Talos Vulnerability Report

TALOS-2018-0544

ACD Systems Canvas Draw 4 Resolution_Set Out of Bounds Write Code Execution Vulnerability

July 19, 2018
CVE Number

CVE-2018-3860

Summary

An exploitable out-of-bounds write exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain the ability to execute code.

Tested Versions

ACDSystems Canvas Draw 4.0.0

Product URLs

https://www.canvasgfx.com/en/products/canvas-draw

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-Bounds Write

Details

Canvas Draw 4 is a graphics editing tool used to create and edit images, as well as other graphic-related material. This product has a large user base and is popular in its specific field. The vulnerable component is in the handling of TIFF images. TIFF is a raster-based image format used in graphics editing projects, thus making it a very common file format for such an application.

The vulnerability arises in the parsing of a tiled TIFF image with a specially crafted resolution tag and data. The initial crash is shown below.

* thread #1: tid = 0xce123, 0x0000000101f68221 ImageGear18`DIB_resolution_set + 22, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fff00000008)
    frame #0: 0x0000000101f68221 ImageGear18`DIB_resolution_set + 22
ImageGear18`DIB_resolution_set:
->  0x101f68221 <+22>: mov    qword ptr [rdi + 0x8], rdx
    0x101f68225 <+26>: mov    qword ptr [rdi + 0x10], rax
    0x101f68229 <+30>: mov    eax, dword ptr [rsi + 0x8]
    0x101f6822c <+33>: mov    qword ptr [rdi + 0x18], rax

     [rdi: 0x00007fff00000000]

Following the backtrace, we can see that the value of RDI has been incorrectly calculated. The location where it is set is shown below.

__text:0000000114F26A13                 lea     rcx, [rbp+var_40]                 [0]
__text:0000000114F26A17                 lea     r8, [rbp+var_38]
__text:0000000114F26A1B                 lea     rbx, [rbp+var_70]
__text:0000000114F26A1F                 mov     edx, 1
__text:0000000114F26A24                 mov     r9, rbx
__text:0000000114F26A27                 call    _IG_info_get_FD_ex                 [1]
__text:0000000114F26A2C                 mov     rdi, [rbx]      ; th

The address of a local variable is loaded into RCX [0] and then passed to the information-retrieval function _IG_info_get_FD_ex [1]. Going a bit further, the vulnerability becomes apparent.

__text:0000000101E46E83                  mov     r14, [rbp+user_buffer]
__text:0000000101E46E8C                  mov     dword ptr [r13+0], 0
__text:0000000101E46E99                  mov     dword ptr [r14], 0             [2]

The user-influenced address is loaded into the R14 register, and the four bytes at that address are then zeroed out in memory [2]. When this value is later used in DIB_resolution_set, shown above, the write lands out of bounds and an exploitable condition arises. By crafting a special TIFF image, an attacker could exploit this situation to gain code execution.
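As an added illustration (not code from this advisory or from ImageGear), a bounds-checked reader for the TIFF XResolution/YResolution tags: every file-supplied offset, including the RATIONAL value offset, is validated against the buffer length before it is dereferenced, and a constructed sample file plus a variant with an out-of-range offset show the accept and reject paths. The tag numbers and sample bytes follow the TIFF 6.0 layout and are assumptions, not values taken from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TAG_XRESOLUTION 282   /* XResolution tag (YResolution is 283) */
#define TYPE_RATIONAL   5     /* value is two uint32: numerator, denominator */
struct resolution { uint32_t num, den; };

/* Little-endian read of `len` (<=4) bytes that checks the offset against the buffer first. */
static int rd(const uint8_t *b, size_t n, size_t off, unsigned len, uint32_t *out) {
    if (off > n || n - off < len) return 0;
    *out = 0;
    for (unsigned i = 0; i < len; i++) *out |= (uint32_t)b[off + i] << (8 * i);
    return 1;
}

/* Returns 1 and fills *res if the first IFD has a well-formed `tag` entry; returns 0 for a
 * bad header, an IFD or value offset outside the buffer, a wrong type/count, or a zero
 * denominator. Every file-supplied offset is checked before it is dereferenced. */
int tiff_get_resolution(const uint8_t *b, size_t n, uint32_t tag, struct resolution *res) {
    uint32_t magic, ifd, count, t, type, cnt, voff;
    if (n < 8 || b[0] != 'I' || b[1] != 'I') return 0;           /* little-endian TIFF only */
    if (!rd(b, n, 2, 2, &magic) || magic != 42) return 0;
    if (!rd(b, n, 4, 4, &ifd) || !rd(b, n, ifd, 2, &count)) return 0;
    for (uint32_t i = 0; i < count; i++) {
        size_t e = (size_t)ifd + 2 + (size_t)i * 12;             /* 12-byte IFD entries */
        if (!rd(b, n, e, 2, &t) || !rd(b, n, e + 2, 2, &type) ||
            !rd(b, n, e + 4, 4, &cnt) || !rd(b, n, e + 8, 4, &voff)) return 0;
        if (t != tag) continue;
        if (type != TYPE_RATIONAL || cnt != 1) return 0;
        /* voff comes straight from the file: validate it before using it as an address */
        if (!rd(b, n, voff, 4, &res->num) || !rd(b, n, (size_t)voff + 4, 4, &res->den)) return 0;
        return res->den != 0;
    }
    return 0;
}

/* Constructed 34-byte TIFF (not from the advisory): one entry, XResolution 300/1 at offset 26. */
static const uint8_t SAMPLE[34] = {
    'I','I',42,0, 8,0,0,0, 1,0,                 /* header, first IFD at 8, one entry */
    0x1A,0x01, 5,0, 1,0,0,0, 26,0,0,0, 0,0,0,0, /* tag 282, RATIONAL, count 1, value at 26, no next IFD */
    0x2C,0x01,0,0, 1,0,0,0 };                   /* 300 / 1 */

int demo_good(void) {            /* well-formed file: returns the numerator, 300 */
    struct resolution r;
    return tiff_get_resolution(SAMPLE, sizeof SAMPLE, TAG_XRESOLUTION, &r) ? (int)r.num : -1;
}
int demo_bad_offset(void) {      /* value offset rewritten to 0xFFFFFFF0: parser must return 0 */
    uint8_t f[34]; struct resolution r;
    memcpy(f, SAMPLE, sizeof f);
    f[18] = 0xF0; f[19] = 0xFF; f[20] = 0xFF; f[21] = 0xFF;
    return tiff_get_resolution(f, sizeof f, TAG_XRESOLUTION, &r);
}
```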

Crash Information

Crashed thread log = 
: Dispatch queue: com.apple.main-thread
0   ImageGear18                     0x0000000110f8b221 DIB_resolution_set + 22
1   ImageGear18                     0x0000000110fd839e IG_DIB_resolution_set + 38
2   com.acdsystem.canvastool.ImageIO    0x000000016c006baa CIGReadFile_CB_ext::readFile() + 476
3   com.acdsystem.canvastool.ImageIO    0x000000016c033633 ImageGearAcquireProc(short, AcquireRecord*, int*, short*) + 722
4   com.acdsystem.canvastool.ImageIO    0x000000016c033bf2 ImageIORunAcquireProc(_ImageIOAcquireState*) + 750
5   com.acdsystem.canvastool.ImageIO    0x000000016c03178a 0x16bfb3000 + 518026
6   com.acdsystem.canvastool.ImageIO    0x000000016c032ef4 DoImportFile(ImportFileMsg*) + 817
7   com.acdsystem.canvastool.ImageIO    0x000000016bfe67c1 toolmain() + 917
8   com.acdsystem.canvastool.ImageIO    0x000000016c01290a stdtool(TToolCallBlock*) + 122
9   com.acdsystem.canvastool.ImageIO    0x000000016c012889 cvtool_main(TToolCallBlock*) + 9
10  com.acdsystems.Canvas-Draw4     0x000000010f1d45b0 0x10f09b000 + 1283504
11  com.acdsystems.Canvas-Draw4     0x000000010fca9b76 0x10f09b000 + 12643190
12  com.acdsystems.Canvas-Draw4     0x000000010fca9438 0x10f09b000 + 12641336
13  com.acdsystems.Canvas-Draw4     0x000000010fdd98a7 0x10f09b000 + 13887655
14  com.apple.AppKit                0x00007fffafee4bd3 -[NSApplication _doOpenFile:ok:tryTemp:] + 322
15  com.apple.AppKit                0x00007fffafaa3ba7 -[NSApplication finishLaunching] + 1624
16  com.apple.AppKit                0x00007fffafaa3148 -[NSApplication run] + 267
17  com.apple.AppKit                0x00007fffafa6de0e NSApplicationMain + 1237
18  libdyld.dylib                   0x00007fffc7734235 start + 1

log name is: ./crashlogs/f.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movq  %rdx,CONSTANT(%rdi):instruction_address=0x0000000110f8b221:access_type=write:access_address=0x00007fff00000030:
Crash accessing invalid address.

Timeline

2018-03-20 - Vendor Disclosure
2018-04-18 - 30 day follow up
2018-04-19 - Vendor escalated to Canvas development team
2018-05-02 - 45 day follow up
2018-06-25 - Vendor confirmed fix scheduled for next update
2018-07-19 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.