CVE-2018-3862
A memory corruption vulnerability exists in the TIFF parsing functionality of Computerinsel Photoline 20.53. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.
Computerinsel Photoline 20.53 for OS X
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write
Photoline is an image-processing tool used to modify and edit images, as well as other graphic-related material. This product has a large user base, and is popular in its field. The vulnerable component is in the handling of TIFF images. TIFF is a raster-based image format used in graphics editing projects, thus making it a very common file format for such an application.
The vulnerability arises in the parsing of a compressed, tiled TIFF image. Tiled images were added to TIFF in a later extension and revision of the specification, allowing a single image to be made up of multiple tiles. The vulnerability arises in the processing and reading of these tiles. Each image specifies its own bits-per-sample value, and by crafting a TIFF image an attacker can steer the code into the vulnerable path shown below.
user_int = user_data_func(v40, v16); [0]
width = calc_width(*(v40 + 20));
v5 = v41;
parsing_loop(v41, v39, (sample * width + user_int), 1, v42); [1]
The function that calls into the parsing of a tile is shown above. Data taken from the TIFF image is shown at [0] and is passed directly into the next call. The width parameter is also specified via the image, allowing an attacker to control the program path taken. Below is the relevant code for the parsing loop.
switch ( (bits_per_sample - 1) ) [2]
{
case 7u:
for ( ; im_width; arg_3 += (signed int)a5 ) [3]
{
--im_width;
v20 = *a2;
a2 += v5;
*arg_3 = v20; [4]
}
break;
At location [2], the variable has been taken from the provided tag inside of the image. This allows the specific case to be selected in which arg_3 [3], passed in from the code shown above, is used as the write destination. This address can be influenced by the image and can thus be taken out of bounds. It is then written to at location [4], creating an arbitrary out-of-bounds write and an exploitable condition.
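The same tile copy written defensively, as an added example that is not part of the advisory or of Photoline's code: the destination offset built from image-controlled fields is validated against the real buffer length, with overflow-safe arithmetic, before any byte is written, so a crafted tile is rejected instead of written out of bounds. The function names, stride parameters and sample data are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Bounds-checked counterpart of the advisory's 8-bit tile loop (added example,
 * not Photoline code). The vulnerable loop does *arg_3 = *a2 im_width times,
 * stepping arg_3 by a5 and a2 by v5, with arg_3 built from image-controlled
 * values (sample * width + user_int). Names and 0 / -1 returns are assumed. */
int copy_tile_row_checked(uint8_t *dst, size_t dst_len, size_t dst_off,
                          size_t dst_stride, const uint8_t *src, size_t src_len,
                          size_t src_stride, size_t im_width,
                          unsigned bits_per_sample)
{
    if (dst == NULL || src == NULL || im_width == 0)
        return -1;
    if (bits_per_sample != 8)        /* only the advisory's "case 7u" path */
        return -1;
    if (dst_stride == 0 || src_stride == 0)
        return -1;
    /* Highest index touched is off + (im_width - 1) * stride; guard the
     * multiplication and addition against size_t wrap-around first. */
    size_t n = im_width - 1;
    if (n > (SIZE_MAX - dst_off) / dst_stride || n > SIZE_MAX / src_stride)
        return -1;
    if (dst_off + n * dst_stride >= dst_len || n * src_stride >= src_len)
        return -1;                   /* reject the tile instead of writing */
    uint8_t *out = dst + dst_off;
    for (size_t i = 0; i < im_width; i++, out += dst_stride, src += src_stride)
        *out = *src;
    return 0;
}
/* Constructed source tile and a 16-byte destination (not from a real file). */
static const uint8_t SRC[8] = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'};

/* In-bounds copy: every other source byte into dst[2..5]; returns dst[5]. */
int demo_valid_tile(void)
{
    uint8_t dst[16] = {0};
    if (copy_tile_row_checked(dst, sizeof dst, 2, 1, SRC, 8, 2, 4, 8) != 0)
        return -1;
    return dst[5];                   /* 'g' */
}
/* Offset built like [1] from image-controlled fields, landing past the end;
 * the checked copy refuses it where the original loop would write anyway. */
int demo_crafted_tile(void)
{
    uint8_t dst[16] = {0};
    size_t sample = 1, width = 8, user_int = 6;
    return copy_tile_row_checked(dst, sizeof dst, sample * width + user_int,
                                 1, SRC, 8, 2, 4, 8);
}
```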
Crashed thread log =
: Dispatch queue: com.apple.main-thread
0 de.pl32.photoline 0x000000010e2d31a1 0x10dab2000 + 8524193
1 de.pl32.photoline 0x000000010e2d03bf 0x10dab2000 + 8512447
2 de.pl32.photoline 0x000000010e2ced38 0x10dab2000 + 8506680
3 de.pl32.photoline 0x000000010e027d42 0x10dab2000 + 5725506
4 de.pl32.photoline 0x000000010dc64688 0x10dab2000 + 1779336
5 de.pl32.photoline 0x000000010dc643db 0x10dab2000 + 1778651
6 de.pl32.photoline 0x000000010dcc17c2 0x10dab2000 + 2160578
7 de.pl32.photoline 0x000000010e4ddc0a 0x10dab2000 + 10664970
8 de.pl32.photoline 0x000000010e4ddfb2 0x10dab2000 + 10665906
9 com.apple.AppKit 0x00007fffafccfdd7 -[NSDocument _initWithContentsOfURL:ofType:error:] + 172
10 com.apple.AppKit 0x00007fffafccfcbc -[NSDocument initWithContentsOfURL:ofType:error:] + 231
11 com.apple.AppKit 0x00007fffafdad2b0 -[NSDocumentController makeDocumentWithContentsOfURL:ofType:error:] + 644
12 com.apple.AppKit 0x00007fffb0000470 __97-[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:]_block_invoke + 83
13 com.apple.AppKit 0x00007fffb0000412 -[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:] + 176
14 com.apple.AppKit 0x00007fffafdac2e6 __80-[NSDocumentController openDocumentWithContentsOfURL:display:completionHandler:]_block_invoke + 613
15 com.apple.AppKit 0x00007fffaffff48b __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_2.922 + 180
16 com.apple.AppKit 0x00007fffaffff3a7 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke.921 + 138
17 com.apple.AppKit 0x00007fffaffff269 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_4 + 267
18 com.apple.CoreFoundation 0x00007fffb1fd717c __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 12
19 com.apple.CoreFoundation 0x00007fffb1fb7f84 __CFRunLoopDoBlocks + 356
20 com.apple.CoreFoundation 0x00007fffb1fb7705 __CFRunLoopRun + 917
21 com.apple.CoreFoundation 0x00007fffb1fb7114 CFRunLoopRunSpecific + 420
22 com.apple.HIToolbox 0x00007fffb1517ebc RunCurrentEventLoopInMode + 240
23 com.apple.HIToolbox 0x00007fffb1517bf9 ReceiveNextEventCommon + 184
24 com.apple.HIToolbox 0x00007fffb1517b26 _BlockUntilNextEventMatchingListInModeWithFilter + 71
25 com.apple.AppKit 0x00007fffafaaea54 _DPSNextEvent + 1120
26 com.apple.AppKit 0x00007fffb022a7ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796
27 com.apple.AppKit 0x00007fffafaa33db -[NSApplication run] + 926
28 de.pl32.photoline 0x000000010e4daa19 0x10dab2000 + 10652185
29 com.apple.AppKit 0x00007fffafa6de0e NSApplicationMain + 1237
30 de.pl32.photoline 0x000000010dab3d14 0x10dab2000 + 7444
log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb %al,(%rdx):instruction_address=0x000000010e2d31a1:access_type=write:access_address=0x00007f8cededee01:
2018-03-27 - Vendor Disclosure
2018-04-11 - Public Release
Discovered by Tyler Bohan of Cisco Talos.