CVE-2018-3981
An exploitable out-of-bounds write exists in the TIFF-parsing functionality of Canvas Draw version 5.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.
ACDSystems Canvas Draw 5.0.0
https://www.canvasgfx.com/en/products/canvas-draw
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787: Out-of-Bounds Write
Canvas Draw 5 is a graphics editing tool used to create and edit images and to perform related image-editing tasks. The product has a large user base and is popular in the graphic design field. The vulnerable component is the handling of TIFF images. TIFF is a raster image format widely used in graphics-editing projects, which makes it a very common input format for an application of this kind.
The vulnerability arises in the parsing of a tiled TIFF image with a specially crafted resolution tag and data. The initial crash is shown below:
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7ffe00000030)
frame #0: 0x0000000102168221 ImageGear18`DIB_resolution_set + 22
ImageGear18`DIB_resolution_set:
-> 0x102168221 <+22>: mov qword ptr [rdi + 0x8], rdx
0x102168225 <+26>: mov qword ptr [rdi + 0x10], rax
0x102168229 <+30>: mov eax, dword ptr [rsi + 0x8]
0x10216822c <+33>: mov qword ptr [rdi + 0x18], rax
[rdi: 0x00007ffe00000028]
Following the backtrace, we can see that the value of RDI has been incorrectly calculated. The location where it is set is shown below.
__text:0000000114F26A13 lea rcx, [rbp+var_40] [0]
__text:0000000114F26A17 lea r8, [rbp+var_38]
__text:0000000114F26A1B lea rbx, [rbp+var_70]
__text:0000000114F26A1F mov edx, 1
__text:0000000114F26A24 mov r9, rbx
__text:0000000114F26A27 call _IG_info_get_FD_ex [1]
__text:0000000114F26A2C mov rdi, [rbx] ; th
The address of a stack variable is loaded into RCX [0] and passed, together with the other out-parameters, into the information-retrieval function _IG_info_get_FD_ex [1]; on return, the pointer that the function stored on the stack is loaded into RDI. Following a little further, the vulnerability becomes apparent.
__text:0000000101E46E83 mov r14, [rbp+user_buffer]
__text:0000000101E46E8C mov dword ptr [r13+0], 0
__text:0000000101E46E99 mov dword ptr [r14], 0 [2]
The user-influenced address is loaded into the R14 register and its lower four bytes are then zeroed out in memory [2]. When this value is later used as the destination pointer in DIB_resolution_set, shown above, the write lands at a truncated address (note RDI = 0x00007ffe00000028 in the crash), causing an out-of-bounds write and an exploitable condition. An attacker could exploit this situation to gain code execution by crafting a special TIFF image.
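The root cause above is a resolution value being written through a pointer that was taken from the file-derived state without validation. As an added example for this write-up (not ImageGear or Canvas Draw code; the struct, function names and the constructed sample file are all hypothetical), the following minimal little-endian TIFF IFD walker shows the check a hardened reader needs at this point: XResolution and YResolution (tags 282 and 283) are RATIONAL values, so the 4-byte value field is an offset into the file, and that offset must be bounds-checked against the buffer before the two uint32s behind it are read and copied into the image's resolution fields. The second sample points a resolution offset far outside the file, the same shape of input the advisory describes.

```c
/* Added example for this advisory: a bounds-checked extraction of the TIFF
 * resolution tags. Illustrative code only; not ImageGear/Canvas Draw source.
 * dib_resolution_t and the function names below are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint32_t xres_num, xres_den;   /* XResolution as numerator/denominator */
    uint32_t yres_num, yres_den;   /* YResolution as numerator/denominator */
    uint16_t unit;                 /* ResolutionUnit: 1 none, 2 inch, 3 cm */
    int      valid;                /* set only after every check passed */
} dib_resolution_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)((v >> (8 * i)) & 0xff);
}

/* Returns 0 on success, a negative code on malformed input. Every offset taken
 * from the file is checked against len before it is dereferenced, so a crafted
 * resolution tag cannot steer a read (or a later write) outside the buffer. */
int tiff_read_resolution(const uint8_t *buf, size_t len, dib_resolution_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 8 || memcmp(buf, "II", 2) != 0 || rd16(buf + 2) != 42) return -1;
    uint32_t ifd = rd32(buf + 4);
    if (ifd < 8 || ifd > len - 2) return -2;              /* IFD offset outside file */
    uint16_t n = rd16(buf + ifd);
    if ((size_t)n * 12 > len - ifd - 2) return -3;         /* IFD entries run past EOF */
    int have_x = 0, have_y = 0;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint16_t tag = rd16(e), type = rd16(e + 2);
        uint32_t count = rd32(e + 4), val = rd32(e + 8);
        switch (tag) {
        case 282: case 283: {          /* XResolution / YResolution: RATIONAL, count 1 */
            if (type != 5 || count != 1) return -4;
            /* RATIONAL is 8 bytes, so val is an offset: it must leave room for 8 bytes */
            if (val > len || len - val < 8) return -5;
            uint32_t num = rd32(buf + val), den = rd32(buf + val + 4);
            if (den == 0) return -6;
            if (tag == 282) { out->xres_num = num; out->xres_den = den; have_x = 1; }
            else            { out->yres_num = num; out->yres_den = den; have_y = 1; }
            break;
        }
        case 296:                       /* ResolutionUnit: SHORT stored inline */
            if (type != 3 || count != 1) return -7;
            out->unit = (uint16_t)(val & 0xffff);
            if (out->unit < 1 || out->unit > 3) return -8;
            break;
        default: break;                 /* other tags are not needed here */
        }
    }
    if (!have_x || !have_y) return -9;
    out->valid = 1;
    return 0;
}

/* Constructed 66-byte TIFF: header, one IFD with three entries, two RATIONALs
 * at offsets 50 and 58. The resolution offsets are parameters so a caller can
 * point them outside the file, as a crafted image would. */
size_t build_tiff(uint8_t *buf, uint32_t xres_off, uint32_t yres_off)
{
    memcpy(buf, "II", 2); wr16(buf + 2, 42); wr32(buf + 4, 8);
    wr16(buf + 8, 3);
    uint8_t *e = buf + 10;
    wr16(e, 282); wr16(e + 2, 5); wr32(e + 4, 1); wr32(e + 8, xres_off); e += 12;
    wr16(e, 283); wr16(e + 2, 5); wr32(e + 4, 1); wr32(e + 8, yres_off); e += 12;
    wr16(e, 296); wr16(e + 2, 3); wr32(e + 4, 1); wr32(e + 8, 2);        e += 12;
    wr32(e, 0);                                 /* no next IFD */
    wr32(buf + 50, 300); wr32(buf + 54, 1);     /* XResolution 300/1 */
    wr32(buf + 58, 300); wr32(buf + 62, 1);     /* YResolution 300/1 */
    return 66;
}

/* Builds the constructed file with the given offsets and parses it. */
int parse_constructed(uint32_t xres_off, uint32_t yres_off, dib_resolution_t *out)
{
    uint8_t buf[66];
    size_t n = build_tiff(buf, xres_off, yres_off);
    return tiff_read_resolution(buf, n, out);
}

int main(void)
{
    dib_resolution_t r;
    int rc = parse_constructed(50, 58, &r);
    printf("well-formed: rc=%d x=%u/%u y=%u/%u unit=%u\n", rc, r.xres_num, r.xres_den, r.yres_num, r.yres_den, r.unit);
    rc = parse_constructed(50, 0x7ffe0000u, &r);   /* YResolution offset far outside the file */
    printf("crafted:     rc=%d valid=%d\n", rc, r.valid);
    return 0;
}
```

The crafted case is rejected at the offset check (rc -5) before any byte behind the bogus offset is touched, and the output structure stays zeroed, which is the behaviour a consumer such as a resolution-set routine should be able to rely on.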
Crashed thread log =
: Dispatch queue: com.apple.main-thread
0 ImageGear18 0x000000010fa59221 DIB_resolution_set + 22
1 ImageGear18 0x000000010faa639e IG_DIB_resolution_set + 38
2 com.acdsystem.canvastool.ImageIO 0x000000017da92ae7 CIGReadFile_CB_ext::readFile() + 465
3 com.acdsystem.canvastool.ImageIO 0x000000017dabfc1b ImageGearAcquireProc(short, AcquireRecord*, int*, short*) + 915
4 com.acdsystem.canvastool.ImageIO 0x000000017dac0104 ImageIORunAcquireProc(_ImageIOAcquireState*) + 744
5 com.acdsystem.canvastool.ImageIO 0x000000017dabd97b 0x17da3e000 + 522619
6 com.acdsystem.canvastool.ImageIO 0x000000017dabf49d DoImportFile(ImportFileMsg*) + 1121
7 com.acdsystem.canvastool.ImageIO 0x000000017da72ab3 toolmain() + 970
8 com.acdsystem.canvastool.ImageIO 0x000000017da9e8d7 stdtool(TToolCallBlock*) + 119
9 com.acdsystem.canvastool.ImageIO 0x000000017da9e859 cvtool_main(TToolCallBlock*) + 9
10 com.canvasgfx.Canvas-Draw5 0x000000010dadf138 0x10d976000 + 1478968
11 com.canvasgfx.Canvas-Draw5 0x000000010e67af9a 0x10d976000 + 13651866
12 com.canvasgfx.Canvas-Draw5 0x000000010e67a748 0x10d976000 + 13649736
13 com.canvasgfx.Canvas-Draw5 0x000000010e7f918d 0x10d976000 + 15217037
14 com.apple.AppKit 0x00007fff36306214 -[NSApplication _doOpenFile:ok:tryTemp:] + 376
15 com.apple.AppKit 0x00007fff35ee5337 -[NSApplication finishLaunching] + 2438
16 com.apple.AppKit 0x00007fff35ee4683 -[NSApplication run] + 250
17 com.apple.AppKit 0x00007fff35eb3a72 NSApplicationMain + 804
18 libdyld.dylib 0x00007fff60761015 start + 1
log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movq %rdx,CONSTANT(%rdi):instruction_address=0x000000010fa59221:access_type=write:access_address=0x00007ffe00000030:
Crash accessing invalid address.
2018-08-06 - Vendor Disclosure
2018-01-18 - Vendor Patched
2019-01-30 - Public Release
Discovered by Tyler Bohan of Cisco Talos.