CVE-2017-2880
A memory corruption vulnerability exists in the .GIF parsing functionality of Computerinsel Photoline 20.02. A specially crafted .GIF file can trigger the vulnerability, resulting in potential code execution. An attacker can send a specific .GIF file to trigger this vulnerability.
Computerinsel GmbH Photoline 20.02
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
The code responsible for the vulnerability is provided below:
.text:007BE521 loc_7BE521: ; CODE XREF: buggy_proc+62j
.text:007BE521 mov cl, [esi+14h] ; [esi+14h] -> byte taken straight from GIF file
.text:007BE524 mov edx, 1
.text:007BE529 shl edx, cl
.text:007BE52B movzx cx, cl
.text:007BE52F lea eax, [edx+1]
.text:007BE532 mov [esi+1Ch], ax
.text:007BE536 lea eax, [edx+2]
.text:007BE539 mov [esi+401Eh], ax
.text:007BE540 mov eax, 1000h
.text:007BE545 mov [esi+4020h], ax
.text:007BE54C inc cx
.text:007BE54E mov eax, 1
.text:007BE553 shl eax, cl
.text:007BE555 mov [esi+16h], cx
.text:007BE559 xor ecx, ecx
.text:007BE55B mov [esi+1Ah], dx
.text:007BE55F dec eax
.text:007BE560 mov [esi+18h], ax
.text:007BE564 xor eax, eax
.text:007BE566 cmp cx, dx
.text:007BE569 jnb short loc_7BE58B
.text:007BE56B jmp short bug_write_loop
.text:007BE570 bug_write_loop: ; CODE XREF: buggy_proc+BBj
.text:007BE570 ; buggy_proc+D9j
.text:007BE570 movzx ecx, ax
.text:007BE573 mov edx, 1000h
.text:007BE578 mov [esi+ecx*2+1Eh], dx ; WRITE!
.text:007BE57D mov [ecx+esi+201Eh], al ; WRITE!
.text:007BE584 inc eax
.text:007BE585 cmp ax, [esi+1Ah] ; [esi+1Ah] is calculated from our data
.text:007BE589 jb short bug_write_loop
.text:007BE58B
In short, the byte value is taken directly from the .GIF file (see address 0x007BE521). This value is later used as a shift count (1 << value) and the result becomes the loop repeat number (see address 0x007BE585) without any bounds check. This gives the attacker the opportunity to cause memory corruption and a memory overflow (instructions at 0x007BE578 and 0x007BE57D).
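To make the arithmetic above concrete, the following C is an added illustration (not PhotoLine's code): it replays the listing's 16-bit loop-count computation so a reviewer can see which values of the minimum code size byte drive the init loop past the tables, and shows a hardened initialisation that validates the byte first. The 4096-entry table size is an assumption read from the offsets in the listing (prefix words at esi+1Eh..201Eh, suffix bytes at esi+201Eh..401Eh); the structure field names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Assumed from the listing's offsets: 4096 prefix words and 4096 suffix
 * bytes, i.e. the usual 12-bit LZW dictionary limit. */
#define LZW_MAX_BITS    12
#define LZW_MAX_ENTRIES (1u << LZW_MAX_BITS)

typedef struct {
    uint16_t code_size;   /* esi+16h: initial code width, min_code_size + 1 */
    uint16_t code_mask;   /* esi+18h: (1 << code_size) - 1 */
    uint16_t clear_code;  /* esi+1Ah: 1 << min_code_size, also the loop bound */
    uint16_t end_code;    /* esi+1Ch: clear_code + 1 */
    uint16_t next_code;   /* esi+401Eh: clear_code + 2 */
    uint16_t prefix[LZW_MAX_ENTRIES];
    uint8_t  suffix[LZW_MAX_ENTRIES];
} lzw_state_t;

/* Replays the listing's arithmetic: how many entries would the unchecked
 * init loop write for a given "minimum code size" byte? x86 masks the
 * shift count to 5 bits, and cx/dx are compared as 16-bit values. */
uint16_t lzw_unchecked_loop_count(uint8_t min_code_size) {
    uint16_t cx = (uint16_t)(min_code_size + 1);
    uint16_t dx = (uint16_t)(1u << (min_code_size & 0x1f));
    return cx >= dx ? 0 : dx;   /* jnb at 0x007BE569 skips the loop */
}

/* 1 if the unchecked loop would write past the 4096-entry tables. */
int lzw_unchecked_overflows(uint8_t min_code_size) {
    return lzw_unchecked_loop_count(min_code_size) > LZW_MAX_ENTRIES;
}

/* Hardened initialisation: GIF only allows a minimum code size of 2..8,
 * so the clear code is at most 256 and always fits the tables. */
int lzw_init_checked(lzw_state_t *st, uint8_t min_code_size) {
    if (min_code_size < 2 || min_code_size > 8)
        return -1;
    memset(st, 0, sizeof *st);
    uint16_t clear = (uint16_t)(1u << min_code_size);
    st->clear_code = clear;
    st->end_code   = clear + 1;
    st->next_code  = clear + 2;
    st->code_size  = (uint16_t)(min_code_size + 1);
    st->code_mask  = (uint16_t)((1u << st->code_size) - 1);
    for (uint16_t i = 0; i < clear; i++) {   /* clear <= 256 < LZW_MAX_ENTRIES */
        st->prefix[i] = 0x1000;              /* "no prefix" marker, as in the listing */
        st->suffix[i] = (uint8_t)i;
    }
    return 0;
}
```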
PhotoLine+0x3be578:
007be578 6689544e1e mov word ptr [esi+ecx*2+1Eh],dx ds:002b:001a0000=6341
0:000:x86> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
GetUrlPageData2 (WinHttp) failed: 12002.
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
PhotoLine+3be578
007be578 6689544e1e mov word ptr [esi+ecx*2+1Eh],dx
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 007be578 (PhotoLine+0x003be578)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 001a0000
Attempt to write to address 001a0000
FAULTING_THREAD: 000015ec
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE
PROCESS_NAME: PhotoLine.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 001a0000
FOLLOWUP_IP:
PhotoLine+3be578
007be578 6689544e1e mov word ptr [esi+ecx*2+1Eh],dx
WRITE_ADDRESS: 001a0000
WATSON_BKT_PROCSTAMP: 589ee44a
WATSON_BKT_PROCVER: 20.0.0.2
PROCESS_VER_PRODUCT: PhotoLine
WATSON_BKT_MODULE: PhotoLine.exe
WATSON_BKT_MODSTAMP: 589ee44a
WATSON_BKT_MODOFFSET: 3be578
WATSON_BKT_MODVER: 20.0.0.2
MODULE_VER_PRODUCT: PhotoLine
BUILD_VERSION_STRING: 10.0.15063.296 (WinBuild.160101.0800)
MODLIST_WITH_TSCHKSUM_HASH: f2c082d751a472df1a8a185b4416b966db139902
MODLIST_SHA1_HASH: 7429f67ba2c849f9234e8c4db6453a762d0885f1
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
ANALYSIS_SESSION_HOST: CLAB
ANALYSIS_SESSION_TIME: 07-04-2017 08:52:40.0767
ANALYSIS_VERSION: 10.0.15063.400 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: PLK
PROBLEM_CLASSES:
ID: [0n292]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x15ec]
Frame: [0] : PhotoLine
ID: [0n265]
Type: [INVALID_POINTER_WRITE]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x15ec]
Frame: [0] : PhotoLine
ID: [0n152]
Type: [ZEROED_STACK]
Class: Addendum
Scope: BUCKET_ID
Name: Add
Data: Omit
PID: [0x302c]
TID: [0x15ec]
Frame: [0] : PhotoLine
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
LAST_CONTROL_TRANSFER: from 00000000 to 007be578
STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 PhotoLine+0x3be578
THREAD_SHA1_HASH_MOD_FUNC: d8e26008eb6acc069d83c04d0ced24485d541252
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: c6dcc5f486de8c186b5aa96f2e4c9b36115ffd5f
THREAD_SHA1_HASH_MOD: d8e26008eb6acc069d83c04d0ced24485d541252
FAULT_INSTR_CODE: 4e548966
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: PhotoLine+3be578
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: PhotoLine
IMAGE_NAME: PhotoLine.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 589ee44a
STACK_COMMAND: ~0s ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_PhotoLine.exe!Unknown
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_PhotoLine+3be578
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: PhotoLine.exe
BUCKET_ID_IMAGE_STR: PhotoLine.exe
FAILURE_MODULE_NAME: PhotoLine
BUCKET_ID_MODULE_STR: PhotoLine
FAILURE_FUNCTION_NAME: Unknown
BUCKET_ID_FUNCTION_STR: Unknown
BUCKET_ID_OFFSET: 3be578
BUCKET_ID_MODTIMEDATESTAMP: 589ee44a
BUCKET_ID_MODCHECKSUM: 103c5a2
BUCKET_ID_MODVER_STR: 20.0.0.2
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: PhotoLine.exe!Unknown
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/PhotoLine.exe/20.0.0.2/589ee44a/PhotoLine.exe/20.0.0.2/589ee44a/c0000005/003be578.htm?Retriage=1
TARGET_TIME: 2017-07-04T06:52:49.000Z
OSBUILD: 15063
OSSERVICEPACK: 296
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 160101.0800
BUILDLAB_STR: WinBuild
BUILDOSVER_STR: 10.0.15063.296
ANALYSIS_SESSION_ELAPSED_TIME: 732b
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_photoline.exe!unknown
FAILURE_ID_HASH: {3391e579-c3a2-d370-e494-6a2226b83b1d}
Followup: MachineOwner
---------
2017-08-02 - Vendor Disclosure
2017-10-04 - Public Release
Discovered by Piotr Bania of Cisco Talos