CVE-2018-3922
A memory corruption vulnerability exists in the ANI-parsing functionality of Computerinsel Photoline 20.54. A specially crafted ANI image processed via the application can lead to a stack overflow, overwriting arbitrary data. An attacker can deliver an ANI image to trigger this vulnerability and gain code execution.
Computerinsel Photoline 20.54 for OS X
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-122: Heap-based Buffer Overflow
Photoline is an image processing tool used to modify and edit images, as well as other graphics-editing tasks. This product has a large user base, and is popular in the graphic design field. The vulnerability arises in parsing the ANI image, specifically dealing with the size value in the header. Below is a small dump of the included proof of concept.
52 49 46 46 D6 E3 01 00 41 43 4F 4E 4C 49 53 54 4E 00 00 00 49 4E 46 4F 49 4E 41 4D FF 00 60 00 [0]
At [0], the last four bytes are interpreted as a length value for the image data. By supplying an overly large value, in this case 0x600000FF, the program will read beyond the bounds of the supplied buffer. The code causing the crash is shown below.
if ( v19 == 'INAM' ) [1]
{
v12 = 1;
if ( !v10 )
v12 = memcpy_wrapper(source, &dest, length) != 0; [2]
The code at [1] is doing a comparison on a header value, then subsequently calling in to memcpy. The length value passed in [2] is taken from the header shown above. This allows an attacker to supply an arbitrary length and overflow as much as desired. This creates an out-of-bounds write that could be exploited to gain code execution.
Crashed thread log =
: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff53a10b6e __pthread_kill + 10
1 libsystem_pthread.dylib 0x00007fff53bdb080 pthread_kill + 333
2 libsystem_c.dylib 0x00007fff5396c24d __abort + 144
3 libsystem_c.dylib 0x00007fff5396caf8 __stack_chk_fail + 205
4 de.pl32.photoline 0x0000000102090bae 0x101897000 + 8362926
5 ??? 0x8000c18000c18000 0 + 9223584792367431680
log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_CRASH:signal=6:is_exploitable=yes:instruction_disassembly=jae CONSTANT:instruction_address=0x00007fff53a10b6e:access_type=:access_address=0x0000000000000000:
The crash is suspected to be an exploitable issue due to the suspicious function in the stack trace of the crashing thread: ' __stack_chk_fail '
2018-05-01 - Vendor Disclosure
2018-07-11 - Public Release
Discovered by Tyler Bohan of Cisco Talos.