysWOW64\shlwapi.dll
ModLoad: 756f0000 756ff000 C:\WINDOWS\SysWOW64\kernel.appcore.dll
ModLoad: 76780000 76793000 C:\WINDOWS\SysWOW64\cryptsp.dll
ModLoad: 76bd0000 76cc7000 C:\WINDOWS\SysWOW64\ole32.dll
ModLoad: 747c0000 747f2000 C:\WINDOWS\SysWOW64\IPHLPAPI.DLL
ModLoad: 74720000 747b3000 C:\WINDOWS\SysWOW64\DNSAPI.dll
ModLoad: 75700000 75707000 C:\WINDOWS\SysWOW64\NSI.dll
(125c.fa8): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=011be000 ecx=366a0000 edx=00000000 esi=04b1a7c8 edi=776c688c
eip=7776eaa2 esp=00f9f7d0 ebp=00f9f7fc iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!LdrInitShimEngineDynamic+0x6e2:
7776eaa2 cc int 3
0:000> g
ModLoad: 77340000 77365000 C:\WINDOWS\SysWOW64\IMM32.DLL
ModLoad: 6b390000 6b39e000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\IM_MOD_DB_DNG_.dll
ModLoad: 6b230000 6b384000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_libraw_.dll
ModLoad: 6b170000 6b229000 C:\WINDOWS\SysWOW64\MSVCP140D.dll
ModLoad: 73db0000 73ddf000 C:\WINDOWS\SysWOW64\rsaenh.dll
ModLoad: 764a0000 764b9000 C:\WINDOWS\SysWOW64\bcrypt.dll
(125c.fa8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_libraw_.dll
eax=cdcdcdcd ebx=00000000 ecx=cdcdcdcd edx=0a2465b8 esi=00f9414c edi=00f941a4
eip=6b2e0e5f esp=00f94114 ebp=00f9411c iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010282
CORE_DB_libraw_!crxFreeSubbandData+0xf:
6b2e0e5f 833800 cmp dword ptr [eax],0 ds:002b:cdcdcdcd=???
0:000> k
ChildEBP RetAddr
00 00f9411c 6b2e0de7 CORE_DB_libraw_!crxFreeSubbandData+0xf [c:\imagemagick-7.0.10-7-x86\libraw\src\decoders\crx.cpp @ 1633]
01 00f94140 6b2e3100 CORE_DB_libraw_!crxFreeImageData+0xa7 [c:\imagemagick-7.0.10-7-x86\libraw\src\decoders\crx.cpp @ 2341]
02 00f941f8 6b2f86f5 CORE_DB_libraw_!LibRaw::crxLoadRaw+0x210 [c:\imagemagick-7.0.10-7-x86\libraw\src\decoders\crx.cpp @ 2440]
03 00f94374 6b300abc CORE_DB_libraw_!LibRaw::unpack+0xa25 [c:\imagemagick-7.0.10-7-x86\libraw\src\decoders\unpack.cpp @ 282]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\IM_MOD_DB_DNG_.dll
04 00f94380 6b391be6 CORE_DB_libraw_!libraw_unpack+0x2c [c:\imagemagick-7.0.10-7-x86\libraw\src\libraw_c_api.cpp @ 136]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_MagickCore_.dll
05 00f963d8 6be552e3 IM_MOD_DB_DNG_!ReadDNGImage+0x466 [c:\imagemagick-7.0.10-7-x86\imagemagick\coders\dng.c @ 408]
06 00f9b4f0 6be568ac CORE_DB_MagickCore_!ReadImage+0x543 [c:\imagemagick-7.0.10-7-x86\imagemagick\magickcore\constitute.c @ 553]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_MagickWand_.dll
07 00f9c534 6bcad449 CORE_DB_MagickCore_!ReadImages+0x2fc [c:\imagemagick-7.0.10-7-x86\imagemagick\magickcore\constitute.c @ 941]
08 00f9da94 6bd1912d CORE_DB_MagickWand_!ConvertImageCommand+0xd29 [c:\imagemagick-7.0.10-7-x86\imagemagick\magickwand\convert.c @ 606]
*** WARNING: Unable to verify checksum for magick.exe
09 00f9eb50 00e913de CORE_DB_MagickWand_!MagickCommandGenesis+0x2cd [c:\imagemagick-7.0.10-7-x86\imagemagick\magickwand\mogrify.c @ 186]
0a 00f9fc84 00e91626 magick!MagickMain+0x3de [c:\imagemagick-7.0.10-7-x86\imagemagick\utilities\magick.c @ 149]
0b 00f9fca4 00e91d2e magick!wmain+0x46 [c:\imagemagick-7.0.10-7-x86\imagemagick\utilities\magick.c @ 195]
0c 00f9fcb8 00e91c10 magick!invoke_main+0x1e [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 79]
0d 00f9fd10 00e91abd magick!__scrt_common_main_seh+0x150 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
0e 00f9fd18 00e91d48 magick!__scrt_common_main+0xd [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 296]
0f 00f9fd20 75276359 magick!wmainCRTStartup+0x8 [f:\dd\vctools\crt\vcstartup\src\startup\exe_wmain.cpp @ 17]
WARNING: Stack unwind information not available. Following frames may be wrong.
10 00f9fd30 77727c24 KERNEL32!BaseThreadInitThunk+0x19
11 00f9fd8c 77727bf4 ntdll!RtlGetAppContainerNamedObjectPath+0xe4
12 00f9fd9c 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0xb4
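The faulting register state above (eax=cdcdcdcd, the fill pattern the MSVC debug heap writes into freshly allocated, never-written memory) is consistent with a cleanup routine walking pointer fields that the decoder never initialised before it bailed out on malformed input. The C program below is an added example, not LibRaw's code, and uses hypothetical names (image_data_t, decode_subbands, free_subband_data, alloc_image); it models that error path on any platform and shows the defensive counterpart: zero-initialised storage, so that cleanup only ever sees NULL or live pointers.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified model of per-subband buffers; not LibRaw's real layout. */
#define NSUBBANDS 4
typedef struct { int32_t *coeffs; } subband_t;
typedef struct { subband_t sb[NSUBBANDS]; } image_data_t;
/* zeroed=0 emulates the MSVC debug-heap fill (0xCD, the value in the report's eax):
 * fresh malloc() memory holds garbage pointers. zeroed=1 is the hardened form. */
static image_data_t *alloc_image(int zeroed) {
    image_data_t *d = malloc(sizeof *d);
    if (d) memset(d, zeroed ? 0x00 : 0xCD, sizeof *d);
    return d;
}
/* Decoder stand-in: fails at subband fail_at and returns early, leaving sb[fail_at..] untouched. */
static int decode_subbands(image_data_t *d, int fail_at) {
    for (int i = 0; i < NSUBBANDS; i++) {
        if (i == fail_at) return -1;
        d->sb[i].coeffs = calloc(64, sizeof(int32_t));
        if (!d->sb[i].coeffs) return -1;
    }
    return 0;
}
/* True if a pointer still holds the uninitialised-heap pattern (0xCDCDCDCD on x86). */
static int is_poison(const void *p) {
    uintptr_t pat = 0;
    for (size_t i = 0; i < sizeof pat; i++) pat = (pat << 8) | 0xCD;
    return (uintptr_t)p == pat;
}
/* Cleanup that is only safe when every field is NULL or a live allocation. */
static void free_subband_data(image_data_t *d) {
    for (int i = 0; i < NSUBBANDS; i++) {
        free(d->sb[i].coeffs);   /* free(NULL) is a no-op; free(garbage) is the report's crash */
        d->sb[i].coeffs = NULL;
    }
}
/* Drive the error path; 1 = cleanup could run safely, 0 = it would have walked into
 * uninitialised pointers the way crxFreeSubbandData does in the dump above. */
static int error_path_is_safe(int zeroed, int fail_at) {
    image_data_t *d = alloc_image(zeroed);
    if (!d) return 0;
    (void)decode_subbands(d, fail_at);
    int safe = 1;
    for (int i = 0; i < NSUBBANDS; i++) if (is_poison(d->sb[i].coeffs)) safe = 0;
    if (safe) free_subband_data(d);
    else for (int i = 0; i < fail_at; i++) free(d->sb[i].coeffs);  /* sidestep the crash */
    free(d);
    return safe;
}
```

With the garbage-filled allocation the error path leaves poisoned pointers behind and cleanup must not run; with zeroed storage the same early exit leaves NULLs and the unconditional cleanup loop is safe.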
System Configuration:
- ImageMagick:
  Version: ImageMagick-7.0.10-Q16 https://imagemagick.org
  License: https://imagemagick.org/script/license.php
- Environment (Operating system, version and so on):
  Distributor ID: Microsoft Windows
  Description: Windows 10