
Libraw "crxFreeSubbandData()" Memory Corruption Vulnerability #279

Closed
0xfoxone opened this issue Apr 26, 2020 · 1 comment

@0xfoxone

Description:

There is a memory corruption vulnerability within the "crxFreeSubbandData()" function (libraw\src\decoders\crx.cpp) when processing cr3 files.

Steps to Reproduce:

poc (password: 0xfoxone):
https://drive.google.com/open?id=10pjqVx6mItzmvovgqF-8IHi3jnnKQ6fD

cmd:
magick.exe convert poc.cr3 new.bmp

Upon running this, the following crash happens (Note: I enabled page heap on magick.exe):

Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\magick.exe convert c:\poc.cr3 c:\new.bmp

Symbol search path is: srv*
Executable search path is:
ModLoad: 00e90000 00ea0000 magick.exe
ModLoad: 776c0000 7785a000 ntdll.dll
Page heap: pid 0x125C: page heap enabled with flags 0x3.
ModLoad: 6c050000 6c0b3000 C:\WINDOWS\SysWOW64\verifier.dll
Page heap: pid 0x125C: page heap enabled with flags 0x3.
ModLoad: 75260000 75340000 C:\WINDOWS\SysWOW64\KERNEL32.DLL
ModLoad: 76570000 7676e000 C:\WINDOWS\SysWOW64\KERNELBASE.dll
ModLoad: 6bdf0000 6c049000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_MagickCore_.dll
ModLoad: 75530000 756c7000 C:\WINDOWS\SysWOW64\USER32.dll
ModLoad: 756d0000 756e7000 C:\WINDOWS\SysWOW64\win32u.dll
ModLoad: 76470000 76491000 C:\WINDOWS\SysWOW64\GDI32.dll
ModLoad: 75340000 7549a000 C:\WINDOWS\SysWOW64\gdi32full.dll
ModLoad: 75dd0000 75e4c000 C:\WINDOWS\SysWOW64\msvcp_win.dll
ModLoad: 76ab0000 76bcf000 C:\WINDOWS\SysWOW64\ucrtbase.dll
ModLoad: 754b0000 75529000 C:\WINDOWS\SysWOW64\ADVAPI32.dll
ModLoad: 775f0000 776af000 C:\WINDOWS\SysWOW64\msvcrt.dll
ModLoad: 76a30000 76aa6000 C:\WINDOWS\SysWOW64\sechost.dll
ModLoad: 75720000 757db000 C:\WINDOWS\SysWOW64\RPCRT4.dll
ModLoad: 74e90000 74eb0000 C:\WINDOWS\SysWOW64\SspiCli.dll
ModLoad: 74e80000 74e8a000 C:\WINDOWS\SysWOW64\CRYPTBASE.dll
ModLoad: 750f0000 7514f000 C:\WINDOWS\SysWOW64\bcryptPrimitives.dll
ModLoad: 76510000 7656e000 C:\WINDOWS\SysWOW64\WS2_32.dll
ModLoad: 6bc80000 6bde2000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_MagickWand_.dll
ModLoad: 6bc60000 6bc7c000 C:\WINDOWS\SysWOW64\VCRUNTIME140D.dll
ModLoad: 6bae0000 6bc53000 C:\WINDOWS\SysWOW64\ucrtbased.dll
ModLoad: 6bac0000 6bade000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_bzlib_.dll
ModLoad: 6b9f0000 6bac0000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_freetype_.dll
ModLoad: 6b980000 6b9e6000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_lcms_.dll
ModLoad: 6b900000 6b97c000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_libxml_.dll
ModLoad: 6b8e0000 6b8fa000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_lqr_.dll
ModLoad: 6b8b0000 6b8d1000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_zlib_.dll
ModLoad: 6b880000 6b8a8000 C:\WINDOWS\SysWOW64\VCOMP140D.DLL
ModLoad: 6b5f0000 6b87e000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_glib_.dll
ModLoad: 76cd0000 77246000 C:\WINDOWS\SysWOW64\SHELL32.dll
ModLoad: 769f0000 76a2b000 C:\WINDOWS\SysWOW64\cfgmgr32.dll
ModLoad: 75d40000 75dc4000 C:\WINDOWS\SysWOW64\shcore.dll
ModLoad: 77370000 775e5000 C:\WINDOWS\SysWOW64\combase.dll
ModLoad: 75ea0000 76464000 C:\WINDOWS\SysWOW64\windows.storage.dll
ModLoad: 75d20000 75d3b000 C:\WINDOWS\SysWOW64\profapi.dll
ModLoad: 75cd0000 75d13000 C:\WINDOWS\SysWOW64\powrprof.dll
ModLoad: 76770000 7677d000 C:\WINDOWS\SysWOW64\UMPDC.dll
ModLoad: 764c0000 76504000 C:\WINDOWS\SysWOW64\shlwapi.dll
ModLoad: 756f0000 756ff000 C:\WINDOWS\SysWOW64\kernel.appcore.dll
ModLoad: 76780000 76793000 C:\WINDOWS\SysWOW64\cryptsp.dll
ModLoad: 76bd0000 76cc7000 C:\WINDOWS\SysWOW64\ole32.dll
ModLoad: 747c0000 747f2000 C:\WINDOWS\SysWOW64\IPHLPAPI.DLL
ModLoad: 74720000 747b3000 C:\WINDOWS\SysWOW64\DNSAPI.dll
ModLoad: 75700000 75707000 C:\WINDOWS\SysWOW64\NSI.dll
(125c.fa8): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=011be000 ecx=366a0000 edx=00000000 esi=04b1a7c8 edi=776c688c
eip=7776eaa2 esp=00f9f7d0 ebp=00f9f7fc iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!LdrInitShimEngineDynamic+0x6e2:
7776eaa2 cc int 3
0:000> g
ModLoad: 77340000 77365000 C:\WINDOWS\SysWOW64\IMM32.DLL
ModLoad: 6b390000 6b39e000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\IM_MOD_DB_DNG_.dll
ModLoad: 6b230000 6b384000 C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_libraw_.dll
ModLoad: 6b170000 6b229000 C:\WINDOWS\SysWOW64\MSVCP140D.dll
ModLoad: 73db0000 73ddf000 C:\WINDOWS\SysWOW64\rsaenh.dll
ModLoad: 764a0000 764b9000 C:\WINDOWS\SysWOW64\bcrypt.dll
(125c.fa8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_libraw_.dll
eax=cdcdcdcd ebx=00000000 ecx=cdcdcdcd edx=0a2465b8 esi=00f9414c edi=00f941a4
eip=6b2e0e5f esp=00f94114 ebp=00f9411c iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010282
CORE_DB_libraw_!crxFreeSubbandData+0xf:
6b2e0e5f 833800 cmp dword ptr [eax],0 ds:002b:cdcdcdcd=????????
0:000> k
ChildEBP RetAddr
00 00f9411c 6b2e0de7 CORE_DB_libraw_!crxFreeSubbandData+0xf [c:\imagemagick-7.0.10-7-x86\libraw\src\decoders\crx.cpp @ 1633]
01 00f94140 6b2e3100 CORE_DB_libraw_!crxFreeImageData+0xa7 [c:\imagemagick-7.0.10-7-x86\libraw\src\decoders\crx.cpp @ 2341]
02 00f941f8 6b2f86f5 CORE_DB_libraw_!LibRaw::crxLoadRaw+0x210 [c:\imagemagick-7.0.10-7-x86\libraw\src\decoders\crx.cpp @ 2440]
03 00f94374 6b300abc CORE_DB_libraw_!LibRaw::unpack+0xa25 [c:\imagemagick-7.0.10-7-x86\libraw\src\decoders\unpack.cpp @ 282]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\IM_MOD_DB_DNG_.dll
04 00f94380 6b391be6 CORE_DB_libraw_!libraw_unpack+0x2c [c:\imagemagick-7.0.10-7-x86\libraw\src\libraw_c_api.cpp @ 136]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_MagickCore_.dll
05 00f963d8 6be552e3 IM_MOD_DB_DNG_!ReadDNGImage+0x466 [c:\imagemagick-7.0.10-7-x86\imagemagick\coders\dng.c @ 408]
06 00f9b4f0 6be568ac CORE_DB_MagickCore_!ReadImage+0x543 [c:\imagemagick-7.0.10-7-x86\imagemagick\magickcore\constitute.c @ 553]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7-x86\VisualMagick\bin\CORE_DB_MagickWand_.dll
07 00f9c534 6bcad449 CORE_DB_MagickCore_!ReadImages+0x2fc [c:\imagemagick-7.0.10-7-x86\imagemagick\magickcore\constitute.c @ 941]
08 00f9da94 6bd1912d CORE_DB_MagickWand_!ConvertImageCommand+0xd29 [c:\imagemagick-7.0.10-7-x86\imagemagick\magickwand\convert.c @ 606]
*** WARNING: Unable to verify checksum for magick.exe
09 00f9eb50 00e913de CORE_DB_MagickWand_!MagickCommandGenesis+0x2cd [c:\imagemagick-7.0.10-7-x86\imagemagick\magickwand\mogrify.c @ 186]
0a 00f9fc84 00e91626 magick!MagickMain+0x3de [c:\imagemagick-7.0.10-7-x86\imagemagick\utilities\magick.c @ 149]
0b 00f9fca4 00e91d2e magick!wmain+0x46 [c:\imagemagick-7.0.10-7-x86\imagemagick\utilities\magick.c @ 195]
0c 00f9fcb8 00e91c10 magick!invoke_main+0x1e [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 79]
0d 00f9fd10 00e91abd magick!__scrt_common_main_seh+0x150 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
0e 00f9fd18 00e91d48 magick!__scrt_common_main+0xd [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 296]
0f 00f9fd20 75276359 magick!wmainCRTStartup+0x8 [f:\dd\vctools\crt\vcstartup\src\startup\exe_wmain.cpp @ 17]
WARNING: Stack unwind information not available. Following frames may be wrong.
10 00f9fd30 77727c24 KERNEL32!BaseThreadInitThunk+0x19
11 00f9fd8c 77727bf4 ntdll!RtlGetAppContainerNamedObjectPath+0xe4
12 00f9fd9c 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0xb4
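What the register state points at, as an added illustration that is not from the report or from LibRaw's code: eax=cdcdcdcd is the fill value MSVC's debug CRT writes into freshly allocated, never-written heap memory, so the faulting `cmp dword ptr [eax],0` in crxFreeSubbandData is consistent with the cleanup routine reading a subband pointer that decoding had not yet assigned. The sketch below uses hypothetical types (Subband, Plane, plane_alloc, plane_free are all assumptions, not LibRaw's API) to show the fragile allocation beside the hardened one and a cleanup that tolerates a partial decode.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for per-subband bookkeeping (not LibRaw's types):
 * a plane owns N subband entries, each with a heap buffer that the cleanup
 * routine releases. */
typedef struct { uint8_t *buf; size_t len; } Subband;
typedef struct { Subband *bands; int count; } Plane;

/* MSVC's debug CRT fills fresh heap memory with 0xCD, so a pointer read from
 * never-written memory is 0xcdcdcdcd: the value in eax at the crash above. */
#define DEBUG_HEAP_FILL 0xCD

/* zeroed == 0 is the fragile pattern: the table is malloc'd, so each buf
 * holds garbage until that subband is decoded, and bailing out early hands
 * those pointers to cleanup (the memset emulates the debug-heap fill so the
 * effect shows on any platform). zeroed != 0 is the hardened pattern. */
Plane *plane_alloc(int count, int zeroed) {
    Plane *p = calloc(1, sizeof *p);
    size_t bytes = sizeof(Subband) * (size_t)count;
    if (!p) return NULL;
    p->bands = zeroed ? calloc(1, bytes) : malloc(bytes);
    if (!p->bands) { free(p); return NULL; }
    if (!zeroed) memset(p->bands, DEBUG_HEAP_FILL, bytes);
    p->count = count;
    return p;
}

/* Count subband pointers whose every byte is the uninitialised fill. */
int plane_count_poisoned(const Plane *p) {
    uint8_t pattern[sizeof(void *)];
    int n = 0;
    memset(pattern, DEBUG_HEAP_FILL, sizeof pattern);
    for (int i = 0; i < p->count; i++)
        n += memcmp(&p->bands[i].buf, pattern, sizeof pattern) == 0;
    return n;
}

/* Null-safe cleanup usable after a partial decode: frees only buffers that
 * were set, clears each slot, then releases the plane. Returns buffers freed.
 * On a poisoned (non-zeroed) plane it would walk into garbage pointers. */
int plane_free(Plane *p) {
    int freed = 0;
    if (!p) return 0;
    for (int i = 0; i < p->count; i++)
        if (p->bands[i].buf) { free(p->bands[i].buf); p->bands[i].buf = NULL; freed++; }
    free(p->bands);
    free(p);
    return freed;
}
```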

System Configuration:

@LibRaw (Owner) commented Apr 26, 2020

fix: e41f331

LibRaw closed this as completed Apr 26, 2020