An exploitable heap overflow vulnerability exists in the JPEG2000 parsing functionality of LEADTOOLS 20. A specially crafted J2K image file can cause an out of bounds write of a heap buffer, potentially resulting in code execution. An attack can specially craft a J2K image to trigger this vulnerability.
LEADTOOLS, according to the website, “is a collection of comprehensive toolkits to integrate document, medical, multimedia, and imaging technologies into desktop, server, tablet, and mobile applications”. It offers prebuilt and portable libraries with an SDK for most platforms (Windows, Linux, Android, etc), that are all geared towards building applications for medical systems.
The module used for this analysis is below:
Image path: C:\LEADTOOLS 20\Bin\CDLL\Win32\lfJ2kU.DLL
Image name: lfJ2kU.DLL
Browse all global symbols functions data
Timestamp: Fri Mar 1 09:35:20 2019 (5C795138)
CheckSum: 00058242
ImageSize: 0005D000
File version: 20.0.0.4
Product version: 20.0.0.0
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04e4
One of the box types when parsing is Contiguous Codestream box (tagged by jp2c). For this box type, there are a number of code tags which specify the attributes of the box itself. For example, the tag 0xFF51 (SIZ) signifies an Image and Tile Size. An allocation is created based on the size given in the SIZ tag [0].
The contiguous codestream box can contain number components. Each of these components have an integer multiple which is used to populate the image in tiles rather than as an entire image all at once.
By providing an offset field for a tile component that is outside the range of the original image, this will write data outside of the area of the image allocation, causing a heap buffer overflow, potentially resulting in code execution.
{"id": "TALOS-2019-0916", "bulletinFamily": "info", "title": "LEADTOOLS JPEG2000 j2pc Parsing Remote Code Execution Vulnerability", "description": "# Talos Vulnerability Report\n\n### TALOS-2019-0916\n\n## LEADTOOLS JPEG2000 j2pc Parsing Remote Code Execution Vulnerability\n\n##### November 5, 2019\n\n##### CVE Number\n\nCVE-2019-5125 \n\n### Summary\n\nAn exploitable heap overflow vulnerability exists in the JPEG2000 parsing functionality of LEADTOOLS 20. A specially crafted J2K image file can cause an out of bounds write of a heap buffer, potentially resulting in code execution. An attack can specially craft a J2K image to trigger this vulnerability.\n\n### Tested Versions\n\nLEADTOOLS 20.0.2019.3.15\n\n### Product URLs\n\n<https://www.leadtools.com/>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-122: Heap-based Buffer Overflow\n\n### Details\n\nLEADTOOLS, according to the website, \u201cis a collection of comprehensive toolkits to integrate document, medical, multimedia, and imaging technologies into desktop, server, tablet, and mobile applications\u201d. It offers prebuilt and portable libraries with an SDK for most platforms (Windows, Linux, Android, etc), that are all geared towards building applications for medical systems.\n\nThe module used for this analysis is below:\n \n \n Image path: C:\\LEADTOOLS 20\\Bin\\CDLL\\Win32\\lfJ2kU.DLL\n Image name: lfJ2kU.DLL\n Browse all global symbols functions data\n Timestamp: Fri Mar 1 09:35:20 2019 (5C795138)\n CheckSum: 00058242\n ImageSize: 0005D000\n File version: 20.0.0.4\n Product version: 20.0.0.0\n File flags: 0 (Mask 3F)\n File OS: 40004 NT Win32\n File type: 2.0 Dll\n File date: 00000000.00000000\n Translations: 0409.04e4\n \n\nOne of the box types when parsing is Contiguous Codestream box (tagged by `jp2c`). For this box type, there are a number of code tags which specify the attributes of the box itself. For example, the tag 0xFF51 (SIZ) signifies an Image and Tile Size. An allocation is created based on the size given in the SIZ tag [0].\n \n \n lfj2ku+0x33f80\n .text:00033F77 mov esi, [eax+14h]\n ...\n .text:00033F80 mov edx, [ebp+var_18]\n .text:00033F83 mov ebx, eax\n .text:00033F85 mov eax, [ebp+var_48]\n .text:00033F88 mov [ebp+var_3C], ebx\n .text:00033F8B mov eax, [eax+4]\n .text:00033F8E mov ecx, [eax+0Ch] ; Xsiz field from image\n .text:00033F91 mov eax, [edx+0Ch]\n .text:00033F94 imul ecx, esi\n .text:00033F97 mov [ebx+4], eax\n .text:00033F9A test ecx, ecx\n .text:00033F9C jg short loc_33FAB\n .text:00033FAB lea eax, [ecx-1]\n .text:00033FAE cdq\n .text:00033FAF and edx, 7\n .text:00033FB2 add eax, edx\n .text:00033FB4 sar eax, 3\n .text:00033FB7 inc eax\n .text:00033FB8\n .text:00033FB8 push offset aDSrcmLead15Api_13 \n .text:00033FBD push 393h\n .text:00033FC2 push 1\n .text:00033FC4 add eax, 30h\n .text:00033FC7 push eax ; Calculated allocation size\n .text:00033FC8 call ds:L_LocalAlloc ; [0]\n \n\nThe contiguous codestream box can contain number components. Each of these components have an integer multiple which is used to populate the image in tiles rather than as an entire image all at once.\n \n \n lfj2ku+0x32b32\n .text:00032B32 mov esi, [esp+60h+image_offset] ; XRsiz field for current component\n ...\n .text:00032B40 loop_top: \n .text:00032B40 movq mm2, qword ptr [edi]\n .text:00032B43 lea edi, [edi+10h]\n .text:00032B46 mov ecx, [esp+60h+var_34]\n .text:00032B4A paddsw mm2, mm3\n .text:00032B4D psraw mm2, 5\n .text:00032B51 paddsw mm2, mm4\n .text:00032B54 movq mm1, qword ptr [edi-8]\n .text:00032B58 paddsw mm1, mm3\n .text:00032B5B psraw mm1, 5\n .text:00032B5F movq mm0, mm4\n .text:00032B62 paddsw mm0, mm1\n .text:00032B65 packuswb mm2, mm0\n .text:00032B68 movq qword ptr [esp+60h+var_20], mm2\n .text:00032B6D movzx eax, byte ptr [esp+60h+var_20]\n .text:00032B72 mov [edx], al\n .text:00032B74 movzx eax, byte ptr [esp+60h+var_20+1]\n .text:00032B79 mov [ecx+esi], al\n .text:00032B7C movzx eax, byte ptr [esp+60h+var_20+2]\n .text:00032B81 mov ecx, [esp+60h+var_30]\n .text:00032B85 mov [esi], al\n ...\n .text:00032BC3 add esi, [esp+60h+var_38]\n .text:00032BC7 sub [esp+60h+var_40], 1\n .text:00032BCC jnz loop_top\n .text:00032BD2 mov edi, [esp+60h+var_48]\n .text:00032BD6 mov ecx, [esp+60h+var_54]\n \n\nBy providing an offset field for a tile component that is outside the range of the original image, this will write data outside of the area of the image allocation, causing a heap buffer overflow, potentially resulting in code execution.\n\n### Crash Information\n \n \n eax=00000080 ebx=0be05fe8 ecx=00000004 edx=0be07ffb esi=0be08003 edi=0bddaf70\n eip=7a1d2b85 esp=012fa7e0 ebp=012fa848 iopl=0 nv up ei pl nz na pe nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206\n lfJ2kU!fltJ2KFileInfo+0x6765:\n 7a1d2b85 8806 mov byte ptr [esi],al ds:002b:0be08003=??\n \n 0:000:x86> dc esi-0x20\n 0be07fe3 c0c0c080 c0c0c080 c0c0c080 c0c0c080 ................\n 0be07ff3 c0c0c080 c0c0c080 c0c0c080 ???????? ............????\n 0be08003 ???????? ???????? ???????? ???????? ????????????????\n 0be08013 ???????? ???????? ???????? ???????? ????????????????\n \n\n### Timeline\n\n2019-10-08 - Vendor Disclosure \n2019-11-03 - Vendor Patched \n2019-11-05 - Public Release\n\n##### Credit\n\nDiscovered by Cory Duplantis of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2019-0891\n\nPrevious Report\n\nTALOS-2019-0892\n", "published": "2019-11-05T00:00:00", "modified": "2019-11-05T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0916", "reporter": "Talos Intelligence", "references": [], "cvelist": ["CVE-2019-5125"], "type": "talos", "lastseen": "2020-07-01T21:25:12", "edition": 3, "viewCount": 32, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-5125"]}, {"type": "talosblog", "idList": ["TALOSBLOG:944A6E5031F26048E8CAD262966162C0"]}], "modified": "2020-07-01T21:25:12", "rev": 2}, "score": {"value": 5.2, "vector": "NONE", "modified": "2020-07-01T21:25:12", "rev": 2}, "vulnersScore": 5.2}, "scheme": null}
{"cve": [{"lastseen": "2020-10-03T13:38:54", "description": "An exploitable heap overflow vulnerability exists in the JPEG2000 parsing functionality of LEADTOOLS 20. A specially crafted J2K image file can cause an out of bounds write of a heap buffer, potentially resulting in code execution. An attack can specially craft a J2K image to trigger this vulnerability.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-06T20:15:00", "title": "CVE-2019-5125", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5125"], "modified": "2019-12-12T16:21:00", "cpe": [], "id": "CVE-2019-5125", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5125", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "talosblog": [{"lastseen": "2019-11-09T16:30:30", "bulletinFamily": "blog", "cvelist": ["CVE-2019-5084", "CVE-2019-5099", "CVE-2019-5125"], "description": "[](<https://1.bp.blogspot.com/-4KmzPgCzEnI/XUgv9m3AF_I/AAAAAAAAAC4/C28-47fWukERV4yT0uQnA2_xuy2aB8ZkgCPcBGAYYCw/s1600/recurring%2Bblog%2Bimages_vuln%2Bspotlight.jpg>)\n\n_ \n__Marcin Towalski and Cory Duplantis of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw._ \n \nCisco Talos recently discovered multiple vulnerabilities in the LEADTOOLS line of imaging toolkits. LEADTOOLS is a collection of toolkits designed to perform a variety of functions aimed at integrating documents, multimedia and imaging technologies into applications. All of the software is produced by LEAD Technologies Inc. LEADTOOLS offers prebuilt and portable libraries with an SDK for most platforms (Windows, Linux, Android, etc.), that are all geared toward building \n\n\n[](<https://1.bp.blogspot.com/-JXkSIehaKi4/XUgwEX6wLjI/AAAAAAAAAC8/8mea4rZfy7AGT_PIchejkERmCFmfdbxTACPcBGAYYCw/s1600/patch_availability_available.jpg>)\n\napplications for medical systems. Various pieces of LEADTOOLS contain vulnerabilities that could be exploited by malicious actors to carry out a number of actions, including denial-of-service conditions and the execution of code remotely. \n \nIn accordance with our coordinated disclosure policy, Cisco Talos worked with LEAD Technologies to ensure that these issues are resolved and that [an update](<https://www.leadtools.com/downloads>) is available for affected customers. \n \n\n\n### Vulnerability details\n\n**LEADTOOLS TIF ImageWidth code execution vulnerability (TALOS-2019-0876/CVE-2019-5084)** \n \nAn exploitable heap out-of-bounds write vulnerability exists in the TIF-parsing functionality of LEADTOOLS 20. A specially crafted TIF image can cause an offset beyond the bounds of a heap allocation to be written, potentially resulting in code execution. An attacker can specially craft a TIF image to trigger this vulnerability. \n \nRead the complete vulnerability advisory [here](<https://talosintelligence.com/vulnerability_reports/TALOS-2019-0876>) for additional information. \n \n**LEADTOOLS CMP-parsing code execution vulnerability (TALOS-2019-0891/CVE-2019-5099)** \n \nAn exploitable integer underflow vulnerability exists in the CMP-parsing functionality of LEADTOOLS 20. A specially crafted CMP image file can cause an integer underflow, potentially resulting in code execution. An attacker can specially craft a CMP image to trigger this vulnerability. \n \nRead the complete vulnerability advisory [here](<https://talosintelligence.com/vulnerability_reports/TALOS-2019-0891>) for additional information. \n \n**LEADTOOLS BMP parsing remote code execution vulnerability ****(TALOS-2019-0892/CVE-2019-5125)** \n \nAn exploitable integer overflow vulnerability exists in the BMP header parsing functionality of LEADTOOLS 20. A specially crafted BMP image file can cause an integer overflow, potentially resulting in code execution. An attacker can specially craft a BMP image to trigger this vulnerability. \n \nRead the complete vulnerability advisory [here](<https://talosintelligence.com/vulnerability_reports/TALOS-2019-0892>) for additional information. \n \n**LEADTOOLS JPEG2000 j2pc parsing code execution vulnerability ****(TALOS-2019-0916/CVE-2019-5125)** \n \nAn exploitable heap overflow vulnerability exists in the JPEG2000-parsing functionality of LEADTOOLS 20. A specially crafted J2K image file can cause an out-of-bounds write of a heap buffer, potentially resulting in code execution. An attack can specially craft a J2K image to trigger this vulnerability.. \n \nRead the complete vulnerability advisory [here](<https://talosintelligence.com/vulnerability_reports/TALOS-2019-0916>) for additional information. \n \n\n\n### Versions tested\n\nTalos tested and confirmed that version 20.0.2019.3.15 of LEADTOOLS is affected by these vulnerabilities. \n \n\n\n### Coverage\n\nThe following SNORT\u24c7 rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \n**Snort Rules:** 50824 - 50827, 51930-51938, 51447, 51448", "modified": "2019-11-06T09:02:20", "published": "2019-11-06T09:02:20", "id": "TALOSBLOG:944A6E5031F26048E8CAD262966162C0", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/Q-mYB3ISwHo/vulnerability-spotlight-code-execution.html", "type": "talosblog", "title": "Vulnerability Spotlight: Code execution vulnerabilities in LEADTOOLS", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}
