Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2018-3973: TALOS-2018-0638 || Cisco Talos Intelligence Group

An exploitable out of bounds write exists in the CAL parsing functionality of Canvas Draw version 5.0.0. A specially crafted CAL image processed via the application can lead to an out of bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution.

CVE
#vulnerability#apple#cisco#intel#buffer_overflow#sap

Summary

An exploitable out of bounds write exists in the CAL parsing functionality of Canvas Draw version 5.0.0. A specially crafted CAL image processed via the application can lead to an out of bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution.

Tested Versions

ACDSystems Canvas Draw 5.0.0

Product URLs

https://www.pl32.com/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

Canvas Draw 4 is a graphics editing tool used to create and edit images as well as other graphic related material. This product has a large user base and is popular in its specific field. The vulnerable component is in the handling of PCX images. PCX was a popular image format with early computers and although has been replaced by more sophisticated formats, it is still in use and fully supported inside of Canvas Draw.

The vulnerability arises in parsing a malformed CAL image. Data from the image is passed directly into realloc allowing the attacker to control the size of an allocation. By passing in incorrect values the application will write out of bounds attempting to access the image data. A look at the crashing call is shown below.

len = (v3 >> 3) - 1;
v4 = memset(buff, 255, len + 1LL);
buff += len + 1;

The buffer size is user controlled here so if the length value is greater than the supplied buffer size a buffer overflow occurs. This creates an exploitable situation that could be leveraged by an attacker to gain code execution.

Crash Information

Crashed thread log = 
: Dispatch queue: com.apple.main-thread
0   libsystem_platform.dylib        0x00007fff60a73c75 _platform_bzero$VARIANT$Haswell + 53
1   ImageGear18                     0x0000000110abb9c5 IGRaster::FillSpan(unsigned char*, unsigned long long, unsigned long long) + 125
2   ImageGear18                     0x0000000110abb91e IGRaster::RunEndsToPacked(long long const*, unsigned char*, unsigned long long, long long, unsigned long long) + 150
3   ImageGear18                     0x0000000110ae5269 GPr_raster_set_CB + 356
4   ImageGear18                     0x00000001109556af LoadG4_ProGold + 1916
5   ImageGear18                     0x0000000110a77630 CAL_read + 338
6   ImageGear18                     0x00000001109c7dfd GPb_fltrm_READ_call_param + 178
7   ImageGear18                     0x00000001109c7d45 GPb_fltrm_READ_call + 21
8   ImageGear18                     0x000000011099e923 iIG_load_FD_CB + 400
9   ImageGear18                     0x0000000110b102db IG_load_FD_CB + 91
10  com.acdsystem.canvastool.ImageIO    0x000000017c83cf59 0x17c7b9000 + 540505
11  com.acdsystem.canvastool.ImageIO    0x000000017c83ae39 ImageGearAcquireProc(short, AcquireRecord*, int*, short*) + 978
12  com.acdsystem.canvastool.ImageIO    0x000000017c83b2e4 ImageIORunAcquireProc(_ImageIOAcquireState*) + 744
13  com.acdsystem.canvastool.ImageIO    0x000000017c838f5b 0x17c7b9000 + 524123
14  com.acdsystem.canvastool.ImageIO    0x000000017c83a67c DoImportFile(ImportFileMsg*) + 1077
15  com.acdsystem.canvastool.ImageIO    0x000000017c7ee093 toolmain() + 970
16  com.acdsystem.canvastool.ImageIO    0x000000017c819eb7 stdtool(TToolCallBlock*) + 119
17  com.acdsystem.canvastool.ImageIO    0x000000017c819e39 cvtool_main(TToolCallBlock*) + 9
18  com.canvasgfx.Canvas-Draw5      0x000000010eb4fc98 0x10e9e6000 + 1481880
19  com.canvasgfx.Canvas-Draw5      0x000000010f6eb16a 0x10e9e6000 + 13652330
20  com.canvasgfx.Canvas-Draw5      0x000000010f6ea918 0x10e9e6000 + 13650200
21  com.canvasgfx.Canvas-Draw5      0x000000010f86928d 0x10e9e6000 + 15217293
22  com.apple.AppKit                0x00007fff36306214 -[NSApplication _doOpenFile:ok:tryTemp:] + 376
23  com.apple.AppKit                0x00007fff35ee5337 -[NSApplication finishLaunching] + 2438
24  com.apple.AppKit                0x00007fff35ee4683 -[NSApplication run] + 250
25  com.apple.AppKit                0x00007fff35eb3a72 NSApplicationMain + 804
26  libdyld.dylib                   0x00007fff60761015 start + 1

log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=.byte 0xc5 #bad opcode:instruction_address=0x00007fff60a73c75:access_type=unknown:access_address=0x000000049a92c000:
Crash accessing invalid address. 

Timeline

2018-07-25 - Vendor Disclosure
2018-08-21 - Vendor Patched
2019-01-30 - Public Release

Discovered by Tyler Bohan of Cisco Talos.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907