"LibRaw::adobe_copy_pixel()" Out-of-bounds read vulnerability #273

Closed
GirlElecta opened this issue Apr 8, 2020 · 2 comments
GirlElecta commented Apr 8, 2020

Description

An out-of-bounds read vulnerability exists within the "LibRaw::adobe_copy_pixel()" function (libraw\src\decoders\dng.cpp) when parsing a crafted DNG file.

Steps to Reproduce

(PoC archive, password: girlelecta):
https://drive.google.com/file/d/1kDMhDwfxoZBa31_vrsA2TfQI45FG8NRW/view

cmd:
magick.exe convert poc.DNG new.png

Upon running this, the following crash happens (note: I enabled page heap on magick.exe):

Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\magick.exe convert E:\Workspace\poc.DNG E:\Workspace\new.png

************* Path validation summary **************
Symbol search path is: srv*
Executable search path is:
ModLoad: 00007ff7 d89d0000 00007ff7 d89e2000 magick.exe
ModLoad: 00007ffe c1500000 00007ffe c16f0000 ntdll.dll
ModLoad: 00007ffe a8430000 00007ffe a84a1000 C:\WINDOWS\System32\verifier.dll
Page heap: pid 0x2AA8: page heap enabled with flags 0x3.
ModLoad: 00007ffe bf9a0000 00007ffe bfa52000 C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ffe be510000 00007ffe be7b3000 C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ffe a87f0000 00007ffe a8812000 C:\WINDOWS\SYSTEM32\VCRUNTIME140D.dll
ModLoad: 00007ffe 8b440000 00007ffe 8b5fb000 C:\WINDOWS\SYSTEM32\ucrtbased.dll
ModLoad: 00007ffe 800e0000 00007ffe 80374000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickCore_.dll
ModLoad: 00007ffe c0ea0000 00007ffe c1034000 C:\WINDOWS\System32\USER32.dll
ModLoad: 00007ffe bf580000 00007ffe bf5a1000 C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ffe c0910000 00007ffe c0936000 C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ffe be7c0000 00007ffe be954000 C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ffe beab0000 00007ffe beb4e000 C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ffe beb80000 00007ffe bec7a000 C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007ffe c1280000 00007ffe c1323000 C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ffe c0bb0000 00007ffe c0c4e000 C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffe 7ff10000 00007ffe 800da000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickWand_.dll
ModLoad: 00007ffe c0cc0000 00007ffe c0d57000 C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ffe c02a0000 00007ffe c03c0000 C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ffe c1430000 00007ffe c149f000 C:\WINDOWS\System32\WS2_32.dll
ModLoad: 00007ffe a82a0000 00007ffe a8340000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_libxml_.dll
ModLoad: 00007ffe a87c0000 00007ffe a87e7000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_bzlib_.dll
ModLoad: 00007ffe a8210000 00007ffe a8296000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_lcms_.dll
ModLoad: 00007ffe a8400000 00007ffe a8423000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_lqr_.dll
ModLoad: 00007ffe a81e0000 00007ffe a820a000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_zlib_.dll
ModLoad: 0000015b 7f580000 0000015b 7f5aa000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_zlib_.dll
ModLoad: 00007ffe 9a830000 00007ffe 9a94f000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_freetype_.dll
ModLoad: 00007ffe 7f540000 00007ffe 7f87b000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_glib_.dll
ModLoad: 00007ffe bfa60000 00007ffe c0145000 C:\WINDOWS\System32\SHELL32.dll
ModLoad: 00007ffe bf530000 00007ffe bf57a000 C:\WINDOWS\System32\cfgmgr32.dll
ModLoad: 00007ffe c0b00000 00007ffe c0ba9000 C:\WINDOWS\System32\shcore.dll
ModLoad: 00007ffe bf5b0000 00007ffe bf8e6000 C:\WINDOWS\System32\combase.dll
ModLoad: 00007ffe be490000 00007ffe be510000 C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007ffe bec80000 00007ffe bf3ff000 C:\WINDOWS\System32\windows.storage.dll
ModLoad: 00007ffe be470000 00007ffe be48f000 C:\WINDOWS\System32\profapi.dll
ModLoad: 00007ffe be400000 00007ffe be44a000 C:\WINDOWS\System32\powrprof.dll
ModLoad: 00007ffe be3d0000 00007ffe be3e0000 C:\WINDOWS\System32\UMPDC.dll
ModLoad: 00007ffe c1220000 00007ffe c1272000 C:\WINDOWS\System32\shlwapi.dll
ModLoad: 00007ffe be3e0000 00007ffe be3f1000 C:\WINDOWS\System32\kernel.appcore.dll
ModLoad: 00007ffe bf510000 00007ffe bf527000 C:\WINDOWS\System32\cryptsp.dll
ModLoad: 00007ffe c1040000 00007ffe c1196000 C:\WINDOWS\System32\ole32.dll
ModLoad: 00007ffe bd950000 00007ffe bd98a000 C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffe bd990000 00007ffe bda5a000 C:\WINDOWS\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffe c0220000 00007ffe c0228000 C:\WINDOWS\System32\NSI.dll
(2aa8.3a0): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffe c15d121c cc int 3
0:000> g
ModLoad: 00007ffe c1400000 00007ffe c142e000 C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ffe b9cb0000 00007ffe b9cbf000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\IM_MOD_DB_DNG_.dll
ModLoad: 00007ffe 7f390000 00007ffe 7f53b000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_libraw_.dll
ModLoad: 00007ffe 982d0000 00007ffe 983c6000 C:\WINDOWS\SYSTEM32\MSVCP140D.dll
(2aa8.3a0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_libraw_.dll
CORE_DB_libraw_!LibRaw::adobe_copy_pixel+0x95:
00007ffe 7f39dd25 0fb700 movzx eax,word ptr [rax] ds:0000015b 0b76e000=????
0:000> k
Child-SP RetAddr Call Site
00 0000003f 23be2e20 00007ffe 7f3c30e9 CORE_DB_libraw_!LibRaw::adobe_copy_pixel+0x95 [e:\workspace\imagemagick\imagemagick-7.0.10-7\libraw\src\decoders\dng.cpp @ 36]
01 0000003f 23be2e40 00007ffe 7f493628 CORE_DB_libraw_!LibRaw::lossless_dng_load_raw+0x569 [e:\workspace\imagemagick\imagemagick-7.0.10-7\libraw\src\decoders\dng.cpp @ 110]
02 0000003f 23be31b0 00007ffe 7f49d358 CORE_DB_libraw_!LibRaw::unpack+0xc18 [e:\workspace\imagemagick\imagemagick-7.0.10-7\libraw\src\decoders\unpack.cpp @ 283]
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\IM_MOD_DB_DNG_.dll
03 0000003f 23be3370 00007ffe b9cb1989 CORE_DB_libraw_!libraw_unpack+0x48 [e:\workspace\imagemagick\imagemagick-7.0.10-7\libraw\src\libraw_c_api.cpp @ 136]
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickCore_.dll
04 0000003f 23be33b0 00007ffe 8013b667 IM_MOD_DB_DNG_!ReadDNGImage+0x479 [e:\workspace\imagemagick\imagemagick-7.0.10-7\imagemagick\coders\dng.c @ 408]
05 0000003f 23be54c0 00007ffe 8013cde3 CORE_DB_MagickCore_!ReadImage+0x5e7 [e:\workspace\imagemagick\imagemagick-7.0.10-7\imagemagick\magickcore\constitute.c @ 553]
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickWand_.dll
06 0000003f 23bea6e0 00007ffe 7ff4aac3 CORE_DB_MagickCore_!ReadImages+0x393 [e:\workspace\imagemagick\imagemagick-7.0.10-7\imagemagick\magickcore\constitute.c @ 941]
07 0000003f 23beb790 00007ffe 7ffe4758 CORE_DB_MagickWand_!ConvertImageCommand+0x1523 [e:\workspace\imagemagick\imagemagick-7.0.10-7\imagemagick\magickwand\convert.c @ 606]
*** WARNING: Unable to verify checksum for magick.exe
08 0000003f 23bed2e0 00007ff7 d89d14ea CORE_DB_MagickWand_!MagickCommandGenesis+0x338 [e:\workspace\imagemagick\imagemagick-7.0.10-7\imagemagick\magickwand\mogrify.c @ 186]
09 0000003f 23bee450 00007ff7 d89d1693 magick!MagickMain+0x4ea [e:\workspace\imagemagick\imagemagick-7.0.10-7\imagemagick\utilities\magick.c @ 149]
0a 0000003f 23bef6c0 00007ff7 d89d1f24 magick!wmain+0x43 [e:\workspace\imagemagick\imagemagick-7.0.10-7\imagemagick\utilities\magick.c @ 195]
0b 0000003f 23bef700 00007ff7 d89d1e37 magick!invoke_main+0x34 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 80]
0c 0000003f 23bef740 00007ff7 d89d1cfe magick!__scrt_common_main_seh+0x127 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
0d 0000003f 23bef7a0 00007ff7 d89d1f39 magick!__scrt_common_main+0xe [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 296]
0e 0000003f 23bef7d0 00007ffe bf9b7bd4 magick!wmainCRTStartup+0x9 [f:\dd\vctools\crt\vcstartup\src\startup\exe_wmain.cpp @ 17]
0f 0000003f 23bef800 00007ffe c156ced1 KERNEL32!BaseThreadInitThunk+0x14
10 0000003f 23bef830 00000000 00000000 ntdll!RtlUserThreadStart+0x21

System Configuration
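The bug class this report describes, as an added illustration written for this page; it is not LibRaw's code and does not reproduce the a6937d4 fix. A decoder copies samples from a just-decoded row into the raw image by the geometry the file header declares (tile width, samples per pixel), guarding the destination but never the source cursor, so a crafted header makes it read past the decoded buffer. The 16-bit load `movzx eax,word ptr [rax]` at the crash site and the page-aligned faulting address under page heap are consistent with exactly that kind of read running just past the end of a heap allocation. All structure and function names below are invented for the example; the hardened copy refuses any tile whose declared geometry cannot be satisfied by what was actually decoded.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for a decoder's state (not LibRaw's types). */
typedef struct {
    const uint16_t *data;   /* samples the decoder really produced */
    size_t count;           /* how many uint16_t values are in `data` */
} decoded_row;

typedef struct {
    uint16_t *pixels;       /* width * height destination samples */
    unsigned width, height;
} raw_buffer;

/* Fields taken straight from the file, so attacker-controlled in a
 * crafted DNG: tile origin, tile width and samples per pixel. */
typedef struct {
    unsigned row, col, tile_width, samples_per_pixel;
} tile_header;

/* Trusting copy: walks the source by header-declared geometry and only
 * guards the destination.  If the file declares a wider tile or more
 * samples per pixel than were decoded, `src` runs past `in->data`, the
 * out-of-bounds read class reported in this issue. */
static void copy_tile_unchecked(const tile_header *h, const decoded_row *in,
                                raw_buffer *out)
{
    const uint16_t *src = in->data;
    for (unsigned c = 0; c < h->tile_width; c++) {
        unsigned col = h->col + c;
        if (h->row < out->height && col < out->width)
            out->pixels[h->row * out->width + col] = *src;  /* first sample */
        src += h->samples_per_pixel;   /* never compared with in->count */
    }
}

/* Hardened copy: reject the tile up front when the declared geometry needs
 * more samples than were decoded, or when its origin lies outside the image.
 * Returns 0 on success, -1 for an inconsistent file (nothing is read then). */
static int copy_tile_checked(const tile_header *h, const decoded_row *in,
                             raw_buffer *out)
{
    /* Product computed in 64 bits so a huge tile_width * samples_per_pixel
     * cannot wrap to a small value and slip past the comparison. */
    uint64_t need = (uint64_t)h->tile_width * h->samples_per_pixel;
    if (h->samples_per_pixel == 0 || need > in->count)
        return -1;
    if (h->row >= out->height || h->col >= out->width)
        return -1;

    const uint16_t *src = in->data;   /* now known to hold `need` samples */
    for (unsigned c = 0; c < h->tile_width; c++) {
        unsigned col = h->col + c;
        if (col < out->width)         /* clip columns past the right edge */
            out->pixels[h->row * out->width + col] = *src;
        src += h->samples_per_pixel;
    }
    return 0;
}

/* Constructed sample: a 4x2 image, an honest row of 4 one-sample pixels,
 * a crafted header claiming 3 samples per pixel for that same row (needs 12,
 * has 4: the unchecked copy would read decoded[6] and decoded[9]), and a
 * header whose width * spp product wraps to 0 in 32-bit arithmetic.
 * Returns 1 when the checked copy accepts only the honest header and
 * places the samples where expected. */
static int run_demo(void)
{
    uint16_t px[8] = {0};
    raw_buffer img = { px, 4, 2 };
    const uint16_t decoded[4] = { 10, 20, 30, 40 };
    decoded_row row = { decoded, 4 };

    tile_header honest  = { 1, 0, 4, 1 };
    tile_header crafted = { 1, 0, 4, 3 };
    tile_header wrapped = { 1, 0, 0x80000000u, 2 };

    copy_tile_unchecked(&honest, &row, &img);   /* safe only on honest input */
    int ok  = copy_tile_checked(&honest, &row, &img);    /* 0 */
    int bad = copy_tile_checked(&crafted, &row, &img);   /* -1 */
    int big = copy_tile_checked(&wrapped, &row, &img);   /* -1 */
    return ok == 0 && bad == -1 && big == -1
        && px[4] == 10 && px[5] == 20 && px[6] == 30 && px[7] == 40;
}

int main(void)
{
    int good = run_demo();
    printf("hardened tile copy rejects crafted headers: %s\n", good ? "yes" : "no");
    return good ? 0 : 1;
}
```

The point of the up-front check is that the source cursor is validated once from the header before any sample is touched, rather than per read, which is also where a fuzzer-found crash like this one is cheapest to regression-test: feed the decoder the inconsistent header and assert it returns an error without a memory access.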

LibRaw (Owner) commented Apr 8, 2020

This patch should fix it, please confirm: a6937d4

GirlElecta (Author) commented

Thank you for your time on the patch. I do not have a test environment, but as the patch is simple I could patch the ImageMagick binary and confirm that the provided PoC does not crash it anymore.

@LibRaw LibRaw closed this as completed Apr 9, 2020
@GirlElecta GirlElecta changed the title out-of-bounds read in libraw\src\decoders\dng.cpp "LibRaw::adobe_copy_pixel()" Out-of-bounds read vulnerability Jun 15, 2020