CVE-2018-3980
An exploitable out-of-bounds write exists in the TIFF-parsing functionality of Canvas Draw version 5.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.
ACDSystems Canvas Draw 5.0.0
https://www.canvasgfx.com/en/products/canvas-draw
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787: Out-of-Bounds Write
Canvas Draw 5 is a graphics-editing tool used to create and edit images and to perform other graphic design functions. This product has a sizable user base and is popular in the graphic design field. The vulnerable component is the handling of TIFF images. TIFF is a raster image format widely used in graphics-editing work, which makes it a very common file format for such an application.
The vulnerability arises in the parsing of a tiled TIFF image that uses the Adobe Deflate compression scheme. This scheme is not part of the TIFF standard; it was added as an Adobe extension and uses lossless Deflate compression in the zlib compressed data format. The Canvas Draw application supports this compression format and is able to handle files that use it. The vulnerability occurs while the decoder attempts to build a Huffman table; Huffman coding is one of the two components of the Deflate encoding scheme.
When decoding Deflate data, the application takes values directly from the TIFF image without validation. The initial crash is shown below.
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7ffeefc00eac)
frame #0: 0x0000000102001245 ImageGear18`_DFL_huff_table_build + 364
ImageGear18`_DFL_huff_table_build:
0x102001245 <+364>: movzx edx, word ptr [rbp + 2*rcx - 0x100] [0]
0x10200124d <+372>: lea esi, [rdx + 0x1] [1]
0x102001250 <+375>: mov word ptr [rbp + 2*rcx - 0x100], si [2]
0x102001258 <+383>: mov word ptr [r12], dx
The value in RCX at [0], used as an index into a word array on the stack, is controlled via the compressed data inside the TIFF image. The word loaded from that index is incremented into ESI at [1], and at [2] the incremented value is stored back to the same attacker-controlled index. This leads to an exploitable out-of-bounds write condition. An attacker could gain code execution through this vulnerability by using specially crafted data.
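As an added illustration (not ImageGear or Canvas Draw code), the code-length counting step of a Deflate dynamic Huffman table build, written with the bounds check that the crashing routine lacks. That the crash site corresponds to this step of the table build is an assumption drawn from the load/increment/store pattern above; the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BITS 15  /* longest Deflate code length (RFC 1951, 3.2.7) */
#define HUFF_OK 0
#define HUFF_BAD_LENGTH (-1)     /* length > MAX_BITS: would index past bl_count[] */
#define HUFF_OVERSUBSCRIBED (-2) /* more codes than a prefix code of these lengths can hold */

/* First step of RFC 1951 3.2.2: count the codes of each bit length. `lengths`
 * comes straight from the compressed stream, so each value is checked before it
 * is used as an index; unchecked, bl_count[len]++ is the same load/increment/
 * store sequence the crash site performs with an attacker-chosen RCX. */
int huff_count_lengths(const uint8_t *lengths, size_t n, uint16_t bl_count[MAX_BITS + 1])
{
    memset(bl_count, 0, (MAX_BITS + 1) * sizeof bl_count[0]);
    for (size_t i = 0; i < n; i++) {
        if (lengths[i] > MAX_BITS)
            return HUFF_BAD_LENGTH;
        bl_count[lengths[i]]++;
    }
    /* Kraft check: a length set that over-subscribes the code space is not a
     * valid prefix code, and later table-fill steps assume it is. */
    int left = 1;
    for (int len = 1; len <= MAX_BITS; len++) {
        left = (left << 1) - bl_count[len];
        if (left < 0)
            return HUFF_OVERSUBSCRIBED;
    }
    return HUFF_OK;
}

int main(void)
{
    /* Constructed inputs: the RFC 1951 worked example (lengths for symbols A-H),
     * a stream carrying the length byte 0x40, and an over-subscribed set. */
    const uint8_t good[] = {3, 3, 3, 3, 3, 2, 4, 4}, bad[] = {3, 0x40, 3}, over[] = {1, 1, 1};
    uint16_t bl_count[MAX_BITS + 1];
    if (huff_count_lengths(good, sizeof good, bl_count) == HUFF_OK)
        printf("codes of length 2/3/4: %u/%u/%u\n", bl_count[2], bl_count[3], bl_count[4]);
    printf("length 0x40 rejected: %d\n", huff_count_lengths(bad, sizeof bad, bl_count) == HUFF_BAD_LENGTH);
    printf("over-subscribed set rejected: %d\n", huff_count_lengths(over, sizeof over, bl_count) == HUFF_OVERSUBSCRIBED);
    return 0;
}
```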
Crashed thread log (Dispatch queue: com.apple.main-thread):
0 ImageGear18 0x000000010cd9a245 _DFL_huff_table_build + 364
1 ImageGear18 0x000000010cd9a8af _DFL_dynamic_huffman_get + 1437
2 ImageGear18 0x000000010cd9aaa6 DFL_uncompress + 281
3 ImageGear18 0x000000010cf0ac1d _TIF_read + 3642
4 ImageGear18 0x000000010cf09d85 TIF_read + 261
5 ImageGear18 0x000000010ce06dfd GPb_fltrm_READ_call_param + 178
6 ImageGear18 0x000000010ce06d45 GPb_fltrm_READ_call + 21
7 ImageGear18 0x000000010cdddbbf iIG_load_FD_CB_ex + 411
8 ImageGear18 0x000000010cf4f3b6 IG_load_FD_CB_ex + 91
9 com.acdsystem.canvastool.ImageIO 0x00000001766eeba1 CIGReadFile_CB_ext::readFile() + 651
10 com.acdsystem.canvastool.ImageIO 0x000000017671bc1b ImageGearAcquireProc(short, AcquireRecord*, int*, short*) + 915
11 com.acdsystem.canvastool.ImageIO 0x000000017671c104 ImageIORunAcquireProc(_ImageIOAcquireState*) + 744
12 com.acdsystem.canvastool.ImageIO 0x000000017671997b 0x17669a000 + 522619
13 com.acdsystem.canvastool.ImageIO 0x000000017671b49d DoImportFile(ImportFileMsg*) + 1121
14 com.acdsystem.canvastool.ImageIO 0x00000001766ceab3 toolmain() + 970
15 com.acdsystem.canvastool.ImageIO 0x00000001766fa8d7 stdtool(TToolCallBlock*) + 119
16 com.acdsystem.canvastool.ImageIO 0x00000001766fa859 cvtool_main(TToolCallBlock*) + 9
17 com.canvasgfx.Canvas-Draw5 0x000000010af84138 0x10ae1b000 + 1478968
18 com.canvasgfx.Canvas-Draw5 0x000000010bb1ff9a 0x10ae1b000 + 13651866
19 com.canvasgfx.Canvas-Draw5 0x000000010bb1f748 0x10ae1b000 + 13649736
20 com.canvasgfx.Canvas-Draw5 0x000000010bc9e18d 0x10ae1b000 + 15217037
21 com.apple.AppKit 0x00007fff36306214 -[NSApplication _doOpenFile:ok:tryTemp:] + 376
22 com.apple.AppKit 0x00007fff35ee5337 -[NSApplication finishLaunching] + 2438
23 com.apple.AppKit 0x00007fff35ee4683 -[NSApplication run] + 250
24 com.apple.AppKit 0x00007fff35eb3a72 NSApplicationMain + 804
25 libdyld.dylib 0x00007fff60761015 start + 1
log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable= yes:instruction_disassembly=movzwl %si,CONSTANT(%rbp,%rcx,2),:instruction_address=0x000000010cd9a245:access_type=write:access_address=0x00007ffee4dea15c:
Crash accessing invalid address.
2018-08-06 - Vendor Disclosure
2019-01-18 - Vendor Patched
2019-01-30 - Public Release
Discovered by Tyler Bohan of Cisco Talos.