CVE-2018-3860
An exploitable out-of-bounds write exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain the ability to execute code.
ACDSystems Canvas Draw 4.0.0
https://www.canvasgfx.com/en/products/canvas-draw
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787: Out-of-Bounds Write
Canvas Draw 4 is a graphics editing tool used to create and edit images, as well as other graphic-related material. This product has a large user base and is popular in its specific field. The vulnerable component is in the handling of TIFF images. TIFF is a raster-based image format used in graphics editing projects, thus making it a very common file format for such an application.
The vulnerability arises in the parsing of a tiled TIFF image with a specially crafted resolution tag and data. The initial crash is shown below.
* thread #1: tid = 0xce123, 0x0000000101f68221 ImageGear18`DIB_resolution_set + 22, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fff00000008)
frame #0: 0x0000000101f68221 ImageGear18`DIB_resolution_set + 22
ImageGear18`DIB_resolution_set:
-> 0x101f68221 <+22>: mov qword ptr [rdi + 0x8], rdx
0x101f68225 <+26>: mov qword ptr [rdi + 0x10], rax
0x101f68229 <+30>: mov eax, dword ptr [rsi + 0x8]
0x101f6822c <+33>: mov qword ptr [rdi + 0x18], rax
[rdi: 0x00007fff00000000]
Following the backtrace, we can see that the value of RDI has been incorrectly calculated. The location where it is set is shown below.
__text:0000000114F26A13 lea rcx, [rbp+var_40] [0]
__text:0000000114F26A17 lea r8, [rbp+var_38]
__text:0000000114F26A1B lea rbx, [rbp+var_70]
__text:0000000114F26A1F mov edx, 1
__text:0000000114F26A24 mov r9, rbx
__text:0000000114F26A27 call _IG_info_get_FD_ex [1]
__text:0000000114F26A2C mov rdi, [rbx] ; th
The address in memory is loaded into RCX [0] and then passed into an information-retrieval function [1]. Going a bit further, the vulnerability becomes apparent.
__text:0000000101E46E83 mov r14, [rbp+user_buffer]
__text:0000000101E46E8C mov dword ptr [r13+0], 0
__text:0000000101E46E99 mov dword ptr [r14], 0 [2]
The user-influenced address is loaded into the R14 register, and the lower four bytes of the value stored there are then zeroed out in memory [2]. When this value is later used in DIB_resolution_set, shown above, it causes an out-of-bounds write and an exploitable condition. By crafting a special TIFF image, an attacker could exploit this situation to gain code execution.
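The defensive counterpart to the flaw described above, as an added example that is not ImageGear or Canvas Draw code: a hypothetical bounds-checked reader for the TIFF XResolution/YResolution tags (tag numbers 282/283, type RATIONAL) that refuses any value offset lying outside the file, so a crafted offset is never turned into a pointer that the caller later writes through. It assumes a little-endian ("II") TIFF and uses a constructed 54-byte sample; the exact malformed data from the advisory is not on the page and is not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
enum { TAG_XRES = 282, TAG_YRES = 283, TYPE_RATIONAL = 5 };
struct resolution { uint32_t xnum, xden, ynum, yden; };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Hypothetical checked reader: 1 on success, 0 if malformed. Little-endian ("II") TIFF only. */
int parse_resolution(const uint8_t *buf, size_t len, struct resolution *out)
{
    if (len < 8 || memcmp(buf, "II*\0", 4) != 0) return 0;
    uint32_t ifd = rd32(buf + 4);
    if (ifd > len || len - ifd < 2) return 0;            /* IFD header must lie inside the file */
    uint16_t n = rd16(buf + ifd);
    if ((len - ifd - 2) / 12 < n) return 0;              /* every 12-byte entry must fit */
    memset(out, 0, sizeof *out);
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint16_t tag = rd16(e), type = rd16(e + 2);
        uint32_t count = rd32(e + 4), off = rd32(e + 8);
        if (tag != TAG_XRES && tag != TAG_YRES) continue;
        if (type != TYPE_RATIONAL || count != 1) return 0;
        /* The 8-byte RATIONAL lives at 'off'; never follow an offset past the end of the buffer. */
        if (off > len || len - off < 8) return 0;
        uint32_t num = rd32(buf + off), den = rd32(buf + off + 4);
        if (den == 0) return 0;
        if (tag == TAG_XRES) { out->xnum = num; out->xden = den; }
        else                 { out->ynum = num; out->yden = den; }
    }
    return out->xden != 0 && out->yden != 0;             /* both tags seen */
}

/* Constructed 54-byte sample, not a real Canvas Draw input: header, IFD, two RATIONALs. */
static const uint8_t SAMPLE[54] = {
    'I','I',42,0, 8,0,0,0, 2,0,                        /* "II*\0", first IFD at 8, 2 entries */
    26,1, 5,0, 1,0,0,0, 38,0,0,0,                      /* tag 282 XResolution, RATIONAL, count 1, value at 38 */
    27,1, 5,0, 1,0,0,0, 46,0,0,0,                      /* tag 283 YResolution, RATIONAL, count 1, value at 46 */
    0,0,0,0, 44,1,0,0, 1,0,0,0, 72,0,0,0, 1,0,0,0 };   /* next IFD = 0; 300/1; 72/1 */

int sample_x_dpi(void) {                                /* returns 300 for SAMPLE */
    struct resolution r; return parse_resolution(SAMPLE, sizeof SAMPLE, &r) ? (int)(r.xnum / r.xden) : -1;
}
/* Same bytes with YResolution's value offset moved far past the file: must be rejected. */
int crafted_is_rejected(void) {
    uint8_t buf[54]; struct resolution r;
    memcpy(buf, SAMPLE, 54);
    buf[30] = 0xF0; buf[31] = buf[32] = buf[33] = 0xFF;  /* offset 0xFFFFFFF0 */
    return parse_resolution(buf, 54, &r) == 0;
}
```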
Crashed thread log =
: Dispatch queue: com.apple.main-thread
0 ImageGear18 0x0000000110f8b221 DIB_resolution_set + 22
1 ImageGear18 0x0000000110fd839e IG_DIB_resolution_set + 38
2 com.acdsystem.canvastool.ImageIO 0x000000016c006baa CIGReadFile_CB_ext::readFile() + 476
3 com.acdsystem.canvastool.ImageIO 0x000000016c033633 ImageGearAcquireProc(short, AcquireRecord*, int*, short*) + 722
4 com.acdsystem.canvastool.ImageIO 0x000000016c033bf2 ImageIORunAcquireProc(_ImageIOAcquireState*) + 750
5 com.acdsystem.canvastool.ImageIO 0x000000016c03178a 0x16bfb3000 + 518026
6 com.acdsystem.canvastool.ImageIO 0x000000016c032ef4 DoImportFile(ImportFileMsg*) + 817
7 com.acdsystem.canvastool.ImageIO 0x000000016bfe67c1 toolmain() + 917
8 com.acdsystem.canvastool.ImageIO 0x000000016c01290a stdtool(TToolCallBlock*) + 122
9 com.acdsystem.canvastool.ImageIO 0x000000016c012889 cvtool_main(TToolCallBlock*) + 9
10 com.acdsystems.Canvas-Draw4 0x000000010f1d45b0 0x10f09b000 + 1283504
11 com.acdsystems.Canvas-Draw4 0x000000010fca9b76 0x10f09b000 + 12643190
12 com.acdsystems.Canvas-Draw4 0x000000010fca9438 0x10f09b000 + 12641336
13 com.acdsystems.Canvas-Draw4 0x000000010fdd98a7 0x10f09b000 + 13887655
14 com.apple.AppKit 0x00007fffafee4bd3 -[NSApplication _doOpenFile:ok:tryTemp:] + 322
15 com.apple.AppKit 0x00007fffafaa3ba7 -[NSApplication finishLaunching] + 1624
16 com.apple.AppKit 0x00007fffafaa3148 -[NSApplication run] + 267
17 com.apple.AppKit 0x00007fffafa6de0e NSApplicationMain + 1237
18 libdyld.dylib 0x00007fffc7734235 start + 1
log name is: ./crashlogs/f.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movq %rdx,CONSTANT(%rdi):instruction_address=0x0000000110f8b221:access_type=write:access_address=0x00007fff00000030:
Crash accessing invalid address.
2018-03-20 - Vendor Disclosure
2018-04-18 - 30 day follow up
2018-04-19 - Vendor escalated to Canvas development team
2018-05-02 - 45 day follow up
2018-06-25 - Vendor confirmed fix scheduled for next update
2018-07-19 - Public Release
Discovered by Tyler Bohan of Cisco Talos.