Talos Vulnerability Report

TALOS-2017-0387

Computerinsel Photoline GIF Parsing Code Execution Vulnerability

October 4, 2017
CVE Number

CVE-2017-2880

Summary

A memory corruption vulnerability exists in the .GIF parsing functionality of Computerinsel Photoline 20.02. A specially crafted .GIF file can trigger this vulnerability, resulting in potential code execution. An attacker can send a specific .GIF file to trigger this vulnerability.

Tested Versions

Computerinsel GmbH Photoline 20.02

Product URLs

https://www.pl32.com/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

Details

The code responsible for the vulnerability is provided below:

.text:007BE521 loc_7BE521:                             ; CODE XREF: buggy_proc+62j
.text:007BE521                 mov     cl, [esi+14h]   ; [esi+14h] -> byte taken straight from GIF file
.text:007BE524                 mov     edx, 1
.text:007BE529                 shl     edx, cl
.text:007BE52B                 movzx   cx, cl
.text:007BE52F                 lea     eax, [edx+1]
.text:007BE532                 mov     [esi+1Ch], ax
.text:007BE536                 lea     eax, [edx+2]
.text:007BE539                 mov     [esi+401Eh], ax
.text:007BE540                 mov     eax, 1000h
.text:007BE545                 mov     [esi+4020h], ax
.text:007BE54C                 inc     cx
.text:007BE54E                 mov     eax, 1
.text:007BE553                 shl     eax, cl
.text:007BE555                 mov     [esi+16h], cx
.text:007BE559                 xor     ecx, ecx
.text:007BE55B                 mov     [esi+1Ah], dx
.text:007BE55F                 dec     eax
.text:007BE560                 mov     [esi+18h], ax
.text:007BE564                 xor     eax, eax
.text:007BE566                 cmp     cx, dx
.text:007BE569                 jnb     short loc_7BE58B
.text:007BE56B                 jmp     short bug_write_loop

.text:007BE570 bug_write_loop:                         ; CODE XREF: buggy_proc+BBj
.text:007BE570                                         ; buggy_proc+D9j
.text:007BE570                 movzx   ecx, ax
.text:007BE573                 mov     edx, 1000h
.text:007BE578                 mov     [esi+ecx*2+1Eh], dx      ; WRITE!
.text:007BE57D                 mov     [ecx+esi+201Eh], al      ; WRITE!
.text:007BE584                 inc     eax
.text:007BE585                 cmp     ax, [esi+1Ah]            ; [esi+1Ah] is calculated from our data
.text:007BE589                 jb      short bug_write_loop
.text:007BE58B

In short, the byte value is taken directly from the .GIF file (see address 0x007BE521). This value is later used as a shift count (1 << value, see `shl edx, cl` at 0x007BE529) and the result becomes the loop repeat number (see address 0x007BE585). Because the loop bound is never checked against the size of the tables it fills, this gives the attacker the opportunity to cause memory corruption and a memory overflow (instructions at 0x007BE578 and 0x007BE57D).
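The following C model is an added example, not PhotoLine's code. It mirrors the two tables the listing writes (a word table at +0x1Eh and a byte table at +0x201Eh, which implies 0x1000 entries each; the struct, names and the 2..8 range from the GIF89a specification are assumptions) and shows the bound check that bug_write_loop lacks, together with a small walker that locates the LZW minimum code size byte in a constructed GIF.

```c
#include <stddef.h>
#include <stdint.h>
#define LZW_TABLE_ENTRIES 0x1000  /* 4096-entry tables, as laid out at +0x1E and +0x201E */
#define GIF_MAX_MIN_CODE_SIZE 8   /* GIF89a: LZW minimum code size is 2..8 (assumption) */

typedef struct {                         /* assumed model of the object behind esi */
    uint16_t clear_code;                 /* 1 << code_size, the loop bound at [esi+1Ah] */
    uint16_t prefix[LZW_TABLE_ENTRIES];  /* word table written at [esi+ecx*2+1Eh] */
    uint8_t  suffix[LZW_TABLE_ENTRIES];  /* byte table written at [ecx+esi+201Eh] */
} lzw_state_t;

/* Hardened initialisation: refuses a code size whose 1<<n entries exceed the tables. */
int lzw_init_tables(lzw_state_t *st, uint8_t code_size)
{
    if (code_size < 2 || code_size > GIF_MAX_MIN_CODE_SIZE) return -1;
    uint32_t count = 1u << code_size;          /* same arithmetic as shl edx, cl */
    if (count > LZW_TABLE_ENTRIES) return -1;  /* the check bug_write_loop lacks */
    st->clear_code = (uint16_t)count;
    for (uint32_t i = 0; i < count; i++) {     /* bounded version of bug_write_loop */
        st->prefix[i] = 0x1000;
        st->suffix[i] = (uint8_t)i;
    }
    return (int)count;                         /* entries written */
}

/* Walks a GIF to its first image descriptor and returns the LZW minimum code size
   byte (the value loaded at 0x007BE521), or -1 on truncation / unexpected block. */
int gif_lzw_min_code_size(const uint8_t *buf, size_t len)
{
    size_t pos = 13;                           /* 6-byte header + 7-byte screen descriptor */
    if (len < pos) return -1;
    if (buf[10] & 0x80) pos += 3u << ((buf[10] & 7) + 1);  /* skip global colour table */
    while (pos < len) {
        uint8_t b = buf[pos++];
        if (b == 0x2C) {                       /* image descriptor: 9 bytes, then code size */
            if (pos + 9 >= len) return -1;
            uint8_t packed = buf[pos + 8];
            pos += 9;
            if (packed & 0x80) pos += 3u << ((packed & 7) + 1);  /* skip local colour table */
            return pos < len ? buf[pos] : -1;
        }
        if (b != 0x21 || pos >= len) return -1; /* only extension blocks (0x21) are skipped */
        pos++;                                 /* extension label */
        while (pos < len && buf[pos] != 0) pos += 1 + buf[pos];  /* length-prefixed sub-blocks */
        pos++;                                 /* block terminator */
    }
    return -1;
}

/* Constructed samples: "GIF89a", 1x1 screen, no colour tables, one image descriptor. */
static const uint8_t sample_ok[]  = {'G','I','F','8','9','a',1,0,1,0,0,0,0, 0x2C,0,0,0,0,1,0,1,0,0, 0x08, 0};
static const uint8_t sample_bad[] = {'G','I','F','8','9','a',1,0,1,0,0,0,0, 0x2C,0,0,0,0,1,0,1,0,0, 0x0D, 0};
```

With sample_bad the unchecked loop would iterate 1 << 13 = 8192 times, twice the capacity of either table; the hardened function rejects it before any write.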

Crash Information

PhotoLine+0x3be578:
007be578 6689544e1e      mov     word ptr [esi+ecx*2+1Eh],dx ds:002b:001a0000=6341
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
PhotoLine+3be578
007be578 6689544e1e      mov     word ptr [esi+ecx*2+1Eh],dx

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 007be578 (PhotoLine+0x003be578)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 001a0000
Attempt to write to address 001a0000

FAULTING_THREAD:  000015ec

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

PROCESS_NAME:  PhotoLine.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  001a0000

FOLLOWUP_IP: 
PhotoLine+3be578
007be578 6689544e1e      mov     word ptr [esi+ecx*2+1Eh],dx

WRITE_ADDRESS:  001a0000 

WATSON_BKT_PROCSTAMP:  589ee44a

WATSON_BKT_PROCVER:  20.0.0.2

PROCESS_VER_PRODUCT:  PhotoLine

WATSON_BKT_MODULE:  PhotoLine.exe

WATSON_BKT_MODSTAMP:  589ee44a

WATSON_BKT_MODOFFSET:  3be578

WATSON_BKT_MODVER:  20.0.0.2

MODULE_VER_PRODUCT:  PhotoLine

BUILD_VERSION_STRING:  10.0.15063.296 (WinBuild.160101.0800)


NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_TYPE:  fe

ANALYSIS_SESSION_HOST:  CLAB

ANALYSIS_SESSION_TIME:  07-04-2017 08:52:40.0767

ANALYSIS_VERSION: 10.0.15063.400 amd64fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  PLK

PROBLEM_CLASSES: 

    ID:     [0n292]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x15ec]
    Frame:  [0] : PhotoLine

    ID:     [0n265]
    Type:   [INVALID_POINTER_WRITE]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x15ec]
    Frame:  [0] : PhotoLine

    ID:     [0n152]
    Type:   [ZEROED_STACK]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [0x302c]
    TID:    [0x15ec]
    Frame:  [0] : PhotoLine

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

LAST_CONTROL_TRANSFER:  from 00000000 to 007be578

STACK_TEXT:  
00000000 00000000 00000000 00000000 00000000 PhotoLine+0x3be578



FAULT_INSTR_CODE:  4e548966

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  PhotoLine+3be578

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: PhotoLine

IMAGE_NAME:  PhotoLine.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  589ee44a

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_PhotoLine.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_PhotoLine+3be578

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  PhotoLine.exe

BUCKET_ID_IMAGE_STR:  PhotoLine.exe

FAILURE_MODULE_NAME:  PhotoLine

BUCKET_ID_MODULE_STR:  PhotoLine

FAILURE_FUNCTION_NAME:  Unknown

BUCKET_ID_FUNCTION_STR:  Unknown

BUCKET_ID_OFFSET:  3be578

BUCKET_ID_MODTIMEDATESTAMP:  589ee44a

BUCKET_ID_MODCHECKSUM:  103c5a2

BUCKET_ID_MODVER_STR:  20.0.0.2

BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_

FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

FAILURE_SYMBOL_NAME:  PhotoLine.exe!Unknown

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/PhotoLine.exe/20.0.0.2/589ee44a/PhotoLine.exe/20.0.0.2/589ee44a/c0000005/003be578.htm?Retriage=1

TARGET_TIME:  2017-07-04T06:52:49.000Z

OSBUILD:  15063

OSSERVICEPACK:  296

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  160101.0800

BUILDLAB_STR:  WinBuild

BUILDOSVER_STR:  10.0.15063.296

ANALYSIS_SESSION_ELAPSED_TIME:  732b

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_photoline.exe!unknown

FAILURE_ID_HASH:  {3391e579-c3a2-d370-e494-6a2226b83b1d}

Followup:     MachineOwner
---------

Timeline

2017-08-02 - Vendor Disclosure
2017-10-04 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos