Talos Vulnerability Report

TALOS-2018-0642

ACD Systems Canvas Draw 5 IO metadata out-of-bounds write code execution vulnerability

January 30, 2019

CVE Number

CVE-2018-3976

Summary

An exploitable out-of-bounds write exists in the CALS Raster file format-parsing functionality of Canvas Draw version 5.0.0.28. A specially crafted CAL image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a CAL image to trigger this vulnerability and gain code execution.

Tested Versions

ACDSystems Canvas Draw 5.0.0.28

Product URLs

https://www.canvasgfx.com/en/products/canvas-draw

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

Canvas Draw 5 is a graphics editing tool used to create and edit images and to perform other graphics-related tasks. This product has a sizable user base and is popular in its specific field.

The vulnerability arises in the parsing of the CALS Raster file format, specifically in the handling of the column and row sizes of an image. Inside the CALS header, values are set that determine the location of the image data and the size of the image itself. When incorrect values are supplied, the application writes out of bounds while attempting to access the image data. The crash is shown below:

->  0x114e2290d <+71>: not    dword ptr [rcx]               [1]
    0x114e2290f <+73>: add    rcx, 0x4
    0x114e22913 <+77>: dec    ebx
    0x114e22915 <+79>: jne    0x114e2290d               ; <+71>

At location [1], RCX is user-controlled, determined by the sizes processed in the file header. This creates an exploitable condition and could be used to gain code execution.
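To illustrate the missing check the report describes, here is an added C example (not ACD Systems' or ImageGear's code) that models the inversion loop at the crash site under hypothetical names and validates the header-derived column and row counts against the buffer the caller actually allocated before writing to it:

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the inversion loop at the crash site: NOT every
   32-bit word of a 1-bit-per-pixel CALS raster whose row length (cols)
   and line count (rows) come from the file header. Here both are
   validated against the buffer the caller actually allocated. */

/* Returns bytes inverted, or -1 if the header-derived size is invalid
   or would run past buf_len (the CWE-787 condition). */
long invert_map_checked(int cols, int rows, unsigned char *buf, size_t buf_len)
{
    if (cols <= 0 || rows <= 0 || buf == NULL)
        return -1;
    size_t bytes_per_row = ((size_t)cols + 7u) / 8u;   /* 1-bit pixels */
    if (bytes_per_row > SIZE_MAX / (size_t)rows)        /* multiply must not wrap */
        return -1;
    size_t total = bytes_per_row * (size_t)rows;
    if (total > buf_len)
        return -1;
    size_t dwords = total / 4, i;
    for (i = 0; i < dwords; i++) {       /* whole dwords, like the crash loop */
        uint32_t w;
        memcpy(&w, buf + i * 4, sizeof w);   /* memcpy: no unaligned deref */
        w = ~w;
        memcpy(buf + i * 4, &w, sizeof w);
    }
    for (i = dwords * 4; i < total; i++) /* trailing bytes of a partial dword */
        buf[i] = (unsigned char)~buf[i];
    return (long)total;
}

/* Self-check on a constructed 32x4 raster (16 bytes). Returns 0 when
   every case behaves, otherwise the number of the failing check. */
int invert_map_selftest(void)
{
    unsigned char img[16];
    memset(img, 0x0F, sizeof img);
    if (invert_map_checked(32, 4, img, sizeof img) != 16) return 1;
    if (img[0] != 0xF0 || img[15] != 0xF0) return 2;
    /* Header claims 5 rows but only 4 were allocated: refused, untouched. */
    if (invert_map_checked(32, 5, img, sizeof img) != -1) return 3;
    if (img[0] != 0xF0) return 4;
    /* Oversized dimensions must be refused, not wrapped into a small total. */
    if (invert_map_checked(INT_MAX, INT_MAX, img, sizeof img) != -1) return 5;
    return 0;
}
```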

Crash Information

Crashed thread log = 
: Dispatch queue: com.apple.main-thread
0   com.acdsystem.canvastool.ImageIO    0x000000017765b156 invert_map(int, int, unsigned char*, int) + 71
1   com.acdsystem.canvastool.ImageIO    0x000000017765bc1c MySetRasterData(void*, unsigned char*, long long, unsigned int) + 1295
2   ImageGear18                     0x000000010f5296af LoadG4_ProGold + 1916
3   ImageGear18                     0x000000010f64b630 CAL_read + 338
4   ImageGear18                     0x000000010f59bdfd GPb_fltrm_READ_call_param + 178
5   ImageGear18                     0x000000010f59bd45 GPb_fltrm_READ_call + 21
6   ImageGear18                     0x000000010f572923 iIG_load_FD_CB + 400
7   ImageGear18                     0x000000010f6e42db IG_load_FD_CB + 91
8   com.acdsystem.canvastool.ImageIO    0x00000001776cbd79 0x177648000 + 540025
9   com.acdsystem.canvastool.ImageIO    0x00000001776c9c5a ImageGearAcquireProc(short, AcquireRecord*, int*, short*) + 978
10  com.acdsystem.canvastool.ImageIO    0x00000001776ca104 ImageIORunAcquireProc(_ImageIOAcquireState*) + 744
11  com.acdsystem.canvastool.ImageIO    0x00000001776c797b 0x177648000 + 522619
12  com.acdsystem.canvastool.ImageIO    0x00000001776c949d DoImportFile(ImportFileMsg*) + 1121
13  com.acdsystem.canvastool.ImageIO    0x000000017767cab3 toolmain() + 970
14  com.acdsystem.canvastool.ImageIO    0x00000001776a88d7 stdtool(TToolCallBlock*) + 119
15  com.acdsystem.canvastool.ImageIO    0x00000001776a8859 cvtool_main(TToolCallBlock*) + 9
16  com.canvasgfx.Canvas-Draw5      0x000000010d722138 0x10d5b9000 + 1478968
17  com.canvasgfx.Canvas-Draw5      0x000000010e2bdf9a 0x10d5b9000 + 13651866
18  com.canvasgfx.Canvas-Draw5      0x000000010e2bd748 0x10d5b9000 + 13649736
19  com.canvasgfx.Canvas-Draw5      0x000000010e43c18d 0x10d5b9000 + 15217037
20  com.apple.AppKit                0x00007fff36306214 -[NSApplication _doOpenFile:ok:tryTemp:] + 376
21  com.apple.AppKit                0x00007fff35ee5337 -[NSApplication finishLaunching] + 2438
22  com.apple.AppKit                0x00007fff35ee4683 -[NSApplication run] + 250
23  com.apple.AppKit                0x00007fff35eb3a72 NSApplicationMain + 804
24  libdyld.dylib                   0x00007fff60761015 start + 1

log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=notl  (%rcx):instruction_address=0x000000017765b156:access_type=unknown:access_address=0x00000003c8272000:
Crash accessing invalid address.  Consider running it again with libgmalloc(3) to see if the log changes.

Timeline

2018-08-06 - Vendor Disclosure
2019-01-18 - Vendor Patched
2019-01-30 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.