
Libraw "LibRaw::parseSonySRF()" Out-of-bounds Read Vulnerability #283

Closed
0xfoxone opened this issue May 10, 2020 · 1 comment

@0xfoxone

Description:

There is an out-of-bounds read vulnerability within the "LibRaw::parseSonySRF()" function (libraw\src\metadata\sony.cpp) when processing srf files.

Steps to Reproduce:

poc (password: 0xfoxone):
https://drive.google.com/open?id=1r0wig5pSGUFhP3mDycIUcKMvnHamYaGJ

cmd:
magick.exe convert poc.srf new.bmp

Upon running this, the following crash happens (Note: I enabled page heap on magick.exe):

Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\ImageMagick-7.0.10-7\VisualMagick\bin\magick.exe convert c:\poc.srf c:\new.bmp
Symbol search path is: srv*
Executable search path is:
ModLoad: 00007ff779300000 00007ff779312000 magick.exe
ModLoad: 00007ffdb0d20000 00007ffdb0f10000 ntdll.dll
ModLoad: 00007ffd99d60000 00007ffd99dd1000 C:\WINDOWS\System32\verifier.dll
Page heap: pid 0x1ED0: page heap enabled with flags 0x3.
ModLoad: 00007ffdaf870000 00007ffdaf922000 C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ffdadd60000 00007ffdae004000 C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ffd87cf0000 00007ffd87fe1000 C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickCore_.dll
ModLoad: 00007ffd886a0000 00007ffd8886b000 C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickWand_.dll
ModLoad: 00007ffdb01a0000 00007ffdb0334000 C:\WINDOWS\System32\USER32.dll
ModLoad: 00007ffdaea40000 00007ffdaea61000 C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ffdaf270000 00007ffdaf296000 C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ffdae010000 00007ffdae1a4000 C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ffdaea70000 00007ffdaeb0e000 C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ffdaeb30000 00007ffdaec2a000 C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007ffdb04c0000 00007ffdb0563000 C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ffdafdf0000 00007ffdafe8e000 C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffdb0420000 00007ffdb04b7000 C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ffdaf5b0000 00007ffdaf6d0000 C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ffdafd80000 00007ffdafdef000 C:\WINDOWS\System32\WS2_32.dll
ModLoad: 00007ffda1d20000 00007ffda1d42000 C:\WINDOWS\SYSTEM32\VCRUNTIME140D.dll
ModLoad: 00007ffd86800000 00007ffd869bb000 C:\WINDOWS\SYSTEM32\ucrtbased.dll
ModLoad: 00007ffd8d900000 00007ffd8da1f000 C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_freetype_.dll
ModLoad: 00007ffd8e600000 00007ffd8e686000 C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_lcms_.dll
ModLoad: 00007ffda1b50000 00007ffda1b77000 C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_bzlib_.dll
ModLoad: 00007ffd8e1c0000 00007ffd8e260000 C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_libxml_.dll
ModLoad: 00007ffd9dbe0000 00007ffd9dc03000 C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_lqr_.dll
ModLoad: 00007ffd9d610000 00007ffd9d63a000 C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_zlib_.dll
ModLoad: 00007ffd9a400000 00007ffd9a435000 C:\WINDOWS\SYSTEM32\VCOMP140D.DLL
ModLoad: 00007ffd85150000 00007ffd8548b000 C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_glib_.dll
ModLoad: 00007ffdb05f0000 00007ffdb0cd4000 C:\WINDOWS\System32\SHELL32.dll
ModLoad: 00007ffdaed80000 00007ffdaedca000 C:\WINDOWS\System32\cfgmgr32.dll
ModLoad: 00007ffdafc70000 00007ffdafd19000 C:\WINDOWS\System32\shcore.dll
ModLoad: 00007ffdaf930000 00007ffdafc66000 C:\WINDOWS\System32\combase.dll
ModLoad: 00007ffdae1b0000 00007ffdae230000 C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007ffdae260000 00007ffdae9dd000 C:\WINDOWS\System32\windows.storage.dll
ModLoad: 00007ffdadc80000 00007ffdadca3000 C:\WINDOWS\System32\profapi.dll
ModLoad: 00007ffdadbf0000 00007ffdadc3a000 C:\WINDOWS\System32\powrprof.dll
ModLoad: 00007ffdadbe0000 00007ffdadbf0000 C:\WINDOWS\System32\UMPDC.dll
ModLoad: 00007ffdb03c0000 00007ffdb0412000 C:\WINDOWS\System32\shlwapi.dll
ModLoad: 00007ffdadc40000 00007ffdadc51000 C:\WINDOWS\System32\kernel.appcore.dll
ModLoad: 00007ffdaeb10000 00007ffdaeb27000 C:\WINDOWS\System32\cryptsp.dll
ModLoad: 00007ffdb0040000 00007ffdb0197000 C:\WINDOWS\System32\ole32.dll
ModLoad: 00007ffdad1b0000 00007ffdad27b000 C:\WINDOWS\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffdaf370000 00007ffdaf378000 C:\WINDOWS\System32\NSI.dll
ModLoad: 00007ffdad160000 00007ffdad19a000 C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
(1ed0.1214): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffdb0df119c cc int 3
0:000> g
ModLoad: 00007ffdaf4b0000 00007ffdaf4de000 C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ffda93a0000 00007ffda93af000 C:\ImageMagick-7.0.10-7\VisualMagick\bin\IM_MOD_DB_DNG_.dll
ModLoad: 00007ffd86310000 00007ffd864bc000 C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_libraw_.dll
ModLoad: 00007ffd88e10000 00007ffd88f06000 C:\WINDOWS\SYSTEM32\MSVCP140D.dll
(1ed0.1214): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_libraw_.dll
CORE_DB_libraw_!LibRaw::sget2+0x2c:
00007ffd86396d9c 0fb60401 movzx eax,byte ptr [rcx+rax] ds:0000019e5bb50000=??
0:000> k
Child-SP RetAddr Call Site
00 000000939ecee890 00007ffd8636bf5d CORE_DB_libraw_!LibRaw::sget2+0x2c [c:\imagemagick-7.0.10-7\libraw\src\utils\utils_dcraw.cpp @ 84]
01 000000939ecee8a0 00007ffd8636fe7a CORE_DB_libraw_!LibRaw::parseSonySRF+0x42d [c:\imagemagick-7.0.10-7\libraw\src\metadata\sony.cpp @ 1952]
02 000000939ecee950 00007ffd8638071a CORE_DB_libraw_!LibRaw::parse_exif+0x155a [c:\imagemagick-7.0.10-7\libraw\src\metadata\exif_gps.cpp @ 229]
03 000000939eceef50 00007ffd8637bebb CORE_DB_libraw_!LibRaw::parse_tiff_ifd+0x484a [c:\imagemagick-7.0.10-7\libraw\src\metadata\tiff.cpp @ 717]
04 000000939ecefdd0 00007ffd8632f89f CORE_DB_libraw_!LibRaw::parse_tiff+0x11b [c:\imagemagick-7.0.10-7\libraw\src\metadata\tiff.cpp @ 1468]
05 000000939ecefe30 00007ffd864079de CORE_DB_libraw_!LibRaw::identify+0xd2f [c:\imagemagick-7.0.10-7\libraw\src\metadata\identify.cpp @ 537]
06 000000939ecf3350 00007ffd8640b149 CORE_DB_libraw_!LibRaw::open_datastream+0x10e [c:\imagemagick-7.0.10-7\libraw\src\utils\open.cpp @ 377]
07 000000939ecf35f0 00007ffd8641dfc8 CORE_DB_libraw_!LibRaw::open_file+0x269 [c:\imagemagick-7.0.10-7\libraw\src\utils\open.cpp @ 99]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7\VisualMagick\bin\IM_MOD_DB_DNG_.dll
08 000000939ecf3720 00007ffda93a191c CORE_DB_libraw_!libraw_open_wfile+0x58 [c:\imagemagick-7.0.10-7\libraw\src\libraw_c_api.cpp @ 113]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickCore_.dll
09 000000939ecf3760 00007ffd87d671e7 IM_MOD_DB_DNG_!ReadDNGImage+0x2fc [c:\imagemagick-7.0.10-7\imagemagick\coders\dng.c @ 379]
0a 000000939ecf5870 00007ffd87d68963 CORE_DB_MagickCore_!ReadImage+0x5e7 [c:\imagemagick-7.0.10-7\imagemagick\magickcore\constitute.c @ 553]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickWand_.dll
0b 000000939ecfaa90 00007ffd886daac3 CORE_DB_MagickCore_!ReadImages+0x393 [c:\imagemagick-7.0.10-7\imagemagick\magickcore\constitute.c @ 941]
0c 000000939ecfbb40 00007ffd887744ae CORE_DB_MagickWand_!ConvertImageCommand+0x1523 [c:\imagemagick-7.0.10-7\imagemagick\magickwand\convert.c @ 606]
*** WARNING: Unable to verify checksum for magick.exe
0d 000000939ecfd690 00007ff7793014ea CORE_DB_MagickWand_!MagickCommandGenesis+0x33e [c:\imagemagick-7.0.10-7\imagemagick\magickwand\mogrify.c @ 186]
0e 000000939ecfe800 00007ff779301693 magick!MagickMain+0x4ea [c:\imagemagick-7.0.10-7\imagemagick\utilities\magick.c @ 149]
0f 000000939ecffa70 00007ff779301f24 magick!wmain+0x43 [c:\imagemagick-7.0.10-7\imagemagick\utilities\magick.c @ 195]
10 000000939ecffab0 00007ff779301e37 magick!invoke_main+0x34 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 80]
11 000000939ecffaf0 00007ff779301cfe magick!__scrt_common_main_seh+0x127 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
12 000000939ecffb50 00007ff779301f39 magick!__scrt_common_main+0xe [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 296]
13 000000939ecffb80 00007ffdaf887bd4 magick!wmainCRTStartup+0x9 [f:\dd\vctools\crt\vcstartup\src\startup\exe_wmain.cpp @ 17]
14 000000939ecffbb0 00007ffdb0d8ce51 KERNEL32!BaseThreadInitThunk+0x14
15 000000939ecffbe0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

System Configuration:
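The fault above is a 2-byte read helper (LibRaw::sget2) walked past its buffer by metadata taken from the file. The following is an added illustration, not LibRaw's code and not the contents of the maintainer's patch: a minimal model of such a helper next to a bounds-checked form, with a metadata loop whose entry count comes from the input. All function names and sample bytes are hypothetical and constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not LibRaw's code and not its patch c243f45: a minimal model of
 * a 16-bit little-endian read helper in the style of LibRaw::sget2(), beside a
 * bounds-checked form, and a metadata loop whose element count comes from the
 * file. All function and sample names are hypothetical. */

/* Unchecked read: trusts the pointer it is given. When a file-supplied count or
 * offset walks it past the buffer, this is the faulting movzx in the report's
 * stack (LibRaw::sget2 reached from parseSonySRF). */
static uint16_t sget2_unchecked(const uint8_t *s)
{
    return (uint16_t)(s[0] | (s[1] << 8));
}

/* Checked read: succeeds only if both bytes lie inside [buf, buf + len).
 * Written as len - off < 2 so that off + 2 can never wrap around. */
static bool sget2_checked(const uint8_t *buf, size_t len, size_t off, uint16_t *out)
{
    if (off > len || len - off < 2)
        return false;
    *out = sget2_unchecked(buf + off);
    return true;
}

/* Metadata loop: a 2-byte entry count at offset 0, then `count` 2-byte entries.
 * Returns the sum of the entries, or -1 if honouring the count would require a
 * read outside the buffer (the crafted-file case). Page heap makes such a read
 * fault immediately; without it the same bug reads silently into neighbours. */
static long sum_entries(const uint8_t *buf, size_t len)
{
    uint16_t count, v;
    long acc = 0;
    if (!sget2_checked(buf, len, 0, &count))
        return -1;
    for (size_t i = 0; i < count; i++) {
        if (!sget2_checked(buf, len, 2 + 2 * i, &v))
            return -1;  /* an unchecked loop would keep calling sget2 here */
        acc += v;
    }
    return acc;
}

/* Constructed samples (not real SRF data): a consistent header, one whose
 * count overruns the data by a single byte, and one with a huge count. */
static const uint8_t good_hdr[]  = { 0x03, 0x00, 0x10, 0x00, 0x20, 0x00, 0x30, 0x00 };
static const uint8_t short_hdr[] = { 0x02, 0x00, 0x10, 0x00, 0x20 };
static const uint8_t huge_hdr[]  = { 0xFF, 0xFF, 0x10, 0x00, 0x20, 0x00 };
```

The checked loop rejects both truncated inputs before any byte outside the buffer is touched, which is the property a fuzzer-found report like this one is asking the parser to have.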

@LibRaw (Owner) commented May 10, 2020

Although not reproduced, this patch should improve things: c243f45

@LibRaw LibRaw closed this as completed May 10, 2020