Talos Vulnerability Report

TALOS-2018-0648

ACD Systems Canvas Draw 5 huff table out-of-bounds write code execution vulnerability

January 30, 2019
CVE Number

CVE-2018-3980

Summary

An exploitable out-of-bounds write exists in the TIFF-parsing functionality of Canvas Draw version 5.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

Tested Versions

ACDSystems Canvas Draw 5.0.0

Product URLs

https://www.canvasgfx.com/en/products/canvas-draw

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-Bounds Write

Details

Canvas Draw 5 is a graphics-editing tool used to create and edit images and to perform other graphic-design tasks. The product has a sizable user base and is popular in the graphic design field. The vulnerable component is the handling of TIFF images. TIFF is a raster image format widely used in graphics-editing projects, which makes it a very common input format for such an application.

The vulnerability arises in the parsing of a tiled TIFF image that uses the Adobe Deflate compression scheme. This scheme is not part of the TIFF standard; it was added as an Adobe extension and uses lossless Deflate compression in the zlib compressed data format. Canvas Draw supports this scheme and can open files that use it. The vulnerability occurs while building a Huffman table. Huffman coding is one of the two components that make up the Deflate encoding scheme.

When decoding the Deflate stream, the application takes values directly from the compressed data in the TIFF image without validating them. The initial crash is shown below.

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7ffeefc00eac)
frame #0: 0x0000000102001245 ImageGear18`_DFL_huff_table_build + 364
ImageGear18`_DFL_huff_table_build:
    0x102001245 <+364>: movzx  edx, word ptr [rbp + 2*rcx - 0x100]   [0]
    0x10200124d <+372>: lea    esi, [rdx + 0x1]                      [1]
    0x102001250 <+375>: mov    word ptr [rbp + 2*rcx - 0x100], si    [2]
    0x102001258 <+383>: mov    word ptr [r12], dx

The value in RCX at [0] is controlled via the compressed data inside the TIFF image and is used as an index into an RBP-relative buffer. The word at that index is loaded, incremented into ESI at [1], and at [2] the incremented value is written back to the same attacker-indexed location. This leads to an exploitable out-of-bounds write condition. An attacker could gain code execution through this vulnerability by using specially crafted data.
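As an added illustration (not ImageGear or Canvas Draw code), the following is a bounds-checked canonical Huffman table builder in the style of RFC 1951 and zlib's puff.c. The per-length histogram step is where an unchecked code length read from the file becomes an attacker-indexed write; the load, increment and store at the same RBP-relative index in the disassembly above is consistent with exactly that count[len]++ pattern. Here every length is checked against MAXBITS and the Kraft inequality before it is used; the function and struct names and the sample inputs are this example's own.

```c
#include <string.h>

#define MAXBITS 15   /* RFC 1951: Deflate code lengths are 0..15 */
#define MAXSYMS 288  /* largest Deflate alphabet (literal/length) */

struct huffman {
    unsigned short count[MAXBITS + 1];  /* number of codes of each length */
    unsigned short symbol[MAXSYMS];     /* symbols ordered by code value */
};

/* Build a canonical Huffman decoding table from per-symbol code lengths.
 * Returns 0 for a complete code, >0 for an incomplete but usable one,
 * -1 for a bad symbol count or out-of-range length, -2 if over-subscribed. */
int build_huff_table(struct huffman *h, const unsigned char *length, int n)
{
    unsigned short offs[MAXBITS + 1];
    int sym, len, left = 1;

    if (n < 0 || n > MAXSYMS)
        return -1;
    memset(h->count, 0, sizeof h->count);
    /* Histogram of lengths: "count[len]++" with len taken from the file.
     * Without the range check this is an attacker-indexed write past the
     * end of count[]; rejecting len > MAXBITS keeps the index in bounds. */
    for (sym = 0; sym < n; sym++) {
        if (length[sym] > MAXBITS)
            return -1;
        h->count[length[sym]]++;
    }
    if (h->count[0] == n)               /* no codes at all: nothing to build */
        return 0;
    /* Kraft inequality: a prefix code can never be over-subscribed. */
    for (len = 1; len <= MAXBITS; len++) {
        left = (left << 1) - h->count[len];
        if (left < 0)
            return -2;
    }
    /* First symbol slot for each length, then place symbols in order. */
    offs[1] = 0;
    for (len = 1; len < MAXBITS; len++)
        offs[len + 1] = offs[len] + h->count[len];
    for (sym = 0; sym < n; sym++)
        if (length[sym] != 0)
            h->symbol[offs[length[sym]]++] = (unsigned short)sym;
    return left;                        /* 0 when the code is complete */
}
```

A decoder that receives -1 or -2 should abandon the block rather than continue with a partially built table.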

Crash Information

Crashed thread log: Dispatch queue: com.apple.main-thread
0   ImageGear18                     0x000000010cd9a245 _DFL_huff_table_build + 364
1   ImageGear18                     0x000000010cd9a8af _DFL_dynamic_huffman_get + 1437
2   ImageGear18                     0x000000010cd9aaa6 DFL_uncompress + 281
3   ImageGear18                     0x000000010cf0ac1d _TIF_read + 3642
4   ImageGear18                     0x000000010cf09d85 TIF_read + 261
5   ImageGear18                     0x000000010ce06dfd GPb_fltrm_READ_call_param + 178
6   ImageGear18                     0x000000010ce06d45 GPb_fltrm_READ_call + 21
7   ImageGear18                     0x000000010cdddbbf iIG_load_FD_CB_ex + 411
8   ImageGear18                     0x000000010cf4f3b6 IG_load_FD_CB_ex + 91
9   com.acdsystem.canvastool.ImageIO    0x00000001766eeba1 CIGReadFile_CB_ext::readFile() + 651
10  com.acdsystem.canvastool.ImageIO    0x000000017671bc1b ImageGearAcquireProc(short, AcquireRecord*, int*, short*) + 915
11  com.acdsystem.canvastool.ImageIO    0x000000017671c104 ImageIORunAcquireProc(_ImageIOAcquireState*) + 744
12  com.acdsystem.canvastool.ImageIO    0x000000017671997b 0x17669a000 + 522619
13  com.acdsystem.canvastool.ImageIO    0x000000017671b49d DoImportFile(ImportFileMsg*) + 1121
14  com.acdsystem.canvastool.ImageIO    0x00000001766ceab3 toolmain() + 970
15  com.acdsystem.canvastool.ImageIO    0x00000001766fa8d7 stdtool(TToolCallBlock*) + 119
16  com.acdsystem.canvastool.ImageIO    0x00000001766fa859 cvtool_main(TToolCallBlock*) + 9
17  com.canvasgfx.Canvas-Draw5      0x000000010af84138 0x10ae1b000 + 1478968
18  com.canvasgfx.Canvas-Draw5      0x000000010bb1ff9a 0x10ae1b000 + 13651866
19  com.canvasgfx.Canvas-Draw5      0x000000010bb1f748 0x10ae1b000 + 13649736
20  com.canvasgfx.Canvas-Draw5      0x000000010bc9e18d 0x10ae1b000 + 15217037
21  com.apple.AppKit                0x00007fff36306214 -[NSApplication _doOpenFile:ok:tryTemp:] + 376
22  com.apple.AppKit                0x00007fff35ee5337 -[NSApplication finishLaunching] + 2438
23  com.apple.AppKit                0x00007fff35ee4683 -[NSApplication run] + 250
24  com.apple.AppKit                0x00007fff35eb3a72 NSApplicationMain + 804
25  libdyld.dylib                   0x00007fff60761015 start + 1

log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable= yes:instruction_disassembly=movzwl    %si,CONSTANT(%rbp,%rcx,2),:instruction_address=0x000000010cd9a245:access_type=write:access_address=0x00007ffee4dea15c:
Crash accessing invalid address.

Timeline

2018-08-06 - Vendor Disclosure
2019-01-18 - Vendor Patched
2019-01-30 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.