Adobe Photoshop TIF Buffer Overflow
Posted May 9, 2012
Authored by Code Audit Labs | Site vulnhunt.com

Adobe Photoshop EXTENDED versions CS5 12.0 and CS5.1 12.1 suffer from a TIF parsing heap buffer overflow vulnerability.

tags | advisory, overflow
advisories | CVE-2012-2028
MD5 | 81cd9b7b4273bf611c642b916c492ff3

[CAL-2011-0073]Adobe Photoshop EXTENDED parsing TIF heap buffer overflow vulnerability


Discovered by: nine8 of Code Audit Labs (vulnhunt.com), using "vulnhunt Fuzzing"
CAL: CAL-2011-0073
CVE: CVE-2012-2028

http://www.adobe.com/support/security/bulletins/apsb12-11.html
http://blog.vulnhunt.com/index.php/2012/05/09/cal-2011-0073_adobe-photoshop-extended-parsing-tif-heap-buffer-overflow-vulnerability/


1 Affected Products
=================
Adobe Photoshop EXTENDED CS5 12.0
Adobe Photoshop EXTENDED CS5.1 12.1


2 Vulnerability Details
=====================
Photoshop mishandles certain "tif" files. If the "Compression Tag(0x100)" entry is replaced with an
"ImageWidth Tag(0x100)" or "ImageLength Tag(0x101)" entry, the destination heap buffer for the strip
copy is sized from "ImageWidth(replaced), ImageLength, SamplePerPixel" (or "ImageLength(replaced),
ImageWidth, SamplePerPixel"), while the number of bytes copied is taken from the file. The mismatch
causes a heap overflow when the strip bytes are copied.

3 Analysis
=========


COPY Size: StripByteCounts file offset 0x144 (dword)
COPY Src : StripOffsets file offset 0x134 (dword)
COPY Dst Heap Size: ImageLength * ImageWidth(Vuln Seg) * SamplesPerPixel Or
ImageLength(Vuln Seg) * ImageWidth * SamplesPerPixel

ImageLength Value file offset 0x2A (word)
ImageWidth Value(be replaced) file offset 0x42 (word)
SamplesPerPixel Value file offset 0x72 (word)
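The two sections above describe the defect in one sentence: the destination buffer is sized from ImageWidth * ImageLength * SamplesPerPixel (with one of the dimension tags duplicated into the Compression slot, which is tag 0x103 in the TIFF 6.0 spec), while the memcpy length comes straight from StripByteCounts, and nothing checks that the second fits the first. The following C program is an added example written for this page; it is not Code Audit Labs' or Adobe's code. It builds a constructed little-endian, single-strip, 8-bit TIFF (benign, and a variant with the Compression entry replaced by a second, smaller ImageWidth entry), then runs the check a hardened parser should make before the copy: an overflow-safe computation of the allocation size compared against StripByteCounts, plus a bounds check on the strip and a duplicate/unsorted-tag check. Function names (validate_tiff_strip, strip_fits_allocation, build_sample_tiff, sample_verdict), the enum values and the sample layout are all this example's own; it handles only scalar SHORT/LONG entries and a single strip.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Tag numbers from the TIFF 6.0 specification. */
#define TAG_IMAGE_WIDTH        0x100
#define TAG_IMAGE_LENGTH       0x101
#define TAG_COMPRESSION        0x103
#define TAG_STRIP_OFFSETS      0x111
#define TAG_SAMPLES_PER_PIXEL  0x115
#define TAG_STRIP_BYTE_COUNTS  0x117

enum tiff_verdict {
    TIFF_OK = 0,
    TIFF_BAD_HEADER,     /* not a little-endian TIFF, or IFD outside the file */
    TIFF_BAD_ENTRY,      /* entry type/count this checker does not handle */
    TIFF_MISSING_TAG,    /* no width, length, StripOffsets or StripByteCounts */
    TIFF_OVERFLOW_SIZE,  /* StripByteCounts > width*length*spp: the CAL-2011-0073 condition */
    TIFF_STRIP_OOB,      /* strip data runs past the end of the file */
    TIFF_UNSORTED        /* tags duplicated or out of ascending order */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }

/* Overflow-safe check that strip_bytes fits a buffer of width*length*spp bytes
 * (assumption: 8 bits per sample, as in this example's constructed file). */
int strip_fits_allocation(uint32_t width, uint32_t length, uint32_t spp, uint32_t strip_bytes) {
    uint64_t pixels = (uint64_t)width * length;
    if (pixels > UINT32_MAX) return 0;           /* would wrap a 32-bit size computation */
    uint64_t dst = pixels * spp;                 /* both factors < 2^32, so no 64-bit wrap */
    if (dst > UINT32_MAX) return 0;
    return strip_bytes <= dst;
}

/* Read a single SHORT(3) or LONG(4) value stored inline in a 12-byte IFD entry. */
static int entry_scalar(const uint8_t *e, uint32_t *out) {
    uint16_t type = rd16(e + 2);
    if (rd32(e + 4) != 1) return 0;              /* multi-value entries not handled here */
    if (type == 3) { *out = rd16(e + 8); return 1; }
    if (type == 4) { *out = rd32(e + 8); return 1; }
    return 0;
}

/* Walk the first IFD and decide whether the strip copy is safe. Duplicated tags
 * are read last-wins, mirroring the behaviour the advisory describes. */
enum tiff_verdict validate_tiff_strip(const uint8_t *buf, size_t len) {
    if (len < 8 || buf[0] != 'I' || buf[1] != 'I' || rd16(buf + 2) != 42) return TIFF_BAD_HEADER;
    uint32_t ifd = rd32(buf + 4);
    if ((uint64_t)ifd + 2 > len) return TIFF_BAD_HEADER;
    uint16_t n = rd16(buf + ifd);
    if ((uint64_t)ifd + 2 + (uint64_t)n * 12 > len) return TIFF_BAD_HEADER;

    uint32_t width = 0, length = 0, spp = 1, strip_off = 0, strip_bytes = 0, v;
    unsigned have = 0;
    int last_tag = -1, disorder = 0;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        int tag = rd16(e);
        if (tag <= last_tag) disorder = 1;       /* spec requires strictly ascending tags */
        last_tag = tag;
        if (tag != TAG_IMAGE_WIDTH && tag != TAG_IMAGE_LENGTH && tag != TAG_STRIP_OFFSETS &&
            tag != TAG_STRIP_BYTE_COUNTS && tag != TAG_SAMPLES_PER_PIXEL)
            continue;                            /* other tags do not affect the strip copy */
        if (!entry_scalar(e, &v)) return TIFF_BAD_ENTRY;
        switch (tag) {
        case TAG_IMAGE_WIDTH:       width = v;       have |= 1; break;
        case TAG_IMAGE_LENGTH:      length = v;      have |= 2; break;
        case TAG_STRIP_OFFSETS:     strip_off = v;   have |= 4; break;
        case TAG_STRIP_BYTE_COUNTS: strip_bytes = v; have |= 8; break;
        default:                    spp = v;         break;
        }
    }
    if (have != 0xF) return TIFF_MISSING_TAG;
    if (!strip_fits_allocation(width, length, spp, strip_bytes)) return TIFF_OVERFLOW_SIZE;
    if ((uint64_t)strip_off + strip_bytes > len) return TIFF_STRIP_OOB;
    if (disorder) return TIFF_UNSORTED;
    return TIFF_OK;
}

static void put_entry(uint8_t *e, uint16_t tag, uint16_t type, uint32_t value) {
    put16(e, tag); put16(e + 2, type); put32(e + 4, 1); put32(e + 8, value);
}

#define SAMPLE_TIFF_LEN 118

/* Constructed 8x4, 1 sample/pixel, single-strip TIFF (not the advisory's PoC).
 * With mutate != 0 the Compression entry is replaced by a second ImageWidth
 * entry carrying a smaller width, the pattern CAL-2011-0073 describes. */
size_t build_sample_tiff(uint8_t *out, int mutate) {
    memset(out, 0, SAMPLE_TIFF_LEN);
    out[0] = 'I'; out[1] = 'I'; put16(out + 2, 42); put32(out + 4, 8);
    put16(out + 8, 6);                           /* IFD at 8: count, then 6 entries */
    uint8_t *e = out + 10;
    put_entry(e,      TAG_IMAGE_WIDTH,       3, 8);
    put_entry(e + 12, TAG_IMAGE_LENGTH,      3, 4);
    if (mutate) put_entry(e + 24, TAG_IMAGE_WIDTH, 3, 2);
    else        put_entry(e + 24, TAG_COMPRESSION, 3, 1);
    put_entry(e + 36, TAG_STRIP_OFFSETS,     4, 86);
    put_entry(e + 48, TAG_SAMPLES_PER_PIXEL, 3, 1);
    put_entry(e + 60, TAG_STRIP_BYTE_COUNTS, 4, 32);  /* 8*4*1 bytes of strip data */
    put32(e + 72, 0);                                   /* no next IFD */
    for (int i = 0; i < 32; i++) out[86 + i] = (uint8_t)i; /* strip payload */
    return SAMPLE_TIFF_LEN;
}

enum tiff_verdict sample_verdict(int mutate) {
    uint8_t buf[SAMPLE_TIFF_LEN];
    build_sample_tiff(buf, mutate);
    return validate_tiff_strip(buf, SAMPLE_TIFF_LEN);
}

int main(void) {
    printf("benign sample : verdict %d (0 = TIFF_OK)\n", sample_verdict(0));
    printf("mutated sample: verdict %d (4 = TIFF_OVERFLOW_SIZE)\n", sample_verdict(1));
    return 0;
}
```

The order of the final checks is deliberate: the size comparison is the one that directly closes the advisory's bug, so it is evaluated before the structural tag-order check. On the mutated sample the duplicated ImageWidth would also have tripped TIFF_UNSORTED, which is a cheap pre-filter a file scanner can apply without understanding the image at all.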



IDA View: Photoshop.exe(12.0), IDA ImageBase: 0x400000


.text:01BF0250
.text:01BF0250 ; int __cdecl t_memcpy(void *Src, void *Dst, size_t Size)
.text:01BF0250 _t_memcpy proc near
.text:01BF0250 ; sub_6B7780+1F6p ...
.text:01BF0250
.text:01BF0250 Src = dword ptr 4
.text:01BF0250 Dst = dword ptr 8
.text:01BF0250 Size = dword ptr 0Ch
.text:01BF0250
.text:01BF0250 mov eax, [esp+Size]
.text:01BF0254 mov ecx, [esp+Src]
.text:01BF0258 mov edx, [esp+Dst]
.text:01BF025C push eax ; Size
.text:01BF025D push ecx ; Src
.text:01BF025E push edx ; Dst
.text:01BF025F call memcpy
.text:01BF0264 add esp, 0Ch
.text:01BF0267 retn
.text:01BF0267 _t_memcpy endp


.text:00F5294F push edi ; int
.text:00F52950 movzx edi, word ptr [esi+0Ch]
.text:00F52954 push edi ; int
.text:00F52955 movzx edi, word ptr [esi+58h]
.text:00F52959 push edi ; __int16
.text:00F5295A movzx edi, word ptr [esi+0Eh]
.text:00F5295E push edi ; int
.text:00F5295F movzx edi, word ptr [esi+6]
.text:00F52963 push edi ; __int16
.text:00F52964 push ecx ; int
.text:00F52965 mov ecx, [esp+4Ch+arg_Size] ; ecx = arg0
.text:00F52969 push edx ; int
.text:00F5296A mov edx, [esp+50h+arg_8] ; edx = arg8
.text:00F5296E push ecx ; arg_size
.text:00F5296F push edx ; arg_dst
.text:00F52970 push eax ; arg_src, from file
.text:00F52971 call _t_CallBugMemcpyFunc ; <----- call bug memcpy func
.text:00F52977 movzx eax, ax
.text:00F5297A add esp, 30h


Windbg Debug

1) Attach to the photoshop.exe process.
2) Set a breakpoint at 00F52971 (call _t_CallBugMemcpyFunc):
0:018> bu photoshop + 00b52971

3) Breakpoint 2 hit
eax=18943008 ebx=111a0028 ecx=00006660 edx=0c2203c0 esi=0012eee0 edi=00000001
eip=00f52971 esp=0012e6ec ebp=153a6360 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00240202
Photoshop+0xb52971:
00f52971 ff1578881902 call dword ptr [Photoshop!boost::serialization::singleton<std::multiset<boost::serialization::extended_type_info const *,boost::serialization::detail::key_compare,std::allocator<boost::serialization::extended_type_info const *> > >::get_const_instance+0x546f78 (02198878)] ds:0023:02198878=0045bff0


#copy arguments
0:000> dd esp
(src) (dst) (size)
0012e6ec 18943008 0c2203c0 00006660 000000ae
0012e6fc 00000002 00000001 00000002 00000002
0012e70c 00000001 00000008 00000005 111a0028
0012e71c d56de0ac 0000897e 0012eee0 00000000
0012e72c 00006660 4084d555 01e3a8d4 153a6360
0012e73c 0012ea64 01d2d896 00000007 00f52ca9
0012e74c 00006660 111a0028 0c2203c0 00000000
0012e75c 0012eee0 0012ea70 00000000 0000015c

#copy dest heap size
0:000> !heap -p -a 0c2203c0
address 0c2203c0 found in _HEAP @ c1c0000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
0c2203b8 0281 0000 [01] 0c2203c0 01400 - (busy)

#copy source content
0:000> db 18943008
18943008 aa bb cc dd ee ff 16 0d-07 84 42 61 50 b8 64 36 ..........BaP.d6
18943018 1d 0f 88 44 62 51 38 a4-56 2d 17 8c 46 63 51 b8 ...DbQ8.V-..FcQ.
18943028 e4 76 3d 1f 90 48 64 52-39 24 96 4d 27 94 4a 65 .v=..HdR9$.M'.Je
18943038 52 b9 64 b6 5d 2f 98 4c-66 53 39 a4 d6 6d 37 9c R.d.]/.LfS9..m7.
18943048 43 a0 4f f9 cc f6 7d 3f-a0 50 68 54 3a 25 16 8d C.O...}?.PhT:%..
18943058 47 a4 52 69 54 ba 65 36-9d 4f a8 54 67 b3 ba 95 G.RiT.e6.O.Tg...
18943068 56 ad 57 ac 56 6b 55 ba-e5 76 bd 5f b0 58 6c 56 V.W.VkU..v._.XlV
18943078 3b 24 da a9 65 b4 5a 6d-56 bb 65 b6 dd 6f b8 5c ;$..e.ZmV.e..o.\


4 Exploitable?
============
Heap overflow during a memory copy, where the copy source content and copy size are controlled,
and the copy destination heap allocation is also controlled. It can cause arbitrary code execution.


5 Crash info:
===============
(44c.324): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000d67b ebx=00000005 ecx=00008afb edx=0bc38fc0 esi=1211cb10 edi=0bc344b8
eip=0f5c9896 esp=0012e694 ebp=0012e6e0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Adobe Photoshop CS5\Plug-ins\Extensions\MMXCore.8BX -
MMXCore!ENTRYPOINT1+0x1846e:
0f5c9896 660f7f6240 movdqa xmmword ptr [edx+40h],xmm4 ds:0023:0bc39000=????????????????????????????????



6 About Code Audit Labs:
=====================
Code Audit Labs secures your software, providing professional services including source
code audit and binary code audit.
Code Audit Labs: "You create value for customers, we protect your value"
http://www.VulnHunt.com
http://blog.vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
https://twitter.com/#!/vulnhunt

