CVE-2018-3976
An exploitable out-of-bounds write exists in the CALS Raster file format-parsing functionality of Canvas Draw version 5.0.0.28. A specially crafted CAL image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a CAL image to trigger this vulnerability and gain code execution.
ACDSystems Canvas Draw 5.0.0.28
https://www.canvasgfx.com/en/products/canvas-draw
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write
Canvas Draw 5 is a graphics editing tool used to create and edit images, as well as other graphics-related tasks. This product has a sizable user base and is popular in its specific field.
The vulnerability arises in the parsing of the CALS Raster file format, specifically dealing with the column and row sizes of an image. Inside of the CALS header, values are set to determine the location of image data and the size of the image itself. By passing in incorrect values, the application will write out of bounds attempting to access the image data. The crash is shown below:
-> 0x114e2290d <+71>: not dword ptr [rcx] [1]
0x114e2290f <+73>: add rcx, 0x4
0x114e22913 <+77>: dec ebx
0x114e22915 <+79>: jne 0x114e2290d ; <+71>
At location 1, RCX is user-controlled, determined by the sizes processed in the file header. This creates an exploitable condition and could be used to gain code execution.
Crashed thread log =
: Dispatch queue: com.apple.main-thread
0 com.acdsystem.canvastool.ImageIO 0x000000017765b156 invert_map(int, int, unsigned char*, int) + 71
1 com.acdsystem.canvastool.ImageIO 0x000000017765bc1c MySetRasterData(void*, unsigned char*, long long, unsigned int) + 1295
2 ImageGear18 0x000000010f5296af LoadG4_ProGold + 1916
3 ImageGear18 0x000000010f64b630 CAL_read + 338
4 ImageGear18 0x000000010f59bdfd GPb_fltrm_READ_call_param + 178
5 ImageGear18 0x000000010f59bd45 GPb_fltrm_READ_call + 21
6 ImageGear18 0x000000010f572923 iIG_load_FD_CB + 400
7 ImageGear18 0x000000010f6e42db IG_load_FD_CB + 91
8 com.acdsystem.canvastool.ImageIO 0x00000001776cbd79 0x177648000 + 540025
9 com.acdsystem.canvastool.ImageIO 0x00000001776c9c5a ImageGearAcquireProc(short, AcquireRecord*, int*, short*) + 978
10 com.acdsystem.canvastool.ImageIO 0x00000001776ca104 ImageIORunAcquireProc(_ImageIOAcquireState*) + 744
11 com.acdsystem.canvastool.ImageIO 0x00000001776c797b 0x177648000 + 522619
12 com.acdsystem.canvastool.ImageIO 0x00000001776c949d DoImportFile(ImportFileMsg*) + 1121
13 com.acdsystem.canvastool.ImageIO 0x000000017767cab3 toolmain() + 970
14 com.acdsystem.canvastool.ImageIO 0x00000001776a88d7 stdtool(TToolCallBlock*) + 119
15 com.acdsystem.canvastool.ImageIO 0x00000001776a8859 cvtool_main(TToolCallBlock*) + 9
16 com.canvasgfx.Canvas-Draw5 0x000000010d722138 0x10d5b9000 + 1478968
17 com.canvasgfx.Canvas-Draw5 0x000000010e2bdf9a 0x10d5b9000 + 13651866
18 com.canvasgfx.Canvas-Draw5 0x000000010e2bd748 0x10d5b9000 + 13649736
19 com.canvasgfx.Canvas-Draw5 0x000000010e43c18d 0x10d5b9000 + 15217037
20 com.apple.AppKit 0x00007fff36306214 -[NSApplication _doOpenFile:ok:tryTemp:] + 376
21 com.apple.AppKit 0x00007fff35ee5337 -[NSApplication finishLaunching] + 2438
22 com.apple.AppKit 0x00007fff35ee4683 -[NSApplication run] + 250
23 com.apple.AppKit 0x00007fff35eb3a72 NSApplicationMain + 804
24 libdyld.dylib 0x00007fff60761015 start + 1
log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=notl (%rcx):instruction_address=0x000000017765b156:access_type=unknown:access_address=0x00000003c8272000:
Crash accessing invalid address. Consider running it again with libgmalloc(3) to see if the log changes.
2018-08-06 - Vendor Disclosure
2019-01-18 - Vendor Patched
2019-01-30 - Public Release
Discovered by Tyler Bohan of Cisco Talos.