Headline
CVE-2018-3921: TALOS-2018-0585 || Cisco Talos Intelligence Group
A memory corruption vulnerability exists in the PSD-parsing functionality of Computerinsel Photoline 20.54. A specially crafted PSD image processed via the application can lead to a stack overflow, overwriting arbitrary data. An attacker can deliver a PSD image to trigger this vulnerability and gain code execution.
Summary
A memory corruption vulnerability exists in the PSD-parsing functionality of Computerinsel Photoline 20.54. A specially crafted PSD image processed via the application can lead to a stack overflow, overwriting arbitrary data. An attacker can deliver a PSD image to trigger this vulnerability and gain code execution.
Tested Versions
Computerinsel Photoline 20.54 for OS X
Product URLs
https://www.pl32.com/
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-121: Stack-based Buffer Overflow
Details
Photoline is an image processing tool used to modify and edit images, as well as other graphic-related material. This product has a large user base, and is popular in its specific field. The vulnerability arises in parsing the PSD image, specifically dealing with the blending channels inside of the image. The PSD format supports the ability to have multiple layers and masks per image, and the vulnerability is in how the software deals with the length of these layers. By looking at the vulnerable images Blending Layer Length value, we see that it is 0x40000000. Shown below is the code using this value causing the overflow.
LOWORD(v6) = memcpy_wrapper(sstack_buffer, &image_Data, blending_channel_1);
The blending channel value is read directly from the image and used to copy this data into a stack-based buffer. This causes a direct overflow of the stack, and an overwrite of arbitrary data. There is a stack cookie present, but this could be circumvented by other means. This vulnerability could be exploited to gain code execution.
Crash Information
Crashed thread log =
: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff53a10b6e __pthread_kill + 10
1 libsystem_pthread.dylib 0x00007fff53bdb080 pthread_kill + 333
2 libsystem_c.dylib 0x00007fff5396c24d __abort + 144
3 libsystem_c.dylib 0x00007fff5396caf8 __stack_chk_fail + 205
4 de.pl32.photoline 0x0000000102090bae 0x101897000 + 8362926
5 ??? 0x8000c18000c18000 0 + 9223584792367431680
log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_CRASH:signal=6:is_exploitable=yes:instruction_disassembly=jae CONSTANT:instruction_address=0x00007fff53a10b6e:access_type=:access_address=0x0000000000000000:
The crash is suspected to be an exploitable issue due to the suspicious function in the stack trace of the crashing thread: ' __stack_chk_fail '
Timeline
2018-05-01 - Vendor Disclosure
2018-07-11 - Public Release
Discovered by Tyler Bohan of Cisco Talos.