Headline
CVE-2017-2880: TALOS-2017-0387 || Cisco Talos Intelligence Group
Summary
A memory corruption vulnerability exists in the .GIF parsing functionality of Computerinsel Photoline 20.02. A specially crafted .GIF file can trigger this vulnerability, resulting in potential code execution. An attacker can send a specific .GIF file to trigger this vulnerability.
Tested Versions
Computerinsel GmbH Photoline 20.02
Product URLs
https://www.pl32.com/
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
Details
The code responsible for the vulnerability is provided below:
.text:007BE521 loc_7BE521: ; CODE XREF: buggy_proc+62j
.text:007BE521 mov cl, [esi+14h] ; [esi+14h] -> byte taken straight from GIF file
.text:007BE524 mov edx, 1
.text:007BE529 shl edx, cl
.text:007BE52B movzx cx, cl
.text:007BE52F lea eax, [edx+1]
.text:007BE532 mov [esi+1Ch], ax
.text:007BE536 lea eax, [edx+2]
.text:007BE539 mov [esi+401Eh], ax
.text:007BE540 mov eax, 1000h
.text:007BE545 mov [esi+4020h], ax
.text:007BE54C inc cx
.text:007BE54E mov eax, 1
.text:007BE553 shl eax, cl
.text:007BE555 mov [esi+16h], cx
.text:007BE559 xor ecx, ecx
.text:007BE55B mov [esi+1Ah], dx
.text:007BE55F dec eax
.text:007BE560 mov [esi+18h], ax
.text:007BE564 xor eax, eax
.text:007BE566 cmp cx, dx
.text:007BE569 jnb short loc_7BE58B
.text:007BE56B jmp short bug_write_loop
.text:007BE570 bug_write_loop: ; CODE XREF: buggy_proc+BBj
.text:007BE570 ; buggy_proc+D9j
.text:007BE570 movzx ecx, ax
.text:007BE573 mov edx, 1000h
.text:007BE578 mov [esi+ecx*2+1Eh], dx ; WRITE!
.text:007BE57D mov [ecx+esi+201Eh], al ; WRITE!
.text:007BE584 inc eax
.text:007BE585 cmp ax, [esi+1Ah] ; [esi+1Ah] is calculated from our data
.text:007BE589 jb short bug_write_loop
.text:007BE58B
In short, the byte value is taken directly from the .GIF file (see address 0x007BE521). This value is later used as a shift count, i.e. multiplied up as a power of two (0x007BE529), and the result is stored at [esi+1Ah] and used as the loop repeat count (see address 0x007BE585). This gives the attacker the opportunity to cause memory corruption through an out-of-bounds write (instructions at 0x007BE578 and 0x007BE57D).
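The following C model is an added illustration, not Photoline's code and not part of the advisory: it reproduces the loop-bound arithmetic from the listing above (16-bit bound, 5-bit shift count, the cmp cx, dx / jnb guard) so a defender can see which code-size bytes push the fill loop past the fixed 0x1000-entry tables, and shows a checked initialisation beside it. It assumes the byte at [esi+14h] is the GIF LZW minimum code size.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* The word table at [esi+1Eh] runs to [esi+201Eh], so it holds 0x1000
 * 16-bit entries; the byte table at [esi+201Eh] is modelled the same size. */
#define TABLE_ENTRIES 0x1000u

typedef struct {
    uint16_t prefix[TABLE_ENTRIES]; /* modelled on the word table at +1Eh  */
    uint8_t  suffix[TABLE_ENTRIES]; /* modelled on the byte table at +201Eh */
} lzw_tables_t;

/* Bound as computed in the listing: shl masks the count to 5 bits on x86,
 * and only the low 16 bits are kept (mov [esi+1Ah], dx). */
static uint16_t loop_bound(uint8_t code_size) {
    uint32_t edx = 1u << (code_size & 0x1f);
    return (uint16_t)edx;
}

/* Mirrors "cmp cx, dx / jnb": the fill loop only runs when code_size + 1
 * is below the bound (unsigned compare). */
static bool loop_runs(uint8_t code_size) {
    uint16_t cx = (uint16_t)code_size + 1;
    return cx < loop_bound(code_size);
}

/* True when the unchecked loop would index past the 0x1000-entry tables. */
static bool overflows_tables(uint8_t code_size) {
    return loop_runs(code_size) && loop_bound(code_size) > TABLE_ENTRIES;
}

/* Checked initialisation. Assumption: the byte is the LZW minimum code
 * size, which a GIF encoder produces as at most 8 (8 bits per pixel), so
 * 1 << code_size is at most 256 and always fits the tables. */
static bool init_tables_checked(lzw_tables_t *t, uint8_t code_size) {
    if (code_size < 2 || code_size > 8)
        return false;                      /* reject instead of overflowing */
    uint16_t clear = (uint16_t)(1u << code_size);
    memset(t, 0, sizeof *t);
    for (uint16_t i = 0; i < clear; i++) { /* same fill as the listing */
        t->prefix[i] = 0x1000;
        t->suffix[i] = (uint8_t)i;
    }
    return true;
}
```

With this model, code sizes 13 through 15 are the ones whose bound exceeds the tables while the guard still lets the loop run; 16 and above fold to a 16-bit bound of 0 (or 1 after the 5-bit mask wraps) and are skipped by the guard.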
Crash Information
PhotoLine+0x3be578:
007be578 6689544e1e mov word ptr [esi+ecx*2+1Eh],dx ds:002b:001a0000=6341
0:000:x86> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
GetUrlPageData2 (WinHttp) failed: 12002.
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
PhotoLine+3be578
007be578 6689544e1e mov word ptr [esi+ecx*2+1Eh],dx
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 007be578 (PhotoLine+0x003be578)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 001a0000
Attempt to write to address 001a0000
FAULTING_THREAD: 000015ec
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE
PROCESS_NAME: PhotoLine.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 001a0000
FOLLOWUP_IP:
PhotoLine+3be578
007be578 6689544e1e mov word ptr [esi+ecx*2+1Eh],dx
WRITE_ADDRESS: 001a0000
WATSON_BKT_PROCSTAMP: 589ee44a
WATSON_BKT_PROCVER: 20.0.0.2
PROCESS_VER_PRODUCT: PhotoLine
WATSON_BKT_MODULE: PhotoLine.exe
WATSON_BKT_MODSTAMP: 589ee44a
WATSON_BKT_MODOFFSET: 3be578
WATSON_BKT_MODVER: 20.0.0.2
MODULE_VER_PRODUCT: PhotoLine
BUILD_VERSION_STRING: 10.0.15063.296 (WinBuild.160101.0800)
MODLIST_WITH_TSCHKSUM_HASH: f2c082d751a472df1a8a185b4416b966db139902
MODLIST_SHA1_HASH: 7429f67ba2c849f9234e8c4db6453a762d0885f1
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
ANALYSIS_SESSION_HOST: CLAB
ANALYSIS_SESSION_TIME: 07-04-2017 08:52:40.0767
ANALYSIS_VERSION: 10.0.15063.400 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: PLK
PROBLEM_CLASSES:
ID: [0n292]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x15ec]
Frame: [0] : PhotoLine
ID: [0n265]
Type: [INVALID_POINTER_WRITE]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x15ec]
Frame: [0] : PhotoLine
ID: [0n152]
Type: [ZEROED_STACK]
Class: Addendum
Scope: BUCKET_ID
Name: Add
Data: Omit
PID: [0x302c]
TID: [0x15ec]
Frame: [0] : PhotoLine
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
LAST_CONTROL_TRANSFER: from 00000000 to 007be578
STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 PhotoLine+0x3be578
THREAD_SHA1_HASH_MOD_FUNC: d8e26008eb6acc069d83c04d0ced24485d541252
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: c6dcc5f486de8c186b5aa96f2e4c9b36115ffd5f
THREAD_SHA1_HASH_MOD: d8e26008eb6acc069d83c04d0ced24485d541252
FAULT_INSTR_CODE: 4e548966
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: PhotoLine+3be578
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: PhotoLine
IMAGE_NAME: PhotoLine.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 589ee44a
STACK_COMMAND: ~0s ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_PhotoLine.exe!Unknown
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_PhotoLine+3be578
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: PhotoLine.exe
BUCKET_ID_IMAGE_STR: PhotoLine.exe
FAILURE_MODULE_NAME: PhotoLine
BUCKET_ID_MODULE_STR: PhotoLine
FAILURE_FUNCTION_NAME: Unknown
BUCKET_ID_FUNCTION_STR: Unknown
BUCKET_ID_OFFSET: 3be578
BUCKET_ID_MODTIMEDATESTAMP: 589ee44a
BUCKET_ID_MODCHECKSUM: 103c5a2
BUCKET_ID_MODVER_STR: 20.0.0.2
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: PhotoLine.exe!Unknown
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/PhotoLine.exe/20.0.0.2/589ee44a/PhotoLine.exe/20.0.0.2/589ee44a/c0000005/003be578.htm?Retriage=1
TARGET_TIME: 2017-07-04T06:52:49.000Z
OSBUILD: 15063
OSSERVICEPACK: 296
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 160101.0800
BUILDLAB_STR: WinBuild
BUILDOSVER_STR: 10.0.15063.296
ANALYSIS_SESSION_ELAPSED_TIME: 732b
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_photoline.exe!unknown
FAILURE_ID_HASH: {3391e579-c3a2-d370-e494-6a2226b83b1d}
Followup: MachineOwner
---------
Timeline
2017-08-02 - Vendor Disclosure
2017-10-04 - Public Release