CVE-2018-3973: TALOS-2018-0638 || Cisco Talos Intelligence Group
Summary
An exploitable out-of-bounds write exists in the CAL parsing functionality of Canvas Draw version 5.0.0. A specially crafted CAL image processed via the application can lead to an out-of-bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution.
Tested Versions
ACDSystems Canvas Draw 5.0.0
Product URLs
https://www.pl32.com/
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-787: Out-of-bounds Write
Details
Canvas Draw 4 is a graphics editing tool used to create and edit images as well as other graphics-related material. This product has a large user base and is popular in its specific field. The vulnerable component is in the handling of PCX images. PCX was a popular image format on early computers and, although it has been replaced by more sophisticated formats, it is still in use and fully supported inside of Canvas Draw.
The vulnerability arises in parsing a malformed CAL image. Data from the image is passed directly into realloc, allowing the attacker to control the size of an allocation. By passing in incorrect values, the attacker causes the application to write out of bounds while attempting to access the image data. A look at the crashing call is shown below.
len = (v3 >> 3) - 1;                 /* v3 is derived from image data, so len is attacker controlled */
v4 = memset(buff, 255, len + 1LL);   /* writes (v3 >> 3) bytes with no check against the size of buff */
buff += len + 1;                     /* advances past the span just written */
The buffer size is user controlled here, so if the length value is greater than the supplied buffer size, a buffer overflow occurs. This creates an exploitable situation that could be leveraged by an attacker to gain code execution.
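As an added illustration of the check the advisory says is missing (constructed example code, not ImageGear's or Canvas Draw's own), the RunEndsToPacked -> FillSpan path from the crash trace is modelled with every span bounded by the bytes remaining in the destination row before memset is called; the function names, the run-table layout and the sample tables are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the RunEndsToPacked -> FillSpan path in the crash trace;
 * not ImageGear's code. run_ends[] lists run boundaries in bits: a white run
 * ends at run_ends[0], a black run at run_ends[1], and so on. Black runs are
 * written as 0xFF bytes; partial bytes are ignored to keep the model short. */
/* Hardened span fill. The advisory's version computes the byte count from
 * image data (v3 >> 3) and calls memset without comparing it with the
 * destination; here the caller passes the row size and the span is refused
 * when it would run past it. Returns bytes written, or -1. */
int fill_span_checked(uint8_t *row, size_t row_bytes, size_t pos, uint64_t span_bits) {
    uint64_t n = span_bits >> 3;                 /* same byte count as len + 1 */
    if (pos > row_bytes || n > row_bytes - pos)  /* would write past the row */
        return -1;
    memset(row + pos, 255, (size_t)n);
    return (int)n;
}

/* Decode one row. Returns total bytes written, or -1 on a malformed table. */
int run_ends_to_packed(const int64_t *run_ends, size_t count,
                       uint8_t *row, size_t row_bytes) {
    int64_t prev = 0;
    size_t written = 0;
    memset(row, 0, row_bytes);
    for (size_t i = 0; i < count; i++) {
        int64_t end = run_ends[i];
        if (end < prev)                          /* run ends must not go backwards */
            return -1;
        if (i % 2 == 1) {                        /* odd entries close a black run */
            int n = fill_span_checked(row, row_bytes, (size_t)(prev >> 3),
                                      (uint64_t)(end - prev));
            if (n < 0)
                return -1;
            written += (size_t)n;
        }
        prev = end;
    }
    return (int)written;
}

/* Constructed sample tables, not taken from a real CAL file. */
static const int64_t SAMPLE_RUNS[] = {8, 24, 40, 64};      /* fits an 8-byte row */
static const int64_t OVERSIZED_RUNS[] = {8, 8 + 8 * 100};  /* 100-byte span, 8-byte row */
static uint8_t g_row[8];
int decode_sample(void)    { return run_ends_to_packed(SAMPLE_RUNS, 4, g_row, sizeof g_row); }
int decode_oversized(void) { return run_ends_to_packed(OVERSIZED_RUNS, 2, g_row, sizeof g_row); }
int sample_byte(size_t i)  { return i < sizeof g_row ? g_row[i] : -1; }
```

The oversized table reproduces the advisory's condition (a span longer than the row); the checked decoder rejects it instead of writing past the buffer.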
Crash Information
Crashed thread log =
: Dispatch queue: com.apple.main-thread
0 libsystem_platform.dylib 0x00007fff60a73c75 _platform_bzero$VARIANT$Haswell + 53
1 ImageGear18 0x0000000110abb9c5 IGRaster::FillSpan(unsigned char*, unsigned long long, unsigned long long) + 125
2 ImageGear18 0x0000000110abb91e IGRaster::RunEndsToPacked(long long const*, unsigned char*, unsigned long long, long long, unsigned long long) + 150
3 ImageGear18 0x0000000110ae5269 GPr_raster_set_CB + 356
4 ImageGear18 0x00000001109556af LoadG4_ProGold + 1916
5 ImageGear18 0x0000000110a77630 CAL_read + 338
6 ImageGear18 0x00000001109c7dfd GPb_fltrm_READ_call_param + 178
7 ImageGear18 0x00000001109c7d45 GPb_fltrm_READ_call + 21
8 ImageGear18 0x000000011099e923 iIG_load_FD_CB + 400
9 ImageGear18 0x0000000110b102db IG_load_FD_CB + 91
10 com.acdsystem.canvastool.ImageIO 0x000000017c83cf59 0x17c7b9000 + 540505
11 com.acdsystem.canvastool.ImageIO 0x000000017c83ae39 ImageGearAcquireProc(short, AcquireRecord*, int*, short*) + 978
12 com.acdsystem.canvastool.ImageIO 0x000000017c83b2e4 ImageIORunAcquireProc(_ImageIOAcquireState*) + 744
13 com.acdsystem.canvastool.ImageIO 0x000000017c838f5b 0x17c7b9000 + 524123
14 com.acdsystem.canvastool.ImageIO 0x000000017c83a67c DoImportFile(ImportFileMsg*) + 1077
15 com.acdsystem.canvastool.ImageIO 0x000000017c7ee093 toolmain() + 970
16 com.acdsystem.canvastool.ImageIO 0x000000017c819eb7 stdtool(TToolCallBlock*) + 119
17 com.acdsystem.canvastool.ImageIO 0x000000017c819e39 cvtool_main(TToolCallBlock*) + 9
18 com.canvasgfx.Canvas-Draw5 0x000000010eb4fc98 0x10e9e6000 + 1481880
19 com.canvasgfx.Canvas-Draw5 0x000000010f6eb16a 0x10e9e6000 + 13652330
20 com.canvasgfx.Canvas-Draw5 0x000000010f6ea918 0x10e9e6000 + 13650200
21 com.canvasgfx.Canvas-Draw5 0x000000010f86928d 0x10e9e6000 + 15217293
22 com.apple.AppKit 0x00007fff36306214 -[NSApplication _doOpenFile:ok:tryTemp:] + 376
23 com.apple.AppKit 0x00007fff35ee5337 -[NSApplication finishLaunching] + 2438
24 com.apple.AppKit 0x00007fff35ee4683 -[NSApplication run] + 250
25 com.apple.AppKit 0x00007fff35eb3a72 NSApplicationMain + 804
26 libdyld.dylib 0x00007fff60761015 start + 1
log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=.byte 0xc5 #bad opcode:instruction_address=0x00007fff60a73c75:access_type=unknown:access_address=0x000000049a92c000:
Crash accessing invalid address.
Timeline
2018-07-25 - Vendor Disclosure
2018-08-21 - Vendor Patched
2019-01-30 - Public Release
Discovered by Tyler Bohan of Cisco Talos.