Talos Vulnerability Report

TALOS-2018-0585

Computerinsel Photoline PSD Blending Channel Code Execution Vulnerability

July 11, 2018
CVE Number

CVE-2018-3921

Summary

A memory corruption vulnerability exists in the PSD-parsing functionality of Computerinsel Photoline 20.54. A specially crafted PSD image processed via the application can lead to a stack overflow, overwriting arbitrary data. An attacker can deliver a PSD image to trigger this vulnerability and gain code execution.

Tested Versions

Computerinsel Photoline 20.54 for OS X

Product URLs

https://www.pl32.com/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-121: Stack-based Buffer Overflow

Details

Photoline is an image processing tool used to modify and edit images, as well as other graphic-related material. This product has a large user base, and is popular in its specific field. The vulnerability arises in parsing the PSD image, specifically dealing with the blending channels inside of the image. The PSD format supports the ability to have multiple layers and masks per image, and the vulnerability is in how the software deals with the length of these layers. By looking at the vulnerable images Blending Layer Length value, we see that it is 0x40000000. Shown below is the code using this value causing the overflow.

LOWORD(v6) = memcpy_wrapper(sstack_buffer, &image_Data, blending_channel_1);

The blending channel value is read directly from the image and used to copy this data into a stack-based buffer. This causes a direct overflow of the stack, and an overwrite of arbitrary data. There is a stack cookie present, but this could be circumvented by other means. This vulnerability could be exploited to gain code execution.

Crash Information

Crashed thread log = 
: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib          0x00007fff53a10b6e __pthread_kill + 10
1   libsystem_pthread.dylib         0x00007fff53bdb080 pthread_kill + 333
2   libsystem_c.dylib               0x00007fff5396c24d __abort + 144
3   libsystem_c.dylib               0x00007fff5396caf8 __stack_chk_fail + 205
4   de.pl32.photoline               0x0000000102090bae 0x101897000 + 8362926
5   ???                             0x8000c18000c18000 0 + 9223584792367431680

log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_CRASH:signal=6:is_exploitable=yes:instruction_disassembly=jae CONSTANT:instruction_address=0x00007fff53a10b6e:access_type=:access_address=0x0000000000000000:
The crash is suspected to be an exploitable issue due to the suspicious function in the stack trace of the crashing thread: ' __stack_chk_fail '

Timeline

2018-05-01 - Vendor Disclosure
2018-07-11 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.