CVE-2020-35535: Libraw "LibRaw::parseSonySRF()" Out-of-bounds Read Vulnerability · Issue #283 · LibRaw/LibRaw
Description:
There is an out-of-bounds read vulnerability within the "LibRaw::parseSonySRF()" function (libraw\src\metadata\sony.cpp) when processing srf files.
Steps to Reproduce:
poc (password: 0xfoxone):
https://drive.google.com/open?id=1r0wig5pSGUFhP3mDycIUcKMvnHamYaGJ
cmd:
magick.exe convert poc.srf new.bmp
Upon running this, the following crash happens (Note: I enabled page heap on magick.exe):
Microsoft ® Windows Debugger Version 10.0.18362.1 AMD64
Copyright © Microsoft Corporation. All rights reserved.
CommandLine: C:\ImageMagick-7.0.10-7\VisualMagick\bin\magick.exe convert c:\poc.srf c:\new.bmp
Symbol search path is: srv*
Executable search path is:
Page heap: pid 0x1ED0: page heap enabled with flags 0x3.
(1ed0.1214): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffdb0df119c cc              int     3
0:000> g
ModLoad: 00007ffdaf4b0000 00007ffdaf4de000   C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ffda93a0000 00007ffda93af000   C:\ImageMagick-7.0.10-7\VisualMagick\bin\IM_MOD_DB_DNG_.dll
ModLoad: 00007ffd86310000 00007ffd864bc000   C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_libraw_.dll
ModLoad: 00007ffd88e10000 00007ffd88f06000   C:\WINDOWS\SYSTEM32\MSVCP140D.dll
(1ed0.1214): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_libraw_.dll
CORE_DB_libraw_!LibRaw::sget2+0x2c:
00007ffd86396d9c 0fb60401        movzx   eax,byte ptr [rcx+rax] ds:0000019e5bb50000=??
0:000> k
Child-SP          RetAddr           Call Site
00 000000939ecee890 00007ffd8636bf5d CORE_DB_libraw_!LibRaw::sget2+0x2c [c:\imagemagick-7.0.10-7\libraw\src\utils\utils_dcraw.cpp @ 84]
01 000000939ecee8a0 00007ffd8636fe7a CORE_DB_libraw_!LibRaw::parseSonySRF+0x42d [c:\imagemagick-7.0.10-7\libraw\src\metadata\sony.cpp @ 1952]
02 000000939ecee950 00007ffd8638071a CORE_DB_libraw_!LibRaw::parse_exif+0x155a [c:\imagemagick-7.0.10-7\libraw\src\metadata\exif_gps.cpp @ 229]
03 000000939eceef50 00007ffd8637bebb CORE_DB_libraw_!LibRaw::parse_tiff_ifd+0x484a [c:\imagemagick-7.0.10-7\libraw\src\metadata\tiff.cpp @ 717]
04 000000939ecefdd0 00007ffd8632f89f CORE_DB_libraw_!LibRaw::parse_tiff+0x11b [c:\imagemagick-7.0.10-7\libraw\src\metadata\tiff.cpp @ 1468]
05 000000939ecefe30 00007ffd864079de CORE_DB_libraw_!LibRaw::identify+0xd2f [c:\imagemagick-7.0.10-7\libraw\src\metadata\identify.cpp @ 537]
06 000000939ecf3350 00007ffd8640b149 CORE_DB_libraw_!LibRaw::open_datastream+0x10e [c:\imagemagick-7.0.10-7\libraw\src\utils\open.cpp @ 377]
07 000000939ecf35f0 00007ffd8641dfc8 CORE_DB_libraw_!LibRaw::open_file+0x269 [c:\imagemagick-7.0.10-7\libraw\src\utils\open.cpp @ 99]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7\VisualMagick\bin\IM_MOD_DB_DNG_.dll
08 000000939ecf3720 00007ffda93a191c CORE_DB_libraw_!libraw_open_wfile+0x58 [c:\imagemagick-7.0.10-7\libraw\src\libraw_c_api.cpp @ 113]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickCore_.dll
09 000000939ecf3760 00007ffd87d671e7 IM_MOD_DB_DNG_!ReadDNGImage+0x2fc [c:\imagemagick-7.0.10-7\imagemagick\coders\dng.c @ 379]
0a 000000939ecf5870 00007ffd87d68963 CORE_DB_MagickCore_!ReadImage+0x5e7 [c:\imagemagick-7.0.10-7\imagemagick\magickcore\constitute.c @ 553]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickWand_.dll
0b 000000939ecfaa90 00007ffd886daac3 CORE_DB_MagickCore_!ReadImages+0x393 [c:\imagemagick-7.0.10-7\imagemagick\magickcore\constitute.c @ 941]
0c 000000939ecfbb40 00007ffd887744ae CORE_DB_MagickWand_!ConvertImageCommand+0x1523 [c:\imagemagick-7.0.10-7\imagemagick\magickwand\convert.c @ 606]
*** WARNING: Unable to verify checksum for magick.exe
0d 000000939ecfd690 00007ff7793014ea CORE_DB_MagickWand_!MagickCommandGenesis+0x33e [c:\imagemagick-7.0.10-7\imagemagick\magickwand\mogrify.c @ 186]
0e 000000939ecfe800 00007ff779301693 magick!MagickMain+0x4ea [c:\imagemagick-7.0.10-7\imagemagick\utilities\magick.c @ 149]
0f 000000939ecffa70 00007ff779301f24 magick!wmain+0x43 [c:\imagemagick-7.0.10-7\imagemagick\utilities\magick.c @ 195]
10 000000939ecffab0 00007ff779301e37 magick!invoke_main+0x34 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 80]
11 000000939ecffaf0 00007ff779301cfe magick!__scrt_common_main_seh+0x127 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
12 000000939ecffb50 00007ff779301f39 magick!__scrt_common_main+0xe [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 296]
13 000000939ecffb80 00007ffdaf887bd4 magick!wmainCRTStartup+0x9 [f:\dd\vctools\crt\vcstartup\src\startup\exe_wmain.cpp @ 17]
14 000000939ecffbb0 00007ffdb0d8ce51 KERNEL32!BaseThreadInitThunk+0x14
15 000000939ecffbe0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
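The faulting frame is LibRaw's sget2(), a two-byte reader that takes a bare pointer and therefore cannot check by itself whether the bytes it is handed still lie inside the file buffer; the fault on "byte ptr [rcx+rax]" at a page-heap boundary is that read walking off the end. The C example below is added here and is not code from LibRaw, ImageMagick or this issue: sget2_like, get2_checked, count_bad_entries and sample_blob are hypothetical names, and the IFD-style layout of the constructed blob is a simplification rather than the real SRF metadata structure. It shows the same pattern (a file-supplied offset used as the base of a metadata read) first unchecked, then wrapped in a length-aware reader that rejects the out-of-range entry instead of dereferencing it.

```c
#include <stdint.h>
#include <stddef.h>
/* Hypothetical stand-in for LibRaw's sget2(): two bytes in the file's byte
 * order. It gets only a pointer, so callers must prove both bytes exist. */
static uint16_t sget2_like(const uint8_t *s, uint16_t order)
{
    if (order == 0x4949)                   /* "II": little-endian TIFF */
        return (uint16_t)(s[0] | (s[1] << 8));
    return (uint16_t)((s[0] << 8) | s[1]); /* "MM": big-endian TIFF */
}

/* Bounds-checked read of a 16-bit value at file-derived offset 'off' in a
 * buffer of 'len' bytes: 0 on success, -1 if either byte would lie outside
 * (the read the crash log shows faulting on "byte ptr [rcx+rax]"). */
static int get2_checked(const uint8_t *buf, size_t len, size_t off,
                        uint16_t order, uint16_t *out)
{
    if (off > len || len - off < 2)        /* overflow-safe form of off+2 */
        return -1;
    *out = sget2_like(buf + off, order);
    return 0;
}

/* Walks a minimal IFD-style blob (2-byte entry count, then 4-byte entries:
 * 2-byte tag, 2-byte offset of the value within the blob). Returns how many
 * entries point outside the blob, or -1 if the entry table is truncated. */
static int count_bad_entries(const uint8_t *blob, size_t len, uint16_t order)
{
    uint16_t n, tag, off, val;
    int bad = 0;
    if (get2_checked(blob, len, 0, order, &n) != 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        size_t e = 2 + i * 4;
        if (get2_checked(blob, len, e, order, &tag) != 0 ||
            get2_checked(blob, len, e + 2, order, &off) != 0)
            return -1;
        if (get2_checked(blob, len, off, order, &val) != 0)
            bad++;                         /* would have read past the end */
    }
    return bad;
}
/* Constructed little-endian sample (16 bytes): entry 1 is in range, entry 2
 * points at offset 0x0ff0, far beyond the buffer. */
static const uint8_t sample_blob[] = {
    0x02, 0x00,              /* entry count = 2 */
    0x01, 0x00, 0x0c, 0x00,  /* tag 1, value at offset 12 (in range) */
    0x02, 0x00, 0xf0, 0x0f,  /* tag 2, value at offset 0x0ff0 (out of range) */
    0xaa, 0x00, 0x34, 0x12, 0x00, 0x00
};
```

Passing the blob to the unchecked sget2_like at the second entry's offset is exactly the access the stack trace records; the checked walker reports that entry instead of touching memory past the buffer.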
System Configuration:
- ImageMagick:
Version: ImageMagick-7.0.10-Q16 https://imagemagick.org
License: https://imagemagick.org/script/license.php
- Environment (Operating system, version and so on):
Distributor ID: Microsoft Windows
Description: Windows 10