Vulnerabilities > CVE-2017-12107 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Pl32 Photoline 20.02

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
pl32
CWE-119

Summary

An memory corruption vulnerability exists in the .PCX parsing functionality of Computerinsel Photoline 20.02. A specially crafted .PCX file can cause a vulnerability resulting in potential code execution. An attacker can send a specific .PCX file to trigger this vulnerability.

Vulnerable Configurations

Part Description Count
Application
Pl32
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Seebug

bulletinFamilyexploit
description### Summary An memory corruption vulnerability exists in the .PCX parsing functionality of Computerinsel Photoline 20.02. A specially crafted .PCX file can cause a vulnerability resulting in potential code execution. An attacker can send a specific .PCX file to trigger this vulnerability. ### Tested Versions Computerinsel Photoline 20.02 ### Product URLs https://www.pl32.com/ ### CVSSv3 Score 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ### CWE CWE-787: Out-of-bounds Write ### Details The code responsible for the vulnerability is provided below: ``` .text:00B8D3AA xor edi, edi ; ebp=loop1 max count | edi = counter .text:00B8D3AC test ebp, ebp .text:00B8D3AE jle short loop_done2 .text:00B8D3B0 .text:00B8D3B0 loc_B8D3B0: ; CODE XREF: pcx_bad_func+D5°j .text:00B8D3B0 mov al, [esi] ; [esi] point to attacker's data .text:00B8D3B2 mov dl, al .text:00B8D3B4 and dl, 0C0h .text:00B8D3B7 cmp dl, 0C0h ; condition 1 .text:00B8D3BA jnz short loc_B8D3DE .text:00B8D3BC and al, 3Fh .text:00B8D3BE movzx ax, al .text:00B8D3C2 movzx eax, ax .text:00B8D3C5 cwde .text:00B8D3C6 inc esi .text:00B8D3C7 test eax, eax ; condition 2 (and a loop2 counter) .text:00B8D3C9 jle short loc_B8D3DA .text:00B8D3CB jmp short loc_B8D3D0 ; overwrite .text:00B8D3CB ; --------------------------------------------------------------------------- .text:00B8D3CD align 10h .text:00B8D3D0 .text:00B8D3D0 loc_B8D3D0: ; CODE XREF: pcx_bad_func+BB^j .text:00B8D3D0 ; pcx_bad_func+C8°j .text:00B8D3D0 mov dl, [esi] .text:00B8D3D2 mov [ecx], dl ; copy attacker's data byte by byte .text:00B8D3D4 inc ecx .text:00B8D3D5 sub eax, 1 .text:00B8D3D8 jnz short loc_B8D3D0 ; continue write (loop 2) .text:00B8D3DA .text:00B8D3DA loc_B8D3DA: ; CODE XREF: pcx_bad_func+B9^j .text:00B8D3DA inc esi .text:00B8D3DB inc edi .text:00B8D3DC jmp short is_loop_done1 .text:00B8D3DE loc_B8D3DE: ; CODE XREF: pcx_bad_func+AA^j .text:00B8D3DE mov [ecx], al .text:00B8D3E0 inc ecx .text:00B8D3E1 inc esi .text:00B8D3E2 .text:00B8D3E2 is_loop_done1: ; CODE XREF: pcx_bad_func+CC^j .text:00B8D3E2 inc edi .text:00B8D3E3 cmp edi, ebp .text:00B8D3E5 jl short loc_B8D3B0 ; loop 1, again ``` An attacker can control the number of "loop 2" iterations because the max loop iteration value is obtained directly from the PCX file (instruction at 0x00B8D3D0). This can cause a memory corruption where attacker controls the size and the source data. ### Crash Information ``` HEAP[PhotoLine32.exe]: Heap block at 06DEE068 modified at 06DEE3A1 past requested size of 331 (89c.3698): Break instruction exception - code 80000003 (first chance) eax=06dee068 ebx=06dee3a1 ecx=778e3733 edx=0018e2d5 esi=06dee068 edi=00000331 eip=7794071c esp=0018e51c ebp=0018e51c iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 ntdll!RtlpBreakPointHeap+0x23: 7794071c cc int 3 0:000> !heap NtGlobalFlag enables following debugging aids for new heaps: tail checking free checking validate parameters Stop inside heap manager...validating heap address 0x06dee068 Index Address Name Debugging options enabled 1: 01760000 Segment at 01760000 to 01860000 (000a1000 bytes committed) 2: 00350000 Segment at 00350000 to 00360000 (0000a000 bytes committed) Segment at 03a30000 to 03b30000 (000bd000 bytes committed) 3: 030a0000 Segment at 030a0000 to 030b0000 (00001000 bytes committed) 4: 032a0000 Segment at 032a0000 to 032b0000 (00010000 bytes committed) Segment at 02f80000 to 03080000 (00100000 bytes committed) Segment at 03b30000 to 03d30000 (00200000 bytes committed) Segment at 04110000 to 04510000 (00400000 bytes committed) Segment at 05100000 to 05900000 (00800000 bytes committed) Segment at 05ea0000 to 06e70000 (00fd0000 bytes committed) Segment at 07190000 to 08160000 (0008f000 bytes committed) Flags: 40001062 ForceFlags: 40000060 Granularity: 8 bytes Segment Reserve: 02fa0000 Segment Commit: 00002000 DeCommit Block Thres: 00000200 DeCommit Total Thres: 00002000 Total Free Size: 0000c9f3 Max. Allocation Size: 7ffdefff Lock Variable at: 032a0138 Next TagIndex: 0000 Maximum TagIndex: 0000 Tag Entries: 00000000 PsuedoTag Entries: 00000000 Virtual Alloc List: 032a00a0 Unable to read nt!_HEAP_VIRTUAL_ALLOC_ENTRY structure at 05be0000 Uncommitted ranges: 032a0090 FreeList[ 00 ] at 032a00c4: 0512f228 . 06de6c20 Unable to read nt!_HEAP_FREE_ENTRY structure at fffffff7 (632 blocks) 06dee020: 00030 . 00048 [107] - busy (30), tail fill 06dee068: 00048 . 00350 [107] - busy (331), tail fill (Handle ffffffff) (Tag ffff) Stack traces not enabled (ntdll!RtlpStackTraceDataBase is null). Heap block at 06dee068 modified at 06dee3a1 past requested size of 331 (6a * 8 - 1f) 06dee3b8: 55960 . 6b288 [01] - busy (5b289) ##CORRUPTION FOUND at 0x06DEE3B8 PreviousSize field does not match Size field in previous entry Entry->PreviousSize == 0xd651 PreviousEntry->Size == 0x9 ##CORRUPTION FOUND at 0x06E59640 PreviousSize field does not match Size field in previous entry Entry->PreviousSize == 0xf00d PreviousEntry->Size == 0xab2c ##The above errors were found in segment at 0x05EA0000 Flags: 40001062 ForceFlags: 40000060 Granularity: 8 bytes Segment Reserve: 02fa0000 Segment Commit: 00002000 DeCommit Block Thres: 00000200 DeCommit Total Thres: 00002000 Total Free Size: 0000c9f3 Max. Allocation Size: 7ffdefff Lock Variable at: 032a0138 Next TagIndex: 0000 Maximum TagIndex: 0000 Tag Entries: 00000000 PsuedoTag Entries: 00000000 Virtual Alloc List: 032a00a0 Unable to read nt!_HEAP_VIRTUAL_ALLOC_ENTRY structure at 05be0000 Uncommitted ranges: 032a0090 FreeList[ 00 ] at 032a00c4: 0512f228 . 06de6c20 Unable to read nt!_HEAP_FREE_ENTRY structure at fffffff7 (632 blocks) 06dee020: 00030 . 00048 [107] - busy (30), tail fill 06dee068: 00048 . 00350 [107] - busy (331), tail fill (Handle ffffffff) (Tag ffff) Stack traces not enabled (ntdll!RtlpStackTraceDataBase is null). Heap block at 06dee068 modified at 06dee3a1 past requested size of 331 (6a * 8 - 1f) 06dee3b8: 55960 . 6b288 [01] - busy (5b289) ##CORRUPTION FOUND at 0x06DEE3B8 PreviousSize field does not match Size field in previous entry Entry->PreviousSize == 0xd651 PreviousEntry->Size == 0x9 ##CORRUPTION FOUND at 0x06E59640 PreviousSize field does not match Size field in previous entry Entry->PreviousSize == 0xf00d PreviousEntry->Size == 0xab2c ##The above errors were found in segment at 0x05EA0000 ``` ### Timeline * 2017-10-11 - Vendor Disclosure * 2017-10-30 - Public Release
idSSV:96800
last seen2017-11-19
modified2017-11-06
published2017-11-06
reporterRoot
titleComputerinsel Photoline PCX Parsing Code Execution Vulnerability(CVE-2017-12107)

Talos

idTALOS-2017-0459
last seen2019-05-29
published2017-10-30
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0459
titleComputerinsel Photoline PCX Parsing Code Execution Vulnerability