Talos Vulnerability Report

TALOS-2017-0458

Computerinsel Photoline TGA Parsing Code Execution Vulnerability

October 4, 2017
CVE Number

CVE-2017-12106

Summary

A memory corruption vulnerability exists in the .TGA parsing functionality of Computerinsel Photoline 20.02. A specially crafted .TGA file can cause an out of bounds write resulting in potential code execution. An attacker can send a specific .TGA file to trigger this vulnerability.

Tested Versions

Computerinsel Photoline 20.02

Product URLs

https://www.pl32.com/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

The code responsible for the vulnerability is provided below:

    .text:0073AC45                 mov     ecx, [esi+20h]
    .text:0073AC48                 lea     edx, [esp+34h+v16_LOOP_COUNTER]
    .text:0073AC4C                 push    edx
    .text:0073AC4D                 call    read_data
    .text:0073AC52                 test    ax, ax
    .text:0073AC55                 jnz     short loc_73AC79
 
    ...
   
    .text:0073AC7E                 cmp     [esp+34h+v16_LOOP_COUNTER], 0
    .text:0073AC83                 mov     [esp+34h+var_14], 0
    .text:0073AC8B                 jz      short end_loop
    .text:0073AC8D                 lea     ecx, [ecx+0]
    
    ...
    
    .text:0073ACCB loc_73ACCB:                             ; CODE XREF: sub_73AB90+124j
    .text:0073ACCB                 movzx   eax, ax
    .text:0073ACCE                 lea     edx, [esp+34h+var_14]
    .text:0073ACD2                 push    edx             ; void *
    .text:0073ACD3                 mov     ecx, esi
    .text:0073ACD5                 movzx   edi, ax
    .text:0073ACD8                 call    memcpy_caller_prolog
    .text:0073ACDD                 cmp     [esp+34h+v16_LOOP_COUNTER], 0
    .text:0073ACE2                 jnz     short continue_loop

In short, a dword value is taken directly from the .TGA file and is later used as a loop repeat count. With each loop iteration a memcpy operation is performed. This gives the attacker the opportunity to cause memory corruption and a buffer overflow, since the data copied from the source for the memcpy function is also based on attacker-controlled data.
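The defect described above is a file-supplied count driving repeated memcpy calls without any check against the destination. The following C program is an added, constructed model of that pattern and of the checks a parser needs; it is not Photoline's code and does not follow the real .TGA layout. The model assumes a 32-bit little-endian iteration count followed by 16-bit-length-prefixed chunks, which is a simplification chosen only to illustrate the bounds checks.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result codes of the hardened decoder. */
enum decode_status {
    DECODE_OK = 0,
    DECODE_TRUNCATED = 1,     /* the file ends before the data it declares */
    DECODE_DEST_OVERFLOW = 2  /* a copy would run past the destination buffer */
};

#define PIXEL_BUF_SIZE 64     /* fixed-size destination, stands in for the image buffer */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Model of the defective pattern (assumed layout, not the vendor's code): the
 * count and every chunk length come straight from the file and feed memcpy.
 * Kept only for contrast; it is never called on untrusted input here. */
void decode_chunks_unchecked(const uint8_t *in, uint8_t *out)
{
    uint32_t count = rd_le32(in);
    size_t pos = 4, written = 0;
    for (uint32_t i = 0; i < count; i++) {
        uint16_t len = rd_le16(in + pos);
        pos += 2;
        memcpy(out + written, in + pos, len);   /* no check against out's size */
        pos += len;
        written += len;
    }
}

/* Hardened decoder: every read is checked against the remaining input and
 * every copy against the remaining destination capacity before memcpy runs. */
int decode_chunks(const uint8_t *in, size_t in_len,
                  uint8_t *out, size_t out_cap, size_t *out_written)
{
    size_t pos = 0, written = 0;
    if (in_len < 4)
        return DECODE_TRUNCATED;
    uint32_t count = rd_le32(in);
    pos = 4;
    /* Each iteration consumes at least a 2-byte length prefix, so a count
     * larger than the remaining input can only come from a malformed file. */
    if (count > (in_len - pos) / 2)
        return DECODE_TRUNCATED;
    for (uint32_t i = 0; i < count; i++) {
        if (in_len - pos < 2)
            return DECODE_TRUNCATED;
        uint16_t len = rd_le16(in + pos);
        pos += 2;
        if (len > in_len - pos)
            return DECODE_TRUNCATED;
        if (len > out_cap - written)
            return DECODE_DEST_OVERFLOW;        /* the write the advisory describes */
        memcpy(out + written, in + pos, len);
        pos += len;
        written += len;
    }
    *out_written = written;
    return DECODE_OK;
}

/* Constructed sample: count = 2, chunks "AB" and "CDE" (5 bytes of payload). */
static const uint8_t SAMPLE_VALID[] = {
    0x02, 0x00, 0x00, 0x00,
    0x02, 0x00, 'A', 'B',
    0x03, 0x00, 'C', 'D', 'E'
};

/* Constructed sample: count = 0xFFFFFFFF with only one small chunk behind it. */
static const uint8_t SAMPLE_HUGE_COUNT[] = {
    0xFF, 0xFF, 0xFF, 0xFF,
    0x02, 0x00, 'A', 'A'
};

int decode_valid_sample(size_t *written)
{
    uint8_t out[PIXEL_BUF_SIZE];
    return decode_chunks(SAMPLE_VALID, sizeof SAMPLE_VALID, out, sizeof out, written);
}

int decode_huge_count_sample(void)
{
    uint8_t out[PIXEL_BUF_SIZE];
    size_t written = 0;
    return decode_chunks(SAMPLE_HUGE_COUNT, sizeof SAMPLE_HUGE_COUNT, out, sizeof out, &written);
}

/* Constructed sample built at runtime: count = 1, one 100-byte chunk, which is
 * larger than the 64-byte destination and must be rejected before memcpy. */
int decode_oversized_sample(void)
{
    uint8_t file[4 + 2 + 100];
    uint8_t out[PIXEL_BUF_SIZE];
    size_t written = 0;
    file[0] = 1; file[1] = 0; file[2] = 0; file[3] = 0;   /* count = 1 */
    file[4] = 100; file[5] = 0;                           /* chunk length = 100 */
    memset(file + 6, 'A', 100);
    return decode_chunks(file, sizeof file, out, sizeof out, &written);
}

int main(void)
{
    size_t written = 0;
    printf("valid sample: status %d, %zu bytes written\n", decode_valid_sample(&written), written);
    printf("huge count sample: status %d\n", decode_huge_count_sample());
    printf("oversized chunk sample: status %d\n", decode_oversized_sample());
    return 0;
}
```

The two checks that matter are the ones the advisory's loop lacks: the count is bounded by what the file can actually hold before the loop starts, and each chunk length is compared with the remaining destination capacity before memcpy is called, so a file that declares more data than the buffer can take is rejected with an error instead of writing past the end.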

Crash Information

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************

    Failed calling InternetOpenUrl, GLE=12029

    FAULTING_IP: 
    image00400000+b44e34
    00f44e34 89448ff8        mov     dword ptr [edi+ecx*4-8],eax

    EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 00f44e34 (image00400000+0x00b44e34)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 05156000
    Attempt to write to address 05156000

    FAULTING_THREAD:  00007ce4

    DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

    PROCESS_NAME:  image00400000

    ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

    EXCEPTION_PARAMETER1:  00000001

    EXCEPTION_PARAMETER2:  05156000

    WRITE_ADDRESS:  05156000 

    FOLLOWUP_IP: 
    image00400000+b44e34
    00f44e34 89448ff8        mov     dword ptr [edi+ecx*4-8],eax

    DETOURED_IMAGE: 1

    MOD_LIST: <ANALYSIS/>

    NTGLOBALFLAG:  470

    APPLICATION_VERIFIER_FLAGS:  0

    PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE

    BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE

    LAST_CONTROL_TRANSFER:  from 0067f66f to 00f44e34

    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0018f1a4 0067f66f 05156000 0018f200 00000008 image00400000+0xb44e34
    00000000 00000000 00000000 00000000 00000000 image00400000+0x27f66f


    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  image00400000+b44e34

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: image00400000

    DEBUG_FLR_IMAGE_TIMESTAMP:  589ee44a

    STACK_COMMAND:  ~0s ; kb

    BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_DETOURED_image00400000+b44e34

    IMAGE_NAME:  E:\photoline\PhotoLine.exe

    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_E:photoline_PhotoLine.exe!Unknown

    WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/image00400000/20_0_0_2/589ee44a/image00400000/20_0_0_2/589ee44a/c0000005/00b44e34.htm?Retriage=1

    Followup: MachineOwner
    ---------
    
    0:000> db @edi-50
    05155fb0  00 00 00 00 41 41 41 41-00 00 00 00 41 41 41 41  ....AAAA....AAAA
    05155fc0  00 00 00 00 41 41 41 41-00 00 00 00 41 41 41 41  ....AAAA....AAAA
    05155fd0  00 00 00 00 41 41 41 41-00 00 00 00 41 41 41 41  ....AAAA....AAAA
    05155fe0  00 00 00 00 41 41 41 41-00 00 00 00 41 41 41 41  ....AAAA....AAAA
    05155ff0  00 00 00 00 41 41 41 41-00 00 00 00 41 41 41 41  ....AAAA....AAAA
    05156000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    05156010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    05156020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

Timeline

2017-09-26 - Vendor Disclosure
2017-10-04 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos