Adobe Photoshop EXTENDED parsing TIF heap buffer overflow vulnerability

CVE: CVE-2012-2028
Category: CWE-122
Price: Unknown
Severity: High
Author: Jackson Henry
Risk: Critical
Exploitation Type: Local
Date: 2012-05-13
CPE: cpe:/a:adobe:photoshop:extended
CVSS: CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.004736
EPSSP: 0.347489

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2012050070

Below is a copy:

Adobe Photoshop EXTENDED parsing TIF heap buffer overflow vulnerability

Discovered by: nine8 of Code Audit Labs (vulnhunt.com), using “vulnhunt Fuzzing”
CAL: CAL-2011-0073

CVE:CVE-2012-2028

1 Affected Products
=================
Adobe Photoshop EXTENDED CS5 12.0
Adobe Photoshop EXTENDED CS5.1 12.1

2 Vulnerability Details
=====================
There are problems in the way Photoshop parses “tif” files. If the “Compression Tag(0100)” is
replaced with an “ImageWidth Tag(0100)” or an “ImageLength Tag(0101)”, the size of the copy
destination heap buffer is calculated from “ImageWidth(replaced), ImageLength, SamplePerPixel” or
“ImageLength(replaced), ImageWidth, SamplePerPixel”, while the copy length when copying the strip
bytes comes from StripByteCounts. The mismatch causes a heap overflow.

3 Analysis
=========

COPY Size:           StripByteCounts                                       file offset 0144 (dword)
COPY Src:            StripOffsets                                          file offset 0134 (dword)
COPY Dst Heap Size:  ImageLength * ImageWidth(Vuln Seg) * SamplesPerPixel  or
                     ImageLength(Vuln Seg) * ImageWidth * SamplesPerPixel

ImageLength Value                  file offset 02A (word)
ImageWidth Value (to be replaced)  file offset 042 (word)
SamplesPerPixel Value              file offset 072 (word)
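As an added check that is not part of the original advisory, the following Python parses the first IFD of a TIFF and flags the condition described above: a duplicated ImageWidth/ImageLength tag (the rewritten Compression slot) and a StripByteCounts total larger than the ImageLength * ImageWidth * SamplesPerPixel destination. The build_tiff helper constructs sample files for testing; the tag ids other than 0x0100/0x0101 are taken from the TIFF specification, not from the advisory.

```python
import struct

# Tag ids from the advisory (0x0100, 0x0101) and the TIFF spec (Compression, strip tags).
TAG_IMAGE_WIDTH, TAG_IMAGE_LENGTH, TAG_COMPRESSION = 0x0100, 0x0101, 0x0103
TAG_SAMPLES_PER_PIXEL, TAG_STRIP_BYTE_COUNTS = 0x0115, 0x0117

def parse_ifd0(data):
    """Return [(tag, values)] for every SHORT/LONG entry of the first IFD."""
    bo = {b"II": "<", b"MM": ">"}[data[:2]]          # byte order mark
    ifd = struct.unpack_from(bo + "I", data, 4)[0]   # offset of first IFD
    n = struct.unpack_from(bo + "H", data, ifd)[0]   # number of 12-byte entries
    entries = []
    for i in range(n):
        off = ifd + 2 + 12 * i
        tag, typ, count = struct.unpack_from(bo + "HHI", data, off)
        fmt = {3: "H", 4: "I"}.get(typ)
        if fmt is None:
            continue  # other value types do not take part in the size check
        size = struct.calcsize(fmt) * count
        voff = off + 8 if size <= 4 else struct.unpack_from(bo + "I", data, off + 8)[0]
        entries.append((tag, list(struct.unpack_from(bo + fmt * count, data, voff))))
    return entries

def check_strip_sizes(data):
    """Flag duplicate dimension tags and strip data larger than the computed destination."""
    seen = {}
    for tag, values in parse_ifd0(data):
        seen.setdefault(tag, []).append(values)
    findings = []
    for tag in (TAG_IMAGE_WIDTH, TAG_IMAGE_LENGTH):
        if len(seen.get(tag, [])) > 1:
            findings.append("duplicate tag 0x%04X" % tag)
    if TAG_COMPRESSION not in seen:
        findings.append("missing Compression tag 0x0103")
    # With duplicates, parsers disagree on which value wins: size with the smallest.
    width = min(v[0] for v in seen.get(TAG_IMAGE_WIDTH, [[0]]))
    length = min(v[0] for v in seen.get(TAG_IMAGE_LENGTH, [[0]]))
    spp = min(v[0] for v in seen.get(TAG_SAMPLES_PER_PIXEL, [[1]]))  # TIFF default 1
    dest = width * length * spp
    copied = sum(seen.get(TAG_STRIP_BYTE_COUNTS, [[0]])[0])
    if copied > dest:
        findings.append("StripByteCounts %d exceeds destination %d" % (copied, dest))
    return findings

def build_tiff(tags):
    """Constructed little-endian TIFF with one IFD of single-value SHORT/LONG entries."""
    out = bytearray(b"II*\x00" + struct.pack("<IH", 8, len(tags)))
    for tag, typ, val in tags:  # entry order is kept, so a rewritten slot stays in place
        out += struct.pack("<HHI", tag, typ, 1)
        out += struct.pack("<HH", val, 0) if typ == 3 else struct.pack("<I", val)
    return bytes(out + b"\x00\x00\x00\x00")  # next-IFD offset: none
```

Running check_strip_sizes over a file whose Compression entry has been rewritten as a second ImageWidth reports the duplicate, the missing Compression tag and the oversized strip in one pass.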

IDA View: Photoshop.exe(12.0),  IDA ImageBase: 0x400000
 
.text:01BF0250
.text:01BF0250 ;  int __cdecl t_memcpy(void *Src, void *Dst, size_t Size)
.text:01BF0250   _t_memcpy       proc near
.text:01BF0250                                         ; sub_6B7780+1F6p ...
.text:01BF0250
.text:01BF0250  Src             = dword ptr  4
.text:01BF0250  Dst             = dword ptr  8
.text:01BF0250  Size            = dword ptr  0Ch
.text:01BF0250
.text:01BF0250                 mov     eax, [esp+Size]
.text:01BF0254                 mov     ecx, [esp+Src]
.text:01BF0258                 mov     edx, [esp+Dst]
.text:01BF025C                 push    eax               ; Size
.text:01BF025D                 push    ecx               ; Src
.text:01BF025E                 push    edx               ; Dst
.text:01BF025F                 call    memcpy
.text:01BF0264                 add     esp, 0Ch
.text:01BF0267                 retn
.text:01BF0267  _t_memcpy     endp
 
.text:00F5294F   push    edi                               ; int
.text:00F52950   movzx   edi, word ptr [esi+0Ch]
.text:00F52954   push    edi                               ; int
.text:00F52955   movzx   edi, word ptr [esi+58h]
.text:00F52959   push    edi                               ; __int16
.text:00F5295A   movzx   edi, word ptr [esi+0Eh]
.text:00F5295E   push    edi                               ; int
.text:00F5295F   movzx   edi, word ptr [esi+6]
.text:00F52963   push    edi                               ; __int16
.text:00F52964   push    ecx                               ; int
.text:00F52965   mov     ecx, [esp+4Ch+arg_Size]             ; ecx = arg0
.text:00F52969   push    edx                              ; int
.text:00F5296A   mov     edx, [esp+50h+arg_8]               ; edx = arg8
.text:00F5296E   push    ecx                              ; arg_size
.text:00F5296F   push    edx                              ; arg_dst
.text:00F52970   push    eax                              ; arg_src, from file
.text:00F52971   call    _t_CallBugMemcpyFunc              ; <----- call bug memcpy func
.text:00F52977   movzx   eax, ax
.text:00F5297A   add     esp, 30h
 
Windbg Debug
 
1) Attach to the photoshop.exe process.
2) Set a breakpoint at 00F52971 (call _t_CallBugMemcpyFunc):
0:018> bu  photoshop + 00b52971
 
3)    Breakpoint 2 hit
eax=18943008 ebx=111a0028 ecx=00006660 edx=0c2203c0 esi=0012eee0 edi=00000001
eip=00f52971 esp=0012e6ec ebp=153a6360 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00240202
Photoshop+0xb52971:
00f52971 ff1578881902    call    dword ptr [Photoshop!boost::serialization::s
ingleton<std::multiset<boost::serialization::extended_type_info const *,boost
::serialization::detail::key_compare,std::allocator<boost::serialization::exte
nded_type_info const *> > >::get_const_instance+0x546f78 (02198878)] ds:0023:0
2198878=0045bff0
 
#copy arguments
0:000> dd esp
(src)       (dst)     (size)
0012e6ec  18943008 0c2203c0 00006660 000000ae
0012e6fc  00000002 00000001 00000002 00000002
0012e70c  00000001 00000008 00000005 111a0028
0012e71c  d56de0ac 0000897e 0012eee0 00000000
0012e72c  00006660 4084d555 01e3a8d4 153a6360
0012e73c  0012ea64 01d2d896 00000007 00f52ca9
0012e74c  00006660 111a0028 0c2203c0 00000000
0012e75c  0012eee0 0012ea70 00000000 0000015c
 
#copy dest heap size
0:000> !heap -p -a 0c2203c0
address 0c2203c0 found in _HEAP @ c1c0000
HEAP_ENTRY     Size      Prev Flags    UserPtr UserSize - state
0c2203b8         0281  0000  [01]   0c2203c0  01400 - (busy)
 
#copy source content
0:000> db 18943008
18943008  aa bb cc dd ee ff 16 0d-07 84 42 61 50 b8 64 36  ..........BaP.d6
18943018  1d 0f 88 44 62 51 38 a4-56 2d 17 8c 46 63 51 b8  ...DbQ8.V-..FcQ.
18943028  e4 76 3d 1f 90 48 64 52-39 24 96 4d 27 94 4a 65  .v=..HdR9$.M'.Je
18943038  52 b9 64 b6 5d 2f 98 4c-66 53 39 a4 d6 6d 37 9c  R.d.]/.LfS9..m7.
18943048  43 a0 4f f9 cc f6 7d 3f-a0 50 68 54 3a 25 16 8d  C.O...}?.PhT:%..
18943058  47 a4 52 69 54 ba 65 36-9d 4f a8 54 67 b3 ba 95  G.RiT.e6.O.Tg...
18943068  56 ad 57 ac 56 6b 55 ba-e5 76 bd 5f b0 58 6c 56  V.W.VkU..v._.XlV
18943078  3b 24 da a9 65 b4 5a 6d-56 bb 65 b6 dd 6f b8 5c  ;$..e.ZmV.e..o.\
4 Exploitable?
==============
Heap overflow during a memory copy: the copy source content and the copy size are controlled,
and the size of the copy destination heap buffer is also controlled. It can lead to arbitrary code execution.
5 Crash info:
===============

(44c.324): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000d67b ebx=00000005 ecx=00008afb edx=0bc38fc0 esi=1211cb10 edi=0bc344b8
eip=0f5c9896 esp=0012e694 ebp=0012e6e0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Adobe Photoshop CS5\Plug-ins\Extensions\MMXCore.8BX -
MMXCore!ENTRYPOINT1+0x1846e:
0f5c9896 660f7f6240      movdqa  xmmword ptr [edx+40h],xmm4 ds:0023:0bc39000=????????????????????????????????
6 About Code Audit Labs:
=====================
Code Audit Labs secures your software, providing professional services including source
code audit and binary code audit.
Code Audit Labs: “You create value for customers, we protect your value”

http://www.VulnHunt.com
http://blog.vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
https://twitter.com/#!/vulnhunt
http://blog.vulnhunt.com/index.php/2012/05/09/cal-2011-0073_adobe-photoshop-extended-parsing-tif-heap-buffer-overflow-vulnerability/

Copyright ©2024 Exploitalert.
