Talos Vulnerability Report

TALOS-2018-0587

Computerinsel Photoline PCX Run Length Encoding Code Execution Vulnerability

July 11, 2018
CVE Number

CVE-2018-3923

Summary

A memory corruption vulnerability exists in the PCX-parsing functionality of Computerinsel Photoline 20.54. A specially crafted PCX image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution.

Tested Versions

Computerinsel Photoline 20.54 for OS X

Product URLs

https://www.pl32.com/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

Photoline is an image processing tool used to modify and edit images, as well as other graphics-editing tasks. This product has a large user base, and is popular in the graphic design field. The vulnerable component is in the handling of PCX images. PCX was a popular image format with early computers, and although it has been replaced by more sophisticated formats, it is still in use and fully supported inside of Canvas Draw.

The vulnerability arises while parsing the PCX image, specifically in the handling of its run-length encoding. PCX stores pixel data as runs: each run-length value read from the file determines the size of the next chunk of image data to be emitted. By crafting an image with successive large run-length values, an attacker can cause the program to write a null byte out of bounds, leading to an exploitable condition. The relevant code is shown below.

do
{
  if ( ... )
  {
    ...
      do
      {
        *vuln_object++ = a2[1];
        --v7;
      }
      while ( v7 );
      vuln_object += run_length;        [0]
    }
    a2 += 2;
    ++count;
  }
  else
  {
    ++a2;
    *vuln_object++ = v5;     [1]
    --a3;
  }
  ++count;
}
while ( count < max );       [2]

The above code is a parsing loop that fills the vulnerable object with the decoded image data. The size of the vulnerable object is passed in and used as the max variable that bounds the loop [2]. At location [0], the object pointer is advanced by the run length read from the image. By placing a large run length toward the end of a crafted image, an attacker can advance the vulnerable object pointer beyond the end of its allocation. At location [1] the pointer is then dereferenced and written to directly, producing an out-of-bounds write and an exploitable condition.
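As an added illustration (not Photoline's code, and not taken from the advisory), the following C program decodes standard PCX run-length encoding with the bounds check the loop above lacks, next to a dry run that reports how far an unchecked loop would overshoot. All names, the 16-byte row size and the sample byte streams are constructed for this example.

```c
/* Added example (not Photoline's code): a bounds-checked PCX RLE
 * decoder next to a dry-run that measures how far an unchecked loop
 * would overshoot. Names and sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PCX RLE: a byte with its top two bits set encodes a run; the low six
 * bits give the count and the next byte gives the value. Any other byte
 * is a literal. Decodes into out[0..out_len). Returns bytes written, or
 * -1 if a run would exceed the output buffer or the stream is truncated. */
long pcx_rle_decode(const uint8_t *in, size_t in_len,
                    uint8_t *out, size_t out_len)
{
    size_t ip = 0, op = 0;
    while (ip < in_len && op < out_len) {
        uint8_t b = in[ip++];
        if ((b & 0xC0) == 0xC0) {
            size_t run = b & 0x3F;
            if (ip >= in_len)
                return -1;              /* run marker without a value byte */
            uint8_t v = in[ip++];
            if (run > out_len - op)
                return -1;              /* the check the vulnerable loop lacks */
            memset(out + op, v, run);
            op += run;
        } else {
            out[op++] = b;
        }
    }
    return (long)op;
}

/* Dry run: total bytes the stream expands to if no bounds check were
 * applied. Nothing is written, so it is safe to call on hostile input. */
size_t pcx_rle_expanded_size(const uint8_t *in, size_t in_len)
{
    size_t ip = 0, total = 0;
    while (ip < in_len) {
        uint8_t b = in[ip++];
        if ((b & 0xC0) == 0xC0) {
            total += b & 0x3F;
            ip++;                       /* skip the value byte */
        } else {
            total++;
        }
    }
    return total;
}

#define ROW_BYTES 16   /* constructed scanline size for the samples */

/* Constructed well-formed stream: 4 literals, a run of 4, a run of 8. */
static const uint8_t good_stream[] = {
    0x01, 0x02, 0x03, 0x04, 0xC4, 0xAA, 0xC8, 0xBB };

/* Constructed stream whose last run (0xFF -> count 63) overshoots the row. */
static const uint8_t overlong_stream[] = {
    0x01, 0x02, 0x03, 0x04, 0xC4, 0xAA, 0xFF, 0xBB };

/* Constructed stream that ends on a run marker with no value byte. */
static const uint8_t truncated_stream[] = { 0x01, 0xC3 };

long demo_decode_good(void)
{
    uint8_t row[ROW_BYTES];
    return pcx_rle_decode(good_stream, sizeof good_stream, row, sizeof row);
}

/* Returns 1 when the decoded row holds the expected bytes. */
int demo_good_contents_ok(void)
{
    uint8_t row[ROW_BYTES];
    if (pcx_rle_decode(good_stream, sizeof good_stream, row, sizeof row) != ROW_BYTES)
        return 0;
    for (int i = 0; i < 4; i++)  if (row[i] != i + 1) return 0;
    for (int i = 4; i < 8; i++)  if (row[i] != 0xAA) return 0;
    for (int i = 8; i < 16; i++) if (row[i] != 0xBB) return 0;
    return 1;
}

long demo_decode_overlong(void)
{
    uint8_t row[ROW_BYTES];
    return pcx_rle_decode(overlong_stream, sizeof overlong_stream, row, sizeof row);
}

size_t demo_overlong_expansion(void)
{
    return pcx_rle_expanded_size(overlong_stream, sizeof overlong_stream);
}

long demo_decode_truncated(void)
{
    uint8_t row[ROW_BYTES];
    return pcx_rle_decode(truncated_stream, sizeof truncated_stream, row, sizeof row);
}

int main(void)
{
    printf("well-formed: decoded %ld bytes\n", demo_decode_good());
    printf("overlong: decoder returned %ld; unchecked loop would write %zu bytes into %d\n",
           demo_decode_overlong(), demo_overlong_expansion(), ROW_BYTES);
    printf("truncated: decoder returned %ld\n", demo_decode_truncated());
    return 0;
}
```

The check that matters is `run > out_len - op` before the write: it compares the run against the space actually left in the destination rather than trusting the count byte, which is the comparison missing at location [0] above. The dry run is the kind of measurement a fuzzing harness or file validator can apply to a suspicious PCX before it ever reaches a decoder.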

Crash Information

Crashed thread log:
Dispatch queue: com.apple.main-thread
0   de.pl32.photoline               0x000000010e8763d3 0x10de15000 + 10884051
1   de.pl32.photoline               0x000000010e876476 0x10de15000 + 10884214
2   de.pl32.photoline               0x000000010e877094 0x10de15000 + 10887316
3   de.pl32.photoline               0x000000010df574f7 0x10de15000 + 1320183
4   de.pl32.photoline               0x000000010df57378 0x10de15000 + 1319800
5   de.pl32.photoline               0x000000010df57069 0x10de15000 + 1319017
6   de.pl32.photoline               0x000000010e3a5b22 0x10de15000 + 5835554
7   de.pl32.photoline               0x000000010dfcb066 0x10de15000 + 1794150
8   de.pl32.photoline               0x000000010dfcadc7 0x10de15000 + 1793479
9   de.pl32.photoline               0x000000010e028a66 0x10de15000 + 2177638
10  de.pl32.photoline               0x000000010e8709d2 0x10de15000 + 10861010
11  de.pl32.photoline               0x000000010e870d7a 0x10de15000 + 10861946
12  com.apple.AppKit                0x00007fff28d4086d -[NSDocument _initWithContentsOfURL:ofType:error:] + 172
13  com.apple.AppKit                0x00007fff28d40752 -[NSDocument initWithContentsOfURL:ofType:error:] + 231
14  com.apple.AppKit                0x00007fff28e162a5 -[NSDocumentController makeDocumentWithContentsOfURL:ofType:error:] + 628
15  com.apple.AppKit                0x00007fff290975e4 __97-[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:]_block_invoke + 91
16  com.apple.AppKit                0x00007fff2909757e -[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:] + 176
17  com.apple.AppKit                0x00007fff28e1545b __80-[NSDocumentController openDocumentWithContentsOfURL:display:completionHandler:]_block_invoke + 880
18  com.apple.AppKit                0x00007fff29096225 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_4 + 31
19  com.apple.AppKit                0x00007fff290965ae __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_2.970 + 149
20  com.apple.AppKit                0x00007fff290964e9 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke.969 + 138
21  com.apple.AppKit                0x00007fff290963ab __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke.964 + 254
22  com.apple.CoreFoundation        0x00007fff2b5c48cc __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 12
23  com.apple.CoreFoundation        0x00007fff2b5a72a3 __CFRunLoopDoBlocks + 275
24  com.apple.CoreFoundation        0x00007fff2b5a692e __CFRunLoopRun + 1278
25  com.apple.CoreFoundation        0x00007fff2b5a61a3 CFRunLoopRunSpecific + 483
26  com.apple.HIToolbox             0x00007fff2a88ed96 RunCurrentEventLoopInMode + 286
27  com.apple.HIToolbox             0x00007fff2a88ea0f ReceiveNextEventCommon + 366
28  com.apple.HIToolbox             0x00007fff2a88e884 _BlockUntilNextEventMatchingListInModeWithFilter + 64
29  com.apple.AppKit                0x00007fff28b41a73 _DPSNextEvent + 2085
30  com.apple.AppKit                0x00007fff292d7e34 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044
31  com.apple.AppKit                0x00007fff28b36885 -[NSApplication run] + 764
32  de.pl32.photoline               0x000000010e86d7b9 0x10de15000 + 10848185
33  com.apple.AppKit                0x00007fff28b05a72 NSApplicationMain + 804
34  de.pl32.photoline               0x000000010de170b4 0x10de15000 + 8372

log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb  %r11b,(%rcx):instruction_address=0x000000010e8763d3:access_type=write:access_address=0x000000019ad18000:
Crash accessing invalid address.

Timeline

2018-05-01 - Vendor Disclosure
2018-07-11 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.