# Talos Vulnerability Report

### TALOS-2018-0542

## ACD Systems Canvas Draw 4 PlanarConfiguration Heap Overflow Code Execution Vulnerability

##### July 19, 2018

##### CVE Number

CVE-2018-3858

### Summary

An exploitable heap overflow exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain the ability to execute code.

### Tested Versions

ACDSystems Canvas Draw 4.0.0

### Product URLs

<https://www.canvasgfx.com/en/products/canvas-draw>

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### CWE

CWE-122: Heap-Based Buffer Overflow

### Details

Canvas Draw 4 is a graphics editing tool used to create and edit images, as well as other graphic-related material. This product has a large user base, and is popular in its specific field. The vulnerable component is in the handling of TIFF images. TIFF is a raster-based image format used in graphics editing projects, thus making it a very common file format for such an application.

The vulnerability arises in the parsing of a tiled TIFF image with the PlanarConfiguration tag set. TIFF has two distinct ways of dealing with PlanarConfiguration; by setting this tag to the default chunky value (i.e. samples stored contiguously) in a tiled image, the application is sent into a special parsing loop. Running the application with the vulnerable TIFF image and Guard Malloc, we get the crash below.

```
Process 43138 stopped
* thread #1: tid = 0x814c5, 0x0000000101f6cbe8 ImageGear18`IGRaster::PlanarPackedToStd(long long, long long, long long, long long, unsigned char const*, void*, long long) + 248, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x3d05d0000)
    frame #0: 0x0000000101f6cbe8 ImageGear18`IGRaster::PlanarPackedToStd(long long, long long, long long, long long, unsigned char const*, void*, long long) + 248
ImageGear18`IGRaster::PlanarPackedToStd:
->  0x101f6cbe8 <+248>: mov    byte ptr [r10], r8b
    0x101f6cbeb <+251>: add    ecx, eax
    0x101f6cbed <+253>: add    r10, rdi
    0x101f6cbf0 <+256>: dec    r9
```

As can be seen above, the application is processing the planar packed information. If we look at where the buffer in R10 comes from, we can see the size being used for the allocation. The malloc log for R10 is below.

```
ALLOC 0x3c704eff0-0x3c704eff7 [size=8]: TIF_read | _TIF_read | _TIF_Load_Uncompressed | _TIF_Load_Uncompressed_subs | AF_memm_alloc | malloc
```

And the area where this size is calculated inside of `_TIF_Load_Uncompressed_subs`:

```
call    _IO_raster_size_get
mov     [rbp+var_50], rax
mov     r12d, eax
lea     rdx, aApplicationsBu_178 ; "/Applications/buildAgent/work/90a7e357b"...
mov     edi, r13d
mov     rsi, r12
mov     ecx, 1796h
call    _AF_memm_alloc
```

The raster size of this image is returned, then passed into a malloc wrapper, which returns a properly allocated buffer. The problem arises when the buffer is used inside of `PlanarPackedToStd`: the counter for the loop is miscalculated, and the overflow occurs. The relevant code is shown below.

```
mov     eax, 8
mov     r12,eax                 [0]
mov     rax, r15                [1]
cqo
idiv    r12
mov     [rbp+var_30], rax       [2]
```

The above code calculates the loop counter for how many planes to unpack. At [0], eight is set as the value used for the size of a plane. At [1], R15, which is passed in directly and holds too large a value, is used as the dividend, so at [2] the loop counter is written as four, and the buffer is overflowed. Below is the use of the counter variable and the vulnerable buffer that causes the overflow.

```
do
{
  ...
  do
  {
    *vuln_buffer = data & (mem >> data_calc);
    vuln_buffer = &vuln_buffer[inc_1];          [1]
    --v22;
    ++inc_1;
  }
  while ( v22 );
}
++count;
}
while ( count != vuln_counter );                [2]
```

At [1], the buffer is accessed in the inner loop with a counter of the proper size. Then, at [2], the problem with the outer counter shows up: the loop runs past the end of the allocation and the buffer is overwritten, creating the vulnerable condition. An attacker could craft arbitrary data to overwrite with and gain code execution through this vulnerability.
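The root cause above is a loop bound computed from an image-supplied value (R15 divided by a constant 8) that never consults the size of the buffer the loop writes into, which Guard Malloc shows to be only 8 bytes. The C program below is an added illustration written for this report, not ImageGear's or ACD Systems' code: `unchecked_plane_count` models that counter computation, and `planar_to_chunky_checked` is a hypothetical hardened planar-to-chunky unpack routine that derives every write from, and checks it against, the lengths of the buffers it is actually given, refusing the request before the first write when they do not fit. `replay_report_sizes` feeds it a constructed 32-byte planar source (chosen so that the modelled counter comes out as four, as the report describes) and an 8-byte raster; the one-byte-per-sample layout, the function names and the sample data are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the counter computation shown in the report: the divisor is the
 * constant 8 and the dividend is a value taken from the image, so the size
 * of the destination buffer never enters the calculation. (A model written
 * for this illustration, not ImageGear's code.) */
int64_t unchecked_plane_count(int64_t image_value)
{
    return image_value / 8;
}

/* Hypothetical hardened planar-to-chunky unpack (not ImageGear's API).
 * Assumes one byte per sample. Returns 0 on success, -1 if the request does
 * not fit src or dst; on -1 nothing has been written to dst. */
int planar_to_chunky_checked(const uint8_t *src, size_t src_len,
                             size_t planes, size_t pixels,
                             uint8_t *dst, size_t dst_len)
{
    if (src == NULL || dst == NULL || planes == 0 || pixels == 0)
        return -1;
    /* planes * pixels must not wrap around size_t. */
    if (planes > SIZE_MAX / pixels)
        return -1;
    size_t need = planes * pixels;
    /* The loop below reads and writes exactly `need` bytes; reject before
     * the first write if either buffer is smaller than that. */
    if (need > dst_len || need > src_len)
        return -1;

    for (size_t p = 0; p < planes; p++)
        for (size_t i = 0; i < pixels; i++)
            dst[i * planes + p] = src[p * pixels + i];
    return 0;
}

/* Replays the report's sizes against the hardened routine: Guard Malloc shows
 * an 8-byte raster allocation, while a constructed image-supplied value of 32
 * yields the modelled counter of four planes of 8 bytes each.
 * Returns the unpack routine's result (-1: rejected, raster untouched). */
int replay_report_sizes(void)
{
    enum { RASTER_ALLOC = 8, IMAGE_VALUE = 32 };
    uint8_t planar[IMAGE_VALUE];            /* constructed planar sample data */
    uint8_t raster[RASTER_ALLOC];
    for (int i = 0; i < IMAGE_VALUE; i++)
        planar[i] = (uint8_t)i;

    size_t planes = (size_t)unchecked_plane_count(IMAGE_VALUE);   /* 4 */
    size_t pixels = IMAGE_VALUE / planes;                          /* 8 */
    return planar_to_chunky_checked(planar, sizeof planar, planes, pixels,
                                    raster, sizeof raster);
}

int main(void)
{
    printf("modelled counter for an image value of 32: %lld\n",
           (long long)unchecked_plane_count(32));
    printf("hardened unpack into the 8-byte raster: %d (-1 = rejected)\n",
           replay_report_sizes());

    /* A consistent request: 2 planes x 4 pixels into an 8-byte raster. */
    const uint8_t two_planes[8] = { 'A','A','A','A', 'B','B','B','B' };
    uint8_t out[8];
    if (planar_to_chunky_checked(two_planes, sizeof two_planes, 2, 4,
                                 out, sizeof out) == 0)
        printf("interleaved: %.8s\n", (const char *)out);
    return 0;
}
```

The point of the hardened form is the ordering: the required byte count is computed with an overflow check and compared against both buffer lengths before the loop starts, so a malformed tag can only produce a rejected image, never a partial write past the allocation.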
### Crash Information

```
Crashed thread log =
: Dispatch queue: com.apple.main-thread
0   ImageGear18                          0x00000001089dfbe8 IGRaster::PlanarPackedToStd(long long, long long, long long, long long, unsigned char const*, void*, long long) + 248
1   ImageGear18                          0x0000000108895690 iIG_IP_planar_raster_unpack + 21
2   ImageGear18                          0x00000001089f462f _TIF_process_planar + 266
3   ImageGear18                          0x00000001089f38cd _TIF_Load_Uncompressed_subs + 1909
4   ImageGear18                          0x00000001089f46be _TIF_Load_Uncompressed + 94
5   ImageGear18                          0x00000001089ef2b6 _TIF_read + 1235
6   ImageGear18                          0x00000001089eed85 TIF_read + 261
7   ImageGear18                          0x00000001088ebdfd GPb_fltrm_READ_call_param + 178
8   ImageGear18                          0x00000001088ebd45 GPb_fltrm_READ_call + 21
9   ImageGear18                          0x00000001088c2bbf iIG_load_FD_CB_ex + 411
10  ImageGear18                          0x0000000108a343b6 IG_load_FD_CB_ex + 91
11  com.acdsystem.canvastool.ImageIO     0x000000016882bd12 CIGReadFile_CB_ext::readFile() + 836
12  com.acdsystem.canvastool.ImageIO     0x0000000168858633 ImageGearAcquireProc(short, AcquireRecord*, int*, short*) + 722
13  com.acdsystem.canvastool.ImageIO     0x0000000168858bf2 ImageIORunAcquireProc(_ImageIOAcquireState*) + 750
14  com.acdsystem.canvastool.ImageIO     0x000000016885678a 0x1687d8000 + 518026
15  com.acdsystem.canvastool.ImageIO     0x0000000168857ef4 DoImportFile(ImportFileMsg*) + 817
16  com.acdsystem.canvastool.ImageIO     0x000000016880b7c1 toolmain() + 917
17  com.acdsystem.canvastool.ImageIO     0x000000016883790a stdtool(TToolCallBlock*) + 122
18  com.acdsystem.canvastool.ImageIO     0x0000000168837889 cvtool_main(TToolCallBlock*) + 9
19  com.acdsystems.Canvas-Draw4          0x0000000106c275b0 0x106aee000 + 1283504
20  com.acdsystems.Canvas-Draw4          0x00000001076fcb76 0x106aee000 + 12643190
21  com.acdsystems.Canvas-Draw4          0x00000001076fc438 0x106aee000 + 12641336
22  com.acdsystems.Canvas-Draw4          0x000000010782c8a7 0x106aee000 + 13887655
23  com.apple.AppKit                     0x00007fffafee4bd3 -[NSApplication _doOpenFile:ok:tryTemp:] + 322
24  com.apple.AppKit                     0x00007fffafaa3ba7 -[NSApplication finishLaunching] + 1624
25  com.apple.AppKit                     0x00007fffafaa3148 -[NSApplication run] + 267
26  com.apple.AppKit                     0x00007fffafa6de0e NSApplicationMain + 1237
27  libdyld.dylib                        0x00007fffc7734235 start + 1

log name is: ./crashlogs/f.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb %r8b,(%r10):instruction_address=0x00000001089dfbe8:access_type=write:access_address=0x0000000385a3a000:
Crash accessing invalid address.
```

### Timeline

2018-03-20 - Vendor Disclosure
2018-04-18 - 30 day follow up
2018-04-19 - Vendor escalated to Canvas development team
2018-05-02 - 45 day follow up
2018-06-25 - Vendor confirmed fix scheduled for next update
2018-07-19 - Public Release

##### Credit

Discovered by Tyler Bohan of Cisco Talos.
* * *

### Related records

NVD entry for CVE-2018-3858 (<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-3858>): classified as CWE-787; CVSS v3.1 base score 7.8, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H; CVSS v2 base score 6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P; affected CPE cpe:2.3:a:acdsystems:canvas_draw:4.0.0:*:*:*:*:*:*:*. NVD notes that this is a different vulnerability than CVE-2018-3857.

### Related Talos blog post: Vulnerability Spotlight: Multiple Vulnerabilities in ACD Systems Canvas Draw 4 (July 19, 2018)

_These vulnerabilities were discovered by Tyler Bohan of Cisco Talos_

Today, Talos is disclosing several vulnerabilities that have been identified in the Canvas Draw graphics editing tool for Macs. Canvas Draw 4 is described in the Details section above; the vulnerable components are in its handling of TIFF and PCX images.

## Vulnerability Details

### TALOS-2018-0541 (CVE-2018-3857) - ACD Systems Canvas Draw 4 setRasterData Heap Overflow Code Execution Vulnerability

[TALOS-2018-0541](<http://www.talosintelligence.com/reports/TALOS-2018-0541>) describes an exploitable heap overflow vulnerability that exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

The vulnerability arises in the parsing of a compressed and tiled TIFF image. TIFF has support for multiple versions of image compression, and an image application is expected to be able to handle them. The tag used to define levels of compression is tag number 259. The crash happens due to an invalid object being freed on the free list.

### TALOS-2018-0542 (CVE-2018-3858) - ACD Systems Canvas Draw 4 PlanarConfiguration Heap Overflow Code Execution Vulnerability

[TALOS-2018-0542](<http://www.talosintelligence.com/reports/TALOS-2018-0542>) is an exploitable heap overflow vulnerability that exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

The vulnerability arises in the parsing of a tiled TIFF image with the PlanarConfiguration tag set.

### TALOS-2018-0543 (CVE-2018-3859) - ACD Systems Canvas Draw 4 Huff Table Out of Bounds Write Code Execution Vulnerability

[TALOS-2018-0543](<http://www.talosintelligence.com/reports/TALOS-2018-0543>) describes an exploitable out-of-bounds write vulnerability that exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

The vulnerability arises in the parsing of a tiled TIFF image with the Adobe Deflate compression scheme. This compression algorithm is not part of the TIFF standard algorithms but was added as an extension by Adobe; it uses lossless Deflate compression with the zlib compressed data format. The Canvas Draw application supports this compression format and is able to handle files using it. The vulnerability arises in attempting to build a Huffman table.

### TALOS-2018-0544 (CVE-2018-3860) - ACD Systems Canvas Draw 4 Resoultion_Set Out of Bounds Write Code Execution Vulnerability

[TALOS-2018-0544](<http://www.talosintelligence.com/reports/TALOS-2018-0544>) is an exploitable out-of-bounds write vulnerability that exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

The vulnerability arises in the parsing of a tiled TIFF image with a specially crafted resolution tag and data.

### TALOS-2018-0552 (CVE-2018-3870) - ACD Systems Canvas Draw 4 IO Metadata Out-of-Bounds Write Code Execution Vulnerability

[TALOS-2018-0552](<http://www.talosintelligence.com/reports/TALOS-2018-0552>) describes an exploitable out-of-bounds write vulnerability that exists in the PCX parsing functionality of Canvas Draw version 4.0.0. A specially crafted PCX image processed via the application can lead to an out-of-bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution.

The vulnerability arises in parsing the PCX image, specifically in dealing with the compression of the image. The compression scheme is determined via the file header, and by choosing run-length encoding as the compression, the program writes out of bounds using user-controlled data. The problem lies in the error checking in the code: if an error is present, the code path can be altered and user-controlled data can be accessed without validation.

### TALOS-2018-0553 (CVE-2018-3871) - ACD Systems Canvas Draw 4 Invert Map Out-of-Bounds Write Code Execution Vulnerability

[TALOS-2018-0553](<http://www.talosintelligence.com/reports/TALOS-2018-0553>) is an exploitable out-of-bounds write vulnerability that exists in the PCX parsing functionality of Canvas Draw version 4.0.0. A specially crafted PCX image processed via the application can lead to an out-of-bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution.

The vulnerability arises in parsing the PCX image, specifically in dealing with the column and row sizes of the image. Inside the PCX header, values are set that determine the location of the image data and the size of the image itself. By passing in incorrect values, the application will write out of bounds while attempting to access the image data.

### Affected versions

The vulnerabilities are confirmed in Canvas Draw version 4.0.0, but they may also be present in earlier versions of the product. Users are advised to apply the latest security update for their version: <https://www.canvasgfx.com/en/support/canvas-draw-5>

## Discussion

Familiar file formats that are routinely shared in a work environment make tempting targets for attackers, as the targets may not consider familiar image files to be potentially malicious. The TIFF and PCX file formats are regularly used in the graphic design industry and for the distribution of certain documents such as fax messages.

The complexity of image file formats means that there is a lot of scope for vulnerabilities to be inadvertently included in programs that parse them. Organizations need to remain abreast of vulnerabilities in image editing software packages such as ACD Systems Canvas Draw and update to the latest version as soon as possible.

## Coverage

The following Snort rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules:

 * 45985-45988, 45991-45994, 45997-46002, 46143-46148