Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2018-3868: TALOS-2018-0550 || Cisco Talos Intelligence Group

A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

CVE
#vulnerability#ios#apple#cisco#intel#sap

Summary

A memory corruption vulnerability exists in the PSD parsing functionality of Computerinsel Photoline 20.53. A specially crafted PSD document processed via the application can lead to an out of bounds write overwriting arbitrary data. An attacker can deliver a PSD document to trigger this vulnerability and gain code execution.

Tested Versions

Computerinsel Photoline 20.53 for OS X

Product URLs

https://www.pl32.com/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

Photoline is an image processing tool used to modify and edit images as well as other graphic related material. This product has a large user base and is popular in its specific field. The vulnerable component is in the handling of PSD documents. PSD is a document format used by Adobe Photoshop and supported by many third party applications throughout the industry.

The vulnerability arises in parsing the PSD document. The application takes data directly from the document without verification and uses it to calculate an address. The document has a specially crafted blending channel value leading to this miscalculation. Below is the are of the crash.

decrement = 0LL;
counter = 0LL;
do
{
  ob_buffer[counter] = *(index + counter - 2);             [0]
  ob_buffer[counter + 1] = *(index + counter - 1);
  ob_buffer[counter + 2] = *(index + counter);
  counter += 3LL;             
  decrement -= 3LL;                                        [1]
}
while ( (unsigned int)decrement + blending_channel > 2 );                [2]

The buffer is written to at location 0, using the counter to maintain position. At location 1 it is shown that the loop is actually controlled by a decrementing variable. By crafting a document the blending_channel value can be set to an excessively large number causing this loop to go out of bounds. Furthermore, decrement will get converted to an unsigned int causing an overflow and allowing this loop to write out of bounds with multiple scenarios, 2. This will lead to an out of bounds write and can be used to gain code execution.

Crash Information

Crashed thread log = 
: Dispatch queue: com.apple.main-thread
0   de.pl32.photoline               0x000000010def7c17 0x10d2ce000 + 12753943
1   de.pl32.photoline               0x000000010def8e80 0x10d2ce000 + 12758656
2   de.pl32.photoline               0x000000010d7cdabd 0x10d2ce000 + 5241533
3   de.pl32.photoline               0x000000010d7cd44a 0x10d2ce000 + 5239882
4   de.pl32.photoline               0x000000010dab7053 0x10d2ce000 + 8294483
5   de.pl32.photoline               0x000000010dab78f3 0x10d2ce000 + 8296691
6   de.pl32.photoline               0x000000010dab7c7b 0x10d2ce000 + 8297595
7   de.pl32.photoline               0x000000010dab969f 0x10d2ce000 + 8304287
8   de.pl32.photoline               0x000000010d843d42 0x10d2ce000 + 5725506
9   de.pl32.photoline               0x000000010d480688 0x10d2ce000 + 1779336
10  de.pl32.photoline               0x000000010d4803db 0x10d2ce000 + 1778651
11  de.pl32.photoline               0x000000010d4dd7c2 0x10d2ce000 + 2160578
12  de.pl32.photoline               0x000000010dcf9c0a 0x10d2ce000 + 10664970
13  de.pl32.photoline               0x000000010dcf9fb2 0x10d2ce000 + 10665906
14  com.apple.AppKit                0x00007fffafccfdd7 -[NSDocument _initWithContentsOfURL:ofType:error:] + 172
15  com.apple.AppKit                0x00007fffafccfcbc -[NSDocument initWithContentsOfURL:ofType:error:] + 231
16  com.apple.AppKit                0x00007fffafdad2b0 -[NSDocumentController makeDocumentWithContentsOfURL:ofType:error:] + 644
17  com.apple.AppKit                0x00007fffb0000470 __97-[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:]_block_invoke + 83
18  com.apple.AppKit                0x00007fffb0000412 -[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:] + 176
19  com.apple.AppKit                0x00007fffafdac2e6 __80-[NSDocumentController openDocumentWithContentsOfURL:display:completionHandler:]_block_invoke + 613
20  com.apple.AppKit                0x00007fffaffff48b __144-[NSDocumentController 
_coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_2.922 + 180
21  com.apple.AppKit                0x00007fffaffff3a7 __144-[NSDocumentController 
_coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke.921 + 138
22  com.apple.AppKit                0x00007fffaffff269 __144-[NSDocumentController 
_coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_4 + 267
23  com.apple.CoreFoundation        0x00007fffb1fd717c __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 12
24  com.apple.CoreFoundation        0x00007fffb1fb7f84 __CFRunLoopDoBlocks + 356
25  com.apple.CoreFoundation        0x00007fffb1fb7705 __CFRunLoopRun + 917
26  com.apple.CoreFoundation        0x00007fffb1fb7114 CFRunLoopRunSpecific + 420
27  com.apple.HIToolbox             0x00007fffb1517ebc RunCurrentEventLoopInMode + 240
28  com.apple.HIToolbox             0x00007fffb1517bf9 ReceiveNextEventCommon + 184
29  com.apple.HIToolbox             0x00007fffb1517b26 _BlockUntilNextEventMatchingListInModeWithFilter + 71
30  com.apple.AppKit                0x00007fffafaaea54 _DPSNextEvent + 1120
31  com.apple.AppKit                0x00007fffb022a7ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796
32  com.apple.AppKit                0x00007fffafaa33db -[NSApplication run] + 926
33  de.pl32.photoline               0x000000010dcf6a19 0x10d2ce000 + 10652185
34  com.apple.AppKit                0x00007fffafa6de0e NSApplicationMain + 1237
35  de.pl32.photoline               0x000000010d2cfd14 0x10d2ce000 + 7444

log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb  
 %cl,CONSTANT(%r15,%rdx):instruction_address=0x000000010def7c17:access_type=write:access_address=0x00000001a6f9d000:
Crash accessing invalid address.

Timeline

2018-03-29 - Vendor Disclosure
2018-04-11 - Public Release

Discovered by Tyler Bohan of Cisco Talos.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907