Wednesday, October 4, 2017

Vulnerability Spotlight: Multiple vulnerabilities in Computerinsel Photoline

These vulnerabilities are discovered by Piotr Bania of Cisco Talos.

Today, Talos is releasing details of multiple vulnerabilities discovered within the Computerinsel GmbH PhotoLine image processing software. PhotoLine, developed by Computerinsel GmbH, is a well established raster and vector graphics editor for Windows and Mac OS X that can also be used for desktop publishing.

TALOS-2017-0387 (CVE-2017-2880). TALOS-2017-0427 (CVE-2017-2920), TALOS-2017-0458 (CVE-2017-12106) and TALOS-2017-0459 (CVE-2017-12107) may allow an attacker to execute arbitrary code remotely on the vulnerable system when a specially crafted image file is opened by the PhotoLine image processing software.

Technical details


TALOS-2017-0387


An attacker may be able to manipulate GIF content to control a counter variable that controls memory writes, and cause PhotoLine to overflow memory, potentially resulting in a remote code execution.

Specifically, a short byte value is read from a GIF file from which the variable counter is calculated in the vulnerable code of PhotoLine and used in a memory loop containing memory write instructions. Further details can be found here.

Graphics Interchange Format image files are universally used and are one of the most popular image formats today on the internet.

TALOS-2017-0427


During the parsing of SVG files, memset function is executed with a size parameter that can be controlled by attacker. Specifically, the size parameter is calculated from the SVG path's D attribute which is a string containing a series of path descriptions that could be manipulated. The bug requires the feGaussianBlur filter to be attached to the path style. Further details can be found here.

Scalable Vector Graphics image files are often used and are one of the popular image formats today on the internet, with support for interactivity and animation. All major web browsers support rendering of SVG files.

TALOS-2017-0458


Truevision TGA, often referred to as TARGA, is a raster graphics file format developed in the early eighties and was one of the most commonly used graphical formats in first personal computers. The format is still in use today.

A memory corruption vulnerability exists in the TGA parsing functionality of Computerinsel GmbH Photoline. A specially crafted TGA file can cause a vulnerability resulting in potential code execution. An attacker can send specific TGA file to trigger this vulnerability. Further details can be found here.

TALOS-2017-0459


PCX (PiCture eXchange) is an older image file format originally designed for the PC Paintbrush program and one of the first widely accepted DOS imaging standards. Although the format is superseded by more modern formats, it is still supported by a large number of popular image viewers and editors.

A memory corruption vulnerability exists in the Photoline's .PCX parsing functionality. A specially crafted .PCX file can cause a vulnerability resulting in potential code execution. An attacker can send specific .PCX file to trigger this vulnerability.Further details can be found here.

Although these vulnerabilities specifically affect Computerinsel PhotoLine image editing software, users of other popular image editing programs are recommended to install latest updates in order to make sure that they are running the latest program versions, which likely contain the fewest number of security vulnerabilities.

Affected versions


The vulnerability has been confirmed in Computerinsel GmbH PhotoLine version 20.02 but it may also exists in previous versions. The vendor has released an updated version of software which can be downloaded from here.

Coverage


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 43725-43726 (TALOS-2017-0387), 44178-44179 (TALOS-2017-0427), 44451-44452 (TALOS-2017-0458), 44524-44525 (TALOS-2017-0459)

No comments:

Post a Comment