TALOS-2018-0587
Computerinsel Photoline PCX Run Length Encoding Code Execution Vulnerability

Talos Intelligence
www.talosintelligence.com
Published: 2018-07-11

CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Attack Vector: NETWORK | Attack Complexity: MEDIUM | Authentication: NONE
  Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL

CVSS3: 7.8 High (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  Attack Vector: LOCAL | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: REQUIRED | Scope: UNCHANGED
  Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

EPSS: 0.001 Low (Percentile: 43.0%)

Summary

A memory corruption vulnerability exists in the PCX-parsing functionality of Computerinsel Photoline 20.54. A specially crafted PCX image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution.

Tested Versions

Computerinsel Photoline 20.54 for OS X

Product URLs

https://www.pl32.com/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

Photoline is an image processing tool used to modify and edit images, as well as for other graphics-editing tasks. The product has a large user base and is popular in the graphic design field. The vulnerable component is the handling of PCX images. PCX was a popular image format on early computers; although it has been superseded by more sophisticated formats, it is still in use and fully supported inside of Canvas Draw.

The vulnerability arises while parsing the PCX image, specifically when handling its run-length encoding. The run length is how PCX introduces each new image chunk: the value determines the size of the upcoming chunk. By crafting an image with successive large run-length values, the program can be made to write a null byte out of bounds, leading to an exploitable condition. The relevant code is shown below.

do                                   /* outer parsing loop; its opening is elided in the excerpt */
{
  if ( ... )                         /* run-length marker byte */
  {
    ...
    do
    {
      *vuln_object++ = a2[1];        /* repeat the run value */
      --v7;
    }
    while ( v7 );
    vuln_object += run_length;       [0]  /* pointer advanced by the image-supplied run length, unchecked */
    a2 += 2;
    ++count;
  }
  else
  {
    ++a2;
    *vuln_object++ = v5;             [1]  /* literal byte written through the possibly out-of-bounds pointer */
    --a3;
  }
  ++count;
}
while ( count < max );               [2]  /* max is derived from the destination object size */

The above code is the parsing loop that fills the vulnerable object with the image data. The size of the vulnerable object is passed in and used as the max variable in the loop condition [2]. At location [0], the object pointer is advanced by the run length read from the image, with no check against the object's bounds. By placing a large run length toward the end of the image, an attacker can advance the pointer beyond the end of the object; the next literal byte at location [1] is then written through that pointer, causing an out-of-bounds write and an exploitable condition.
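As an added illustration (not code from the advisory, from Photoline, or from Talos), the decoder below performs the bound check the quoted loop lacks: before every run write it compares the run length against the space remaining in the destination, and it rejects a marker with no value byte. The PCX run marker convention (top two bits set, repeat count in the low six bits) is the standard one; the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode PCX run-length data from src into dst, which holds exactly dst_len bytes.
 * Returns the number of bytes written, or -1 if the data would overflow dst
 * or a run marker is not followed by a value byte. */
long pcx_rle_decode(const uint8_t *src, size_t src_len, uint8_t *dst, size_t dst_len)
{
    size_t in = 0, out = 0;
    while (in < src_len && out < dst_len) {
        uint8_t b = src[in++];
        if ((b & 0xC0) == 0xC0) {           /* run marker: count in the low six bits */
            size_t run = b & 0x3F;
            if (in >= src_len)
                return -1;                  /* truncated input: marker without a value byte */
            uint8_t val = src[in++];
            if (run > dst_len - out)
                return -1;                  /* the bound the quoted loop never checks */
            memset(dst + out, val, run);
            out += run;
        } else {
            dst[out++] = b;                 /* literal byte; out < dst_len was checked above */
        }
    }
    return (long)out;
}

/* Constructed sample inputs, not taken from the advisory. */
static const uint8_t WELL_FORMED[] = { 0xC3, 0xAA, 0x11, 0xC2, 0xBB, 0x22 }; /* AA AA AA 11 BB BB 22 */
static const uint8_t OVERLONG[]    = { 0x11, 0xFF, 0xAA };                   /* literal, then a run of 63 */
static const uint8_t TRUNCATED[]   = { 0x11, 0xC5 };                         /* marker with no value byte */

/* Each check returns 1 when the decoder behaves as intended on an 8-byte destination. */
int check_well_formed(void)
{
    uint8_t buf[8] = {0};
    long n = pcx_rle_decode(WELL_FORMED, sizeof WELL_FORMED, buf, sizeof buf);
    return n == 7 && buf[0] == 0xAA && buf[2] == 0xAA && buf[3] == 0x11
        && buf[4] == 0xBB && buf[5] == 0xBB && buf[6] == 0x22;
}
int check_overlong(void)  { uint8_t b[8]; return pcx_rle_decode(OVERLONG,  sizeof OVERLONG,  b, sizeof b) == -1; }
int check_truncated(void) { uint8_t b[8]; return pcx_rle_decode(TRUNCATED, sizeof TRUNCATED, b, sizeof b) == -1; }
```

The overlong sample mirrors the advisory's trigger shape: a run length that exceeds what remains of the destination is refused instead of advancing the write pointer past the end of the buffer.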

Crash Information

Crashed thread log (Dispatch queue: com.apple.main-thread):
0   de.pl32.photoline               0x000000010e8763d3 0x10de15000 + 10884051
1   de.pl32.photoline               0x000000010e876476 0x10de15000 + 10884214
2   de.pl32.photoline               0x000000010e877094 0x10de15000 + 10887316
3   de.pl32.photoline               0x000000010df574f7 0x10de15000 + 1320183
4   de.pl32.photoline               0x000000010df57378 0x10de15000 + 1319800
5   de.pl32.photoline               0x000000010df57069 0x10de15000 + 1319017
6   de.pl32.photoline               0x000000010e3a5b22 0x10de15000 + 5835554
7   de.pl32.photoline               0x000000010dfcb066 0x10de15000 + 1794150
8   de.pl32.photoline               0x000000010dfcadc7 0x10de15000 + 1793479
9   de.pl32.photoline               0x000000010e028a66 0x10de15000 + 2177638
10  de.pl32.photoline               0x000000010e8709d2 0x10de15000 + 10861010
11  de.pl32.photoline               0x000000010e870d7a 0x10de15000 + 10861946
12  com.apple.AppKit                0x00007fff28d4086d -[NSDocument _initWithContentsOfURL:ofType:error:] + 172
13  com.apple.AppKit                0x00007fff28d40752 -[NSDocument initWithContentsOfURL:ofType:error:] + 231
14  com.apple.AppKit                0x00007fff28e162a5 -[NSDocumentController makeDocumentWithContentsOfURL:ofType:error:] + 628
15  com.apple.AppKit                0x00007fff290975e4 __97-[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:]_block_invoke + 91
16  com.apple.AppKit                0x00007fff2909757e -[NSDocumentController makeDocumentWithContentsOfURL:alternateContents:ofType:completionHandler:] + 176
17  com.apple.AppKit                0x00007fff28e1545b __80-[NSDocumentController openDocumentWithContentsOfURL:display:completionHandler:]_block_invoke + 880
18  com.apple.AppKit                0x00007fff29096225 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_4 + 31
19  com.apple.AppKit                0x00007fff290965ae __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke_2.970 + 149
20  com.apple.AppKit                0x00007fff290964e9 __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke.969 + 138
21  com.apple.AppKit                0x00007fff290963ab __144-[NSDocumentController _coordinateReadingAndGetAlternateContentsForOpeningDocumentAtURL:resolvingSymlinks:thenContinueOnMainThreadWithAccessor:]_block_invoke.964 + 254
22  com.apple.CoreFoundation        0x00007fff2b5c48cc __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 12
23  com.apple.CoreFoundation        0x00007fff2b5a72a3 __CFRunLoopDoBlocks + 275
24  com.apple.CoreFoundation        0x00007fff2b5a692e __CFRunLoopRun + 1278
25  com.apple.CoreFoundation        0x00007fff2b5a61a3 CFRunLoopRunSpecific + 483
26  com.apple.HIToolbox             0x00007fff2a88ed96 RunCurrentEventLoopInMode + 286
27  com.apple.HIToolbox             0x00007fff2a88ea0f ReceiveNextEventCommon + 366
28  com.apple.HIToolbox             0x00007fff2a88e884 _BlockUntilNextEventMatchingListInModeWithFilter + 64
29  com.apple.AppKit                0x00007fff28b41a73 _DPSNextEvent + 2085
30  com.apple.AppKit                0x00007fff292d7e34 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044
31  com.apple.AppKit                0x00007fff28b36885 -[NSApplication run] + 764
32  de.pl32.photoline               0x000000010e86d7b9 0x10de15000 + 10848185
33  com.apple.AppKit                0x00007fff28b05a72 NSApplicationMain + 804
34  de.pl32.photoline               0x000000010de170b4 0x10de15000 + 8372

log name is: ./crashlogs/1.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb  %r11b,(%rcx):instruction_address=0x000000010e8763d3:access_type=write:access_address=0x000000019ad18000:
Crash accessing invalid address.

Timeline

2018-05-01 - Vendor Disclosure
2018-07-11 - Public Release
