Talos Vulnerability Report

TALOS-2018-0547

Computerinsel Photoline TIFF Bits Per Pixel Parsing Code Execution Vulnerability

April 11, 2018
CVE Number

CVE-2018-3862

Summary

A memory corruption vulnerability exists in the TIFF parsing functionality of Computerinsel Photoline 20.53. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

Tested Versions

Computerinsel Photoline 20.53 for OS X

Product URLs

https://www.pl32.com/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

Photoline is an image-processing tool used to modify and edit images, as well as other graphic-related material. This product has a large user base, and is popular in its field. The vulnerable component is in the handling of TIFF images. TIFF is a raster-based image format used in graphics editing projects, thus making it a very common file format for such an application.

The vulnerability arises in the parsing of a compressed tiled TIFF image. TIFF supports tiled images as part of a later extension and revision of the specification, which lets a single image be split into multiple tiles. The vulnerability arises in the processing and reading of these tiles. Each image also specifies its own bits per sample value, and by crafting a TIFF image an attacker can steer the code into the vulnerable path shown below.

    user_int = user_data_func(v40, v16);                            // value read from the TIFF file   [0]
    width = calc_width(*(v40 + 20));                                // width also taken from the image
    v5 = v41;
    parsing_loop(v41, v39, (sample * width + user_int), 1, v42);    // destination derived from the above   [1]

The function that calls into the parsing of a tile is shown above. Data taken from the TIFF image is shown at [0] and is subsequently passed directly into the next call. The width parameter is also specified via the image, allowing an attacker to control the program path that is taken. Below is the relevant code for the parsing loop.

    switch (bits_per_sample - 1)                                    // selector comes from the BitsPerSample tag   [2]
    {
        case 7u:                                                    // 8 bits per sample
            for ( ; im_width; arg_3 += (signed int)a5 )             // arg_3 is the attacker-influenced destination   [3]
            {
                --im_width;
                v20 = *a2;
                a2 += v5;
                *arg_3 = v20;                                       // unchecked write   [4]
            }
            break;

At location [2], the switch variable has been taken from the BitsPerSample tag inside the image, which lets the attacker select the specific case in which arg_3 [3], passed in from the code shown above, is used as the write destination. Because this address is influenced by the image, it can be pushed out of bounds, and it is then written to at location [4]. This yields an arbitrary out-of-bounds write, leading to an exploitable condition.

Crash Information

Crashed thread log = 
: Dispatch queue: com.apple.main-thread
0   de.pl32.photoline               0x000000010e2d31a1 0x10dab2000 + 8524193
1   de.pl32.photoline               0x000000010e2d03bf 0x10dab2000 + 8512447
2   de.pl32.photoline               0x000000010e2ced38 0x10dab2000 + 8506680
3   de.pl32.photoline               0x000000010e027d42 0x10dab2000 + 5725506
4   de.pl32.photoline               0x000000010dc64688 0x10dab2000 + 1779336
5   de.pl32.photoline               0x000000010dc643db 0x10dab2000 + 1778651
6   de.pl32.photoline               0x000000010dcc17c2 0x10dab2000 + 2160578
7   de.pl32.photoline               0x000000010e4ddc0a 0x10dab2000 + 10664970
8   de.pl32.photoline               0x000000010e4ddfb2 0x10dab2000 + 10665906
9   com.apple.AppKit                0x00007fffafccfdd7 -[NSDocument _initWithContentsOfURL:ofType:error:] + 172
10  com.apple.AppKit                0x00007fffafccfcbc -[NSDocument initWithContentsOfURL:ofType:error:] + 231
11  com.apple.AppKit                0x00007fffafdad2b0 -[NSDocumentController makeDocumentWithContentsOfURL:ofType:error:] + 644
12  com.apple.AppKit                0x00007fffb0000470 __97-[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:]_block_invoke + 83
13  com.apple.AppKit                0x00007fffb0000412 -[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:] + 176
14  com.apple.AppKit                0x00007fffafdac2e6 __80-[NSDocumentController openDocumentWithContentsOfURL:display:completionHandler:]_block_invoke + 613
15  com.apple.AppKit                0x00007fffaffff48b __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_2.922 + 180
16  com.apple.AppKit                0x00007fffaffff3a7 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke.921 + 138
17  com.apple.AppKit                0x00007fffaffff269 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_4 + 267
18  com.apple.CoreFoundation        0x00007fffb1fd717c __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 12
19  com.apple.CoreFoundation        0x00007fffb1fb7f84 __CFRunLoopDoBlocks + 356
20  com.apple.CoreFoundation        0x00007fffb1fb7705 __CFRunLoopRun + 917
21  com.apple.CoreFoundation        0x00007fffb1fb7114 CFRunLoopRunSpecific + 420
22  com.apple.HIToolbox             0x00007fffb1517ebc RunCurrentEventLoopInMode + 240
23  com.apple.HIToolbox             0x00007fffb1517bf9 ReceiveNextEventCommon + 184
24  com.apple.HIToolbox             0x00007fffb1517b26 _BlockUntilNextEventMatchingListInModeWithFilter + 71
25  com.apple.AppKit                0x00007fffafaaea54 _DPSNextEvent + 1120
26  com.apple.AppKit                0x00007fffb022a7ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796
27  com.apple.AppKit                0x00007fffafaa33db -[NSApplication run] + 926
28  de.pl32.photoline               0x000000010e4daa19 0x10dab2000 + 10652185
29  com.apple.AppKit                0x00007fffafa6de0e NSApplicationMain + 1237
30  de.pl32.photoline               0x000000010dab3d14 0x10dab2000 + 7444

log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb  %al,(%rdx):instruction_address=0x000000010e2d31a1:access_type=write:access_address=0x00007f8cededee01:

Timeline

2018-03-27 - Vendor Disclosure
2018-04-11 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.