Talos Vulnerability Report

TALOS-2018-0586

Computerinsel Photoline ANI Parsing Code Execution Vulnerability

July 11, 2018
CVE Number

CVE-2018-3922

Summary

A memory corruption vulnerability exists in the ANI-parsing functionality of Computerinsel Photoline 20.54. A specially crafted ANI image processed via the application can lead to a stack overflow, overwriting arbitrary data. An attacker can deliver an ANI image to trigger this vulnerability and gain code execution.

Tested Versions

Computerinsel Photoline 20.54 for OS X

Product URLs

https://www.pl32.com/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-122: Heap-based Buffer Overflow

Details

Photoline is an image processing tool used to modify and edit images, as well as other graphics-editing tasks. This product has a large user base, and is popular in the graphic design field. The vulnerability arises in parsing the ANI image, specifically dealing with the size value in the header. Below is a small dump of the included proof of concept.

52 49 46 46 D6 E3 01 00 41 43 4F 4E 4C 49 53 54 4E 00 00 00 49 4E 46 4F 49 4E 41 4D FF 00 60 00  [0]

At [0], the last four bytes are interpreted as a length value for the image data. By supplying an overly large value, in this case 0x600000FF, the program will read beyond the bounds of the supplied buffer. The code causing the crash is shown below.

  if ( v19 == 'INAM' )                                    [1]
  {
    v12 = 1;
    if ( !v10 )
      v12 = memcpy_wrapper(source, &dest, length) != 0;    [2]

The code at [1] is doing a comparison on a header value, then subsequently calling in to memcpy. The length value passed in [2] is taken from the header shown above. This allows an attacker to supply an arbitrary length and overflow as much as desired. This creates an out-of-bounds write that could be exploited to gain code execution.

Crash Information

Crashed thread log = 
: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib          0x00007fff53a10b6e __pthread_kill + 10
1   libsystem_pthread.dylib         0x00007fff53bdb080 pthread_kill + 333
2   libsystem_c.dylib               0x00007fff5396c24d __abort + 144
3   libsystem_c.dylib               0x00007fff5396caf8 __stack_chk_fail + 205
4   de.pl32.photoline               0x0000000102090bae 0x101897000 + 8362926
5   ???                             0x8000c18000c18000 0 + 9223584792367431680

log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_CRASH:signal=6:is_exploitable=yes:instruction_disassembly=jae CONSTANT:instruction_address=0x00007fff53a10b6e:access_type=:access_address=0x0000000000000000:
The crash is suspected to be an exploitable issue due to the suspicious function in the stack trace of the crashing thread: ' __stack_chk_fail '

Timeline

2018-05-01 - Vendor Disclosure
2018-07-11 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.