Adobe Camera Raw Plug-in BO

December 21, 2012

Adobe Photoshop is an image editor capable of handling numerous image file formats and is available on multiple platforms. One of the file formats supported by Photoshop is the Tagged Image File Format (TIFF). TIFF supports a number of image data and compression formats as well as storage of multiple images in a single file. The header structure of a TIFF file is shown:

Offset     Length (bytes)  Description
---------- --------------- ------------------------------------------------
0x0000     2               byte order
0x0002     2               0x002a (42)
0x0004     4               offset of first Image File Directory (IFD)

Byte order is defined by two codes, where 'II' indicates little-endian and 'MM' indicates big-endian. The offset of the IFD is relative to the beginning of the file. Each IFD record is an array of entries. The record structure is shown:

Offset     Length (bytes)  Description
---------- --------------- ------------------------------------------------
0x0000     2               number of IFDs (n)
0x0002     12 * n          IFD data
[....]     4               offset of next IFD

The last record in the file is denoted by the offset of the next IFD being set to zero. Each IFD data record contains an array of values. The record structure is shown:

Offset     Length (bytes)  Description
---------- --------------- ------------------------------------------------
0x0000     2               tag
0x0002     2               type
0x0004     4               count
0x0008     4               value or offset

The tag field defines what the data type of the value is. The type field defines the type of record contained in the value that follows, or the offset of the value in the file if the value field is too small to hold it. The count field defines how many values are contained in the array. Image data in TIFF files is stored in arrays of either rows or tiles. The data stored in these arrays may be compressed using one of many available compression algorithms, one of which is the LZW algorithm.

A buffer overflow vulnerability exists in the LZW decompression code of the Adobe Camera Raw plug-in when decoding TIFF images. During construction of the compression dictionary, codes that are not yet defined may lead to the creation of a circular reference. When such codes are subsequently encountered, dereferencing the circular reference leads to an endless loop. Data is written to a buffer during this loop, which eventually results in a buffer overflow. To exploit this vulnerability, an attacker has to entice the target user to open a malicious TIFF file with the vulnerable application. Successful exploitation could possibly allow code execution under the security context of the logged-in user. Code execution is possible but unlikely due to the nature of the flaw.
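The validation this description calls for, as an added example that is not Adobe's code and not part of the original advisory: an LZW decoder that rejects codes that are not yet defined and bounds every copy by a stored string length instead of by chain termination. It assumes the codes have already been unpacked from the bit stream; the function name and the sample code streams in the test are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum { LZW_CLEAR = 256, LZW_EOI = 257, LZW_FIRST = 258, LZW_MAX = 4096 };

/* Hypothetical helper, not Adobe's code. Decodes LZW codes that have already
 * been unpacked from the bit stream (an assumption made to keep this short).
 * Returns the number of bytes written, or -1 on an invalid code or when the
 * output buffer is too small. */
long lzw_decode_checked(const uint16_t *codes, size_t ncodes,
                        uint8_t *out, size_t outcap)
{
    uint16_t prefix[LZW_MAX], length[LZW_MAX];
    uint8_t first[LZW_MAX], last[LZW_MAX];
    unsigned next = LZW_FIRST;          /* next dictionary slot to fill */
    int prev = -1;                      /* -1: no previous code since Clear */
    size_t pos = 0;

    for (unsigned i = 0; i < 256; i++) {
        prefix[i] = 0; length[i] = 1; first[i] = last[i] = (uint8_t)i;
    }
    for (size_t i = 0; i < ncodes; i++) {
        unsigned code = codes[i];
        if (code == LZW_EOI) break;
        if (code == LZW_CLEAR) { next = LZW_FIRST; prev = -1; continue; }
        /* A code may name an existing entry, or exactly the entry about to
         * be created (code == next) when a previous code exists. Anything
         * else is "not defined yet" and is rejected. */
        if (code >= LZW_MAX || code > next || (code == next && prev < 0))
            return -1;
        if (prev >= 0 && next < LZW_MAX) {
            /* New entry = string(prev) + first byte of string(code).
             * Its prefix is always a lower code, so chains cannot cycle. */
            prefix[next] = (uint16_t)prev;
            length[next] = (uint16_t)(length[prev] + 1);
            first[next] = first[prev];
            last[next] = (code == next) ? first[prev] : first[code];
            next++;
        }
        /* Bound the copy by the stored length, never by chain termination. */
        size_t len = length[code];
        if (len > outcap - pos) return -1;
        unsigned c = code;
        for (size_t k = len; k > 0; k--, c = prefix[c])
            out[pos + k - 1] = last[c];
        pos += len;
        prev = (int)code;
    }
    return (long)pos;
}
```

Because every new entry's prefix is the previously decoded code, which is always lower than the slot being filled, the dictionary cannot contain a cycle, and the length check stops a write before it can pass the end of the output buffer.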

Dell SonicWALL has released IPS signatures to address this issue. The following signatures were released:

  • 9381 - Adobe Photoshop Camera Raw Buffer Underflow 1
  • 9382 - Adobe Photoshop Camera Raw Buffer Underflow 2

The vendor has released an advisory addressing this issue.
The vulnerability has been assigned the ID CVE-2012-5679 by MITRE.