Talos Vulnerability Report

TALOS-2018-0543

ACD Systems Canvas Draw 4 Huff Table Out-of-bounds Write Code Execution Vulnerability

July 19, 2018
CVE Number

CVE-2018-3859

Summary

An exploitable out-of-bounds write exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

Tested Versions

ACDSystems Canvas Draw 4.0.0

Product URLs

https://www.canvasgfx.com/en/products/canvas-draw

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-Bounds Write

Details

Canvas Draw 4 is a graphics editing tool used to create and edit images, as well as other graphic-related material. This product has a large user base and is popular in its specific field. The vulnerable component is in the handling of TIFF images. TIFF is a raster-based image format widely used in graphics editing projects, which makes it a very common input format for an application of this kind.

The vulnerability arises in the parsing of a tiled TIFF image that uses the Adobe Deflate compression scheme. This compression scheme is not one of the baseline TIFF compression algorithms, but was added as an extension by Adobe; it applies lossless Deflate compression and stores the result in the zlib compressed data format. The Canvas Draw application supports this compression scheme and is able to handle files using it. The vulnerability arises while building a Huffman table. Huffman coding is one of the two components of the Deflate encoding scheme (the other being LZ77 back-references).

When using the Deflate encoding scheme, the application takes user data directly from the TIFF image without validation. The initial crash is shown below.

* thread #1: tid = 0x92a99, 0x0000000101e01273 ImageGear18`_DFL_huff_table_build + 410, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x39c5ec80)
frame #0: 0x0000000101e01273 ImageGear18`_DFL_huff_table_build + 410
ImageGear18`_DFL_huff_table_build:
->  0x101e01273 <+410>: mov    dword ptr [rax + 4*rsi], edx
    0x101e01276 <+413>: add    r12, 0x4
    0x101e0127a <+417>: add    r14, 0x2
    0x101e0127e <+421>: dec    r15d

The value in RSI comes directly from the TIFF data field. Below is the relevant code leading up to the out-of-bounds write.

movzx   edx, [rbp+rcx*2+int_buffer]           [0]
lea     esi, [rdx+1]                          [1]
mov     [rbp+rcx*2+int_buffer], si
mov     [r12], dx
movzx   edx, word ptr [r14]
movsxd  rsi, [rbp+rcx*4+int_2]
lea     edi, [rsi+1]
mov     [rbp+rcx*4+int_2], edi
mov     [rax+rsi*4], edx                      [2]

The value in RCX at [0] is controlled via the compressed data inside the TIFF image. The value loaded with it is incremented and placed in ESI at [1]. After some data shuffling, the same user-controlled index is used again at [2], where a user-controlled value is written through RSI without a bounds check. This leads to an exploitable out-of-bounds write condition. By using specially crafted data, an attacker could gain the ability to execute code through this vulnerability.
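The sequence at [0]..[2] is the classic canonical Huffman construction used by Deflate decoders: read a code length per symbol, count the codes of each length, compute the offset of the first symbol of each length, then place each symbol at its slot. The following C program is an added example, not ImageGear or Canvas Draw code, showing the hardened form of that construction as described in RFC 1951: every length read from the stream is range-checked before it is used as an index, the length set is rejected if it over-subscribes the code space, and the placement write is checked against the table size. The function and constant names (huff_table_build, HUFF_ERR_*, the helpers) are assumptions of this example; the sample input is the constructed fixed literal/length code from RFC 1951 with a single length tampered to exercise the checks.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not ImageGear/Canvas Draw code): a canonical Deflate
   Huffman table builder that validates code lengths before using them
   as array indices. Layout follows RFC 1951 section 3.2.2. */

#define MAXBITS 15   /* RFC 1951: no Deflate code is longer than 15 bits */
#define MAXSYMS 288  /* size of the literal/length alphabet */

struct huff_table {
    unsigned short count[MAXBITS + 1]; /* codes per length; count[0] = unused symbols */
    unsigned short symbol[MAXSYMS];    /* symbols in canonical code order */
};

enum { HUFF_OK = 0, HUFF_ERR_NSYM = -1, HUFF_ERR_LENGTH = -2,
       HUFF_ERR_OVERSUB = -3, HUFF_ERR_SLOT = -4 };

int huff_table_build(struct huff_table *h, const unsigned char *lengths, int nsym)
{
    unsigned short offs[MAXBITS + 2];  /* first slot for each length */
    int sym, len, left;

    if (nsym < 1 || nsym > MAXSYMS)
        return HUFF_ERR_NSYM;
    memset(h, 0, sizeof *h);

    /* 1. Count codes per length. An unchecked length here is exactly the
          attacker-controlled index that makes the table build write out
          of bounds, so reject anything above MAXBITS before indexing. */
    for (sym = 0; sym < nsym; sym++) {
        if (lengths[sym] > MAXBITS)
            return HUFF_ERR_LENGTH;
        h->count[lengths[sym]]++;
    }

    /* 2. Kraft inequality: lengths must not over-subscribe the code space,
          otherwise no prefix code exists and later offsets are meaningless. */
    left = 1;
    for (len = 1; len <= MAXBITS; len++) {
        left = (left << 1) - h->count[len];
        if (left < 0)
            return HUFF_ERR_OVERSUB;
    }

    /* 3. Offset of the first symbol of each length inside symbol[]. */
    offs[1] = 0;
    for (len = 1; len <= MAXBITS; len++)
        offs[len + 1] = offs[len] + h->count[len];

    /* 4. Place symbols. offs[len] cannot exceed nsym by construction, but
          the explicit check keeps the write provably inside symbol[]. */
    for (sym = 0; sym < nsym; sym++) {
        len = lengths[sym];
        if (len == 0)
            continue;
        if (offs[len] >= nsym)
            return HUFF_ERR_SLOT;
        h->symbol[offs[len]++] = (unsigned short)sym;
    }
    return HUFF_OK;
}

/* Constructed input: the fixed literal/length code lengths of RFC 1951 3.2.6. */
static void rfc1951_fixed_lengths(unsigned char *lengths)
{
    int sym;
    for (sym = 0; sym < 144; sym++) lengths[sym] = 8;
    for (; sym < 256; sym++) lengths[sym] = 9;
    for (; sym < 280; sym++) lengths[sym] = 7;
    for (; sym < 288; sym++) lengths[sym] = 8;
}

/* Builds the fixed code and returns the symbol at a table slot, or -1 on failure. */
int fixed_code_symbol_at(int slot)
{
    struct huff_table h;
    unsigned char lengths[MAXSYMS];
    rfc1951_fixed_lengths(lengths);
    if (slot < 0 || slot >= MAXSYMS || huff_table_build(&h, lengths, MAXSYMS) != HUFF_OK)
        return -1;
    return h.symbol[slot];
}

/* Builds the fixed code with one symbol's length tampered; returns the build status. */
int tampered_length_status(int sym, unsigned char bad_len)
{
    struct huff_table h;
    unsigned char lengths[MAXSYMS];
    rfc1951_fixed_lengths(lengths);
    lengths[sym] = bad_len;
    return huff_table_build(&h, lengths, MAXSYMS);
}

int main(void)
{
    printf("first 7-bit symbol: %d\n", fixed_code_symbol_at(0));   /* 256 */
    printf("length 40 -> status %d\n", tampered_length_status(0, 40)); /* HUFF_ERR_LENGTH */
    printf("length 1  -> status %d\n", tampered_length_status(0, 1));  /* HUFF_ERR_OVERSUB */
    return 0;
}
```

The first check is the one that matters for this advisory: a length greater than MAXBITS indexes past the count array in step 1 and, through the offsets derived from it, past the symbol table in step 4. The Kraft check is the second line of defence, since a length set that over-subscribes the code space produces offsets that no longer describe a valid table even when every individual length is in range.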

Crash Information

Crashed thread log = 
: Dispatch queue: com.apple.main-thread
0   ImageGear18                     0x000000010f9c3273 _DFL_huff_table_build + 410
1   ImageGear18                     0x000000010f9c38af _DFL_dynamic_huffman_get + 1437
2   ImageGear18                     0x000000010f9c3aa6 DFL_uncompress + 281
3   ImageGear18                     0x000000010fb33c1d _TIF_read + 3642
4   ImageGear18                     0x000000010fb32d85 TIF_read + 261
5   ImageGear18                     0x000000010fa2fdfd GPb_fltrm_READ_call_param + 178
6   ImageGear18                     0x000000010fa2fd45 GPb_fltrm_READ_call + 21
7   ImageGear18                     0x000000010fa06bbf iIG_load_FD_CB_ex + 411
8   ImageGear18                     0x000000010fb783b6 IG_load_FD_CB_ex + 91
9   com.acdsystem.canvastool.ImageIO    0x000000016a77ed12 CIGReadFile_CB_ext::readFile() + 836
10  com.acdsystem.canvastool.ImageIO    0x000000016a7ab633 ImageGearAcquireProc(short, AcquireRecord*, int*, short*) + 722
11  com.acdsystem.canvastool.ImageIO    0x000000016a7abbf2 ImageIORunAcquireProc(_ImageIOAcquireState*) + 750
12  com.acdsystem.canvastool.ImageIO    0x000000016a7a978a 0x16a72b000 + 518026
13  com.acdsystem.canvastool.ImageIO    0x000000016a7aaef4 DoImportFile(ImportFileMsg*) + 817
14  com.acdsystem.canvastool.ImageIO    0x000000016a75e7c1 toolmain() + 917
15  com.acdsystem.canvastool.ImageIO    0x000000016a78a90a stdtool(TToolCallBlock*) + 122
16  com.acdsystem.canvastool.ImageIO    0x000000016a78a889 cvtool_main(TToolCallBlock*) + 9
17  com.acdsystems.Canvas-Draw4     0x000000010dd6f5b0 0x10dc36000 + 1283504
18  com.acdsystems.Canvas-Draw4     0x000000010e844b76 0x10dc36000 + 12643190
19  com.acdsystems.Canvas-Draw4     0x000000010e844438 0x10dc36000 + 12641336
20  com.acdsystems.Canvas-Draw4     0x000000010e9748a7 0x10dc36000 + 13887655
21  com.apple.AppKit                0x00007fffafee4bd3 -[NSApplication _doOpenFile:ok:tryTemp:] + 322
22  com.apple.AppKit                0x00007fffafaa3ba7 -[NSApplication finishLaunching] + 1624
23  com.apple.AppKit                0x00007fffafaa3148 -[NSApplication run] + 267
24  com.apple.AppKit                0x00007fffafa6de0e NSApplicationMain + 1237
25  libdyld.dylib                   0x00007fffc7734235 start + 1

log name is: ./crashlogs/f.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movl  %edx,(%rax,%rsi,4):instruction_address=0x000000010f9c3273:access_type=write:access_address=0x00000008bd5cbba0:
Crash accessing invalid address.

Timeline

2018-03-20 - Vendor Disclosure
2018-04-18 - 30 day follow up
2018-04-19 - Vendor escalated to Canvas development team
2018-05-02 - 45 day follow up
2018-06-25 - Vendor confirmed fix scheduled for next update
2018-07-19 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.