[CAL-2011-0073] Adobe Photoshop EXTENDED parsing TIF heap buffer overflow vulnerability

Discover: nine8 of Code Audit Labs of vulnhunt.com with "vulnhunt Fuzzing"
CAL: CAL-2011-0073
CVE: CVE-2012-2028
http://www.adobe.com/support/security/bulletins/apsb12-11.html
http://blog.vulnhunt.com/index.php/2012/05/09/cal-2011-0073_adobe-photoshop-extended-parsing-tif-heap-buffer-overflow-vulnerability/

1 Affected Products
=================
Adobe Photoshop EXTENDED CS5 12.0
Adobe Photoshop EXTENDED CS5.1 12.1

2 Vulnerability Details
=====================
There are problems in how Photoshop parses "tif" files. If the "Compression Tag (0x100)" is replaced with an "ImageWidth Tag (0x100)" or an "ImageLength Tag (0x101)", the destination heap buffer for the strip copy is sized from "ImageWidth (replaced), ImageLength, SamplesPerPixel" or "ImageLength (replaced), ImageWidth, SamplesPerPixel", while the number of bytes copied is taken from StripByteCounts. A strip larger than the computed buffer therefore overflows the heap.

3 Analysis
=========
COPY Size:           StripByteCounts, file offset 0x144 (dword)
COPY Src:            StripOffsets, file offset 0x134 (dword)
COPY Dst Heap Size:  ImageLength * ImageWidth (Vuln Seg) * SamplesPerPixel
                     or ImageLength (Vuln Seg) * ImageWidth * SamplesPerPixel

ImageLength Value                file offset 0x2A (word)
ImageWidth Value (replaced)      file offset 0x42 (word)
SamplesPerPixel Value            file offset 0x72 (word)

IDA View: Photoshop.exe (12.0), IDA ImageBase: 0x400000

.text:01BF0250
.text:01BF0250 ; int __cdecl t_memcpy(void *Src, void *Dst, size_t Size)
.text:01BF0250 _t_memcpy proc near
.text:01BF0250 ; sub_6B7780+1F6p ...
.text:01BF0250
.text:01BF0250 Src = dword ptr 4
.text:01BF0250 Dst = dword ptr 8
.text:01BF0250 Size = dword ptr 0Ch
.text:01BF0250
.text:01BF0250 mov eax, [esp+Size]
.text:01BF0254 mov ecx, [esp+Src]
.text:01BF0258 mov edx, [esp+Dst]
.text:01BF025C push eax ; Size
.text:01BF025D push ecx ; Src
.text:01BF025E push edx ; Dst
.text:01BF025F call memcpy
.text:01BF0264 add esp, 0Ch
.text:01BF0267 retn
.text:01BF0267 _t_memcpy endp

.text:00F5294F push edi ; int
.text:00F52950 movzx edi, word ptr [esi+0Ch]
.text:00F52954 push edi ; int
.text:00F52955 movzx edi, word ptr [esi+58h]
.text:00F52959 push edi ; __int16
.text:00F5295A movzx edi, word ptr [esi+0Eh]
.text:00F5295E push edi ; int
.text:00F5295F movzx edi, word ptr [esi+6]
.text:00F52963 push edi ; __int16
.text:00F52964 push ecx ; int
.text:00F52965 mov ecx, [esp+4Ch+arg_Size] ; ecx = arg0
.text:00F52969 push edx ; int
.text:00F5296A mov edx, [esp+50h+arg_8] ; edx = arg8
.text:00F5296E push ecx ; arg_size
.text:00F5296F push edx ; arg_dst
.text:00F52970 push eax ; arg_src, from file
.text:00F52971 call _t_CallBugMemcpyFunc ; <----- call bug memcpy func
.text:00F52977 movzx eax, ax
.text:00F5297A add esp, 30h

Windbg Debug
1) Attach to the photoshop.exe process.
2) Set a breakpoint at 00F52971 (call _t_CallBugMemcpyFunc):
0:018> bu photoshop + 00b52971

3) Breakpoint 2 hit
eax=18943008 ebx=111a0028 ecx=00006660 edx=0c2203c0 esi=0012eee0 edi=00000001
eip=00f52971 esp=0012e6ec ebp=153a6360 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00240202
Photoshop+0xb52971:
00f52971 ff1578881902    call    dword ptr [Photoshop!boost::serialization::singleton > >::get_const_instance+0x546f78 (02198878)] ds:0023:02198878=0045bff0

# copy arguments
0:000> dd esp
          (src)    (dst)    (size)
0012e6ec  18943008 0c2203c0 00006660 000000ae
0012e6fc  00000002 00000001 00000002 00000002
0012e70c  00000001 00000008 00000005 111a0028
0012e71c  d56de0ac 0000897e 0012eee0 00000000
0012e72c  00006660 4084d555 01e3a8d4 153a6360
0012e73c  0012ea64 01d2d896 00000007 00f52ca9
0012e74c  00006660 111a0028 0c2203c0 00000000
0012e75c  0012eee0 0012ea70 00000000 0000015c

# copy dest heap size
0:000> !heap -p -a 0c2203c0
    address 0c2203c0 found in
    _HEAP @ c1c0000
      HEAP_ENTRY Size Prev Flags  UserPtr UserSize - state
        0c2203b8 0281 0000  [01]   0c2203c0    01400 - (busy)

# copy source content
0:000> db 18943008
18943008  aa bb cc dd ee ff 16 0d-07 84 42 61 50 b8 64 36  ..........BaP.d6
18943018  1d 0f 88 44 62 51 38 a4-56 2d 17 8c 46 63 51 b8  ...DbQ8.V-..FcQ.
18943028  e4 76 3d 1f 90 48 64 52-39 24 96 4d 27 94 4a 65  .v=..HdR9$.M'.Je
18943038  52 b9 64 b6 5d 2f 98 4c-66 53 39 a4 d6 6d 37 9c  R.d.]/.LfS9..m7.
18943048  43 a0 4f f9 cc f6 7d 3f-a0 50 68 54 3a 25 16 8d  C.O...}?.PhT:%..
18943058  47 a4 52 69 54 ba 65 36-9d 4f a8 54 67 b3 ba 95  G.RiT.e6.O.Tg...
18943068  56 ad 57 ac 56 6b 55 ba-e5 76 bd 5f b0 58 6c 56  V.W.VkU..v._.XlV
18943078  3b 24 da a9 65 b4 5a 6d-56 bb 65 b6 dd 6f b8 5c  ;$..e.ZmV.e..o.\

4 Exploitable?
============
Heap overflow during a memory copy: the copy source content and the copy size are controlled, and the size of the copy destination heap chunk is also controlled (in the session above, 0x6660 bytes are copied into a chunk whose UserSize is 0x1400). It can lead to arbitrary code execution.
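As an added defender-side check (not code from the advisory or from Code Audit Labs), the following Python script parses the first IFD of a TIFF file, flags the duplicated-tag pattern the advisory describes, and compares the total StripByteCounts against the smallest ImageWidth * ImageLength * SamplesPerPixel buffer the file could lead a parser to allocate (it assumes 8 bits per sample, as the advisory's formula does). The tag IDs are taken from the TIFF 6.0 specification; the two sample files are constructed in-line by a small fixture builder, and the mutated one mirrors the advisory's case of a Compression entry rewritten as a second ImageWidth entry, with made-up dimensions.

```python
import struct
from collections import Counter, defaultdict

# Tag IDs from the TIFF 6.0 specification (0x100/0x101 are the advisory's ImageWidth/ImageLength).
TAG_IMAGE_WIDTH, TAG_IMAGE_LENGTH, TAG_COMPRESSION = 0x100, 0x101, 0x103
TAG_STRIP_OFFSETS, TAG_SAMPLES_PER_PIXEL, TAG_STRIP_BYTE_COUNTS = 0x111, 0x115, 0x117

# Byte size and struct format of the TIFF field types this checker decodes.
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 6: 1, 7: 1, 8: 2, 9: 4}
TYPE_FMT = {1: "B", 3: "H", 4: "I", 6: "b", 8: "h", 9: "i"}


def parse_first_ifd(data):
    """Return the entries of the first IFD as a list of (tag, type, [values]).
    Field types without a format above are kept as a single raw bytes value."""
    if data[:2] == b"II":
        e = "<"
    elif data[:2] == b"MM":
        e = ">"
    else:
        raise ValueError("not a TIFF: bad byte-order mark")
    magic, ifd_off = struct.unpack(e + "HI", data[2:8])
    if magic != 42:
        raise ValueError("not a TIFF: bad magic number")
    (n,) = struct.unpack(e + "H", data[ifd_off:ifd_off + 2])
    entries = []
    for i in range(n):
        off = ifd_off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", data[off:off + 8])
        size = TYPE_SIZE.get(typ, 1) * count
        if size <= 4:                      # value is stored inline in the entry
            raw = data[off + 8:off + 8 + size]
        else:                              # entry holds a file offset to the value
            (voff,) = struct.unpack(e + "I", data[off + 8:off + 12])
            raw = data[voff:voff + size]
        if typ in TYPE_FMT and len(raw) == size:
            values = list(struct.unpack(e + TYPE_FMT[typ] * count, raw))
        else:
            values = [raw]
        entries.append((tag, typ, values))
    return entries


def check_strip_geometry(data):
    """Return a list of findings; an empty list means the strip bytes fit the
    smallest ImageWidth*ImageLength*SamplesPerPixel buffer (8 bits per sample
    assumed, as in the advisory's destination-size formula)."""
    findings, occurrences, by_tag = [], Counter(), defaultdict(list)
    for tag, _, values in parse_first_ifd(data):
        occurrences[tag] += 1
        by_tag[tag].extend(v for v in values if isinstance(v, int))
    # A tag present twice is the mutation the advisory describes; which copy a
    # parser honours is implementation-defined, so report it.
    for tag, n in occurrences.items():
        if n > 1:
            findings.append(f"duplicate tag 0x{tag:x} appears {n} times with values {by_tag[tag]}")
    if TAG_COMPRESSION not in by_tag:
        findings.append("Compression tag 0x103 missing")
    if not by_tag[TAG_IMAGE_WIDTH] or not by_tag[TAG_IMAGE_LENGTH]:
        findings.append("ImageWidth or ImageLength missing")
        return findings
    # Take the smallest value of each (possibly duplicated) tag: that is the
    # smallest destination buffer a parser could allocate for this file.
    width, length = min(by_tag[TAG_IMAGE_WIDTH]), min(by_tag[TAG_IMAGE_LENGTH])
    spp = min(by_tag[TAG_SAMPLES_PER_PIXEL] or [1])
    expected, total = width * length * spp, sum(by_tag[TAG_STRIP_BYTE_COUNTS])
    if total > expected:
        findings.append(f"StripByteCounts total {total} exceeds "
                        f"ImageWidth*ImageLength*SamplesPerPixel = {expected}")
    return findings


def build_tiff(tags, strip):
    """Build a minimal little-endian single-IFD TIFF (constructed fixture, not a
    real file). tags: (tag, type, value) with type 3 (SHORT) or 4 (LONG), count 1,
    in file order; StripOffsets and StripByteCounts are appended for `strip`."""
    n = len(tags) + 2
    strip_off = 8 + 2 + 12 * n + 4          # strip data directly follows the IFD
    out = bytearray(b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", n))
    for tag, typ, val in tags + [(TAG_STRIP_OFFSETS, 4, strip_off),
                                 (TAG_STRIP_BYTE_COUNTS, 4, len(strip))]:
        if typ == 3:
            out += struct.pack("<HHIHH", tag, 3, 1, val, 0)   # SHORT padded to 4 bytes
        elif typ == 4:
            out += struct.pack("<HHII", tag, 4, 1, val)
        else:
            raise ValueError("fixture builder supports SHORT and LONG only")
    out += struct.pack("<I", 0)             # no next IFD
    return bytes(out + strip)


# Constructed samples: a 4x4 single-sample image with 16 strip bytes ...
BENIGN_TIFF = build_tiff([(TAG_IMAGE_WIDTH, 3, 4), (TAG_IMAGE_LENGTH, 3, 4),
                          (TAG_COMPRESSION, 3, 1), (TAG_SAMPLES_PER_PIXEL, 3, 1)],
                         bytes(range(16)))
# ... and the same file with the Compression entry rewritten as a second ImageWidth
# entry of value 1: a parser that sizes its buffer from that entry allocates
# 1*4*1 = 4 bytes and then copies the 16 strip bytes into it.
MUTATED_TIFF = build_tiff([(TAG_IMAGE_WIDTH, 3, 4), (TAG_IMAGE_LENGTH, 3, 4),
                           (TAG_IMAGE_WIDTH, 3, 1), (TAG_SAMPLES_PER_PIXEL, 3, 1)],
                          bytes(range(16)))

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_TIFF), ("mutated", MUTATED_TIFF)):
        print(name, check_strip_geometry(sample) or "OK")
```

To run it against real input, call check_strip_geometry() on the bytes of a file before it is handed to a native decoder; any finding is a reason to reject or quarantine the file. The check only looks at the first IFD and at the geometry the advisory names, so it is a triage filter, not a full TIFF validator.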
5 Crash info:
===============
(44c.324): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000d67b ebx=00000005 ecx=00008afb edx=0bc38fc0 esi=1211cb10 edi=0bc344b8
eip=0f5c9896 esp=0012e694 ebp=0012e6e0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Adobe Photoshop CS5\Plug-ins\Extensions\MMXCore.8BX -
MMXCore!ENTRYPOINT1+0x1846e:
0f5c9896 660f7f6240      movdqa  xmmword ptr [edx+40h],xmm4 ds:0023:0bc39000=????????????????????????????????

6 About Code Audit Labs:
=====================
Code Audit Labs secures your software, providing professional source code audit and binary code audit services.
Code Audit Labs: "You create value for customers, we protect your value"
http://www.VulnHunt.com
http://blog.vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
https://twitter.com/#!/vulnhunt