Headline
CVE-2020-6076: TALOS-2020-0999 || Cisco Talos Intelligence Group
An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll ICO icoread parser of the Accusoft ImageGear 19.5.0 library. A specially crafted ICO file can cause an out-of-bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
Summary
An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll ICO icoread parser of the Accusoft ImageGear 19.5.0 library. A specially crafted ICO file can cause an out-of-bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
Tested Versions
Accusoft ImageGear 19.5.0
Product URLs
https://www.accusoft.com/products/imagegear/overview/
CVSSv3 Score
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-787: Out-of-bounds Write
Details
The ImageGear library is a document imaging developer toolkit providing all kinds of functionality related to image conversion, creation, editing, annotation, etc. It supports more than 100 formats, including many image formats, DICOM, PDF, Microsoft Office and others.
There is a vulnerability in the ICO raster image parser. A specially crafted ICO file can lead to an out-of-bounds write, resulting in remote code execution.
If we try to load a malformed ICO file via the IG_load_file
function we end up in the following situation:
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=fffc0060 ebx=0852ffe0 ecx=3fff0018 edx=00000000 esi=267c005c edi=26721000
eip=5b56df2c esp=00afefec ebp=00aff004 iopl=0 nv dn ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010602
MSVCR110!memcpy+0x3a4:
5b56df2c f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Checking attributes related with the destination buffer we can see:
0:000> !heap -p -a edi
address 26720ffc found in
_DPH_HEAP_ROOT @ bf1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
b781af8: 13121000 13600000 - 13120000 13602000
5bbfab70 verifier!AVrfDebugPageHeapAllocate+0x00000240
77378fcb ntdll!RtlDebugAllocateHeap+0x00000039
772cbb0d ntdll!RtlpAllocateHeap+0x000000ed
772cb02f ntdll!RtlpAllocateHeapInternal+0x0000022f
772cadee ntdll!RtlAllocateHeap+0x0000003e
5b56daff MSVCR110!malloc+0x00000049
5b8a289d igCore19d+0x0000289d
5b8d7736 igCore19d!IG_comm_is_comp_exist+0x000062c6
5b90f787 igCore19d!IG_mpi_page_set+0x000043f7
5b914b3e igCore19d!IG_mpi_page_set+0x000097ae
5b8bc8d2 igCore19d!GPb_image_associate+0x00000092
5b91c3e0 igCore19d!IG_mpi_page_set+0x00011050
5b8f84de igCore19d!IG_cpm_profiles_reset+0x0000dfae
5b9b4b37 igCore19d!IG_mpi_page_set+0x000a97a7
5b9b441a igCore19d!IG_mpi_page_set+0x000a908a
5b8e07c9 igCore19d!IG_image_savelist_get+0x00000b29
5b91fb97 igCore19d!IG_mpi_page_set+0x00014807
5b91f4f9 igCore19d!IG_mpi_page_set+0x00014169
5b8b6007 igCore19d!IG_load_file+0x00000047
00ef59ac simple_exe_141+0x000159ac
00ef61a7 simple_exe_141+0x000161a7
00ef6cbe simple_exe_141+0x00016cbe
00ef6b27 simple_exe_141+0x00016b27
00ef69bd simple_exe_141+0x000169bd
00ef6d38 simple_exe_141+0x00016d38
74f56359 KERNEL32!BaseThreadInitThunk+0x00000019
772f7b74 ntdll!__RtlUserThreadStart+0x0000002f
772f7b44 ntdll!_RtlUserThreadStart+0x0000001b
We see that the size
parameter of the memcpy function is huge: ecx=3fff0018
, which could lead to overflow.
Further analysis revealed that the memcpy size parameter depends on:
DWORD offset : 0x4
value 0xffff0018
WORD offset : 0xE
value : 0020
based on that value we chose a multiplication 2 or 4
if x > 8
multiplier = 4
else
multiplier = 2
so memcpy size : 0xfffc0060 = 0xffff0018 * 4
destination buffer is allocated based on :
DWORD offset : 8
value 00 00 12 0B
constant operation 0xb120000 >> 1 = 05890000
allocation based on : 0xfffc0060 * 05890000 = 13600000
As we can see, an attacker controls all presented variables just by proper file content manipulation.
An attacker can cause an out-of-bounds write leading to memory corruption, which can result in remote code execution.
Crash Information
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=fffc0060 ebx=0852ffe0 ecx=3fff0018 edx=00000000 esi=267c005c edi=26721000
eip=5b56df2c esp=00afefec ebp=00aff004 iopl=0 nv dn ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010602
MSVCR110!memcpy+0x3a4:
5b56df2c f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> kb
# ChildEBP RetAddr Args to Child
00 00afeff0 5b8afa86 26760fa0 00000000 fffc0060 MSVCR110!memcpy+0x3a4
WARNING: Stack unwind information not available. Following frames may be wrong.
01 00aff004 5b91c9ca 26760fa0 00000000 fffc0060 igCore19d+0xfa86
02 00aff024 5b8f94fe 00aff77c 00000000 0588ffff igCore19d!IG_mpi_page_set+0x1163a
03 00aff044 5b9b4e59 00aff608 00000000 0588ffff igCore19d!IG_cpm_profiles_reset+0xefce
04 00aff0b8 5b9b441a 00aff608 1000001b 0ac9eff8 igCore19d!IG_mpi_page_set+0xa9ac9
05 00aff580 5b8e07c9 00aff608 0ac9eff8 00000001 igCore19d!IG_mpi_page_set+0xa908a
06 00aff5b8 5b91fb97 00000000 0ac9eff8 00aff608 igCore19d!IG_image_savelist_get+0xb29
07 00aff834 5b91f4f9 00000000 09ff3f88 00000001 igCore19d!IG_mpi_page_set+0x14807
08 00aff854 5b8b6007 00000000 09ff3f88 00000001 igCore19d!IG_mpi_page_set+0x14169
09 00aff874 00ef59ac 09ff3f88 00aff960 00aff984 igCore19d!IG_load_file+0x47
0a 00aff974 00ef61a7 09ff3f88 00affaa8 00000021 simple_exe_141+0x159ac
0b 00affb40 00ef6cbe 00000004 09fa0f68 09e7bf20 simple_exe_141+0x161a7
0c 00affb54 00ef6b27 2f555bad 00ef15e1 00ef15e1 simple_exe_141+0x16cbe
0d 00affbb0 00ef69bd 00affbc0 00ef6d38 00affbd0 simple_exe_141+0x16b27
0e 00affbb8 00ef6d38 00affbd0 74f56359 00930000 simple_exe_141+0x169bd
0f 00affbc0 74f56359 00930000 74f56340 00affc2c simple_exe_141+0x16d38
10 00affbd0 772f7b74 00930000 25fbdd4a 00000000 KERNEL32!BaseThreadInitThunk+0x19
11 00affc2c 772f7b44 ffffffff 77318ef2 00000000 ntdll!__RtlUserThreadStart+0x2f
12 00affc3c 00000000 00ef15e1 00930000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> lmva eip
Browse full module list
start end module name
5b8a0000 5bbe9000 igCore19d (export symbols) d:\projects\ImageGear\current\Build\Bin\x86\igCore19d.dll
Loaded symbol image file: d:\projects\ImageGear\current\Build\Bin\x86\igCore19d.dll
Image path: d:\projects\ImageGear\current\Build\Bin\x86\igCore19d.dll
Image name: igCore19d.dll
Browse all global symbols functions data
Timestamp: Fri Nov 22 15:45:29 2019 (5DD7F489)
CheckSum: 00356062
ImageSize: 00349000
File version: 19.5.0.0
Product version: 19.5.0.0
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
Information from resource tables:
CompanyName: Accusoft Corporation
ProductName: Accusoft ImageGear
InternalName: igcore19d.dll
OriginalFilename: igcore19d.dll
ProductVersion: 19.5.0.0
FileVersion: 19.5.0.0
FileDescription: Accusoft ImageGear CORE DLL
LegalCopyright: Copyright 1996-2019 Accusoft Corporation. All rights reserved.
LegalTrademarks: ImageGearÆ and AccusoftÆ are registered trademarks of Accusoft Corporation
Timeline
2020-01-30 - Vendor Disclosure
2020-04-30 - Vendor Patched
2020-05-05 - Public Release
Discovered by a member of Cisco Talos.