Talos Vulnerability Report

TALOS-2018-0550

Computerinsel Photoline PSD Blending Channels Code Execution Vulnerability

April 11, 2018

CVE Number

CVE-2018-3868

Summary

A memory corruption vulnerability exists in the PSD parsing functionality of Computerinsel Photoline 20.53. A specially crafted PSD document processed via the application can lead to an out of bounds write overwriting arbitrary data. An attacker can deliver a PSD document to trigger this vulnerability and gain code execution.

Tested Versions

Computerinsel Photoline 20.53 for OS X

Product URLs

https://www.pl32.com/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

Photoline is an image processing tool used to modify and edit images as well as other graphic related material. This product has a large user base and is popular in its specific field. The vulnerable component is in the handling of PSD documents. PSD is a document format used by Adobe Photoshop and supported by many third party applications throughout the industry.

The vulnerability arises in parsing the PSD document. The application takes data directly from the document without verification and uses it to calculate an address. A specially crafted blending channel value in the document leads to this miscalculation. Below is the area of the crash.

decrement = 0LL;
counter = 0LL;
do
{
  ob_buffer[counter] = *(index + counter - 2);             [0]
  ob_buffer[counter + 1] = *(index + counter - 1);
  ob_buffer[counter + 2] = *(index + counter);
  counter += 3LL;             
  decrement -= 3LL;                                        [1]
}
while ( (unsigned int)decrement + blending_channel > 2 );                [2]

The buffer is written at [0], with counter tracking the write position. At [1] it is shown that the loop is actually controlled by a decrementing variable. By crafting a document, the blending_channel value can be set to an excessively large number, causing this loop to run out of bounds. Furthermore, at [2] decrement is converted to an unsigned int, causing it to wrap (an integer overflow) and allowing this loop to write out of bounds under multiple scenarios. This leads to an out-of-bounds write that can be used to gain code execution.
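As an added example that is not part of the advisory or of Photoline's own code, the C below re-creates the control flow of the loop above without touching memory, keeping the unsigned int cast at [2], and places a hardened copy routine beside it that validates the document-supplied count before writing. It goes slightly beyond the text by also showing the second wrap scenario, a blending_channel below 3, which makes the condition at [2] never fail. The 32-bit width of blending_channel, the buffer sizes and the sample bytes are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Control flow of the decompiled loop, re-created without writing memory.
 * decrement is signed 64-bit as in the decompiled code; the unsigned int cast
 * and a 32-bit blending_channel are assumptions taken from the decompiler
 * output. Returns the bytes the loop writes, or -1 once the count passes
 * buf_len, the point where the real loop starts corrupting memory. */
static long simulate_vulnerable_loop(uint32_t blending_channel, size_t buf_len)
{
    int64_t decrement = 0, counter = 0;
    do {
        counter += 3;          /* ob_buffer[counter..counter+2] written ([0]) */
        decrement -= 3;                                            /* [1] */
        if ((size_t)counter > buf_len)
            return -1;         /* the real loop has now corrupted memory */
    } while ((uint32_t)decrement + blending_channel > 2);          /* [2] */
    return (long)counter;
}

/* Hardened form: validate the document-supplied count against both buffers
 * before copying whole 3-byte groups. Returns bytes copied, or -1 on reject;
 * values below 3 copy nothing instead of wrapping the loop condition. */
static long copy_blending_channels(uint8_t *dst, size_t dst_len,
                                   const uint8_t *src, size_t src_len,
                                   uint32_t blending_channel)
{
    size_t n = (size_t)blending_channel / 3 * 3;
    if (n > dst_len || n > src_len)
        return -1;
    memcpy(dst, src, n);
    return (long)n;
}

/* Drives the hardened copy with a constructed 16-byte source buffer. */
static long hardened_copy_demo(size_t dst_len, uint32_t blending_channel)
{
    static const uint8_t src[16] = "0123456789abcde";    /* constructed sample */
    uint8_t dst[16] = {0};
    if (dst_len > sizeof dst) return -1;
    return copy_blending_channels(dst, dst_len, src, sizeof src, blending_channel);
}
```

With a 64-byte buffer, a blending_channel of 6 or 9 stays in bounds, while 0, 2 or any value past the buffer length makes the original loop overrun; the hardened routine rejects the latter and copies nothing for the former.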

Crash Information

Crashed thread log = 
: Dispatch queue: com.apple.main-thread
0   de.pl32.photoline               0x000000010def7c17 0x10d2ce000 + 12753943
1   de.pl32.photoline               0x000000010def8e80 0x10d2ce000 + 12758656
2   de.pl32.photoline               0x000000010d7cdabd 0x10d2ce000 + 5241533
3   de.pl32.photoline               0x000000010d7cd44a 0x10d2ce000 + 5239882
4   de.pl32.photoline               0x000000010dab7053 0x10d2ce000 + 8294483
5   de.pl32.photoline               0x000000010dab78f3 0x10d2ce000 + 8296691
6   de.pl32.photoline               0x000000010dab7c7b 0x10d2ce000 + 8297595
7   de.pl32.photoline               0x000000010dab969f 0x10d2ce000 + 8304287
8   de.pl32.photoline               0x000000010d843d42 0x10d2ce000 + 5725506
9   de.pl32.photoline               0x000000010d480688 0x10d2ce000 + 1779336
10  de.pl32.photoline               0x000000010d4803db 0x10d2ce000 + 1778651
11  de.pl32.photoline               0x000000010d4dd7c2 0x10d2ce000 + 2160578
12  de.pl32.photoline               0x000000010dcf9c0a 0x10d2ce000 + 10664970
13  de.pl32.photoline               0x000000010dcf9fb2 0x10d2ce000 + 10665906
14  com.apple.AppKit                0x00007fffafccfdd7 -[NSDocument _initWithContentsOfURL:ofType:error:] + 172
15  com.apple.AppKit                0x00007fffafccfcbc -[NSDocument initWithContentsOfURL:ofType:error:] + 231
16  com.apple.AppKit                0x00007fffafdad2b0 -[NSDocumentController makeDocumentWithContentsOfURL:ofType:error:] + 644
17  com.apple.AppKit                0x00007fffb0000470 __97-[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:]_block_invoke + 83
18  com.apple.AppKit                0x00007fffb0000412 -[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:] + 176
19  com.apple.AppKit                0x00007fffafdac2e6 __80-[NSDocumentController openDocumentWithContentsOfURL:display:completionHandler:]_block_invoke + 613
20  com.apple.AppKit                0x00007fffaffff48b __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_2.922 + 180
21  com.apple.AppKit                0x00007fffaffff3a7 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke.921 + 138
22  com.apple.AppKit                0x00007fffaffff269 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_4 + 267
23  com.apple.CoreFoundation        0x00007fffb1fd717c __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 12
24  com.apple.CoreFoundation        0x00007fffb1fb7f84 __CFRunLoopDoBlocks + 356
25  com.apple.CoreFoundation        0x00007fffb1fb7705 __CFRunLoopRun + 917
26  com.apple.CoreFoundation        0x00007fffb1fb7114 CFRunLoopRunSpecific + 420
27  com.apple.HIToolbox             0x00007fffb1517ebc RunCurrentEventLoopInMode + 240
28  com.apple.HIToolbox             0x00007fffb1517bf9 ReceiveNextEventCommon + 184
29  com.apple.HIToolbox             0x00007fffb1517b26 _BlockUntilNextEventMatchingListInModeWithFilter + 71
30  com.apple.AppKit                0x00007fffafaaea54 _DPSNextEvent + 1120
31  com.apple.AppKit                0x00007fffb022a7ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796
32  com.apple.AppKit                0x00007fffafaa33db -[NSApplication run] + 926
33  de.pl32.photoline               0x000000010dcf6a19 0x10d2ce000 + 10652185
34  com.apple.AppKit                0x00007fffafa6de0e NSApplicationMain + 1237
35  de.pl32.photoline               0x000000010d2cfd14 0x10d2ce000 + 7444

log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb  %cl,CONSTANT(%r15,%rdx):instruction_address=0x000000010def7c17:access_type=write:access_address=0x00000001a6f9d000:
Crash accessing invalid address.

Timeline

2018-03-29 - Vendor Disclosure
2018-04-11 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.