Talos Vulnerability Report

TALOS-2017-0393

ACDSee Ultimate 10 IDE_PSD PSD Parsing Code Execution Vulnerability

December 8, 2017
CVE Number

CVE-2017-2886

Summary

A memory corruption vulnerability exists in the .PSD parsing functionality of ACDSee Ultimate 10.0.0.292. A specially crafted .PSD file can cause an out-of-bounds write, potentially resulting in code execution. An attacker can send a specific .PSD file to trigger this vulnerability.

Tested Versions

ACDSee Ultimate 10,0,0,292 (IDE_PSD 5,7,690,1)

Product URLs

https://www.acdsee.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

Code responsible for the vulnerability is provided below:

    .text:00000000000D8756                 movsxd  rdx, dword ptr [rcx+64h]     ; zero
    .text:00000000000D875A                 mov     rax, [rcx+80h]               ; rcx+0x80 = points to location in PSD file
    .text:00000000000D8761                 movzx   eax, word ptr [rax+rdx*2]    ; 16-bit value from the file
    .text:00000000000D8765                 mov     rdx, [rcx+88h]
    .text:00000000000D876C                 rol     ax, 8                        ; rol the value
    .text:00000000000D8770                 movzx   esi, ax
    .text:00000000000D8773                 mov     r8d, esi                     ; size argument for memmove = from the PSD file
    .text:00000000000D8776                 call    before_memmove

And this is how it looks in action (before and after the actual memmove):

    0:006> g
    Breakpoint 0 hit
    IDE_PSD+0xc83df:
    00000000`027983df e84c0b0500      call    IDE_PSD!IEP_ShowPlugInDialog+0x4d090 (00000000`027e8f30)
    0:006> r
    rax=0000000000002201 rbx=0000000000002201 rcx=000000000266eb50
    rdx=0000000003e86a73 rsi=000000000266eb50 rdi=00000000026365e0
    rip=00000000027983df rsp=0000000003e7fbe0 rbp=0000000003e7fd48
     r8=0000000000002201  r9=00000000025bfc0c r10=0000000000000000
    r11=0000000000000246 r12=0000000003e7fed0 r13=00000000025bfc0c
    r14=0000000003e7fd60 r15=0000000000000000
    iopl=0         nv up ei ng nz ac pe cy
    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
    IDE_PSD+0xc83df:
    00000000`027983df e84c0b0500      call    IDE_PSD!IEP_ShowPlugInDialog+0x4d090 (00000000`027e8f30)
    0:006> !heap -triage
    **********************************************************
    ** !heap: Searching all heaps for errors...               
    **********************************************************

    ** !heap: Analyzing heap at 00000000004c0000...
    ** !heap: Analyzing heap at 0000000000010000...
    ** !heap: Analyzing heap at 00000000001d0000...
    ** !heap: Analyzing heap at 0000000000450000...



    ** !heap: The extension did not find any heap errors.
    ...

    0:006> p
    (11538.f0a8): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    IDE_PSD!IEP_ShowPlugInDialog+0x4d0e7:
    00000000`027e8f87 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
    0:006> !heap -triage
    **********************************************************
    ** !heap: Searching all heaps for errors...               
    **********************************************************

    ** !heap: Analyzing heap at 00000000004c0000...
    ** !heap: Analyzing heap at 0000000000010000...
    ** !heap: Analyzing heap at 00000000001d0000...
    ** !heap: Analyzing heap at 0000000000450000...


    ** !heap: The following heaps have invalid free lists. This means
              that the neighbors of one element in the list did not point
              back to the element: either Element->Flink->Blink != Element,
              or Element->Blink->Flink != Element.
    ** !heap: Corrupt free lists are quite common. They almost always result
              from use-after-free errors in the application.
    ** !heap: To view the erroneous entry and its neighbors in the list:
              dt ntdll!_LIST_ENTRY <element>

    Heap address        Erroneous element   Element flink       Element blink
    ----------------------------------------------------------------------------
    4c0000              4c0150              2637080             266fa50             

    ** !heap: The following heap entries have a block size that does not
              match the previous block size field of the next block. This
              is sometimes the result of user corruption, but occasionally
              it can be detected if an unrelated exception occurs while
              executing heap code.
    ** !heap: To view the state of the invalid blocks:
              !heap -i <heap address>
              !heap -i <entry address>

                                                                Next block's
    Heap address        Entry address       Entry size (B)      prev. size (B)
    ----------------------------------------------------------------------------
    4c0000              266eb40             2f0                 1b380               

In short, a 16-bit value (two bytes, byte-swapped by rol ax, 8) is taken directly from the .PSD file (see address 0x007BE521). This value is later used, without any bounds check, as the size argument to the memmove function. This gives the attacker the opportunity to cause memory corruption, potentially resulting in code execution.
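The pattern above, as an added illustration that is not code from Talos or from the IDE_PSD plugin: a length field is loaded and byte-swapped exactly as the disassembly does it, and the hardened variant bounds it against both the remaining file and the destination before memmove runs. The field layout (16-bit big-endian length immediately followed by its payload), the function names and the sample bytes are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed samples, not real PSD data: a 16-bit big-endian length field followed by the
   payload. "crafted" carries 0x2201 (the r8 value in the debugger session above) but only
   three payload bytes; "benign" carries a length that matches its payload. */
static const uint8_t crafted[] = { 0x22, 0x01, 'A', 'B', 'C' };
static const uint8_t benign[]  = { 0x00, 0x03, 'A', 'B', 'C' };

/* movzx eax, word ptr [...] followed by rol ax, 8 on x86: little-endian load, then byte swap. */
static uint16_t read_be16(const uint8_t *p) {
    uint16_t v; memcpy(&v, p, sizeof v);
    return (uint16_t)((v << 8) | (v >> 8));
}

/* What the vulnerable code hands to memmove in r8d: the file value, unchecked. */
size_t unchecked_length(const uint8_t *file, size_t index) {
    return read_be16(file + index * 2);
}

/* Hardened copy: the length is bounded by the bytes left in the file and by the
   destination capacity before memmove runs. Returns 0 on success, negative on reject. */
int copy_psd_field(const uint8_t *file, size_t file_len, size_t index,
                   uint8_t *dst, size_t dst_cap, size_t *copied) {
    if (index > (SIZE_MAX - 2) / 2 || index * 2 + 2 > file_len)
        return -1;                               /* the length field itself is out of range */
    size_t payload_off = index * 2 + 2;          /* assumption: payload follows the field */
    size_t len = read_be16(file + index * 2);
    if (len > file_len - payload_off) return -2; /* would read past the end of the file */
    if (len > dst_cap) return -3;                /* would write past dst: the CWE-787 case */
    memmove(dst, file + payload_off, len);
    *copied = len;
    return 0;
}

/* Parse a sample (field at index 0) into a destination of dst_cap bytes; returns the status. */
int check_sample(const uint8_t *file, size_t file_len, size_t dst_cap) {
    uint8_t dst[8] = {0};
    size_t n = 0;
    int rc = dst_cap > sizeof dst ? -4 : copy_psd_field(file, file_len, 0, dst, dst_cap, &n);
    return rc == 0 && memcmp(dst, file + 2, n) != 0 ? -5 : rc;
}

int main(void) {
    printf("crafted length 0x%zx: rc=%d; benign: rc=%d; benign into 2 bytes: rc=%d\n",
           unchecked_length(crafted, 0), check_sample(crafted, sizeof crafted, 8),
           check_sample(benign, sizeof benign, 8), check_sample(benign, sizeof benign, 2));
    return 0;
}
```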

Crash Information

    0:006> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************

    *** ERROR: Module load completed but symbols could not be loaded for ACDSeeQVUltimate10.exe
    GetUrlPageData2 (WinHttp) failed: 12002.

    DUMP_CLASS: 2

    DUMP_QUALIFIER: 0

    FAULTING_IP: 
    IDE_PSD!IEP_ShowPlugInDialog+4d0e7
    00000000`02568f87 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]

    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 0000000002568f87 (IDE_PSD!IEP_ShowPlugInDialog+0x000000000004d0e7)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000001
       Parameter[1]: 0000000002411000
    Attempt to write to address 0000000002411000

    FAULTING_THREAD:  000105d0

    DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

    PROCESS_NAME:  ACDSeeQVUltimate10.exe

    ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

    EXCEPTION_CODE_STR:  c0000005

    EXCEPTION_PARAMETER1:  0000000000000001

    EXCEPTION_PARAMETER2:  0000000002411000

    FOLLOWUP_IP: 
    IDE_PSD!IEP_ShowPlugInDialog+4d0e7
    00000000`02568f87 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]

    WRITE_ADDRESS:  0000000002411000 

    WATSON_BKT_PROCSTAMP:  582f5f4b

    WATSON_BKT_PROCVER:  10.0.0.292

    PROCESS_VER_PRODUCT:  ACDSee Quick View

    WATSON_BKT_MODULE:  IDE_PSD.apl

    WATSON_BKT_MODSTAMP:  58218de5

    WATSON_BKT_MODOFFSET:  118f87

    WATSON_BKT_MODVER:  5.7.690.1

    MODULE_VER_PRODUCT:  ACD Systems IDE_PSD

    BUILD_VERSION_STRING:  10.0.15063.296 (WinBuild.160101.0800)

    MODLIST_WITH_TSCHKSUM_HASH:  449bbde9d140f90322f58e961035076a2b0f0991

    MODLIST_SHA1_HASH:  7a77586ab89477d2f40e21cc3f068770c76d961c

    NTGLOBALFLAG:  70

    APPLICATION_VERIFIER_FLAGS:  0

    PRODUCT_TYPE:  1

    SUITE_MASK:  272

    DUMP_TYPE:  fe

    ANALYSIS_SESSION_HOST:  CLAB

    ANALYSIS_SESSION_TIME:  07-25-2017 07:26:45.0873

    ANALYSIS_VERSION: 10.0.15063.400 amd64fre

    THREAD_ATTRIBUTES: 
    OS_LOCALE:  PLK

    PROBLEM_CLASSES: 

        ID:     [0n292]
        Type:   [@ACCESS_VIOLATION]
        Class:  Addendum
        Scope:  BUCKET_ID
        Name:   Omit
        Data:   Omit
        PID:    [Unspecified]
        TID:    [0x105d0]
        Frame:  [0] : IDE_PSD!IEP_ShowPlugInDialog

        ID:     [0n265]
        Type:   [INVALID_POINTER_WRITE]
        Class:  Primary
        Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
                BUCKET_ID
        Name:   Add
        Data:   Omit
        PID:    [Unspecified]
        TID:    [0x105d0]
        Frame:  [0] : IDE_PSD!IEP_ShowPlugInDialog

    BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE

    PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

    LAST_CONTROL_TRANSFER:  from 00000000025183e4 to 0000000002568f87

    STACK_TEXT:  
    00000000`03d3fbd8 00000000`025183e4 : 00000000`023d8b50 00000001`40238da9 00000000`023d8b58 00000000`023d84b8 : IDE_PSD!IEP_ShowPlugInDialog+0x4d0e7
    00000000`03d3fbe0 00000000`0251877b : 00000000`023d7520 00000000`00002201 00000000`00000001 ffffffff`fffffffe : IDE_PSD+0xc83e4
    00000000`03d3fc10 00000000`02515def : 00000000`023d7520 00000000`03d3fd48 00000000`03d3fd48 00000000`00000000 : IDE_PSD+0xc877b
    00000000`03d3fc50 00000000`02518213 : 00000000`00000000 00000000`023d7520 00000000`0064c5f0 00000001`401bd008 : IDE_PSD+0xc5def
    00000000`03d3fc90 00000001`401acdbf : 00000000`0064c5f0 00000000`03d3fd71 00000000`03d3fd48 00000001`401b0000 : IDE_PSD+0xc8213
    00000000`03d3fcd0 00000001`401c9745 : 00000000`0064c5f0 00000000`023d7520 00000000`00000000 00000000`023d7fd0 : ACDSeeQVUltimate10+0x1acdbf
    00000000`03d3fd10 00000001`401bc1bd : 00000000`00000000 00000000`0235ea30 00000000`00000000 00000000`00000000 : ACDSeeQVUltimate10+0x1c9745
    00000000`03d3fdd0 00000001`401c0945 : 00000000`0235fc20 00000000`0235fc20 00000000`03d3fe69 00000000`00000000 : ACDSeeQVUltimate10+0x1bc1bd
    00000000`03d3fe20 00000001`401c01e3 : 00000000`000003e8 00000000`00000064 00000000`00000000 00000000`00000000 : ACDSeeQVUltimate10+0x1c0945
    00000000`03d3fed0 00007ffd`9fe80369 : 00000000`0064cd00 00000000`00000000 00000000`00000000 00000000`00000000 : ACDSeeQVUltimate10+0x1c01e3
    00000000`03d3ff30 00007ffd`a0e12774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ucrtbase!o__strtoui64+0x59
    00000000`03d3ff60 00007ffd`a3000d51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
    00000000`03d3ff90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


    THREAD_SHA1_HASH_MOD_FUNC:  ea01bd33229d66a5f1d22bb545fdac8802f7cf90

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  2f0e27bb3643b0d9059835fad340f4d638abbbe1

    THREAD_SHA1_HASH_MOD:  3ddf4d56361b571b2ae71e9ce081ed7be9782865

    FAULT_INSTR_CODE:  8b49a4f3

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  IDE_PSD!IEP_ShowPlugInDialog+4d0e7

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: IDE_PSD

    IMAGE_NAME:  IDE_PSD.apl

    DEBUG_FLR_IMAGE_TIMESTAMP:  58218de5

    STACK_COMMAND:  ~6s ; kb

    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_IDE_PSD.apl!IEP_ShowPlugInDialog

    BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_IDE_PSD!IEP_ShowPlugInDialog+4d0e7

    FAILURE_EXCEPTION_CODE:  c0000005

    FAILURE_IMAGE_NAME:  IDE_PSD.apl

    BUCKET_ID_IMAGE_STR:  IDE_PSD.apl

    FAILURE_MODULE_NAME:  IDE_PSD

    BUCKET_ID_MODULE_STR:  IDE_PSD

    FAILURE_FUNCTION_NAME:  IEP_ShowPlugInDialog

    BUCKET_ID_FUNCTION_STR:  IEP_ShowPlugInDialog

    BUCKET_ID_OFFSET:  4d0e7

    BUCKET_ID_MODTIMEDATESTAMP:  58218de5

    BUCKET_ID_MODCHECKSUM:  29f466

    BUCKET_ID_MODVER_STR:  5.7.690.1

    BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_

    FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

    FAILURE_SYMBOL_NAME:  IDE_PSD.apl!IEP_ShowPlugInDialog

    WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/ACDSeeQVUltimate10.exe/10.0.0.292/582f5f4b/IDE_PSD.apl/5.7.690.1/58218de5/c0000005/00118f87.htm?Retriage=1

    TARGET_TIME:  2017-07-25T05:26:52.000Z

    OSBUILD:  15063

    OSSERVICEPACK:  296

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    OSPLATFORM_TYPE:  x64

    OSNAME:  Windows 10

    OSEDITION:  Windows 10 WinNt SingleUserTS

    USER_LCID:  0

    OSBUILD_TIMESTAMP:  unknown_date

    BUILDDATESTAMP_STR:  160101.0800

    BUILDLAB_STR:  WinBuild

    BUILDOSVER_STR:  10.0.15063.296

    ANALYSIS_SESSION_ELAPSED_TIME:  6c05

    ANALYSIS_SOURCE:  UM

    FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_ide_psd.apl!iep_showplugindialog

    FAILURE_ID_HASH:  {ca7d345a-b6e4-ca4d-3ae4-d7874c5593c1}

    Followup:     MachineOwner
    ---------

Timeline

2017-08-08 - Vendor Disclosure
2018-12-08 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos