
LibRaw "get_huffman_diff()" Out-of-bounds read vulnerability #270

Closed
GirlElecta opened this issue Apr 2, 2020 · 4 comments
Comments


GirlElecta commented Apr 2, 2020

Description

An out-of-bounds read vulnerability exists within the "get_huffman_diff()" function (libraw\src\x3f\x3f_utils_patched.cpp) when parsing a crafted X3F file.

Steps to Reproduce

(PoC archive password: girlelecta):
https://drive.google.com/file/d/1Yhqo6idPqWMisvPKrlzjsUKRApHmz2M_/view

cmd:
magick.exe convert poc1.X3F new.png

Upon running this, the following crash happens (note: I enabled page heap on magick.exe):

Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\magick.exe convert E:\Workspace\poc1.X3F E:\Workspace\new.png

************* Path validation summary **************
Symbol search path is: srv*
Executable search path is:
ModLoad: 00007ff6 5a870000 00007ff6 5a882000 magick.exe
ModLoad: 00007ffe c1500000 00007ffe c16f0000 ntdll.dll
ModLoad: 00007ffe a8a10000 00007ffe a8a81000 C:\WINDOWS\System32\verifier.dll
Page heap: pid 0x2264: page heap enabled with flags 0x3.
ModLoad: 00007ffe bf9a0000 00007ffe bfa52000 C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ffe be510000 00007ffe be7b3000 C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ffe 82020000 00007ffe 822a9000 E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_MagickCore_.dll
ModLoad: 00007ffe c0ea0000 00007ffe c1034000 C:\WINDOWS\System32\USER32.dll
ModLoad: 00007ffe 92500000 00007ffe 926c9000 E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_MagickWand_.dll
ModLoad: 00007ffe bf580000 00007ffe bf5a1000 C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ffe c0910000 00007ffe c0936000 C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ffe be7c0000 00007ffe be954000 C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ffe a8d20000 00007ffe a8d42000 C:\WINDOWS\SYSTEM32\VCRUNTIME140D.dll
ModLoad: 00007ffe 8b440000 00007ffe 8b5fb000 C:\WINDOWS\SYSTEM32\ucrtbased.dll
ModLoad: 00007ffe beab0000 00007ffe beb4e000 C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ffe beb80000 00007ffe bec7a000 C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007ffe c1280000 00007ffe c1323000 C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ffe c0bb0000 00007ffe c0c4e000 C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffe c0cc0000 00007ffe c0d57000 C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ffe c02a0000 00007ffe c03c0000 C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ffe a88b0000 00007ffe a88d7000 E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_bzlib_.dll
ModLoad: 00007ffe a8220000 00007ffe a833f000 E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_freetype_.dll
ModLoad: 00007ffe a8190000 00007ffe a8216000 E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_lcms_.dll
ModLoad: 00007ffe a7a50000 00007ffe a7af0000 E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_libxml_.dll
ModLoad: 00007ffe a87f0000 00007ffe a881a000 E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_zlib_.dll
ModLoad: 00007ffe a87c0000 00007ffe a87e3000 E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_lqr_.dll
ModLoad: 00007ffe 81ce0000 00007ffe 8201b000 E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_glib_.dll
ModLoad: 00007ffe bfa60000 00007ffe c0145000 C:\WINDOWS\System32\SHELL32.dll
ModLoad: 00007ffe bf530000 00007ffe bf57a000 C:\WINDOWS\System32\cfgmgr32.dll
ModLoad: 00007ffe c0b00000 00007ffe c0ba9000 C:\WINDOWS\System32\shcore.dll
ModLoad: 00007ffe bf5b0000 00007ffe bf8e6000 C:\WINDOWS\System32\combase.dll
ModLoad: 00007ffe be490000 00007ffe be510000 C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007ffe bec80000 00007ffe bf3ff000 C:\WINDOWS\System32\windows.storage.dll
ModLoad: 00007ffe c1430000 00007ffe c149f000 C:\WINDOWS\System32\WS2_32.dll
ModLoad: 00007ffe be470000 00007ffe be48f000 C:\WINDOWS\System32\profapi.dll
ModLoad: 00007ffe be400000 00007ffe be44a000 C:\WINDOWS\System32\powrprof.dll
ModLoad: 00007ffe be3d0000 00007ffe be3e0000 C:\WINDOWS\System32\UMPDC.dll
ModLoad: 00007ffe c1220000 00007ffe c1272000 C:\WINDOWS\System32\shlwapi.dll
ModLoad: 00007ffe be3e0000 00007ffe be3f1000 C:\WINDOWS\System32\kernel.appcore.dll
ModLoad: 00007ffe bf510000 00007ffe bf527000 C:\WINDOWS\System32\cryptsp.dll
ModLoad: 00007ffe c1040000 00007ffe c1196000 C:\WINDOWS\System32\ole32.dll
ModLoad: 00007ffe bd950000 00007ffe bd98a000 C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffe bd990000 00007ffe bda5a000 C:\WINDOWS\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffe c0220000 00007ffe c0228000 C:\WINDOWS\System32\NSI.dll
(2264.3f58): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffe c15d121c cc int 3
0:000> g
ModLoad: 00007ffe c1400000 00007ffe c142e000 C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ffe b4720000 00007ffe b472f000 E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\IM_MOD_DB_DNG_.dll
ModLoad: 00007ffe 81b30000 00007ffe 81cdb000 E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_libraw_.dll
ModLoad: 00007ffe 9a850000 00007ffe 9a946000 C:\WINDOWS\SYSTEM32\MSVCP140D.dll
(2264.3f58): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_libraw_.dll
CORE_DB_libraw_!get_bit+0x34:
00007ffe 81c20bb4 0fb600 movzx eax,byte ptr [rax] ds:0000014b bf836da4=??
0:000> k
Child-SP RetAddr Call Site
00 00000038 853e32a0 00007ffe 81c219fe CORE_DB_libraw_!get_bit+0x34 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 857]
01 00000038 853e32c0 00007ffe 81c2251a CORE_DB_libraw_!get_huffman_diff+0x6e [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 1017]
02 00000038 853e3320 00007ffe 81c22352 CORE_DB_libraw_!huffman_decode_row+0x13a [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 1055]
03 00000038 853e33f0 00007ffe 81c37cee CORE_DB_libraw_!huffman_decode+0xb2 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 1095]
04 00000038 853e3470 00007ffe 81c37a93 CORE_DB_libraw_!x3f_load_huffman_compressed+0x21e [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 1411]
05 00000038 853e34e0 00007ffe 81c37ecd CORE_DB_libraw_!x3f_load_huffman+0x283 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 1468]
06 00000038 853e3550 00007ffe 81c37768 CORE_DB_libraw_!x3f_load_image+0x12d [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 1514]
07 00000038 853e35b0 00007ffe 81c38504 CORE_DB_libraw_!x3f_load_data+0x88 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 2059]
08 00000038 853e35f0 00007ffe 81c33628 CORE_DB_libraw_!LibRaw::x3f_load_raw+0x64 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_parse_process.cpp @ 579]
09 00000038 853e36e0 00007ffe 81c3d358 CORE_DB_libraw_!LibRaw::unpack+0xc18 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\decoders\unpack.cpp @ 283]
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\IM_MOD_DB_DNG_.dll
0a 00000038 853e38a0 00007ffe b4721989 CORE_DB_libraw_!libraw_unpack+0x48 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\libraw_c_api.cpp @ 136]
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_MagickCore_.dll
0b 00000038 853e38e0 00007ffe 820783b7 IM_MOD_DB_DNG_!ReadDNGImage+0x479 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\imagemagick\coders\dng.c @ 425]
0c 00000038 853e59f0 00007ffe 82079af3 CORE_DB_MagickCore_!ReadImage+0x5e7 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\imagemagick\magickcore\constitute.c @ 553]
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_MagickWand_.dll
0d 00000038 853eac10 00007ffe 9253aac3 CORE_DB_MagickCore_!ReadImages+0x393 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\imagemagick\magickcore\constitute.c @ 927]
0e 00000038 853ebcc0 00007ffe 925d3fe8 CORE_DB_MagickWand_!ConvertImageCommand+0x1523 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\imagemagick\magickwand\convert.c @ 606]
*** WARNING: Unable to verify checksum for magick.exe
0f 00000038 853ed810 00007ff6 5a8714ea CORE_DB_MagickWand_!MagickCommandGenesis+0x338 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\imagemagick\magickwand\mogrify.c @ 185]
10 00000038 853ee980 00007ff6 5a871693 magick!MagickMain+0x4ea [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\imagemagick\utilities\magick.c @ 149]
11 00000038 853efbf0 00007ff6 5a871f24 magick!wmain+0x43 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\imagemagick\utilities\magick.c @ 195]
12 00000038 853efc30 00007ff6 5a871e37 magick!invoke_main+0x34 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 80]
13 00000038 853efc70 00007ff6 5a871cfe magick!__scrt_common_main_seh+0x127 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
14 00000038 853efcd0 00007ff6 5a871f39 magick!__scrt_common_main+0xe [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 296]
15 00000038 853efd00 00007ffe bf9b7bd4 magick!wmainCRTStartup+0x9 [f:\dd\vctools\crt\vcstartup\src\startup\exe_wmain.cpp @ 17]
16 00000038 853efd30 00007ffe c156ced1 KERNEL32!BaseThreadInitThunk+0x14
17 00000038 853efd60 00000000 00000000 ntdll!RtlUserThreadStart+0x21

System Configuration
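The trace above faults in get_bit() while get_huffman_diff() is pulling bits for a compressed X3F row, which is the classic shape of a bit reader that trusts the code stream to end before the buffer does. The block below is an added example, not LibRaw's code and not the content of the fix commit: it puts an unchecked reader next to a bounds-checked one and runs a constructed diff decoder over an inline sample stream, once complete and once truncated the way a crafted file would be. The struct layout, the function names (loosely modelled on the frame names in the trace) and the unary-prefix diff coding are all assumptions chosen for illustration; X3F's real tables are not reproduced.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed reader state (not LibRaw's struct): byte cursor, an explicit
 * end pointer, the bit index inside *data, and an overrun flag. */
typedef struct {
    const uint8_t *data;
    const uint8_t *end;
    int bit;        /* bits already consumed in *data, 0..7 */
    int overrun;    /* set once a read past end was requested */
} bit_state_t;

static void bs_init(bit_state_t *bs, const uint8_t *buf, size_t len)
{
    bs->data = buf; bs->end = buf + len; bs->bit = 0; bs->overrun = 0;
}

/* Vulnerable shape: *data is dereferenced with no comparison against
 * end. A stream whose codes need more bits than the buffer holds walks
 * the pointer off the allocation; under page heap that is an AV like
 * the one in the report. Shown for contrast, never run on the
 * truncated input below. */
int get_bit_unchecked(bit_state_t *bs)
{
    int b = (*bs->data >> (7 - bs->bit)) & 1;
    if (++bs->bit == 8) { bs->bit = 0; bs->data++; }
    return b;
}

/* Hardened shape: exhaustion is reported (-1), not read through. */
static int get_bit(bit_state_t *bs)
{
    if (bs->data >= bs->end) { bs->overrun = 1; return -1; }
    int b = (*bs->data >> (7 - bs->bit)) & 1;
    if (++bs->bit == 8) { bs->bit = 0; bs->data++; }
    return b;
}

/* Constructed diff coding (assumption, not X3F's): L one-bits then a
 * zero give the magnitude length L (<= 15), followed by L raw bits.
 * JPEG-style sign rule: a field whose top bit is 0 encodes a negative
 * diff. Returns 0 on success, -1 on malformed or truncated input. */
static int get_huffman_diff(bit_state_t *bs, int *diff)
{
    int len = 0, b, v = 0;
    while ((b = get_bit(bs)) == 1)
        if (++len > 15) return -1;
    if (b < 0) return -1;
    for (int i = 0; i < len; i++) {
        if ((b = get_bit(bs)) < 0) return -1;
        v = (v << 1) | b;
    }
    if (len > 0 && (v >> (len - 1)) == 0) v -= (1 << len) - 1;
    *diff = v;
    return 0;
}

/* Each sample is the previous one plus a decoded diff. Returns n, or
 * -1 if the stream ran out: the caller must not keep decoding. */
static int huffman_decode_row(bit_state_t *bs, int *out, int n)
{
    int prev = 0, d;
    for (int i = 0; i < n; i++) {
        if (get_huffman_diff(bs, &d) < 0) return -1;
        out[i] = prev += d;
    }
    return n;
}

/* Bit writer, used only to build the constructed sample stream. */
typedef struct { uint8_t *buf; size_t cap; size_t nbits; } bit_writer_t;

static int put_bit(bit_writer_t *w, int b)
{
    if (w->nbits / 8 >= w->cap) return -1;
    if (b) w->buf[w->nbits / 8] |= (uint8_t)(0x80 >> (w->nbits % 8));
    w->nbits++;
    return 0;
}

static int put_huffman_diff(bit_writer_t *w, int diff)
{
    int mag = diff < 0 ? -diff : diff, len = 0;
    while ((mag >> len) != 0) len++;
    int v = diff < 0 ? diff + (1 << len) - 1 : diff;
    for (int i = 0; i < len; i++) if (put_bit(w, 1) < 0) return -1;
    if (put_bit(w, 0) < 0) return -1;
    for (int i = len - 1; i >= 0; i--)
        if (put_bit(w, (v >> i) & 1) < 0) return -1;
    return 2 * len + 1;
}

/* Encode four diffs (22 bits, 3 bytes), decode them fully, then decode
 * a copy cut to its first byte as a crafted file would be. Returns 1
 * if the full decode is correct and the truncated one fails cleanly. */
static int demo(void)
{
    static const int diffs[4] = { 5, -3, 0, 12 };
    uint8_t buf[8] = {0};
    bit_writer_t w = { buf, sizeof buf, 0 };
    for (int i = 0; i < 4; i++)
        if (put_huffman_diff(&w, diffs[i]) < 0) return 0;
    bit_state_t bs; int out[4];
    bs_init(&bs, buf, (w.nbits + 7) / 8);
    if (huffman_decode_row(&bs, out, 4) != 4) return 0;
    if (out[0] != 5 || out[1] != 2 || out[2] != 2 || out[3] != 14) return 0;
    bs_init(&bs, buf, 1);                 /* only one byte "in the file" */
    if (huffman_decode_row(&bs, out, 4) != -1 || !bs.overrun) return 0;
    return 1;
}

int main(void)
{
    int ok = demo();
    printf("%s\n", ok ? "ok" : "FAIL");
    return ok ? 0 : 1;
}
```

The point of the end pointer is that the decision lives in the one place every code path funnels through; a check added only in get_huffman_diff() would still leave any other caller of the bit reader exposed. With the sample cut to one byte, the first sample decodes and the second code's prefix runs out after a single bit, so the row decoder stops with overrun set instead of walking into whatever follows the buffer.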

@GirlElecta GirlElecta changed the title out-of-bounds-read in libraw\src\x3f\x3f_utils_patched.cpp out-of-bounds read in libraw\src\x3f\x3f_utils_patched.cpp Apr 2, 2020
Owner

LibRaw commented Apr 2, 2020

have_fpdata is not called from x3f_dpq_interpolate_rg; could you please recheck your stack trace.

Author

GirlElecta commented Apr 2, 2020

The provided stack trace is the exact result of using the k command in WinDbg. Can you please run the PoC on ImageMagick using the command I provided in the report?
You should be able to reproduce this easily, hopefully with a better stack trace.
Please let me know if you need my help.

Owner

LibRaw commented Apr 2, 2020

Sorry, no ImageMagick. Will try to reproduce using the samples provided with LibRaw.

Owner

LibRaw commented Apr 4, 2020

Fixed by d75af00

@LibRaw LibRaw closed this as completed Apr 4, 2020
@GirlElecta GirlElecta changed the title out-of-bounds read in libraw\src\x3f\x3f_utils_patched.cpp "get_bit()" Out-of-bounds read vulnerability Jun 15, 2020
@GirlElecta GirlElecta changed the title "get_bit()" Out-of-bounds read vulnerability LibRaw "get_huffman_diff()" Out-of-bounds read vulnerability Jun 17, 2020