Computerinsel Photoline GIF Parsing Code Execution Vulnerability(CVE-2017-2880)

2017-10-10T00:00:00
ID SSV:96632
Type seebug
Reporter Root
Modified 2017-10-10T00:00:00

Description

Summary

A memory corruption vulnerability exists in the .GIF parsing functionality of Computerinsel Photoline 20.02. A specially crafted .GIF file can trigger memory corruption, potentially resulting in code execution. An attacker can send a specially crafted .GIF file to trigger this vulnerability.

Tested Versions

Computerinsel GmbH Photoline 20.02

Product URLs

https://www.pl32.com/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

The code responsible for the vulnerability is provided below:

```
.text:007BE521 loc_7BE521:                             ; CODE XREF: buggy_proc+62j
.text:007BE521     mov     cl, [esi+14h]               ; [esi+14h] -> byte taken straight from GIF file
.text:007BE524     mov     edx, 1
.text:007BE529     shl     edx, cl
.text:007BE52B     movzx   cx, cl
.text:007BE52F     lea     eax, [edx+1]
.text:007BE532     mov     [esi+1Ch], ax
.text:007BE536     lea     eax, [edx+2]
.text:007BE539     mov     [esi+401Eh], ax
.text:007BE540     mov     eax, 1000h
.text:007BE545     mov     [esi+4020h], ax
.text:007BE54C     inc     cx
.text:007BE54E     mov     eax, 1
.text:007BE553     shl     eax, cl
.text:007BE555     mov     [esi+16h], cx
.text:007BE559     xor     ecx, ecx
.text:007BE55B     mov     [esi+1Ah], dx
.text:007BE55F     dec     eax
.text:007BE560     mov     [esi+18h], ax
.text:007BE564     xor     eax, eax
.text:007BE566     cmp     cx, dx
.text:007BE569     jnb     short loc_7BE58B
.text:007BE56B     jmp     short bug_write_loop

.text:007BE570 bug_write_loop:                         ; CODE XREF: buggy_proc+BBj
.text:007BE570                                         ; buggy_proc+D9j
.text:007BE570     movzx   ecx, ax
.text:007BE573     mov     edx, 1000h
.text:007BE578     mov     [esi+ecx*2+1Eh], dx         ; WRITE!
.text:007BE57D     mov     [ecx+esi+201Eh], al         ; WRITE!
.text:007BE584     inc     eax
.text:007BE585     cmp     ax, [esi+1Ah]               ; [esi+1Ah] is calculated from our data
.text:007BE589     jb      short bug_write_loop
.text:007BE58B
```

In short, the byte value is taken directly from the .GIF file (see address 0x007BE521) without any validation. This value is used as a shift count (1 << value), and the result is stored at [esi+1Ah] and used as the loop repeat count (see address 0x007BE585). Because the loop indexes two fixed-size tables with that count, an attacker controlling the byte can cause out-of-bounds writes and memory corruption (instructions at 0x007BE578 and 0x007BE57D).
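The following C rendering of the initialisation above is an added example, not code from this advisory, from Talos or from Computerinsel. It models the writes in the listing (table size taken from the 0x1000 marker and the 0x2000-byte gap between the tables at +1Eh and +201Eh), shows the bounds check the binary lacks, and includes a minimal GIF walker that extracts the file-controlled LZW minimum code size byte; the walker, the struct field names and the sample GIF bytes are assumptions constructed for the example (the walker handles only the first image descriptor).

```c
/* Added example, not Talos or Computerinsel code: a C rendering of the LZW table
 * set-up in the listing above, the bounds check it lacks, and a minimal GIF walker
 * (assumed: first image descriptor only) that extracts the file-controlled byte.
 * C padding means the struct offsets differ from the listing; the field order does not. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define LZW_TABLE_SIZE 0x1000u               /* 4096 entries: 12-bit GIF LZW codes */

typedef struct {                             /* field order follows the listing's writes */
    uint8_t  min_code_size;                  /* [esi+14h], straight from the file */
    uint16_t code_size;                      /* [esi+16h] = min_code_size + 1 */
    uint16_t code_mask;                      /* [esi+18h] = (1 << code_size) - 1 */
    uint16_t clear_code;                     /* [esi+1Ah] = 1 << min_code_size, loop bound */
    uint16_t end_code;                       /* [esi+1Ch] = clear_code + 1 */
    uint16_t prefix[LZW_TABLE_SIZE];         /* [esi+1Eh], word writes */
    uint8_t  suffix[LZW_TABLE_SIZE];         /* [esi+201Eh], byte writes */
    uint16_t next_free;                      /* [esi+401Eh] = clear_code + 2 */
    uint16_t free_marker;                    /* [esi+4020h] = 0x1000 */
} lzw_state;

static lzw_state g_state;                    /* ~12 KB, kept off the stack */

/* loc_7BE521 .. bug_write_loop as written: nothing bounds the file byte, so values
 * 13..15 run the loop past both tables (16..31 truncate to a 16-bit bound of 0). */
static void lzw_init_unchecked(lzw_state *s, uint8_t min_code_size)
{
    uint32_t clear = 1u << (min_code_size & 31);         /* shl edx, cl: cl mod 32 */
    s->min_code_size = min_code_size;  s->free_marker = 0x1000;
    s->end_code      = (uint16_t)(clear + 1);
    s->next_free     = (uint16_t)(clear + 2);
    s->code_size     = (uint16_t)(min_code_size + 1);
    s->code_mask     = (uint16_t)((1u << (s->code_size & 31)) - 1);
    s->clear_code    = (uint16_t)clear;
    for (uint16_t i = 0; i < s->clear_code; i++) {       /* cmp ax,[esi+1Ah] / jb */
        s->prefix[i] = 0x1000;                           /* WRITE at 007BE578 */
        s->suffix[i] = (uint8_t)i;                       /* WRITE at 007BE57D */
    }
}

/* Entries the unchecked loop would write (same 16-bit truncation), no memory touched. */
static uint32_t unchecked_write_count(uint8_t min_code_size)
{
    return (uint16_t)(1u << (min_code_size & 31));
}

/* Hardened form: GIF89a allows 2..8; the second check guards the 4096-entry arrays on its own. */
static int lzw_init_checked(lzw_state *s, uint8_t min_code_size)
{
    if (min_code_size < 2 || min_code_size > 8) return -1;       /* rejected, no writes */
    if ((1u << min_code_size) + 2 > LZW_TABLE_SIZE) return -1;
    lzw_init_unchecked(s, min_code_size);
    return 0;
}

/* Skip header, screen descriptor, colour tables and extension blocks to the first
 * image descriptor and return its LZW minimum code size byte, or -1 on malformed input. */
static int gif_first_lzw_min_code_size(const uint8_t *buf, size_t len)
{
    size_t pos = 13;                                      /* "GIF8xa" + 7-byte LSD */
    if (len < pos || memcmp(buf, "GIF8", 4) != 0) return -1;
    if (buf[10] & 0x80) pos += 3u * (1u << ((buf[10] & 7) + 1));   /* global table */
    while (pos < len) {
        if (buf[pos] == 0x2C) {                           /* image descriptor */
            if (pos + 10 > len) return -1;
            size_t p = pos + 10;
            if (buf[pos + 9] & 0x80) p += 3u * (1u << ((buf[pos + 9] & 7) + 1));
            return p < len ? buf[p] : -1;
        }
        if (buf[pos] != 0x21) return -1;                  /* trailer or garbage */
        pos += 2;                                         /* introducer + label */
        while (pos < len && buf[pos] != 0) pos += 1u + buf[pos];  /* data sub-blocks */
        pos += 1;                                         /* block terminator */
    }
    return -1;
}

/* Constructed 1x1 GIF, no colour tables, one graphic control extension, cut just
 * before the LZW minimum code size byte that check_gif() appends. */
static const uint8_t sample_gif_prefix[] = {
    'G','I','F','8','9','a',  1,0, 1,0, 0x00, 0, 0,      /* header + LSD, no GCT */
    0x21, 0xF9, 0x04, 0,0,0,0, 0x00,                     /* graphic control extension */
    0x2C, 0,0, 0,0, 1,0, 1,0, 0x00                       /* image descriptor, no LCT */
};

/* Parse the sample with the given code-size byte, then run the checked init. */
static int check_gif(uint8_t min_code_size_byte, lzw_state *s)
{
    uint8_t buf[sizeof sample_gif_prefix + 1];
    memcpy(buf, sample_gif_prefix, sizeof sample_gif_prefix);
    buf[sizeof sample_gif_prefix] = min_code_size_byte;
    int cs = gif_first_lzw_min_code_size(buf, sizeof buf);
    return cs < 0 ? -1 : lzw_init_checked(s, (uint8_t)cs);
}

int main(void)
{
    for (uint8_t b = 8; b <= 15; b += 7)                  /* spec-valid 8, then hostile 15 */
        printf("byte %2u: %s, unchecked loop would write %u entries\n", b,
               check_gif(b, &g_state) ? "rejected" : "accepted", unchecked_write_count(b));
    return 0;
}
```

Two details of the original code are worth noting when writing the check: `shl edx, cl` only uses the low five bits of `cl`, so the shift itself never faults, and the loop bound is compared as a 16-bit value, so bytes 16 and above silently produce a bound of zero while 13, 14 and 15 produce 8192, 16384 and 32768 iterations against 4096-entry tables. Validating the byte against the format's allowed range before it is used as a shift count or loop bound, as `lzw_init_checked` does, removes both behaviours.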

Crash Information

```
PhotoLine+0x3be578:
007be578 6689544e1e      mov     word ptr [esi+ecx*2+1Eh],dx ds:002b:001a0000=6341
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

GetUrlPageData2 (WinHttp) failed: 12002.

DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: PhotoLine+3be578 007be578 6689544e1e mov word ptr [esi+ecx*2+1Eh],dx

EXCEPTION_RECORD: (.exr -1) ExceptionAddress: 007be578 (PhotoLine+0x003be578) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 001a0000 Attempt to write to address 001a0000

FAULTING_THREAD: 000015ec

DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE

PROCESS_NAME: PhotoLine.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 00000001

EXCEPTION_PARAMETER2: 001a0000

FOLLOWUP_IP: PhotoLine+3be578 007be578 6689544e1e mov word ptr [esi+ecx*2+1Eh],dx

WRITE_ADDRESS: 001a0000

WATSON_BKT_PROCSTAMP: 589ee44a

WATSON_BKT_PROCVER: 20.0.0.2

PROCESS_VER_PRODUCT: PhotoLine

WATSON_BKT_MODULE: PhotoLine.exe

WATSON_BKT_MODSTAMP: 589ee44a

WATSON_BKT_MODOFFSET: 3be578

WATSON_BKT_MODVER: 20.0.0.2

MODULE_VER_PRODUCT: PhotoLine

BUILD_VERSION_STRING: 10.0.15063.296 (WinBuild.160101.0800)

MODLIST_WITH_TSCHKSUM_HASH: f2c082d751a472df1a8a185b4416b966db139902

MODLIST_SHA1_HASH: 7429f67ba2c849f9234e8c4db6453a762d0885f1

NTGLOBALFLAG: 70

APPLICATION_VERIFIER_FLAGS: 0

PRODUCT_TYPE: 1

SUITE_MASK: 272

DUMP_TYPE: fe

ANALYSIS_SESSION_HOST: CLAB

ANALYSIS_SESSION_TIME: 07-04-2017 08:52:40.0767

ANALYSIS_VERSION: 10.0.15063.400 amd64fre

THREAD_ATTRIBUTES: OS_LOCALE: PLK

PROBLEM_CLASSES:

ID:     [0n292]
Type:   [@ACCESS_VIOLATION]
Class:  Addendum
Scope:  BUCKET_ID
Name:   Omit
Data:   Omit
PID:    [Unspecified]
TID:    [0x15ec]
Frame:  [0] : PhotoLine

ID:     [0n265]
Type:   [INVALID_POINTER_WRITE]
Class:  Primary
Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
        BUCKET_ID
Name:   Add
Data:   Omit
PID:    [Unspecified]
TID:    [0x15ec]
Frame:  [0] : PhotoLine

ID:     [0n152]
Type:   [ZEROED_STACK]
Class:  Addendum
Scope:  BUCKET_ID
Name:   Add
Data:   Omit
PID:    [0x302c]
TID:    [0x15ec]
Frame:  [0] : PhotoLine

BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE

PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT

LAST_CONTROL_TRANSFER: from 00000000 to 007be578

STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 PhotoLine+0x3be578

THREAD_SHA1_HASH_MOD_FUNC: d8e26008eb6acc069d83c04d0ced24485d541252

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: c6dcc5f486de8c186b5aa96f2e4c9b36115ffd5f

THREAD_SHA1_HASH_MOD: d8e26008eb6acc069d83c04d0ced24485d541252

FAULT_INSTR_CODE: 4e548966

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: PhotoLine+3be578

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: PhotoLine

IMAGE_NAME: PhotoLine.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 589ee44a

STACK_COMMAND: ~0s ; kb

FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_PhotoLine.exe!Unknown

BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_PhotoLine+3be578

FAILURE_EXCEPTION_CODE: c0000005

FAILURE_IMAGE_NAME: PhotoLine.exe

BUCKET_ID_IMAGE_STR: PhotoLine.exe

FAILURE_MODULE_NAME: PhotoLine

BUCKET_ID_MODULE_STR: PhotoLine

FAILURE_FUNCTION_NAME: Unknown

BUCKET_ID_FUNCTION_STR: Unknown

BUCKET_ID_OFFSET: 3be578

BUCKET_ID_MODTIMEDATESTAMP: 589ee44a

BUCKET_ID_MODCHECKSUM: 103c5a2

BUCKET_ID_MODVER_STR: 20.0.0.2

BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_

FAILURE_PROBLEM_CLASS: APPLICATION_FAULT

FAILURE_SYMBOL_NAME: PhotoLine.exe!Unknown

WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/PhotoLine.exe/20.0.0.2/589ee44a/PhotoLine.exe/20.0.0.2/589ee44a/c0000005/003be578.htm?Retriage=1

TARGET_TIME: 2017-07-04T06:52:49.000Z

OSBUILD: 15063

OSSERVICEPACK: 296

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt SingleUserTS

USER_LCID: 0

OSBUILD_TIMESTAMP: unknown_date

BUILDDATESTAMP_STR: 160101.0800

BUILDLAB_STR: WinBuild

BUILDOSVER_STR: 10.0.15063.296

ANALYSIS_SESSION_ELAPSED_TIME: 732b

ANALYSIS_SOURCE: UM

FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_photoline.exe!unknown

FAILURE_ID_HASH: {3391e579-c3a2-d370-e494-6a2226b83b1d}

Followup: MachineOwner

```

Timeline

  • 2017-08-02 - Vendor Disclosure
  • 2017-10-04 - Public Release