CVE-2018-3859
An exploitable out-of-bounds write exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.
Tested Versions: ACDSystems Canvas Draw 4.0.0
Product URL: https://www.canvasgfx.com/en/products/canvas-draw
CVSSv3 Score: 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787: Out-of-Bounds Write
Canvas Draw 4 is a graphics editing tool used to create and edit images, as well as other graphic-related material. This product has a large user base and is popular in its specific field. The vulnerable component is in the handling of TIFF images. TIFF is a raster-based image format used in graphics editing projects, thus making it a very common file format for such an application.
The vulnerability arises in the parsing of a tiled TIFF image that uses the Adobe Deflate compression scheme. This compression algorithm is not one of the baseline TIFF compression schemes; it was added as an extension by Adobe and uses the lossless Deflate algorithm in the zlib compressed data format. The Canvas Draw application supports this compression format and is able to handle files using it. The vulnerability arises while building a Huffman table. Huffman coding is one of the two components of the Deflate encoding scheme (the other being LZ77 back-references).
When using the Deflate encoding scheme, the application takes user data directly from the TIFF image without validation. The initial crash is shown below.
* thread #1: tid = 0x92a99, 0x0000000101e01273 ImageGear18`_DFL_huff_table_build + 410, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x39c5ec80)
frame #0: 0x0000000101e01273 ImageGear18`_DFL_huff_table_build + 410
ImageGear18`_DFL_huff_table_build:
-> 0x101e01273 <+410>: mov dword ptr [rax + 4*rsi], edx
0x101e01276 <+413>: add r12, 0x4
0x101e0127a <+417>: add r14, 0x2
0x101e0127e <+421>: dec r15d
The value inside of RSI has come directly from the TIFF data field. Below is the relevant code leading up to the out-of-bounds write.
movzx edx, [rbp+rcx*2+int_buffer] [0]
lea esi, [rdx+1] [1]
mov [rbp+rcx*2+int_buffer], si
mov [r12], dx
movzx edx, word ptr [r14]
movsxd rsi, [rbp+rcx*4+int_2]
lea edi, [rsi+1]
mov [rbp+rcx*4+int_2], edi
mov [rax+rsi*4], edx [2]
The value inside of RCX at [0] is controlled via the compressed data inside the TIFF image. The value loaded at [0] is incremented and placed into ESI at [1]. After some further data shuffling, we reach the use at [2], where the value in RSI is used as an index and a user-controlled value (EDX) is written. This leads to an exploitable out-of-bounds write condition. By using specially crafted data, an attacker could gain the ability to execute code through this vulnerability.
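The Huffman-table construction described above, as an added illustrative example that is not the ImageGear or Canvas Draw code: a generic RFC 1951 canonical-code builder (in the style of zlib's puff.c) showing the length-range and over-subscription checks that keep a stream-supplied code length from indexing past the count and symbol tables. Type and function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical canonical-Huffman table build after RFC 1951 section 3.2.2.
 * Added example code, not the vendor's implementation. */
#define MAX_BITS  15   /* longest Deflate code length */
#define MAX_CODES 288  /* literal/length alphabet size */

typedef struct {
    uint16_t count[MAX_BITS + 1]; /* number of codes of each bit length */
    uint16_t symbol[MAX_CODES];   /* symbols ordered by canonical code */
} huff_table;

/* Returns 0 on success, -1 if a code length exceeds MAX_BITS, -2 if the
 * symbol count exceeds the table, -3 if the code lengths are over-subscribed. */
int huff_table_build(huff_table *h, const uint8_t *lengths, int nsym)
{
    uint16_t offs[MAX_BITS + 2];
    int left;

    memset(h, 0, sizeof *h);
    if (nsym > MAX_CODES) return -2;
    for (int s = 0; s < nsym; s++) {
        /* Without this check a stream-supplied length > MAX_BITS indexes
         * count[] out of bounds (the "[0]" pattern in the disassembly). */
        if (lengths[s] > MAX_BITS) return -1;
        h->count[lengths[s]]++;
    }
    /* Kraft inequality: an over-subscribed length set is not a valid code. */
    left = 1;
    for (int len = 1; len <= MAX_BITS; len++) {
        left <<= 1;
        left -= h->count[len];
        if (left < 0) return -3;
    }
    /* Offset of the first code of each length into symbol[]. */
    offs[1] = 0;
    for (int len = 1; len <= MAX_BITS; len++)
        offs[len + 1] = (uint16_t)(offs[len] + h->count[len]);
    /* Place symbols. With validated lengths every offs[len] stays below the
     * number of non-zero-length symbols, so this write (the "[2]" pattern)
     * cannot leave symbol[]. */
    for (int s = 0; s < nsym; s++)
        if (lengths[s] != 0)
            h->symbol[offs[lengths[s]]++] = (uint16_t)s;
    return 0;
}
```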
Crashed thread log:
Dispatch queue: com.apple.main-thread
0 ImageGear18 0x000000010f9c3273 _DFL_huff_table_build + 410
1 ImageGear18 0x000000010f9c38af _DFL_dynamic_huffman_get + 1437
2 ImageGear18 0x000000010f9c3aa6 DFL_uncompress + 281
3 ImageGear18 0x000000010fb33c1d _TIF_read + 3642
4 ImageGear18 0x000000010fb32d85 TIF_read + 261
5 ImageGear18 0x000000010fa2fdfd GPb_fltrm_READ_call_param + 178
6 ImageGear18 0x000000010fa2fd45 GPb_fltrm_READ_call + 21
7 ImageGear18 0x000000010fa06bbf iIG_load_FD_CB_ex + 411
8 ImageGear18 0x000000010fb783b6 IG_load_FD_CB_ex + 91
9 com.acdsystem.canvastool.ImageIO 0x000000016a77ed12 CIGReadFile_CB_ext::readFile() + 836
10 com.acdsystem.canvastool.ImageIO 0x000000016a7ab633 ImageGearAcquireProc(short, AcquireRecord*, int*, short*) + 722
11 com.acdsystem.canvastool.ImageIO 0x000000016a7abbf2 ImageIORunAcquireProc(_ImageIOAcquireState*) + 750
12 com.acdsystem.canvastool.ImageIO 0x000000016a7a978a 0x16a72b000 + 518026
13 com.acdsystem.canvastool.ImageIO 0x000000016a7aaef4 DoImportFile(ImportFileMsg*) + 817
14 com.acdsystem.canvastool.ImageIO 0x000000016a75e7c1 toolmain() + 917
15 com.acdsystem.canvastool.ImageIO 0x000000016a78a90a stdtool(TToolCallBlock*) + 122
16 com.acdsystem.canvastool.ImageIO 0x000000016a78a889 cvtool_main(TToolCallBlock*) + 9
17 com.acdsystems.Canvas-Draw4 0x000000010dd6f5b0 0x10dc36000 + 1283504
18 com.acdsystems.Canvas-Draw4 0x000000010e844b76 0x10dc36000 + 12643190
19 com.acdsystems.Canvas-Draw4 0x000000010e844438 0x10dc36000 + 12641336
20 com.acdsystems.Canvas-Draw4 0x000000010e9748a7 0x10dc36000 + 13887655
21 com.apple.AppKit 0x00007fffafee4bd3 -[NSApplication _doOpenFile:ok:tryTemp:] + 322
22 com.apple.AppKit 0x00007fffafaa3ba7 -[NSApplication finishLaunching] + 1624
23 com.apple.AppKit 0x00007fffafaa3148 -[NSApplication run] + 267
24 com.apple.AppKit 0x00007fffafa6de0e NSApplicationMain + 1237
25 libdyld.dylib 0x00007fffc7734235 start + 1
log name is: ./crashlogs/f.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movl %edx,(%rax,%rsi,4):instruction_address=0x000000010f9c3273:access_type=write:access_address=0x00000008bd5cbba0:
Crash accessing invalid address.
2018-03-20 - Vendor Disclosure
2018-04-18 - 30 day follow up
2018-04-19 - Vendor escalated to Canvas development team
2018-05-02 - 45 day follow up
2018-06-25 - Vendor confirmed fix scheduled for next update
2018-07-19 - Public Release
Discovered by Tyler Bohan of Cisco Talos.