These vulnerabilities were discovered by Tyler Bohan of Cisco Talos

Today, Talos is disclosing several vulnerabilities that have been identified in Canvas Draw graphics editing tool for Macs.

Canvas Draw 4 is a graphics editing tool used to create and edit images, as well as other graphic-related material. This product has a large user base, and is popular in its specific field. The vulnerable component is in the handling of TIFF images. TIFF is a raster-based image format used in graphics editing projects, thus making it a very common file format for such an application.

Vulnerability Details

TALOS-2018-0541 (CVE-2018-3857) - ACD Systems Canvas Draw 4 setRasterData Heap Overflow Code Execution Vulnerability
TALOS-2018-0541 describes an exploitable heap overflow vulnerability that exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

The vulnerability arises in the parsing of a compressed and tiled TIFF image. TIFF has support for multiple versions of image compression, and an image application is expected to be able to handle them. The tag used to define levels of compression is tag number 259. The crash happens due to an invalid object being freed on the free list.

TALOS-2018-0542 (CVE-2018-3858) - ACD Systems Canvas Draw 4 PlanarConfiguration Heap Overflow Code Execution Vulnerability
TALOS-2018-0542 is an exploitable heap overflow vulnerability that exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

The vulnerability arises in the parsing of a tiled TIFF image with the PlanarConfiguration tag set.

TALOS-2018-0543 (CVE-2018-3859) - ACD Systems Canvas Draw 4 Huff Table Out of Bounds Write Code Execution Vulnerability
TALOS-2018-0543 describes an exploitable out of bounds write vulnerability that exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out of bounds write overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

The vulnerability arises in the parsing of a tiled TIFF image with the Adobe Deflate compression scheme. This compression algorithm is not part of the TIFF standard algorithms but was added as an extension from Adobe and uses a lossless Deflate compression scheme utilizing the zlib compressed data format. The Canvas Draw application supports this compression format and is able to handle files using it. The vulnerability arises in attempting to build a Huffman table.

TALOS-2018-0544 (CVE-2018-3860) - ACD Systems Canvas Draw 4 Resoultion_Set Out of Bounds Write Code Execution Vulnerability
TALOS-2018-0544 is an exploitable out of bounds write vulnerability that exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out of bounds write overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

The vulnerability arises in the parsing of a tiled TIFF image with a specially crafted resolution tag and data.

TALOS-2018-0552 (CVE-2018-3870) - ACD Systems Canvas Draw 4 IO Metadata Out-of-Bounds Write Code Execution Vulnerability
TALOS-2018-0552 describes an exploitable out of bounds write vulnerability that exists in the PCX parsing functionality of Canvas Draw version 4.0.0. A specially crafted PCX image processed via the application can lead to an out of bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution.

The vulnerability arises in parsing the PCX image, specifically dealing with the compression of the image. The compression scheme is determined via the file header and by choosing run length encoding as the compression the program write out of bounds using user controlled data. The problem lies in the error checking in the code. If there is an error present the code path can be altered and allow user controlled data to be accessed without validation.

TALOS-2018-0553 (CVE-2018-3871) - ACD Systems Canvas Draw 4 Invert Map Out-of-Bounds Write Code Execution Vulnerability
TALOS-2018-0553 is an exploitable out of bounds write vulnerability that exists in the PCX parsing functionality of Canvas Draw version 4.0.0. A specially crafted PCX image processed via the application can lead to an out of bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution.

The vulnerability arises in parsing the PCX image, specifically dealing with the column and row sizes of the image. Inside of the PCX header, values are set to determine the location of image data and the size of the image itself. By passing in incorrect values the application will write out of bounds attempting to access the image data.

Affected versions
The vulnerabilities are confirmed in the Canvas Draw version 4.0.0 but they may also be present in the earlier versions of the product. Users are advised to apply the latest security update for their version.


Discussion
Familiar file formats that are routinely shared in a work environment make tempting targets for attackers as the targets not may consider familiar image files as being potentially malicious. The TIFF and PCX file formats are regularly used in the graphic design industry and for the distribution of certain documents such as fax messages.

The complexity of image file formats means that there is a lot of scope for vulnerabilities to be inadvertently included in programs that parse them. Organizations need to remain abreast of vulnerabilities in the image editing software packages such as ACD Systems Canvas Draw and update to the latest version as soon as possible.

Coverage
The following Snort Rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules:

  • 45985-45988, 45991-45994, 45997-46002, 46143-46148