Libraw "new_node()" Out-of-bounds Write Vulnerability #272

Closed
0xfoxone opened this issue Apr 3, 2020 · 1 comment


0xfoxone commented Apr 3, 2020

Description

There is an out-of-bounds write vulnerability within the "new_node()" function (libraw\src\x3f\x3f_utils_patched.cpp).

Steps to Reproduce

poc (password: 0xfoxone):
https://drive.google.com/open?id=1SGItp-hBZXEgrPErI6URiRkqUOT5J9In

cmd:
magick.exe convert poc.X3F new.png

Upon running this, the following crash happens (note: I enabled page heap on magick.exe):

Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\ImageMagick-7.0.9-16\VisualMagick\bin\magick.exe convert C:\poc.X3F C:\new.png

Symbol search path is: srv*
Executable search path is:
ModLoad: 0000000000830000 0000000000840000 magick.exe
ModLoad: 00007ffe62840000 00007ffe62a30000 ntdll.dll
ModLoad: 0000000077260000 00000000773fa000 ntdll.dll
ModLoad: 0000000001200000 0000000001271000 C:\WINDOWS\System32\verifier.dll
Page heap: pid 0x9210: page heap enabled with flags 0x3.
ModLoad: 00007ffe60bc0000 00007ffe60c15000 C:\WINDOWS\System32\wow64.dll
ModLoad: 00007ffe60b40000 00007ffe60bbd000 C:\WINDOWS\System32\wow64win.dll
(9210.8cf4): Break instruction exception - code 80000003 (first chance)
ntdll!LdrInitShimEngineDynamic+0x35c:
00007ffe6291121c cc int 3
0:000> g
ModLoad: 0000000077250000 0000000077259000 C:\WINDOWS\System32\wow64cpu.dll
ModLoad: 0000000071620000 0000000071683000 C:\WINDOWS\SysWOW64\verifier.dll
Page heap: pid 0x9210: page heap enabled with flags 0x3.
ModLoad: 0000000074b20000 0000000074c00000 C:\WINDOWS\SysWOW64\KERNEL32.DLL
ModLoad: 0000000075500000 00000000756fd000 C:\WINDOWS\SysWOW64\KERNELBASE.dll
ModLoad: 0000000070750000 000000007099e000 C:\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_MagickCore_.dll
ModLoad: 00000000714b0000 0000000071611000 C:\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_MagickWand_.dll
ModLoad: 0000000074ce0000 0000000074e77000 C:\WINDOWS\SysWOW64\USER32.dll
ModLoad: 0000000075eb0000 0000000075ec7000 C:\WINDOWS\SysWOW64\win32u.dll
ModLoad: 0000000070ff0000 0000000071163000 C:\WINDOWS\SysWOW64\ucrtbased.dll
ModLoad: 0000000071490000 00000000714ac000 C:\WINDOWS\SysWOW64\VCRUNTIME140D.dll
ModLoad: 0000000071460000 0000000071488000 C:\WINDOWS\SysWOW64\VCOMP140D.DLL
ModLoad: 0000000076fe0000 0000000077001000 C:\WINDOWS\SysWOW64\GDI32.dll
ModLoad: 0000000075d30000 0000000075e8a000 C:\WINDOWS\SysWOW64\gdi32full.dll
ModLoad: 0000000077150000 00000000771cc000 C:\WINDOWS\SysWOW64\msvcp_win.dll
ModLoad: 0000000076720000 000000007683f000 C:\WINDOWS\SysWOW64\ucrtbase.dll
ModLoad: 0000000075480000 00000000754f9000 C:\WINDOWS\SysWOW64\ADVAPI32.dll
ModLoad: 00000000764a0000 000000007655f000 C:\WINDOWS\SysWOW64\msvcrt.dll
ModLoad: 00000000771d0000 0000000077246000 C:\WINDOWS\SysWOW64\sechost.dll
ModLoad: 0000000077010000 00000000770cb000 C:\WINDOWS\SysWOW64\RPCRT4.dll
ModLoad: 0000000074a30000 0000000074a50000 C:\WINDOWS\SysWOW64\SspiCli.dll
ModLoad: 0000000074a20000 0000000074a2a000 C:\WINDOWS\SysWOW64\CRYPTBASE.dll
ModLoad: 00000000765f0000 000000007664f000 C:\WINDOWS\SysWOW64\bcryptPrimitives.dll
ModLoad: 0000000071440000 000000007145e000 C:\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_bzlib_.dll
ModLoad: 0000000070680000 0000000070750000 C:\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_freetype_.dll
ModLoad: 0000000070f80000 0000000070fe6000 C:\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_lcms_.dll
ModLoad: 0000000071390000 00000000713aa000 C:\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_lqr_.dll
ModLoad: 0000000070bb0000 0000000070c2c000 C:\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_libxml_.dll
ModLoad: 000000006fd60000 000000006ffee000 C:\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_glib_.dll
ModLoad: 0000000075f20000 000000007649a000 C:\WINDOWS\SysWOW64\SHELL32.dll
ModLoad: 0000000076850000 000000007688b000 C:\WINDOWS\SysWOW64\cfgmgr32.dll
ModLoad: 0000000071360000 0000000071381000 C:\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_zlib_.dll
ModLoad: 0000000076560000 00000000765e4000 C:\WINDOWS\SysWOW64\shcore.dll
ModLoad: 0000000075840000 0000000075ab5000 C:\WINDOWS\SysWOW64\combase.dll
ModLoad: 00000000769b0000 0000000076f75000 C:\WINDOWS\SysWOW64\windows.storage.dll
ModLoad: 0000000074c50000 0000000074c67000 C:\WINDOWS\SysWOW64\profapi.dll
ModLoad: 0000000074c90000 0000000074cd3000 C:\WINDOWS\SysWOW64\powrprof.dll
ModLoad: 0000000075700000 000000007570d000 C:\WINDOWS\SysWOW64\UMPDC.dll
ModLoad: 0000000075ed0000 0000000075f14000 C:\WINDOWS\SysWOW64\shlwapi.dll
ModLoad: 00000000766c0000 000000007671e000 C:\WINDOWS\SysWOW64\WS2_32.dll
ModLoad: 0000000074f10000 0000000074f1f000 C:\WINDOWS\SysWOW64\kernel.appcore.dll
ModLoad: 0000000075e90000 0000000075ea3000 C:\WINDOWS\SysWOW64\cryptsp.dll
ModLoad: 0000000075ac0000 0000000075bb7000 C:\WINDOWS\SysWOW64\ole32.dll
ModLoad: 0000000074920000 0000000074952000 C:\WINDOWS\SysWOW64\IPHLPAPI.DLL
ModLoad: 0000000074880000 0000000074911000 C:\WINDOWS\SysWOW64\DNSAPI.dll
ModLoad: 0000000076840000 0000000076847000 C:\WINDOWS\SysWOW64\NSI.dll
(9210.8cf4): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll_77260000!LdrInitShimEngineDynamic+0x6e2:
7730e9e2 cc int 3
0:000:x86> g
ModLoad: 75810000 75835000 C:\WINDOWS\SysWOW64\IMM32.DLL
ModLoad: 71430000 7143e000 C:\ImageMagick-7.0.9-16\VisualMagick\bin\IM_MOD_DB_DNG_.dll
ModLoad: 70520000 70674000 C:\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_libraw_.dll
ModLoad: 70320000 703d9000 C:\WINDOWS\SysWOW64\MSVCP140D.dll
(9210.8cf4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_libraw_.dll
CORE_DB_libraw_!new_node+0x41:
705dbf21 c74208ffffffff mov dword ptr [edx+8],0FFFFFFFFh ds:002b:117d0000=????????
0:000:x86> k
ChildEBP RetAddr
00 00fa4198 705cab75 CORE_DB_libraw_!new_node+0x41 [c:\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 715]
01 00fa41bc 705e2f65 CORE_DB_libraw_!add_code_to_tree+0x75 [c:\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 736]
02 00fa41e8 705ed80d CORE_DB_libraw_!populate_true_huffman_tree+0x95 [c:\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 762]
03 00fa4234 705ec86e CORE_DB_libraw_!x3f_load_true+0x36d [c:\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 1334]
04 00fa4254 705ec28c CORE_DB_libraw_!x3f_load_image+0xbe [c:\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 1509]
05 00fa426c 705ecd80 CORE_DB_libraw_!x3f_load_data+0x6c [c:\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 2058]
06 00fa42e8 705e86f5 CORE_DB_libraw_!LibRaw::x3f_load_raw+0x50 [c:\imagemagick-7.0.9-16\libraw\src\x3f\x3f_parse_process.cpp @ 579]
07 00fa4464 705f0abc CORE_DB_libraw_!LibRaw::unpack+0xa25 [c:\imagemagick-7.0.9-16\libraw\src\decoders\unpack.cpp @ 282]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.9-16\VisualMagick\bin\IM_MOD_DB_DNG_.dll
08 00fa4470 71431be6 CORE_DB_libraw_!libraw_unpack+0x2c [c:\imagemagick-7.0.9-16\libraw\src\libraw_c_api.cpp @ 136]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_MagickCore_.dll
09 00fa64c8 707b25a3 IM_MOD_DB_DNG_!ReadDNGImage+0x466 [c:\imagemagick-7.0.9-16\imagemagick\coders\dng.c @ 425]
0a 00fab5e0 707b3b2c CORE_DB_MagickCore_!ReadImage+0x543 [c:\imagemagick-7.0.9-16\imagemagick\magickcore\constitute.c @ 553]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_MagickWand_.dll
0b 00fac624 714dd449 CORE_DB_MagickCore_!ReadImages+0x2fc [c:\imagemagick-7.0.9-16\imagemagick\magickcore\constitute.c @ 927]
0c 00fadb84 71548b4d CORE_DB_MagickWand_!ConvertImageCommand+0xd29 [c:\imagemagick-7.0.9-16\imagemagick\magickwand\convert.c @ 606]
*** WARNING: Unable to verify checksum for magick.exe
0d 00faec40 008313de CORE_DB_MagickWand_!MagickCommandGenesis+0x2cd [c:\imagemagick-7.0.9-16\imagemagick\magickwand\mogrify.c @ 185]
0e 00fafd74 00831626 magick!MagickMain+0x3de [c:\imagemagick-7.0.9-16\imagemagick\utilities\magick.c @ 149]
0f 00fafd94 00831d2e magick!wmain+0x46 [c:\imagemagick-7.0.9-16\imagemagick\utilities\magick.c @ 195]
10 00fafda8 00831c10 magick!invoke_main+0x1e [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 79]
11 00fafe00 00831abd magick!__scrt_common_main_seh+0x150 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
12 00fafe08 00831d48 magick!__scrt_common_main+0xd [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 296]
13 00fafe10 74b36359 magick!wmainCRTStartup+0x8 [f:\dd\vctools\crt\vcstartup\src\startup\exe_wmain.cpp @ 17]
WARNING: Stack unwind information not available. Following frames may be wrong.
14 00fafe20 772c7b74 KERNEL32!BaseThreadInitThunk+0x19
15 00fafe7c 772c7b44 ntdll_77260000!RtlGetAppContainerNamedObjectPath+0xe4
16 00fafe8c 00000000 ntdll_77260000!RtlGetAppContainerNamedObjectPath+0xb4

System Configuration

@0xfoxone 0xfoxone closed this as completed Apr 3, 2020
@0xfoxone 0xfoxone reopened this Apr 3, 2020
LibRaw (Owner) commented Apr 4, 2020

Fixed by 11c4db2

@LibRaw LibRaw closed this as completed Apr 4, 2020
@0xfoxone 0xfoxone changed the title out-of-bounds write in libraw\src\x3f\x3f_utils_patched.cpp Libraw "new_node()" Out-of-bounds Write Vulnerability Jun 15, 2020