"LibRaw::parse_exif()" Out-of-bounds write vulnerability #301

Closed
GirlElecta opened this issue Jun 15, 2020 · 1 comment
@GirlElecta

Description

An out-of-bounds write vulnerability exists within the "LibRaw::parse_exif()" function (libraw\src\metadata\exif_gps.cpp) which can be triggered by changing the AtomName from "CMT1" to an unknown name and making the "tiff_nifds" field equal to zero.

Steps to Reproduce

PoC archive (password: girlelecta):
https://drive.google.com/file/d/1ExYAqarMtdA_cpcvn2JFvYFP6QKKC5SN/view?usp=sharing

cmd:
magick.exe convert poc.cr3 new.png

Upon running this, the following crash happens only in ImageMagick x64 (note: I enabled page heap on magick.exe):

Microsoft (R) Windows Debugger Version 10.0.19041.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\ImageMagick-7.0.10-19-x64\VisualMagick\bin\magick.exe convert e:\poc.cr3 e:\new.png

(1824.1fc8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-19-x64\VisualMagick\bin\CORE_DB_libraw_.dll
CORE_DB_libraw_!LibRaw::parse_exif+0xc21:
00007ffcc130f541 f30f1184012c960600 movss dword ptr [rcx+rax+6962Ch],xmm0 ds:00008412f3b2d48c=????????
0:000> k
Child-SP RetAddr Call Site
00 0000003fa10ef060 00007ffcc12f44ee CORE_DB_libraw_!LibRaw::parse_exif+0xc21 [c:\imagemagick-7.0.10-19-x64\libraw\src\metadata\exif_gps.cpp @ 121]
01 0000003fa10ef660 00007ffcc12f533d CORE_DB_libraw_!LibRaw::parseCR3+0x8fe [c:\imagemagick-7.0.10-19-x64\libraw\src\metadata\cr3_parser.cpp @ 334]
02 0000003fa10ef930 00007ffcc12f533d CORE_DB_libraw_!LibRaw::parseCR3+0x174d [c:\imagemagick-7.0.10-19-x64\libraw\src\metadata\cr3_parser.cpp @ 518]
03 0000003fa10efc00 00007ffcc12d0bf5 CORE_DB_libraw_!LibRaw::parseCR3+0x174d [c:\imagemagick-7.0.10-19-x64\libraw\src\metadata\cr3_parser.cpp @ 518]
04 0000003fa10efed0 00007ffcc13a79de CORE_DB_libraw_!LibRaw::identify+0x2085 [c:\imagemagick-7.0.10-19-x64\libraw\src\metadata\identify.cpp @ 719]
05 0000003fa10f33f0 00007ffcc13ab149 CORE_DB_libraw_!LibRaw::open_datastream+0x10e [c:\imagemagick-7.0.10-19-x64\libraw\src\utils\open.cpp @ 377]
06 0000003fa10f3690 00007ffcc13bdfc8 CORE_DB_libraw_!LibRaw::open_file+0x269 [c:\imagemagick-7.0.10-19-x64\libraw\src\utils\open.cpp @ 99]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-19-x64\VisualMagick\bin\IM_MOD_DB_DNG_.dll
07 0000003fa10f37c0 00007ffce32a1983 CORE_DB_libraw_!libraw_open_wfile+0x58 [c:\imagemagick-7.0.10-19-x64\libraw\src\libraw_c_api.cpp @ 113]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-19-x64\VisualMagick\bin\CORE_DB_MagickCore_.dll
08 0000003fa10f3800 00007ffcc36c6c97 IM_MOD_DB_DNG_!ReadDNGImage+0x2d3 [c:\imagemagick-7.0.10-19-x64\imagemagick\coders\dng.c @ 413]
09 0000003fa10f5910 00007ffcc36c84a3 CORE_DB_MagickCore_!ReadImage+0x5e7 [c:\imagemagick-7.0.10-19-x64\imagemagick\magickcore\constitute.c @ 553]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-19-x64\VisualMagick\bin\CORE_DB_MagickWand_.dll
0a 0000003fa10fab30 00007ffccae5aac3 CORE_DB_MagickCore_!ReadImages+0x393 [c:\imagemagick-7.0.10-19-x64\imagemagick\magickcore\constitute.c @ 943]
0b 0000003fa10fbbe0 00007ffccaef44ae CORE_DB_MagickWand_!ConvertImageCommand+0x1523 [c:\imagemagick-7.0.10-19-x64\imagemagick\magickwand\convert.c @ 606]
*** WARNING: Unable to verify checksum for magick.exe
0c 0000003fa10fd730 00007ff7921914ea CORE_DB_MagickWand_!MagickCommandGenesis+0x33e [c:\imagemagick-7.0.10-19-x64\imagemagick\magickwand\mogrify.c @ 191]
0d 0000003fa10fe8a0 00007ff792191693 magick!MagickMain+0x4ea [c:\imagemagick-7.0.10-19-x64\imagemagick\utilities\magick.c @ 149]
0e 0000003fa10ffb10 00007ff792191f24 magick!wmain+0x43 [c:\imagemagick-7.0.10-19-x64\imagemagick\utilities\magick.c @ 195]
0f 0000003fa10ffb50 00007ff792191e37 magick!invoke_main+0x34 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 80]
10 0000003fa10ffb90 00007ff792191cfe magick!_scrt_common_main_seh+0x127 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
11 0000003fa10ffbf0 00007ff792191f39 magick!scrt_common_main+0xe [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 296]
12 0000003fa10ffc20 00007ffcee877bd4 magick!wmainCRTStartup+0x9 [f:\dd\vctools\crt\vcstartup\src\startup\exe_wmain.cpp @ 17]
13 0000003fa10ffc50 00007ffcef5ace51 KERNEL32!BaseThreadInitThunk+0x14
14 0000003fa10ffc80 0000000000000000 ntdll!RtlUserThreadStart+0x21
0:000> u
CORE_DB_libraw_!LibRaw::parse_exif+0xc21 [c:\imagemagick-7.0.10-19-x64\libraw\src\metadata\exif_gps.cpp @ 121]:
00007ffcc130f541 f30f1184012c960600 movss   dword ptr [rcx+rax+6962Ch],xmm0
00007ffcc130f54a e9080b0000         jmp     CORE_DB_libraw_!LibRaw::parse_exif+0x1737 (00007ffcc1310057)
00007ffcc130f54f 8b542474           mov     edx,dword ptr [rsp+74h]
00007ffcc130f553 488b8c2400060000   mov     rcx,qword ptr [rsp+600h]
00007ffcc130f55b e850ddfbff         call    CORE_DB_libraw_!LibRaw::getreal (00007ffcc12cd2b0)
00007ffcc130f560 f20f5ac0           cvtsd2ss xmm0,xmm0
00007ffcc130f564 488b842400060000   mov     rax,qword ptr [rsp+600h]
00007ffcc130f56c f30f118018ef0200   movss   dword ptr [rax+2EF18h],xmm0

System Configuration
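The failure mode behind this report, modelled as an added example that is not LibRaw's code: it assumes, as the report's trigger (tiff_nifds == 0) suggests, that an EXIF tag handler writes into the "current" IFD at tiff_ifd[tiff_nifds - 1] with an unsigned counter, and shows the bounds check that refuses the store; the struct layout and IFD_MAXCOUNT are assumptions.

```c
#include <stddef.h>

/* Constructed model of the pattern this report points at, not LibRaw's code:
 * the parser keeps a count of IFDs seen so far (tiff_nifds, assumed unsigned)
 * and EXIF tag handlers write into the "current" IFD, tiff_ifd[tiff_nifds - 1]. */
#define IFD_MAXCOUNT 10              /* assumed array size */

struct ifd_entry {
  float shutter;                     /* a float an EXIF handler would store */
};

struct parser_state {
  unsigned tiff_nifds;               /* number of IFDs parsed so far */
  struct ifd_entry tiff_ifd[IFD_MAXCOUNT];
};

/* Returns 1 if tiff_ifd[tiff_nifds - 1] is an element of the array, else 0.
 * With tiff_nifds == 0 (the report's trigger) the subtraction wraps to
 * UINT_MAX, so an unguarded store lands far outside tiff_ifd. */
int current_ifd_in_bounds(unsigned tiff_nifds) {
  return tiff_nifds >= 1 && tiff_nifds <= IFD_MAXCOUNT;
}

/* Unguarded handler, the shape the report describes: nothing stops the
 * write when no IFD has been parsed yet. Shown for contrast only. */
void store_shutter_unchecked(struct parser_state *st, float value) {
  st->tiff_ifd[st->tiff_nifds - 1].shutter = value;
}

/* Hardened handler: the tag is ignored (-1) until at least one IFD exists
 * and the counter is still inside the array; 0 on a successful store. */
int store_shutter(struct parser_state *st, float value) {
  if (!current_ifd_in_bounds(st->tiff_nifds))
    return -1;
  st->tiff_ifd[st->tiff_nifds - 1].shutter = value;
  return 0;
}
```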

GirlElecta changed the title from ‘Libraw "LibRaw::parse_exif()" Out-of-bounds write vulnerability’ to ‘"LibRaw::parse_exif()" Out-of-bounds write vulnerability’ on Jun 15, 2020
@LibRaw
Owner

LibRaw commented Jun 16, 2020

great thanks, fixed in 55f0a0c

@LibRaw LibRaw closed this as completed Jun 16, 2020