CVE-2018-3841
A denial-of-service vulnerability exists in the Pixar Renderman IT Display Service 21.6. The vulnerability lies in the parsing of a network packet: data read from the socket is used without validation, and that use can lead to a null pointer dereference. The IT application is started by a user and then listens for connections on port 4001. An attacker who can reach that port can deliver the attack once the application has been opened.
Renderman 21.6
5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-476: Null Pointer Dereference
Renderman is a rendering application used in animation and film production, and is widely used for advanced rendering and shading in large-scale environments. The application takes a custom file format known as RIB, parses it, and then passes it along to one of several servers. One of the applications included with Renderman is the "IT Display Service". This application accepts connections and receives a packet containing information about where to find the image to render. It listens on port 4001 and accepts connections from any host. An example of the communication is below.
00000000: 69dd dd                                  i..
The first byte of the packet is parsed in a command loop, and the corresponding functionality is called depending on its value. The vulnerability arises because, in the 0x69 command, data read directly from the socket is used without any validation. The relevant code is shown below.
push r12
push r13
push r14
sub rsp, 20h
mov r14, rdi
lea rdi, [rsp+38h+var_30] ; this
lea rsi, [r14+68h] ; std::string *
call std::string::string(std::string const&) ; [1]
lea rdi, [rsp+38h+var_30] ; this
A socket read takes place, directing the code to the 0x69 command. At this point the std::string copy constructor [1] is called on the std::string member at offset 0x68 of the object held in r14 (copied from rdi), with no check that the object pointer is non-null. When the pointer is null, the copy constructor reads from address 0x68, which is the faulting address in the crash log below, and the application terminates, resulting in a denial-of-service condition.
Crashed thread log:
: Dispatch queue: com.apple.main-thread
* thread #1: tid = 0x30628ba, 0x00007fffd3cba045 libstdc++.6.dylib`std::string::(std::string const&) + 9, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x68)
* frame #0: 0x00007fffd3cba045 libstdc++.6.dylib`std::string::(std::string const&) + 9
frame #1: 0x000000010003454b it`___lldb_unnamed_symbol411$$it + 27
frame #2: 0x00000001000271d3 it`___lldb_unnamed_symbol308$$it + 179
frame #3: 0x0000000100096c44 it`___lldb_unnamed_symbol1069$$it + 2964
frame #4: 0x0000000104e9409e libQtCore.dylib`QMetaObject::activate(QObject*, QMetaObject const*, int, void**) + 1566
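The pattern described above, as an added example written for this page (it is not code from Talos or from Renderman): a hypothetical Session object with a std::string member placed at offset 0x68, a handler for command 0x69 that copies that member without checking the object pointer, and a hardened handler beside it that rejects a null session instead of dereferencing it. The packet bytes are the ones from the capture above; the Session layout, the dispatch function and the sample path value are constructed for illustration.

```cpp
// Added example (not Talos or Pixar code): a model of the command dispatch the
// advisory describes, with the vulnerable 0x69 handler beside a hardened one.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical session object. The padding is sized so that the std::string
// member lands at offset 0x68, matching the [r14+68h] load in the listing.
struct Session {
    unsigned char pad[0x68];
    std::string image_path;
};

// Returns the byte offset of image_path inside a Session, computed on a
// real object so it does not depend on offsetof() support for this type.
std::size_t image_path_offset() {
    Session s{};
    return static_cast<std::size_t>(
        reinterpret_cast<const char*>(&s.image_path) -
        reinterpret_cast<const char*>(&s));
}

// Vulnerable pattern: copies the string at offset 0x68 with no check on `s`.
// With s == nullptr the copy constructor reads from address 0x68, which is the
// EXC_BAD_ACCESS (address=0x68) in the advisory's crash log. Never call this
// with a null pointer; it is here only to show the shape of the bug.
std::string handle_0x69_vulnerable(const Session* s) {
    std::string copy(s->image_path);   // [1] in the listing
    return copy;
}

// Hardened pattern: reject a missing session instead of dereferencing it.
bool handle_0x69_hardened(const Session* s, std::string& out) {
    if (s == nullptr) return false;
    out = s->image_path;
    return true;
}

enum class Dispatch { Handled, Rejected, Unknown };

// Command loop: the first byte of the packet selects the handler.
Dispatch dispatch_packet(const std::vector<std::uint8_t>& pkt,
                         const Session* s, std::string& out) {
    if (pkt.empty()) return Dispatch::Rejected;
    switch (pkt[0]) {
    case 0x69:
        return handle_0x69_hardened(s, out) ? Dispatch::Handled
                                            : Dispatch::Rejected;
    default:
        return Dispatch::Unknown;
    }
}

// Constructed packet matching the capture in the advisory: 69 dd dd.
const std::vector<std::uint8_t> kTriggerPacket{0x69, 0xdd, 0xdd};

// A null session (the state the crash log reflects) is rejected, not dereferenced.
bool null_session_is_rejected() {
    std::string out;
    return dispatch_packet(kTriggerPacket, nullptr, out) == Dispatch::Rejected;
}

// A populated session is handled and its path copied out.
bool valid_session_is_handled() {
    Session s{};
    s.image_path = "/tmp/frame0001.tif";   // constructed sample value
    std::string out;
    return dispatch_packet(kTriggerPacket, &s, out) == Dispatch::Handled &&
           out == "/tmp/frame0001.tif";
}

int main() {
    return (image_path_offset() == 0x68 && null_session_is_rejected() &&
            valid_session_is_handled()) ? 0 : 1;
}
```

The check in handle_0x69_hardened is the minimum fix for the condition the advisory describes; a real service would also validate the remaining packet bytes before using them, since the advisory's point is that nothing read from the socket is validated before use.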
2018-02-07 - Vendor Disclosure
2018-06-14 - Public Release
Discovered by Tyler Bohan of Cisco Talos