Headline
CVE-2018-3888: TALOS-2018-0563 || Cisco Talos Intelligence Group
A memory corruption vulnerability exists in the PCX-parsing functionality of Computerinsel Photoline 20.53. A specially crafted PCX image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution.
Summary
A memory corruption vulnerability exists in the PCX-parsing functionality of Computerinsel Photoline 20.53. A specially crafted PCX image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution.
Tested Versions
Computerinsel Photoline 20.53 for OS X
Product URLs
https://www.pl32.com/
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-787: Out-of-bounds Write
Details
Photoline is an image processing tool used to modify and edit images, as well as other graphic-editing functions. This product has a large user base and is popular in its specific field. The vulnerable component is in the handling of PCX images. PCX was a popular image format with early computers, and although it has been replaced by more sophisticated formats, it is still in use and is fully supported inside of Canvas Draw.
The vulnerability arises in the parsing of the PCX image, specifically dealing with decompressing the color map of the image. The compression scheme is determined via the file header and by choosing “run length encoding” as the compression, the program writes out of bounds using user-controlled data. The error comes in due to the incorrect calculation of the size of the compressed data. The relevant code is shown below.
if ( arg_5 > 0 )
{
count_1 = 0LL;
do
{
*colormap_ptr = packet_ptr[count_1]; [0]
colormap_ptr += 3; [1]
++count_1;
}
while ( (count_1 < arg_5 );
The image data is read at location [0] and written into memory. The memory is then incremented by three [1] and the loop continues. This appears to be a means of extracting information about the PCX colormap stored in sets of three. However, with a crafted image, the arg_5 variable may be an overly large value. This causes the loop to write out of bounds and an exploitable condition is created. This vulnerability could be leveraged to gain code execution.
Crash Information
Crashed thread log =
: Dispatch queue: com.apple.main-thread
0 de.pl32.photoline 0x00000001031bbfd0 0x10278a000 + 10690512
1 de.pl32.photoline 0x00000001031bc396 0x10278a000 + 10691478
2 de.pl32.photoline 0x00000001028ca481 0x10278a000 + 1311873
3 de.pl32.photoline 0x00000001028ca302 0x10278a000 + 1311490
4 de.pl32.photoline 0x00000001028c9ff4 0x10278a000 + 1310708
5 de.pl32.photoline 0x0000000102cffd42 0x10278a000 + 5725506
6 de.pl32.photoline 0x000000010293c688 0x10278a000 + 1779336
7 de.pl32.photoline 0x000000010293c3db 0x10278a000 + 1778651
8 de.pl32.photoline 0x00000001029997c2 0x10278a000 + 2160578
9 de.pl32.photoline 0x00000001031b5c0a 0x10278a000 + 10664970
10 de.pl32.photoline 0x00000001031b5fb2 0x10278a000 + 10665906
11 com.apple.AppKit 0x00007fffafccfdd7 -[NSDocument _initWithContentsOfURL:ofType:error:] + 172
12 com.apple.AppKit 0x00007fffafccfcbc -[NSDocument initWithContentsOfURL:ofType:error:] + 231
13 com.apple.AppKit 0x00007fffafdad2b0 -[NSDocumentController makeDocumentWithContentsOfURL:ofType:error:] + 644
14 com.apple.AppKit 0x00007fffb0000470 __97-[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:]_block_invoke + 83
15 com.apple.AppKit 0x00007fffb0000412 -[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:] + 176
16 com.apple.AppKit 0x00007fffafdac2e6 __80-[NSDocumentController openDocumentWithContentsOfURL:display:completionHandler:]_block_invoke + 613
17 com.apple.AppKit 0x00007fffaffff48b __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_2.922 + 180
18 com.apple.AppKit 0x00007fffaffff3a7 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke.921 + 138
19 com.apple.AppKit 0x00007fffaffff269 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_4 + 267
20 com.apple.CoreFoundation 0x00007fffb1fd717c __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 12
21 com.apple.CoreFoundation 0x00007fffb1fb7f84 __CFRunLoopDoBlocks + 356
22 com.apple.CoreFoundation 0x00007fffb1fb7705 __CFRunLoopRun + 917
23 com.apple.CoreFoundation 0x00007fffb1fb7114 CFRunLoopRunSpecific + 420
24 com.apple.HIToolbox 0x00007fffb1517ebc RunCurrentEventLoopInMode + 240
25 com.apple.HIToolbox 0x00007fffb1517bf9 ReceiveNextEventCommon + 184
26 com.apple.HIToolbox 0x00007fffb1517b26 _BlockUntilNextEventMatchingListInModeWithFilter + 71
27 com.apple.AppKit 0x00007fffafaaea54 _DPSNextEvent + 1120
28 com.apple.AppKit 0x00007fffb022a7ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796
29 com.apple.AppKit 0x00007fffafaa33db -[NSApplication run] + 926
30 de.pl32.photoline 0x00000001031b2a19 0x10278a000 + 10652185
31 com.apple.AppKit 0x00007fffafa6de0e NSApplicationMain + 1237
32 de.pl32.photoline 0x000000010278bd14 0x10278a000 + 7444
log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb %bl,(%rdx):instruction_address=0x00000001031bbfd0:access_type=write:access_address=0x000000019d144001:
Crash accessing invalid address.
Timeline
2018-04-09 - Vendor Disclosure
2018-04-11 - Public Release
Discovered by Tyler Bohan of Cisco Talos.