Tyler Bohan of Cisco Talos discovered these vulnerabilities. Vanja Svajcer authored this blog post.

Cisco Talos is disclosing several vulnerabilities in ACD Systems' Canvas Draw 5, a graphics-editing tool for Mac. The vulnerable component of Canvas Draw 5 lies in the handling of TIFF and PCX images. TIFF is a raster image format widely used in graphics-editing projects, which makes it a very common file format in Canvas Draw. PCX was a popular image format on early computers, and although it has been replaced by more sophisticated formats, it is still in use and fully supported by Canvas Draw.

In accordance with our coordinated disclosure policy, Cisco Talos worked with ACD Systems to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Details

ACD Systems Canvas Draw 5 FillSpan out-of-bounds write code execution vulnerability (TALOS-2018-0638/CVE-2018-3973)

TALOS-2018-0638 is an exploitable out-of-bounds write vulnerability that exists in the TIFF-parsing function of Canvas Draw, version 5.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

An address influenced by the parsed image is loaded into a register, and the lower four bytes are then zeroed out in memory. When this value is later used in the function `DIB_resolution_set`, it causes an out-of-bounds write and an exploitable condition.

For more information, read the full advisory here.

ACD Systems Canvas Draw 5 IO metadata out-of-bounds write code execution vulnerability (TALOS-2018-0642/CVE-2018-3976)

TALOS-2018-0642 is an exploitable out-of-bounds write vulnerability that exists in the CALS Raster file format parsing function of Canvas Draw, version 5.0.0.28. A specially crafted CAL image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a CAL image to trigger this vulnerability and gain code execution.

The vulnerability arises in the parsing of the CALS Raster file format, specifically in the handling of the column and row sizes of an image. Inside the CALS header, values determine the location of the image data and the size of the image itself. When incorrect values are supplied, the application writes out of array bounds while attempting to access the image data.
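As an added example (not code from Canvas Draw or the Talos advisory), the C fragment below shows the dimension validation a CALS parser needs before it sizes the raster and stores rows into it: the header record name `rpelcnt:`, the pixel budget and the sample header are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed CALS Type I header convention (constructed for this example): a
 * text record "rpelcnt: <pixels per line>, <number of lines>". */
#define CALS_HEADER_LEN 2048
#define CALS_MAX_PIXELS (1ULL << 28)   /* pixel budget: a policy cap assumed here */

/* Parse width and height from the header. Returns 1 on success, 0 if the
 * record is missing, malformed, zero, or exceeds the pixel budget. */
int cals_parse_dims(const char *hdr, size_t hdr_len, uint32_t *w, uint32_t *h)
{
    char buf[CALS_HEADER_LEN + 1];   /* NUL-terminated copy so strstr stays in bounds */
    size_t n = hdr_len < CALS_HEADER_LEN ? hdr_len : CALS_HEADER_LEN;
    memcpy(buf, hdr, n);
    buf[n] = '\0';
    const char *p = strstr(buf, "rpelcnt:");
    unsigned long long pw, ph;
    if (!p || sscanf(p + 8, " %llu , %llu", &pw, &ph) != 2) return 0;
    if (pw == 0 || ph == 0 || pw > UINT32_MAX || ph > UINT32_MAX) return 0;
    if (pw * ph > CALS_MAX_PIXELS) return 0;   /* both <= 2^32, product fits in 64 bits */
    *w = (uint32_t)pw; *h = (uint32_t)ph;
    return 1;
}

/* Size of the 1-bit-per-pixel destination raster, rows rounded to whole bytes.
 * Cannot overflow because cals_parse_dims already bounded width * height. */
size_t cals_raster_bytes(uint32_t w, uint32_t h)
{
    return (size_t)(((uint64_t)w + 7) / 8) * h;
}

/* Store one decoded row only if the row index and row length are inside the
 * buffer that was sized from the validated header. Returns 1 on success. */
int cals_store_row(uint8_t *dst, size_t dst_len, uint32_t w, uint32_t h,
                   uint32_t row, const uint8_t *src, size_t src_len)
{
    size_t row_bytes = (size_t)(((uint64_t)w + 7) / 8);
    if (row >= h || src_len != row_bytes) return 0;
    if ((size_t)row * row_bytes + row_bytes > dst_len) return 0;  /* re-check against real buffer */
    memcpy(dst + (size_t)row * row_bytes, src, row_bytes);
    return 1;
}
```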

For more information, read the full advisory here.

ACD Systems Canvas Draw 5 huff table out-of-bounds write code execution vulnerability (TALOS-2018-0648/CVE-2018-3980)

TALOS-2018-0648 is an exploitable out-of-bounds write vulnerability that exists in the TIFF parsing functionality of Canvas Draw, version 5.0.0.

The vulnerability arises in the parsing of a tiled TIFF image with the Adobe Deflate compression scheme. This compression algorithm is not one of the TIFF standard algorithms but was added by Adobe as an extension; it uses the lossless Deflate compression scheme with the zlib compressed data format. The Canvas Draw application supports this compression format and is able to handle files using it.

The vulnerability may be triggered while attempting to build a Huffman table. Huffman coding is one of the two components that make up the Deflate encoding scheme. When decoding Deflate data, the application takes values directly from the TIFF image without validation.
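As an added example (not code from Canvas Draw, zlib or the advisory), this C function builds the canonical Deflate Huffman decoding tables from stream-supplied code lengths in the manner RFC 1951 section 3.2.2 describes, and rejects lengths that are out of range or over-subscribe the code space, which is the validation the passage says is missing; the function name and table layout are my own.

```c
#include <stddef.h>
#include <stdint.h>

#define DEFLATE_MAXBITS   15    /* RFC 1951: code lengths are 1..15 bits */
#define DEFLATE_MAXCODES  288   /* largest Deflate alphabet (literal/length) */

/* Validate a code-length array and build the canonical decoding tables:
 * count[len] = number of codes of that length, symbol[] = symbols ordered
 * by code value. Returns -1 if the lengths are invalid, 0 if the code is
 * complete, >0 if it is incomplete (unused codes remain). count must hold
 * DEFLATE_MAXBITS + 1 entries and symbol must hold n entries. */
int deflate_build_huffman(const uint8_t *lengths, size_t n,
                          uint16_t *count, uint16_t *symbol)
{
    uint16_t offs[DEFLATE_MAXBITS + 1];
    size_t sym;
    int len, left;

    if (n == 0 || n > DEFLATE_MAXCODES) return -1;   /* alphabet size comes from the stream */
    for (len = 0; len <= DEFLATE_MAXBITS; len++) count[len] = 0;
    for (sym = 0; sym < n; sym++) {
        if (lengths[sym] > DEFLATE_MAXBITS) return -1; /* would index past count[] */
        count[lengths[sym]]++;
    }
    if (count[0] == n) return 0;   /* no codes at all: nothing to build */

    /* Kraft check: each extra bit doubles the code space and every code of
     * that length consumes one slot. Going negative means the lengths
     * over-subscribe the space; a table built from them would be written
     * past its end. */
    left = 1;
    for (len = 1; len <= DEFLATE_MAXBITS; len++) {
        left <<= 1;
        left -= count[len];
        if (left < 0) return -1;
    }

    /* Offset of each length's first symbol in the sorted symbol table. */
    offs[1] = 0;
    for (len = 1; len < DEFLATE_MAXBITS; len++) offs[len + 1] = offs[len] + count[len];

    /* Place symbols; offsets stay below n because the counts sum to n - count[0]. */
    for (sym = 0; sym < n; sym++)
        if (lengths[sym] != 0) symbol[offs[lengths[sym]]++] = (uint16_t)sym;

    return left;
}
```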

For more information, read the full advisory here.

ACD Systems Canvas Draw 5 Resolution_Set out-of-bounds write code execution vulnerability (TALOS-2018-0649/CVE-2018-3981)

TALOS-2018-0649 is an exploitable out-of-bounds write vulnerability that exists in the TIFF parsing functionality of Canvas Draw version 5.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

The vulnerability arises in the parsing of a tiled TIFF image with a specially crafted resolution tag and data. A user-influenced address is loaded into a processor register, and the lower four bytes are then zeroed out in memory. This value is later used in the `DIB_resolution_set` function, where it causes an out-of-bounds write and an exploitable condition.

For more information, read the full advisory here.

Affected versions

The vulnerabilities are confirmed in Canvas Draw version 5.0.0.28, but they may also be present in earlier versions of the product. Users are advised to apply the latest security update for their version.

Conclusion

Familiar file formats that are routinely shared in a work environment make tempting targets for attackers, as the targets may not consider familiar image files to be potentially malicious. The TIFF and PCX file formats are regularly used in the graphic design industry and for the distribution of certain documents, such as fax messages.

The complexity of image file formats means there are ample opportunities for vulnerabilities to be inadvertently included in programs that parse them.

Coverage

The following SNORT® rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort rules: 39593 - 39596, 39599 - 39632, 47336, 47337