Talos Vulnerability Report

TALOS-2018-0524

Pixar Renderman IT Display Service 0x69 Command Denial-of-Service Vulnerability

June 14, 2018
CVE Number

CVE-2018-3841

Summary

A denial-of-service vulnerability exists in the Pixar Renderman IT Display Service 21.6. The service parses network packets without properly validating their contents: data read directly from the socket is used unchecked, which can lead to a NULL pointer dereference. The IT application is launched by a user and then listens for connections on port 4001, so an attacker who can reach that port can trigger the crash at any time while the application is open.

Tested Versions

Renderman 21.6

Product URLs

https://renderman.pixar.com

CVSSv3 Score

5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-476: Null Pointer Dereference

Details

Renderman is a rendering application used in animation and film production. It is widely used for advanced rendering and shading in many large-scale environments. The application takes a custom file format known as a RIB, parses it, and then passes it along to one of various servers. An application included with Renderman is called the “IT Display Service”. This application accepts connections and receives a packet containing information about where to find the image for rendering. The application listens on port 4001 for connections from any host. An example of the communications is below.

00000000: 69dd dd                                  i..

The first byte of the packet is dispatched in a command loop, and the corresponding handler is invoked based on its value. The vulnerability arises because data obtained from a direct socket read is used by the 0x69 command handler without any validation. The relevant code is shown below.

push    r12
push    r13
push    r14
sub     rsp, 20h
mov     r14, rdi                ; r14 = first argument (object pointer); never checked for NULL
lea     rdi, [rsp+38h+var_30]   ; this (destination std::string on the stack)
lea     rsi, [r14+68h]          ; std::string * at offset 0x68 of the object; equals 0x68 when r14 is NULL
call    std::string::string(std::string const&) ; [1] copy constructor dereferences rsi
lea     rdi, [rsp+38h+var_30]   ; this

A socket read selects the 0x69 command, and its handler immediately calls the std::string copy constructor on the string member at offset 0x68 of the object whose pointer arrives in rdi (saved in r14), without first checking that the pointer is non-NULL. When the pointer is NULL the copy constructor is handed the address 0x68 and dereferences it, which crashes the application (the EXC_BAD_ACCESS at address 0x68 in the crash log below) and results in a denial-of-service condition.
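The following C++ program is an added illustration of the bug pattern described above; it is not code from Renderman or from this report. Its structure (a table of displays looked up by an id byte taken from the packet, a string member placed at offset 0x68, the function names) is assumed for illustration only: the advisory establishes just that the 0x69 handler copies a std::string at offset 0x68 of an object pointer that can be NULL. The vulnerable handler is shown beside a hardened one that rejects a NULL pointer before touching the member, and the three-byte packet from the advisory is used as the constructed sample input.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Hypothetical model of a per-display object. The real layout is unknown;
// the padding only places image_name at offset 0x68, matching the advisory.
struct DisplayState {
    uint8_t     reserved[0x68];  // assumption: 0x68 bytes of unrelated fields
    std::string image_name;      // the std::string copied by the 0x69 handler
};

// Constructed table of registered displays, keyed by an id byte (assumption).
static std::map<uint8_t, DisplayState> g_displays;

void register_display(uint8_t id, const std::string& name) {
    g_displays[id].image_name = name;
}

// Hypothetical lookup driven by unvalidated packet data: an id that was
// never registered yields nullptr, which the vulnerable handler then uses.
DisplayState* find_display(uint8_t id) {
    auto it = g_displays.find(id);
    return it == g_displays.end() ? nullptr : &it->second;
}

// Vulnerable shape, mirroring the disassembly: r14 = rdi = display pointer,
// then std::string::string(&local, &display->image_name) with no NULL check.
// With display == nullptr the copy constructor reads from address 0x68.
std::string handle_0x69_vulnerable(DisplayState* display) {
    std::string local(display->image_name);  // [1] in the listing above
    return local;
}

// Hardened shape: refuse a NULL display before dereferencing offset 0x68.
bool handle_0x69_fixed(DisplayState* display, std::string& out) {
    if (display == nullptr) return false;
    out = display->image_name;
    return true;
}

// Command loop modelled on the advisory: the first byte selects the command.
// For 0x69 the next byte is assumed to identify the display. Returns 0 on
// success and -1 for a malformed or rejected packet.
int dispatch(const std::vector<uint8_t>& pkt, std::string& out) {
    if (pkt.empty()) return -1;  // nothing to dispatch on
    switch (pkt[0]) {
    case 0x69: {
        if (pkt.size() < 2) return -1;  // length check before reading pkt[1]
        DisplayState* d = find_display(pkt[1]);
        return handle_0x69_fixed(d, out) ? 0 : -1;
    }
    default:
        return -1;  // other commands are not modelled here
    }
}

// Exercises the hardened path with the advisory's packet (69 dd dd), a
// well-formed packet for a registered display, and an empty packet.
bool self_check() {
    register_display(0x01, "frame0001.exr");  // constructed sample display
    std::string out;
    const std::vector<uint8_t> advisory_pkt = {0x69, 0xdd, 0xdd};
    bool rejected = dispatch(advisory_pkt, out) == -1;  // 0xdd unknown -> NULL -> rejected
    bool accepted = dispatch({0x69, 0x01}, out) == 0 && out == "frame0001.exr";
    bool empty_rejected = dispatch({}, out) == -1;
    return rejected && accepted && empty_rejected;
}

int main() {
    // handle_0x69_vulnerable(nullptr) would crash exactly like the service
    // (read at address 0x68), so only the hardened dispatcher is exercised.
    std::printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return 0;
}
```

The fix is the single pointer check in handle_0x69_fixed; in the real service the equivalent check belongs wherever the object pointer is produced from the socket data, before the string member at offset 0x68 is handed to the std::string copy constructor.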

Crash Information

Crashed thread log =
: Dispatch queue: com.apple.main-thread
* thread #1: tid = 0x30628ba, 0x00007fffd3cba045 libstdc++.6.dylib`std::string::(std::string const&) + 9, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x68)
  * frame #0: 0x00007fffd3cba045 libstdc++.6.dylib`std::string::(std::string const&) + 9
    frame #1: 0x000000010003454b it`___lldb_unnamed_symbol411$$it + 27
    frame #2: 0x00000001000271d3 it`___lldb_unnamed_symbol308$$it + 179
    frame #3: 0x0000000100096c44 it`___lldb_unnamed_symbol1069$$it + 2964
    frame #4: 0x0000000104e9409e libQtCore.dylib`QMetaObject::activate(QObject*, QMetaObject const*, int, void**) + 1566

Timeline

2018-02-07 - Vendor Disclosure
2018-06-14 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos