Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2017-12122: TALOS-2017-0488 || Cisco Talos Intelligence Group

An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.

CVE
#vulnerability#cisco#intel#buffer_overflow

Summary

An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.

Tested Versions

Simple DirectMedia Layer SDL2_image 2.0.2

Product URLs

https://www.libsdl.org/projects/SDL_image/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-122: Heap-based Buffer Overflow

Details

LibSDL is a multi-platform library for easy access to low level hardware and graphics, providing support for a large amount of games, software, and emulators. The last known count of software using LibSDL (from 2012) listed the number at upwards of 120. The LibSDL2_Image library is an optional component that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type.

When LibSDL2_Image reads in an image, if the image contains the “FORM” string at offset 0x4, and the “PBM” or “ILBM” strings at offset 0x8, then the file is considered a ILBM (Interleaved Bitmap) file, and parsed accordingly. LIBSDL2_Image first looks for the Bitmap Headers of the file, and then reads the values into a BMHD structure. This looks like such:

00000000 46 4F 52 4D 00 02 6E 98 49 4C 42 4D 42 4D 48 44 00 00 00 14 FORM..n.ILBMBMHD....
00000014 02 00 02 00 00 00 00 00 15 00 01 00 00 00 0A 0A 02 00 02 00 

The above 0x28 bytes of a ILBM file will result in a bmhd structure (size 0x14) as such: type = struct { Uint16 w; Uint16 h; Sint16 x; Sint16 y; Uint8 planes; Uint8 mask; Uint8 tcomp; Uint8 pad1; Uint16 tcolor; Uint8 xAspect; Uint8 yAspect; Sint16 Lpage; Sint16 Hpage;

<(^_^)> print bmhd
$1 = {
    Uint16 w = 0x200, 
    Uint16 h = 0x200, 
    Sint16 x = 0x0, 
    Sint16 y = 0x0, 
    Uint8 planes = 0x15, 
    Uint8 mask = 0x0, 
    Uint8 tcomp = 0x1, 
    Uint8 pad1 = 0x0, 
    Uint16 tcolor = 0x0, 
    Uint8 xAspect = 0xa, 
    Uint8 yAspect = 0xa, 
    Sint16 Lpage = 0x200, 
    Sint16 Hpage = 0x200
}

With the input essentially being a direct read from the file into the structure. After this read has been performed, LibSDL2_Image will create an RGBSurface to store the data. This RGBSurface is the universal object for storing image data from any given image format. It is during the IMG_Load_RW functions that the data is converted correctly from the given to the RGBSurface type, which is given as follows:

type = struct SDL_Surface {
Uint32 flags;
SDL_PixelFormat *format;
int w;
int h;
int pitch;
void *pixels;
void *userdata;
int locked;
void *lock_data;
SDL_Rect clip_rect;
struct SDL_BlitMap *map;
int refcount;
} *

Which is created by the following line of code, converting from bmhd to SDL_Surface:

if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (bmhd.planes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL )

During runtime of the crash, this ends up looking like:

SDL_CreateRGBSurface_REAL(flags=0x0, width=0x200, height=0x200, depth=0x8, Rmask=0x0, Gmask=0x0, Bmask=0x0, Amask=0x0)

The SDL_Pixelformat member of the SDL_Surface is what contains the actual RGB data, and this is stored inside of the SDL_Palette *palette member of the SDL_Surface, which is defined as such:

type = struct SDL_Palette {
    int ncolors;
    SDL_Color *colors;
    Uint32 version;
    int refcount;
} *

The SDL_Color *color array contains the raw bit data, and is allocated by the following line:

palette->colors =
    (SDL_Color *) SDL_malloc(ncolors * sizeof(*palette->colors));

The size of a given SDL_Color struct is 0x4, and ncolors is passed as a parameter to the SDL_AllocPalette function, and is given by (1«0x8 == 0x100):

//SDL_AllocPalette(int ncolors) 
SDL_AllocPalette((1 << surface->format->BitsPerPixel));

The BitsPerPixel field is taken from the depth parameter passed into SDL_CreateRGBSurface, so the resulting SDL_malloc is (0x4 * (1«0x8)), or 0x400.

Interestingly, when the data is actually taken from the file and thrown into the heap data of size 0x400, the following loop occurs:

for ( i=nbcolors; i < (Uint32)nbrcolorsfinal; i++ ){
    Image->format->palette->colors[i].r = Image->format->palette->colors[i%nbcolors].r;
    Image->format->palette->colors[i].g = Image->format->palette->colors[i%nbcolors].g;
Image->format->palette->colors[i].b = Image->format->palette->colors[i%nbcolors].b;
}

The nbrcolorsfinal variable is populated with the following code:

int nbrcolorsfinal = 1 << (nbplanes + stencil);
[...]
if ( nbrcolorsfinal > (1<<bmhd.planes) ) {
    nbrcolorsfinal = (1<<bmhd.planes);
}
[...]

The assumption is that the bmhd.planes (which is 0x15 in our structure) corresponds exactly with the depth parameter passed to SDL_CreateRGBSurface_REAL, such that the structure has enough space allocated to store the raw rgb data, however this assumption is not true for all bhmd.plane values:

if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (bmhd.planes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL )

It is only true if the Uint8 planes field is equal to 24 or is less than 8 (assuming the flagHAM flag is not set), providing another value results in a constrained heap overflow of user controlled data during the color population loop that was previously listed.

Crash Information

Program received signal SIGSEGV, Segmentation fault.
0x00007f666bcc642a in IMG_LoadLBM_RW (src=0x16cfa30) at IMG_lbm.c:294
294                 Image->format->palette->colors[i].r = Image->format->palette->colors[i%nbcolors].r;
--------------------------------------------------------------------------[ registers ]----
$rax   : 0x000000000000009a -> 0x000000000000009a
$rbx   : 0x0000000000000000 -> 0x0000000000000000
$rcx   : 0x000000000177f000 -> 0x000000000177f000
$rdx   : 0x0000000000000010 -> 0x0000000000000010
$rsp   : 0x00007ffd79443ab0 -> 0x0000000200000000 -> 0x0000000200000000
$rbp   : 0x00007ffd79443e90 -> 0x00007ffd79443ed0 -> 0x00007ffd79443f00 -> 0x00007ffd79443f40 -> 0x0000000000000000 ->           
0x0000000000000000
$rsi   : 0x00000000016f6fc0 -> 0xff5d69dbff96b6eb
$rdi   : 0x00007f666c26d540 -> 0x0000000000000030 -> 0x0000000000000030
$rip   : 0x00007f666bcc642a -> <IMG_LoadLBM_RW+2336> mov BYTE PTR [rcx], al
$r8    : 0x00000000016e98c0 -> 0x0000000000000000 -> 0x0000000000000000
$r9    : 0x00007ffd79443978 -> 0x00007f666bf95c7d -> 0x4855c3c9f8458b48 -> 0x4855c3c9f8458b48
$eflags: [carry PARITY adjust zero sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
------------------------------------------------------------------------------[ stack ]----
0x00007ffd79443ab0|+0x00: 0x0000000200000000 -> 0x0000000200000000      <-$rsp
0x00007ffd79443ab8|+0x08: 0x00000000016cfa30 -> 0x00007f666bf45e48 -> 0x20ec8348e5894855 -> 0x20ec8348e5894855
0x00007ffd79443ac0|+0x10: 0x0000000000000000 -> 0x0000000000000000
0x00007ffd79443ac8|+0x18: 0x000000000171e658 -> 0x007171be665549ae -> 0x007171be665549ae
0x00007ffd79443ad0|+0x20: 0x0000000002000200 -> 0x0000000002000200
0x00007ffd79443ad8|+0x28: 0x0a0a000000010015 -> 0x0a0a000000010015
0x00007ffd79443ae0|+0x30: 0x3300000002000200 -> 0x3300000002000200
0x00007ffd79443ae8|+0x38: 0x00007ffd00026e08 -> 0x00007ffd00026e08
-------------------------------------------------------------------[ code:i386:x86-64 ]----
0x7f666bcc641c <IMG_LoadLBM_RW+2322> mov    eax, edx
0x7f666bcc641e <IMG_LoadLBM_RW+2324> mov    eax, eax
0x7f666bcc6420 <IMG_LoadLBM_RW+2326> shl    rax, 0x2
0x7f666bcc6424 <IMG_LoadLBM_RW+2330> add    rax, rsi
0x7f666bcc6427 <IMG_LoadLBM_RW+2333> movzx  eax, BYTE PTR [rax]
 ->0x7f666bcc642a <IMG_LoadLBM_RW+2336> mov    BYTE PTR [rcx], al
0x7f666bcc642c <IMG_LoadLBM_RW+2338> mov    rax, QWORD PTR [rbp-0x8]
0x7f666bcc6430 <IMG_LoadLBM_RW+2342> mov    rax, QWORD PTR [rax+0x8]
0x7f666bcc6434 <IMG_LoadLBM_RW+2346> mov    rax, QWORD PTR [rax+0x8]
0x7f666bcc6438 <IMG_LoadLBM_RW+2350> mov    rax, QWORD PTR [rax+0x8]
0x7f666bcc643c <IMG_LoadLBM_RW+2354> mov    edx, DWORD PTR [rbp-0x30]
---------------------------------------------------------------[ source:IMG_lbm.c+294 ]----
 290              nbrcolorsfinal = (1<<bmhd.planes);
 291          }
 292          for ( i=nbcolors; i < (Uint32)nbrcolorsfinal; i++ )
 293          {
            // Image=0x00007ffd79443e88 -> [...] -> 0x0000000000000000
-> 294               Image->format->palette->colors[i].r = Image->format->palette->colors[i%nbcolors].r;
 295              Image->format->palette->colors[i].g = Image->format->palette->colors[i%nbcolors].g;
 296              Image->format->palette->colors[i].b = Image->format->palette->colors[i%nbcolors].b;
 297          }
 298          if ( !pbm )
----------------------------------------------------------------------------[ threads ]----
[#0] Id 1, Name: "", stopped, reason: SIGSEGV
------------------------------------------------------------------------------[ trace ]----
[#0] 0x7f666bcc642a->Name: IMG_LoadLBM_RW(src=0x16cfa30)
[#1] 0x7f666bcc17ef->Name: IMG_LoadTyped_RW(src=0x16cfa30, freesrc=0x1, type=0x7ffd79444441 "<(-_-)>/asdf")
[#2] 0x7f666bcc15e0->Name: IMG_Load(file=0x7ffd79444440 "<(-_-)>/asdf")
[#3] 0x400b85->Name: main(argc=0x2, argv=0x7ffd79444028)

Timeline

2017-11-28 - Vendor Disclosure
2018-03-01 - Public Release

Discovered by Lilith <(x_x)> of Cisco Talos.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907