Talos Vulnerability Report

TALOS-2018-0546

Computerinsel Photoline TIFF Samples Per Pixel Parsing Code Execution Vulnerability

April 11, 2018
CVE Number

CVE-2018-3861

Summary

A memory corruption vulnerability exists in the TIFF parsing functionality of Computerinsel Photoline 20.53. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

Tested Versions

Computerinsel Photoline 20.53 for OS X

Product URLs

https://www.pl32.com/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

Photoline is an image-processing tool used to modify and edit images, as well as other graphics-related material. This product has a large user base, and is popular in its field. The vulnerable component is in the handling of TIFF images. TIFF is a raster-based image format used in graphics editing projects, thus making it a very common file format for such an application.

The vulnerability arises in the parsing of a compressed tiled TIFF image. TIFF supports tiled images as part of the later extension and revision to the specification. Through this, images are able to have multiple tiles inside of a single image. The vulnerability arises in the processing and reading of these tiles.

The code responsible for reading the tiles is shown below.

          read_length = tile_length;
          read_width = tile_width;                                   [0]

          if ( read_length > 0 )
          {
            current_bit = bits_sample_shift * x_coord;
            counter = 0;
            do
            {
              user_int = get_tiff_data(v25, counter + y_coord);          [1]
              ob_addr = samples_per_pixel * current_bit + user_int;      
              if ( read_width * samples_per_pixel > 0 )                
              {

                  *ob_addr = *data_pointer;                              [2]
                  ...

              }
              data_buf_pointer += tile_width * bits_sample_shift * samps_per_pixel;
              ++counter;
            }
            while ( counter < read_length );

The tile information is calculated at [0], and a read loop is entered. The address to read data from is directly calculated from the TIFF image with no validation. Therefore at location [1], this value return is fully controlled by the attacker. This allows an arbitrary integer to be specified and leads to an erroneous value to be calculated. At location [2], this out-of-bounds space is written with other data taken from the image, thus creating an arbitrary out-of-bounds write. This could be exploited to gain code execution.

Crash Information

Crashed thread log = 
: Dispatch queue: com.apple.main-thread
0   de.pl32.photoline               0x0000000110590a76 0x10fd71000 + 8518262
1   de.pl32.photoline               0x000000011058eeee 0x10fd71000 + 8511214
2   de.pl32.photoline               0x000000011058dd14 0x10fd71000 + 8506644
3   de.pl32.photoline               0x00000001102e6d42 0x10fd71000 + 5725506
4   de.pl32.photoline               0x000000010ff23688 0x10fd71000 + 1779336
5   de.pl32.photoline               0x000000010ff233db 0x10fd71000 + 1778651
6   de.pl32.photoline               0x000000010ff807c2 0x10fd71000 + 2160578
7   de.pl32.photoline               0x000000011079cc0a 0x10fd71000 + 10664970
8   de.pl32.photoline               0x000000011079cfb2 0x10fd71000 + 10665906
9   com.apple.AppKit                0x00007fffafccfdd7 -[NSDocument _initWithContentsOfURL:ofType:error:] + 172
10  com.apple.AppKit                0x00007fffafccfcbc -[NSDocument initWithContentsOfURL:ofType:error:] + 231
11  com.apple.AppKit                0x00007fffafdad2b0 -[NSDocumentController makeDocumentWithContentsOfURL:ofType:error:] + 644
12  com.apple.AppKit                0x00007fffb0000470 __97-[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:]_block_invoke + 83
13  com.apple.AppKit                0x00007fffb0000412 -[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:] + 176
14  com.apple.AppKit                0x00007fffafdac2e6 __80-[NSDocumentController openDocumentWithContentsOfURL:display:completionHandler:]_block_invoke + 613
15  com.apple.AppKit                0x00007fffaffff48b __144-[NSDocumentController     
 _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_2.922 + 180
16  com.apple.AppKit                0x00007fffaffff3a7 __144-[NSDocumentController        
 _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke.921 + 138
17  com.apple.AppKit                0x00007fffaffff269 __144-[NSDocumentController 
 _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_4 + 267
18  com.apple.CoreFoundation        0x00007fffb1fd717c __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 12
19  com.apple.CoreFoundation        0x00007fffb1fb7f84 __CFRunLoopDoBlocks + 356
20  com.apple.CoreFoundation        0x00007fffb1fb7705 __CFRunLoopRun + 917
21  com.apple.CoreFoundation        0x00007fffb1fb7114 CFRunLoopRunSpecific + 420
22  com.apple.HIToolbox             0x00007fffb1517ebc RunCurrentEventLoopInMode + 240
23  com.apple.HIToolbox             0x00007fffb1517bf9 ReceiveNextEventCommon + 184
24  com.apple.HIToolbox             0x00007fffb1517b26 _BlockUntilNextEventMatchingListInModeWithFilter + 71
25  com.apple.AppKit                0x00007fffafaaea54 _DPSNextEvent + 1120
26  com.apple.AppKit                0x00007fffb022a7ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796
27  com.apple.AppKit                0x00007fffafaa33db -[NSApplication run] + 926
28  de.pl32.photoline               0x0000000110799a19 0x10fd71000 + 10652185
29  com.apple.AppKit                0x00007fffafa6de0e NSApplicationMain + 1237
30  de.pl32.photoline               0x000000010fd72d14 0x10fd71000 + 7444

log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb  %dl,  
(%rbx):instruction_address=0x0000000110590a76:access_type=write:access_address=0x0808008008080808:

Timeline

2018-03-27 - Vendor Disclosure
2018-04-11 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.