Vulnerabilities > CVE-2017-2880 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Pl32 Photoline 20.02

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
local
low complexity
pl32
CWE-119

Summary

A memory corruption vulnerability exists in the .GIF parsing functionality of Computerinsel Photoline 20.02. A specially crafted .GIF file can trigger the vulnerability, resulting in potential code execution. An attacker can send a specific .GIF file to trigger this vulnerability.

Vulnerable Configurations

Part         Description   Count
Application  Pl32          1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Seebug

bulletinFamily: exploit
description:

### Summary

A memory corruption vulnerability exists in the .GIF parsing functionality of Computerinsel Photoline 20.02. A specially crafted .GIF file can trigger the vulnerability, resulting in potential code execution. An attacker can send a specific .GIF file to trigger this vulnerability.

### Tested Versions

Computerinsel GmbH Photoline 20.02

### Product URLs

https://www.pl32.com/

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### Details

The code responsible for the vulnerability is provided below:

```
.text:007BE521 loc_7BE521:                             ; CODE XREF: buggy_proc+62j
.text:007BE521                 mov     cl, [esi+14h]   ; [esi+14h] -> byte taken straight from GIF file
.text:007BE524                 mov     edx, 1
.text:007BE529                 shl     edx, cl
.text:007BE52B                 movzx   cx, cl
.text:007BE52F                 lea     eax, [edx+1]
.text:007BE532                 mov     [esi+1Ch], ax
.text:007BE536                 lea     eax, [edx+2]
.text:007BE539                 mov     [esi+401Eh], ax
.text:007BE540                 mov     eax, 1000h
.text:007BE545                 mov     [esi+4020h], ax
.text:007BE54C                 inc     cx
.text:007BE54E                 mov     eax, 1
.text:007BE553                 shl     eax, cl
.text:007BE555                 mov     [esi+16h], cx
.text:007BE559                 xor     ecx, ecx
.text:007BE55B                 mov     [esi+1Ah], dx
.text:007BE55F                 dec     eax
.text:007BE560                 mov     [esi+18h], ax
.text:007BE564                 xor     eax, eax
.text:007BE566                 cmp     cx, dx
.text:007BE569                 jnb     short loc_7BE58B
.text:007BE56B                 jmp     short bug_write_loop
.text:007BE570 bug_write_loop:                         ; CODE XREF: buggy_proc+BBj
.text:007BE570                                         ; buggy_proc+D9j
.text:007BE570                 movzx   ecx, ax
.text:007BE573                 mov     edx, 1000h
.text:007BE578                 mov     [esi+ecx*2+1Eh], dx     ; WRITE!
.text:007BE57D                 mov     [ecx+esi+201Eh], al     ; WRITE!
.text:007BE584                 inc     eax
.text:007BE585                 cmp     ax, [esi+1Ah]           ; [esi+1Ah] is calculated from our data
.text:007BE589                 jb      short bug_write_loop
.text:007BE58B
```

In short, the byte value is taken directly from the .GIF file (see address 0x007BE521). This value is later multiplied and used as a loop repeat number (see address 0x007BE585). This gives the attacker the opportunity to cause memory corruption and a memory overflow (instructions at 0x007BE578 and 0x007BE57D).

### Crash Information

```
PhotoLine+0x3be578:
007be578 6689544e1e      mov     word ptr [esi+ecx*2+1Eh],dx ds:002b:001a0000=6341
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

GetUrlPageData2 (WinHttp) failed: 12002.

DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP:
PhotoLine+3be578
007be578 6689544e1e      mov     word ptr [esi+ecx*2+1Eh],dx

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 007be578 (PhotoLine+0x003be578)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 001a0000
Attempt to write to address 001a0000

FAULTING_THREAD:  000015ec

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

PROCESS_NAME:  PhotoLine.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  001a0000

FOLLOWUP_IP:
PhotoLine+3be578
007be578 6689544e1e      mov     word ptr [esi+ecx*2+1Eh],dx

WRITE_ADDRESS:  001a0000

WATSON_BKT_PROCSTAMP:  589ee44a
WATSON_BKT_PROCVER:  20.0.0.2
PROCESS_VER_PRODUCT:  PhotoLine
WATSON_BKT_MODULE:  PhotoLine.exe
WATSON_BKT_MODSTAMP:  589ee44a
WATSON_BKT_MODOFFSET:  3be578
WATSON_BKT_MODVER:  20.0.0.2
MODULE_VER_PRODUCT:  PhotoLine
BUILD_VERSION_STRING:  10.0.15063.296 (WinBuild.160101.0800)
MODLIST_WITH_TSCHKSUM_HASH:  f2c082d751a472df1a8a185b4416b966db139902
MODLIST_SHA1_HASH:  7429f67ba2c849f9234e8c4db6453a762d0885f1
NTGLOBALFLAG:  70
APPLICATION_VERIFIER_FLAGS:  0
PRODUCT_TYPE:  1
SUITE_MASK:  272
DUMP_TYPE:  fe
ANALYSIS_SESSION_HOST:  CLAB
ANALYSIS_SESSION_TIME:  07-04-2017 08:52:40.0767
ANALYSIS_VERSION: 10.0.15063.400 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE:  PLK
PROBLEM_CLASSES:
    ID:     [0n292]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x15ec]
    Frame:  [0] : PhotoLine

    ID:     [0n265]
    Type:   [INVALID_POINTER_WRITE]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x15ec]
    Frame:  [0] : PhotoLine

    ID:     [0n152]
    Type:   [ZEROED_STACK]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [0x302c]
    TID:    [0x15ec]
    Frame:  [0] : PhotoLine

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE
PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT
LAST_CONTROL_TRANSFER:  from 00000000 to 007be578
STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 PhotoLine+0x3be578
THREAD_SHA1_HASH_MOD_FUNC:  d8e26008eb6acc069d83c04d0ced24485d541252
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  c6dcc5f486de8c186b5aa96f2e4c9b36115ffd5f
THREAD_SHA1_HASH_MOD:  d8e26008eb6acc069d83c04d0ced24485d541252
FAULT_INSTR_CODE:  4e548966
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  PhotoLine+3be578
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: PhotoLine
IMAGE_NAME:  PhotoLine.exe
DEBUG_FLR_IMAGE_TIMESTAMP:  589ee44a
STACK_COMMAND:  ~0s ; kb
FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_PhotoLine.exe!Unknown
BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_PhotoLine+3be578
FAILURE_EXCEPTION_CODE:  c0000005
FAILURE_IMAGE_NAME:  PhotoLine.exe
BUCKET_ID_IMAGE_STR:  PhotoLine.exe
FAILURE_MODULE_NAME:  PhotoLine
BUCKET_ID_MODULE_STR:  PhotoLine
FAILURE_FUNCTION_NAME:  Unknown
BUCKET_ID_FUNCTION_STR:  Unknown
BUCKET_ID_OFFSET:  3be578
BUCKET_ID_MODTIMEDATESTAMP:  589ee44a
BUCKET_ID_MODCHECKSUM:  103c5a2
BUCKET_ID_MODVER_STR:  20.0.0.2
BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_
FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT
FAILURE_SYMBOL_NAME:  PhotoLine.exe!Unknown
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/PhotoLine.exe/20.0.0.2/589ee44a/PhotoLine.exe/20.0.0.2/589ee44a/c0000005/003be578.htm?Retriage=1
TARGET_TIME:  2017-07-04T06:52:49.000Z
OSBUILD:  15063
OSSERVICEPACK:  296
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 10
OSEDITION:  Windows 10 WinNt SingleUserTS
USER_LCID:  0
OSBUILD_TIMESTAMP:  unknown_date
BUILDDATESTAMP_STR:  160101.0800
BUILDLAB_STR:  WinBuild
BUILDOSVER_STR:  10.0.15063.296
ANALYSIS_SESSION_ELAPSED_TIME:  732b
ANALYSIS_SOURCE:  UM
FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_photoline.exe!unknown
FAILURE_ID_HASH:  {3391e579-c3a2-d370-e494-6a2226b83b1d}

Followup:     MachineOwner
---------
```

### Timeline

* 2017-08-02 - Vendor Disclosure
* 2017-10-04 - Public Release
id: SSV:96632
last seen: 2017-11-19
modified: 2017-10-10
published: 2017-10-10
reporter: Root
title: Computerinsel Photoline GIF Parsing Code Execution Vulnerability (CVE-2017-2880)
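The table-initialisation loop from the Seebug/Talos listing above, rebuilt in C as an added example (not PhotoLine's code) to show the check the listing lacks: `vulnerable_entry_count` reproduces the 16-bit loop bound the disassembly derives from the untrusted byte at `[esi+14h]`, and `lzw_table_init_checked` is a hardened equivalent that validates the GIF "LZW minimum code size" before writing. The 4096-entry table sizes, the field names and the 2..8 range are assumptions drawn from the listing's offsets and the GIF89a specification.

```c
#include <stdint.h>
#include <string.h>

/* Added model of the LZW table setup in the listing above; not PhotoLine's code.
 * The listing shows a word table at +0x1E and a byte table at +0x201E, each
 * 0x2000 bytes: room for the 4096 codes of a 12-bit GIF LZW stream (assumed). */
#define LZW_MAX_CODE_BITS 12
#define LZW_TABLE_ENTRIES (1u << LZW_MAX_CODE_BITS)   /* 4096 */
/* Entries bug_write_loop writes for a given "LZW minimum code size" byte
 * ([esi+14h]), mirroring the 16-bit compares: cx = cs + 1, dx = 1 << cs,
 * loop skipped when cx >= dx, otherwise it runs while ax < dx. */
unsigned vulnerable_entry_count(uint8_t cs)
{
    uint32_t edx = 1u << (cs & 31);    /* x86 masks the shl count to 5 bits */
    uint16_t dx = (uint16_t)edx, cx = (uint16_t)(cs + 1);
    if (cx >= dx) return 0;            /* jnb short loc_7BE58B: loop skipped */
    return dx;                         /* cmp ax, [esi+1Ah] / jb bug_write_loop */
}

/* True when the unchecked loop would write past both 4096-entry tables. */
int vulnerable_overflows(uint8_t cs)
{
    return vulnerable_entry_count(cs) > LZW_TABLE_ENTRIES;
}
typedef struct {
    uint16_t prefix[LZW_TABLE_ENTRIES];   /* [esi+1Eh], one word per code  */
    uint8_t  suffix[LZW_TABLE_ENTRIES];   /* [esi+201Eh], one byte per code */
    uint16_t clear_code, eoi_code, next_code, code_bits, code_mask;
} lzw_table_t;

/* Hardened setup: GIF89a allows a minimum code size of 2..8 for image data,
 * so reject anything else before a single table entry is written. */
int lzw_table_init_checked(lzw_table_t *t, uint8_t cs)
{
    if (cs < 2 || cs > 8) return -1;
    uint16_t n = (uint16_t)(1u << cs);           /* clear code = entries to fill */
    if (n + 2u > LZW_TABLE_ENTRIES) return -1;   /* belt and braces: next_code must fit */
    memset(t, 0, sizeof *t);
    t->clear_code = n;                           /* [esi+1Ah]   */
    t->eoi_code   = (uint16_t)(n + 1);           /* [esi+1Ch]   */
    t->next_code  = (uint16_t)(n + 2);           /* [esi+401Eh] */
    t->code_bits  = (uint16_t)(cs + 1);          /* [esi+16h]   */
    t->code_mask  = (uint16_t)((1u << (cs + 1)) - 1); /* [esi+18h] */
    for (uint16_t i = 0; i < n; i++) {           /* n <= 256, inside both tables */
        t->prefix[i] = 0x1000;
        t->suffix[i] = (uint8_t)i;
    }
    return 0;
}
```

A code size of 12 exactly fills both tables, 13 to 15 write 8192 to 32768 entries into 4096-entry buffers (consistent with the page-aligned write address in the crash record), and 16 or more skip the loop because the 16-bit bound wraps to zero.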

Talos

id: TALOS-2017-0387
last seen: 2019-05-29
published: 2017-10-04
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0387
title: Computerinsel Photoline GIF Parsing Code Execution Vulnerability