ID: CVE-2018-3921
Type: cve
Reporter: cve@mitre.org
Modified: 2020-08-24T17:37:00
Description
A memory corruption vulnerability exists in the PSD-parsing functionality of Computerinsel Photoline 20.54. A specially crafted PSD image processed via the application can lead to a stack overflow, overwriting arbitrary data. An attacker can deliver a PSD image to trigger this vulnerability and gain code execution.
Source: talos, TALOS-2018-0585 (edition 3; published 2018-07-11; modified 2018-07-11; last seen 2019-05-29T19:19:55; CVSSv2 6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P), <http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0585>

# Talos Vulnerability Report

### TALOS-2018-0585

## Computerinsel Photoline PSD Blending Channel Code Execution Vulnerability

##### July 11, 2018

##### CVE Number

CVE-2018-3921

### Summary

A memory corruption vulnerability exists in the PSD-parsing functionality of Computerinsel Photoline 20.54. A specially crafted PSD image processed via the application can lead to a stack overflow, overwriting arbitrary data. An attacker can deliver a PSD image to trigger this vulnerability and gain code execution.

### Tested Versions

Computerinsel Photoline 20.54 for OS X

### Product URLs

<https://www.pl32.com/>

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### CWE

CWE-121: Stack-based Buffer Overflow

### Details

Photoline is an image processing tool used to modify and edit images, as well as other graphic-related material. This product has a large user base and is popular in its specific field. The vulnerability arises in parsing the PSD image, specifically in the handling of the blending channels inside the image. The PSD format supports multiple layers and masks per image, and the vulnerability lies in how the software handles the length of these layers. Looking at the vulnerable image's Blending Layer Length value, we see that it is 0x40000000. Shown below is the code using this value, which causes the overflow.

    LOWORD(v6) = memcpy_wrapper(sstack_buffer, &image_Data, blending_channel_1);

The blending channel length is read directly from the image and used as the size of a copy into a stack-based buffer. This causes a direct overflow of the stack and an overwrite of arbitrary data. A stack cookie is present, but it could be circumvented by other means. This vulnerability could be exploited to gain code execution.

### Crash Information

    Crashed thread log = 
    : Dispatch queue: com.apple.main-thread
    0 libsystem_kernel.dylib 0x00007fff53a10b6e __pthread_kill + 10
    1 libsystem_pthread.dylib 0x00007fff53bdb080 pthread_kill + 333
    2 libsystem_c.dylib 0x00007fff5396c24d __abort + 144
    3 libsystem_c.dylib 0x00007fff5396caf8 __stack_chk_fail + 205
    4 de.pl32.photoline 0x0000000102090bae 0x101897000 + 8362926
    5 ??? 0x8000c18000c18000 0 + 9223584792367431680

    log name is: ./crashlogs/1.crashlog.txt
    ---
    exception=EXC_CRASH:signal=6:is_exploitable=yes:instruction_disassembly=jae CONSTANT:instruction_address=0x00007fff53a10b6e:access_type=:access_address=0x0000000000000000:
    The crash is suspected to be an exploitable issue due to the suspicious function in the stack trace of the crashing thread: ' __stack_chk_fail '

### Timeline

2018-05-01 - Vendor Disclosure
2018-07-11 - Public Release

##### Credit

Discovered by Tyler Bohan of Cisco Talos.

* * *

Source: talosblog, TALOSBLOG:1203EB746173E95F3DB0DAB9F4129C59 (published 2018-07-11T11:00:00; modified 2018-07-11T18:37:20; last seen 2018-07-12T08:30:15; CVEs: CVE-2018-3921, CVE-2018-3922, CVE-2018-3923), <http://feedproxy.google.com/~r/feedburner/Talos/~3/OaCBCFgHvSc/vulnerability-spotlight-computerinsel-photoline.html>

## Vulnerability Spotlight: Computerinsel Photoline Multiple Vulnerabilities

Vulnerabilities discovered by Tyler Bohan from Talos

### Overview

Today, Cisco Talos is disclosing several vulnerabilities in Computerinsel Photoline. Photoline is an image-processing tool used to modify and edit images, as well as other graphic-related material. This product has a sizable user base and is popular in the graphic design field. The vulnerabilities are present in the parsing functionality of the software.

#### TALOS-2018-0585 - Computerinsel Photoline PSD-Blending Channel Code Execution Vulnerability (CVE-2018-3921)

A memory corruption vulnerability exists in the Adobe Photoshop file (PSD)-parsing functionality of Computerinsel Photoline 20.54. A specially crafted PSD document processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a PSD document to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found [here](http://www.talosintelligence.com/reports/TALOS-2018-0585).

#### TALOS-2018-0586 - Computerinsel Photoline ANI-Parsing Code Execution Vulnerability (CVE-2018-3922)

A memory corruption vulnerability exists in the ANI-parsing functionality of Computerinsel Photoline 20.54. A specially crafted ANI image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver an ANI image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found [here](http://www.talosintelligence.com/reports/TALOS-2018-0586).

#### TALOS-2018-0587 - Computerinsel Photoline PCX Run Length Encoding Code Execution Vulnerability (CVE-2018-3923)

A memory corruption vulnerability exists in the PCX-parsing functionality of Computerinsel Photoline 20.54. A specially crafted PCX image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found [here](http://www.talosintelligence.com/reports/TALOS-2018-0587).

## Tested Versions:

Computerinsel Photoline 20.54 for OS X

Vendor release notes: <https://www.pl32.com/pages/rnote.php>

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 46452-46453, 46455-46456, 46459-46460