CVE-2018-3861
A memory corruption vulnerability exists in the TIFF parsing functionality of Computerinsel Photoline 20.53. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.
Computerinsel Photoline 20.53 for OS X
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write
Photoline is an image-processing tool used to modify and edit images, as well as other graphics-related material. This product has a large user base, and is popular in its field. The vulnerable component is in the handling of TIFF images. TIFF is a raster-based image format used in graphics editing projects, thus making it a very common file format for such an application.
The vulnerability arises in the parsing of a compressed tiled TIFF image. Tiled images were added to TIFF in a later revision of the specification; they let a single image be stored as multiple rectangular tiles, each with its own position and size. The vulnerability lies in the processing and reading of these tiles.
The code responsible for reading the tiles is shown below.
read_length = tile_length;
read_width = tile_width;                                   /* [0] tile geometry taken from the file */
if ( read_length > 0 )
{
    current_bit = bits_sample_shift * x_coord;             /* horizontal pixel offset of the tile */
    counter = 0;
    do
    {
        user_int = get_tiff_data(v25, counter + y_coord);  /* [1] row index comes from the file, never validated */
        ob_addr = samples_per_pixel * current_bit + user_int;
        if ( read_width * samples_per_pixel > 0 )
        {
            *ob_addr = *data_pointer;                      /* [2] write through the computed address */
            ...
        }
        data_buf_pointer += tile_width * bits_sample_shift * samps_per_pixel;
        ++counter;
    }
    while ( counter < read_length );
}
The tile dimensions are taken from the file at [0], and a per-row read loop is entered. The row index passed to the lookup at [1] is computed directly from the tile position and length stored in the TIFF image, with no validation against the image's real dimensions, so the value returned there is fully attacker-controlled. An arbitrary integer can therefore be supplied, and the destination address (ob_addr) derived from it is erroneous. At location [2], that out-of-bounds address is written with other data taken from the image, yielding an arbitrary out-of-bounds write. This could be exploited to gain code execution.
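The missing checks, shown as an added example that is not Photoline's code: a tile copy that validates the file-supplied tile position and size against the canvas before any row pointer is looked up. The per-row pointer table (rows[]) and the canvas_t layout are assumptions that model what the get_tiff_data() lookup above appears to do.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the advisory's tile copy loop (not Photoline's code).
 * The canvas is addressed through a per-row pointer table; x, y and the tile
 * geometry all come from untrusted TIFF tags. */
typedef struct {
    uint8_t **rows;   /* rows[i] points at row i of the decoded image */
    size_t width;     /* pixels per row */
    size_t height;    /* number of rows, i.e. the valid indices into rows[] */
    size_t spp;       /* samples (bytes, at 8 bits) per pixel */
} canvas_t;

/* Copy a tile_w x tile_h tile whose top-left pixel is (x, y) onto the canvas.
 * Returns 0 on success, -1 if the tile would not fit. Every check runs before
 * any row pointer is read, so hostile tile geometry can no longer index rows[]
 * out of bounds or push the write past the right edge of a row. */
int copy_tile_checked(canvas_t *img, uint32_t x, uint32_t y,
                      uint32_t tile_w, uint32_t tile_h, const uint8_t *src)
{
    if (img->spp == 0 || tile_w > SIZE_MAX / img->spp) return -1;  /* size overflow */
    if (x >= img->width  || tile_w > img->width  - x) return -1;   /* right edge */
    if (y >= img->height || tile_h > img->height - y) return -1;   /* bottom edge */
    size_t row_bytes = (size_t)tile_w * img->spp;
    for (uint32_t r = 0; r < tile_h; r++) {
        uint8_t *dst = img->rows[y + r] + (size_t)x * img->spp;    /* y + r < height */
        memcpy(dst, src + (size_t)r * row_bytes, row_bytes);
    }
    return 0;
}

/* Self-check on a constructed 4x4 single-sample canvas: a 2x2 tile at (1,1)
 * is accepted and lands in the right cells; the same tile at (3,3) and a
 * 2x5 tile at (0,0) are rejected. Returns 1 when all three behave. */
int run_demo(void)
{
    uint8_t pix[4][4] = {{0}};
    uint8_t *rows[4] = { pix[0], pix[1], pix[2], pix[3] };
    canvas_t img = { rows, 4, 4, 1 };
    const uint8_t tile[4] = { 0xA1, 0xA2, 0xA3, 0xA4 };          /* constructed tile data */
    int ok = copy_tile_checked(&img, 1, 1, 2, 2, tile) == 0;
    ok = ok && pix[1][1] == 0xA1 && pix[1][2] == 0xA2
            && pix[2][1] == 0xA3 && pix[2][2] == 0xA4 && pix[0][0] == 0;
    ok = ok && copy_tile_checked(&img, 3, 3, 2, 2, tile) == -1;  /* runs past the right edge */
    ok = ok && copy_tile_checked(&img, 0, 0, 2, 5, tile) == -1;  /* runs past the bottom */
    return ok;
}
```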
Crashed thread log =
: Dispatch queue: com.apple.main-thread
0 de.pl32.photoline 0x0000000110590a76 0x10fd71000 + 8518262
1 de.pl32.photoline 0x000000011058eeee 0x10fd71000 + 8511214
2 de.pl32.photoline 0x000000011058dd14 0x10fd71000 + 8506644
3 de.pl32.photoline 0x00000001102e6d42 0x10fd71000 + 5725506
4 de.pl32.photoline 0x000000010ff23688 0x10fd71000 + 1779336
5 de.pl32.photoline 0x000000010ff233db 0x10fd71000 + 1778651
6 de.pl32.photoline 0x000000010ff807c2 0x10fd71000 + 2160578
7 de.pl32.photoline 0x000000011079cc0a 0x10fd71000 + 10664970
8 de.pl32.photoline 0x000000011079cfb2 0x10fd71000 + 10665906
9 com.apple.AppKit 0x00007fffafccfdd7 -[NSDocument _initWithContentsOfURL:ofType:error:] + 172
10 com.apple.AppKit 0x00007fffafccfcbc -[NSDocument initWithContentsOfURL:ofType:error:] + 231
11 com.apple.AppKit 0x00007fffafdad2b0 -[NSDocumentController makeDocumentWithContentsOfURL:ofType:error:] + 644
12 com.apple.AppKit 0x00007fffb0000470 __97-[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:]_block_invoke + 83
13 com.apple.AppKit 0x00007fffb0000412 -[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:] + 176
14 com.apple.AppKit 0x00007fffafdac2e6 __80-[NSDocumentController openDocumentWithContentsOfURL:display:completionHandler:]_block_invoke + 613
15 com.apple.AppKit 0x00007fffaffff48b __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_2.922 + 180
16 com.apple.AppKit 0x00007fffaffff3a7 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke.921 + 138
17 com.apple.AppKit 0x00007fffaffff269 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_4 + 267
18 com.apple.CoreFoundation 0x00007fffb1fd717c __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 12
19 com.apple.CoreFoundation 0x00007fffb1fb7f84 __CFRunLoopDoBlocks + 356
20 com.apple.CoreFoundation 0x00007fffb1fb7705 __CFRunLoopRun + 917
21 com.apple.CoreFoundation 0x00007fffb1fb7114 CFRunLoopRunSpecific + 420
22 com.apple.HIToolbox 0x00007fffb1517ebc RunCurrentEventLoopInMode + 240
23 com.apple.HIToolbox 0x00007fffb1517bf9 ReceiveNextEventCommon + 184
24 com.apple.HIToolbox 0x00007fffb1517b26 _BlockUntilNextEventMatchingListInModeWithFilter + 71
25 com.apple.AppKit 0x00007fffafaaea54 _DPSNextEvent + 1120
26 com.apple.AppKit 0x00007fffb022a7ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796
27 com.apple.AppKit 0x00007fffafaa33db -[NSApplication run] + 926
28 de.pl32.photoline 0x0000000110799a19 0x10fd71000 + 10652185
29 com.apple.AppKit 0x00007fffafa6de0e NSApplicationMain + 1237
30 de.pl32.photoline 0x000000010fd72d14 0x10fd71000 + 7444
log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb %dl,(%rbx):instruction_address=0x0000000110590a76:access_type=write:access_address=0x0808008008080808:
2018-03-27 - Vendor Disclosure
2018-04-11 - Public Release
Discovered by Tyler Bohan of Cisco Talos.