Talos Vulnerability Report

TALOS-2018-0649

ACD Systems Canvas Draw 5 Resolution_Set out-of-bounds write code execution vulnerability

January 30, 2019
CVE Number

CVE-2018-3981

Summary

An exploitable out-of-bounds write exists in the TIFF-parsing functionality of Canvas Draw version 5.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

Tested Versions

ACDSystems Canvas Draw 5.0.0

Product URLs

https://www.canvasgfx.com/en/products/canvas-draw

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-Bounds Write

Details

Canvas Draw 5 is a graphics editing tool used to create and edit images and to perform other image-editing tasks. This product has a large user base and is popular in the graphic design field. The vulnerable component is in the handling of TIFF images. TIFF is a raster-based image format used in graphics-editing projects, which makes it a very common file format for such an application.

The vulnerability arises in the parsing of a tiled TIFF image with a specially crafted resolution tag and data. The initial crash is shown below:

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7ffe00000030)
    frame #0: 0x0000000102168221 ImageGear18`DIB_resolution_set + 22
ImageGear18`DIB_resolution_set:
->  0x102168221 <+22>: mov    qword ptr [rdi + 0x8], rdx
    0x102168225 <+26>: mov    qword ptr [rdi + 0x10], rax
    0x102168229 <+30>: mov    eax, dword ptr [rsi + 0x8]
    0x10216822c <+33>: mov    qword ptr [rdi + 0x18], rax

     [rdi: 0x00007ffe00000028]

Following the backtrace, we can see that the value of RDI has been incorrectly calculated. The location where it is set is shown below.

__text:0000000114F26A13                 lea     rcx, [rbp+var_40]                 [0]
__text:0000000114F26A17                 lea     r8, [rbp+var_38]
__text:0000000114F26A1B                 lea     rbx, [rbp+var_70]
__text:0000000114F26A1F                 mov     edx, 1
__text:0000000114F26A24                 mov     r9, rbx
__text:0000000114F26A27                 call    _IG_info_get_FD_ex                 [1]
__text:0000000114F26A2C                 mov     rdi, [rbx]      ; th

The address in memory is loaded into RCX [0] and then passed into a get-information function [1]. Following the code a little further, the vulnerability becomes apparent.

__text:0000000101E46E83                  mov     r14, [rbp+user_buffer]
__text:0000000101E46E8C                  mov     dword ptr [r13+0], 0
__text:0000000101E46E99                  mov     dword ptr [r14], 0             [2]

The user-influenced address is loaded into the R14 register, and the lower four bytes at that address are then zeroed out in memory [2]. When this value is later used in DIB_resolution_set above, it causes an out-of-bounds write, and an exploitable condition arises. An attacker could exploit this situation to gain code execution by crafting a special TIFF image.
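The root cause described above is a pointer derived from attacker-controlled TIFF tag data being dereferenced without a bounds check. The following is an added example, not code from Talos, ACD Systems or the ImageGear library: a minimal little-endian TIFF IFD reader that resolves the XResolution tag (tag 282, type RATIONAL, which are the real TIFF constants) and refuses to dereference the tag's value offset unless the full 8-byte RATIONAL lies inside the file buffer. The 54-byte TIFF skeleton and the helper that patches its offset field are constructed for this example; the internal layout of ImageGear's IFD handling is not known and is not modelled here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Little-endian readers for the "II" byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* True if [off, off+need) lies inside a buffer of length len. Written as a
   subtraction so a huge attacker-supplied offset cannot wrap off+need around. */
static int in_bounds(size_t len, uint32_t off, size_t need) {
    return off <= len && len - off >= need;
}

enum { TIFF_TAG_XRESOLUTION = 282, TIFF_TAG_YRESOLUTION = 283, TIFF_TYPE_RATIONAL = 5 };

/* Parse a little-endian TIFF, walk the first IFD and read XResolution as num/den.
   Returns 0 on success and -1 if the header, IFD or tag is malformed or if any
   offset would leave the buffer. The check on the RATIONAL value offset is the
   one the vulnerable path is missing: an 8-byte RATIONAL never fits in the
   4-byte value field, so that field is always an offset chosen by the file author. */
int tiff_read_xresolution(const uint8_t *buf, size_t len, uint32_t *num, uint32_t *den) {
    if (!in_bounds(len, 0, 8)) return -1;
    if (buf[0] != 'I' || buf[1] != 'I' || rd16(buf + 2) != 42) return -1;
    uint32_t ifd = rd32(buf + 4);
    if (!in_bounds(len, ifd, 2)) return -1;
    uint16_t count = rd16(buf + ifd);
    /* Each entry is 12 bytes; a 4-byte next-IFD pointer follows the entries. */
    if (!in_bounds(len, ifd, 2 + (size_t)count * 12 + 4)) return -1;
    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        if (rd16(e) != TIFF_TAG_XRESOLUTION) continue;
        if (rd16(e + 2) != TIFF_TYPE_RATIONAL || rd32(e + 4) != 1) return -1;
        uint32_t off = rd32(e + 8);
        if (!in_bounds(len, off, 8)) return -1;   /* reject before dereferencing */
        *num = rd32(buf + off);
        *den = rd32(buf + off + 4);
        if (*den == 0) return -1;
        return 0;
    }
    return -1;   /* tag absent */
}

/* Constructed sample: header, one IFD with XResolution (300/1) at offset 38 and
   YResolution (72/1) at offset 46, no image data. */
const uint8_t kGoodTiff[54] = {
    'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00,            /* header, IFD at 8 */
    0x02,0x00,                                          /* 2 entries */
    0x1A,0x01, 0x05,0x00, 0x01,0x00,0x00,0x00, 0x26,0x00,0x00,0x00, /* 282 RATIONAL -> 38 */
    0x1B,0x01, 0x05,0x00, 0x01,0x00,0x00,0x00, 0x2E,0x00,0x00,0x00, /* 283 RATIONAL -> 46 */
    0x00,0x00,0x00,0x00,                                /* next IFD: none */
    0x2C,0x01,0x00,0x00, 0x01,0x00,0x00,0x00,           /* 300 / 1 */
    0x48,0x00,0x00,0x00, 0x01,0x00,0x00,0x00            /* 72 / 1 */
};

/* Copy the sample and overwrite XResolution's value-offset field (bytes 18..21)
   with an arbitrary offset, then parse it. This stands in for a crafted file. */
int read_with_patched_offset(uint32_t off, uint32_t *num, uint32_t *den) {
    uint8_t buf[sizeof kGoodTiff];
    memcpy(buf, kGoodTiff, sizeof buf);
    buf[18] = (uint8_t)off; buf[19] = (uint8_t)(off >> 8);
    buf[20] = (uint8_t)(off >> 16); buf[21] = (uint8_t)(off >> 24);
    return tiff_read_xresolution(buf, sizeof buf, num, den);
}

int main(void) {
    uint32_t n = 0, d = 0;
    printf("good file:        rc=%d %u/%u\n", tiff_read_xresolution(kGoodTiff, sizeof kGoodTiff, &n, &d), (unsigned)n, (unsigned)d);
    printf("offset 0xFFFFFFF0: rc=%d\n", read_with_patched_offset(0xFFFFFFF0u, &n, &d));
    printf("offset 50 (4 bytes short): rc=%d\n", read_with_patched_offset(50u, &n, &d));
    return 0;
}
```

The second patched case (offset 50 in a 54-byte file) is the one naive `off < len` checks miss: the offset itself is inside the file, but the 8-byte value it points at is not, which is exactly the partial-overlap situation a length-minus-offset comparison catches.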

Crash Information

Crashed thread log = 
: Dispatch queue: com.apple.main-thread
0   ImageGear18                     0x000000010fa59221 DIB_resolution_set + 22
1   ImageGear18                     0x000000010faa639e IG_DIB_resolution_set + 38
2   com.acdsystem.canvastool.ImageIO    0x000000017da92ae7 CIGReadFile_CB_ext::readFile() + 465
3   com.acdsystem.canvastool.ImageIO    0x000000017dabfc1b ImageGearAcquireProc(short, AcquireRecord*, int*, short*) + 915
4   com.acdsystem.canvastool.ImageIO    0x000000017dac0104 ImageIORunAcquireProc(_ImageIOAcquireState*) + 744
5   com.acdsystem.canvastool.ImageIO    0x000000017dabd97b 0x17da3e000 + 522619
6   com.acdsystem.canvastool.ImageIO    0x000000017dabf49d DoImportFile(ImportFileMsg*) + 1121
7   com.acdsystem.canvastool.ImageIO    0x000000017da72ab3 toolmain() + 970
8   com.acdsystem.canvastool.ImageIO    0x000000017da9e8d7 stdtool(TToolCallBlock*) + 119
9   com.acdsystem.canvastool.ImageIO    0x000000017da9e859 cvtool_main(TToolCallBlock*) + 9
10  com.canvasgfx.Canvas-Draw5      0x000000010dadf138 0x10d976000 + 1478968
11  com.canvasgfx.Canvas-Draw5      0x000000010e67af9a 0x10d976000 + 13651866
12  com.canvasgfx.Canvas-Draw5      0x000000010e67a748 0x10d976000 + 13649736
13  com.canvasgfx.Canvas-Draw5      0x000000010e7f918d 0x10d976000 + 15217037
14  com.apple.AppKit                0x00007fff36306214 -[NSApplication _doOpenFile:ok:tryTemp:] + 376
15  com.apple.AppKit                0x00007fff35ee5337 -[NSApplication finishLaunching] + 2438
16  com.apple.AppKit                0x00007fff35ee4683 -[NSApplication run] + 250
17  com.apple.AppKit                0x00007fff35eb3a72 NSApplicationMain + 804
18  libdyld.dylib                   0x00007fff60761015 start + 1

log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movq  %rdx,CONSTANT(%rdi):instruction_address=0x000000010fa59221:access_type=write:access_address=0x00007ffe00000030:
Crash accessing invalid address.

Timeline

2018-08-06 - Vendor Disclosure
2018-01-18 - Vendor Patched
2019-01-30 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.