Bug#991819: ZDI-CAN-14599: New Vulnerability Report
Package: Inkscape
Version: 1.1
ZDI-CAN-14599: Inkscape WMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
-- CVSS -----------------------------------------
3.3: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
-- ABSTRACT -------------------------------------
Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
Inkscape - Inkscape
-- VULNERABILITY DETAILS ------------------------
* Version tested: 1.1
* Installer file: inkscape-1.1-x86.exe
* Platform tested: Win 10 19041.1.amd64fre.vb_release.191206-1406
---
### Analysis
Without page heap, the application sometimes hangs forever when loading the PoC and sometimes loads it successfully, so the bad read is not caught reliably. Enable page heap for inkscape.exe, then load the PoC:
```
(cc0.3ec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify timestamp for C:\Program Files (x86)\Inkscape\bin\libinkscape_base.dll
eax=0000000a ebx=0015fcae ecx=013f7ce2 edx=238f0000 esi=23790378 edi=23790366
eip=76bc13f9 esp=013fe7e8 ebp=013fe838 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
gdi32full!SetWinMetaFileBits+0xe9:
76bc13f9 66030a add cx,word ptr [edx] ds:002b:238f0000=????
0:000> kv
# ChildEBP RetAddr Args to Child
00 013fe838 717e593c 0015fcae 23790366 8c010de9 gdi32full!SetWinMetaFileBits+0xe9 (FPO: [4,17,4])
WARNING: Stack unwind information not available. Following frames may be wrong.
01 013fe8c4 72c57c55 00000009 013fe8f8 01400000 libinkscape_base!ZN8Inkscape2UI6Dialog23FileSaveDialogImplWin3224GetSaveFileName_hookprocEP6HWND__jjl+0x89c
02 013fe8d4 717ea61e 00000009 013fe8b4 772078fd verifier!AVrfpDphExitHeapPath+0x15 (FPO: [Non-Fpo])
03 013fe8e0 772078fd 013fe9a8 771fad20 10cc2d58 libinkscape_base!ZN8Inkscape2UI6Dialog23FileOpenDialogImplWin324showEv+0x16e
04 013fe950 72c71c9b 146be418 000002a8 06290000 ntdll!RtlpFreeHeapInternal+0x783 (FPO: [Non-Fpo])
05 013fe9b8 77059bf3 06290000 00000000 146be418 verifier!AVrfpRtlFreeHeap+0x16b (FPO: [Non-Fpo])
06 013fea00 72c7278f 72c7275a a764916d 00000000 KERNELBASE!LocalFree+0x53 (FPO: [SEH])
07 013fea04 72c7275a a764916d 00000000 146be418 verifier!AVrfpLocalFree+0x8f (FPO: [SEH])
08 00000000 00000000 00000000 00000000 00000000 verifier!AVrfpLocalFree+0x5a (FPO: [Non-Fpo])
0:000> !heap -p -a edx
address 238f0000 found in
_DPH_HEAP_ROOT @ 9411000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
9414ac4: 23790350 15fcae - 23790000 161000
72c5a8b0 verifier!AVrfDebugPageHeapAllocate+0x00000240
7725f04e ntdll!RtlDebugAllocateHeap+0x00000039
771c70d0 ntdll!RtlpAllocateHeap+0x000000f0
771c6e2c ntdll!RtlpAllocateHeapInternal+0x0000104c
771c5dce ntdll!RtlAllocateHeap+0x0000003e
72c71a87 verifier!AVrfpRtlAllocateHeap+0x000000b7
76747580 msvcrt!malloc+0x00000090
72c727c8 verifier!AVrfp_malloc+0x00000038
717e5888 libinkscape_base!ZN8Inkscape2UI6Dialog23FileSaveDialogImplWin3224GetSaveFileName_hookprocEP6HWND__jjl+0x000007e8
```
Vulnerable code:
```
.text:717E5911 call ds:GetDC
.text:717E5917 sub esp, 4
.text:717E591A mov ebp, eax
.text:717E591C lea eax, [esp+25Ch+MFP]
.text:717E5920 mov [esp+25Ch+lpData], ebp ; hdcRef
.text:717E5924 mov [esp+25Ch+lpSecurityAttributes], eax ; lpMFP
.text:717E5928 lea eax, [edi+16h]
.text:717E592B mov [esp+25Ch+cbBuffer], eax ; lpMeta16Data
.text:717E592F mov eax, [esp+25Ch+nNumberOfBytesToRead]
.text:717E5933 mov [esp+25Ch+lpName], eax ; nSize
.text:717E5936 call ds:SetWinMetaFileBits
```
Out-of-bounds read; information disclosure.

The page-heap data pins this down: the busy block is UserAddr 23790350 with UserSize 15fcae, so the allocation ends at 238efffe and 238f0000 is the guard page. At the fault edi = 23790366 = UserAddr + 0x16, i.e. the lpMeta16Data computed by `lea eax, [edi+16h]` (the file buffer with the 22-byte placeable metafile header skipped), while ebx = 15fcae is the unadjusted byte count that was passed as nSize. SetWinMetaFileBits is therefore told the metafile data runs 0x16 bytes past the end of the allocation, and the first word it reads beyond the block (`add cx, word ptr [edx]` with edx = 238f0000) lands on the guard page; without page heap the same read returns whatever happens to follow the heap block. The libinkscape_base frame names in the stack are the nearest exported symbols (no symbols are loaded, as the unwind warning says), so the GetSaveFileName_hookproc name is not the real caller.
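What the caller-side handling should look like, as an added example that is neither Inkscape's code nor part of the ZDI report: it models the pointer/length adjustment around the 22-byte placeable header that the disassembly above gets wrong (the buggy variant is kept beside the fix, returning how many bytes past the real buffer the parser would be allowed to read), and adds a bounds-checked walk over WMF records of the kind a metafile parser needs before trusting rdSize. It is portable C that does not call SetWinMetaFileBits; the function names, the constructed 64-byte sample file and its checksum value are this example's own assumptions.

```c
/* Added example: safe handling of a placeable (Aldus) WMF buffer before it is
 * handed to a metafile parser, plus a bounds-checked record walk.
 * Not Inkscape's code; names and the sample bytes are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define APM_KEY        0x9AC6CDD7u /* placeable metafile signature (little-endian) */
#define APM_HEADER_LEN 22u         /* key, hmf, bbox, inch, reserved, checksum */
#define WMF_HEADER_LEN 18u         /* METAHEADER: type, hdrsize, version, size, objs, maxrec, params */

struct wmf_view { const uint8_t *data; size_t len; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Buggy variant mirroring the disassembly: the pointer is advanced past the
 * placeable header but the length stays the whole file size. Returns how many
 * bytes beyond the real buffer end the parser is now allowed to read (22). */
size_t apm_strip_buggy(const uint8_t *buf, size_t buflen, struct wmf_view *out)
{
    if (buflen < APM_HEADER_LEN || rd32(buf) != APM_KEY) {
        out->data = buf; out->len = buflen; return 0;
    }
    out->data = buf + APM_HEADER_LEN;
    out->len = buflen;                       /* BUG: should be buflen - APM_HEADER_LEN */
    return (size_t)((out->data + out->len) - (buf + buflen));
}

/* Fixed variant: pointer and length are adjusted together.
 * Returns 1 if a placeable header was stripped, 0 for a plain WMF. */
int apm_strip(const uint8_t *buf, size_t buflen, struct wmf_view *out)
{
    if (buflen >= APM_HEADER_LEN && rd32(buf) == APM_KEY) {
        out->data = buf + APM_HEADER_LEN;
        out->len = buflen - APM_HEADER_LEN;
        return 1;
    }
    out->data = buf; out->len = buflen;
    return 0;
}

/* Walk WMF records without trusting rdSize. Every record must fit in what
 * remains of the buffer. Returns the number of records before META_EOF,
 * or -1 on a truncated or malformed file. */
long wmf_count_records(const uint8_t *data, size_t len)
{
    if (len < WMF_HEADER_LEN) return -1;
    uint16_t type = rd16(data);
    if (type != 1 && type != 2) return -1;      /* mtType: 1 = memory, 2 = disk */
    if (rd16(data + 2) != 9) return -1;         /* mtHeaderSize is always 9 words */
    if (rd32(data + 6) > len / 2) return -1;    /* mtSize (words) must fit the buffer */
    size_t off = WMF_HEADER_LEN;
    long count = 0;
    for (;;) {
        if (len - off < 6) return -1;           /* need rdSize (4) + rdFunction (2) */
        uint32_t words = rd32(data + off);
        if (words < 3) return -1;               /* smallest legal record is 3 words */
        if (words > (len - off) / 2) return -1; /* record claims more than remains */
        uint16_t func = rd16(data + off + 4);
        off += (size_t)words * 2;
        if (func == 0) return count;            /* META_EOF terminates the stream */
        count++;
    }
}

/* Constructed sample: placeable header + WMF header + SETMAPMODE,
 * SETWINDOWEXT and EOF records (64 bytes, 42 of them metafile data). */
#define SAMPLE_LEN 64
static const uint8_t SAMPLE_PLACEABLE_WMF[SAMPLE_LEN] = {
    0xD7,0xCD,0xC6,0x9A, 0x00,0x00, 0,0,0,0,0,0,0,0, 0x60,0x00, 0,0,0,0, 0x71,0x57,
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x15,0x00,0x00,0x00, 0x00,0x00, 0x05,0x00,0x00,0x00, 0x00,0x00,
    0x04,0x00,0x00,0x00, 0x03,0x01, 0x08,0x00,               /* META_SETMAPMODE */
    0x05,0x00,0x00,0x00, 0x0C,0x02, 0x64,0x00, 0x64,0x00,    /* META_SETWINDOWEXT */
    0x03,0x00,0x00,0x00, 0x00,0x00                           /* META_EOF */
};

int main(void)
{
    struct wmf_view good, bad;
    apm_strip(SAMPLE_PLACEABLE_WMF, SAMPLE_LEN, &good);
    size_t over = apm_strip_buggy(SAMPLE_PLACEABLE_WMF, SAMPLE_LEN, &bad);
    printf("fixed: len=%zu records=%ld\n", good.len, wmf_count_records(good.data, good.len));
    printf("buggy: len=%zu, parser may read %zu bytes past the buffer\n", bad.len, over);
    return 0;
}
```

The buggy view is deliberately never passed to the walker, since reading those 22 bytes is exactly the out-of-bounds access the report describes; the fixed view is what a caller should hand to SetWinMetaFileBits, and the record walk shows the checks a parser still needs even when the length is right.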
Metadata:
```
0:000> vertarget
Windows 10 Version 19043 MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Build layer: ->
Build layer: ->
Build layer: ->
Machine Name:
Debug session time: Fri Jul 9 17:46:05.435 2021 (UTC - 7:00)
System Uptime: 2 days 6:09:38.434
Process Uptime: 0 days 0:00:06.157
Kernel time: 0 days 0:00:00.171
User time: 0 days 0:00:00.000
0:000> lmvm inkscape
start end module name
00980000 009d7000 inkscape T (no symbols)
Loaded symbol image file: C:\Program Files (x86)\Inkscape\bin\inkscape.exe
Image path: C:\Program Files (x86)\Inkscape\bin\inkscape.exe
Image name: inkscape.exe
Timestamp: unavailable (00000000)
CheckSum: 0005AAB9
ImageSize: 00057000
File version: 1.1.0.0
Product version: 1.1.0.0
File flags: 0 (Mask 0)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04e4
Information from resource tables:
CompanyName: Inkscape project
ProductName: Inkscape
InternalName: Inkscape
OriginalFilename: inkscape.exe
ProductVersion: 1.1
FileVersion: 1.1
FileDescription: Inkscape vector graphics editor
LegalCopyright: © 2021 Inkscape project
Comments: Published under the GNU GPL
0:000> lmvm libinkscape_base
start end module name
710d0000 72607000 libinkscape_base (deferred)
Image path: C:\Program Files (x86)\Inkscape\bin\libinkscape_base.dll
Image name: libinkscape_base.dll
Timestamp: unavailable (00000000)
CheckSum: 01523E95
ImageSize: 01537000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
```
-- CREDIT ---------------------------------------
This vulnerability was discovered by:
khangkito of Trend Micro Zero Day Initiative
-- FURTHER DETAILS ------------------------------
If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.
Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:
Zero Day Initiative
zdi-disclosures@trendmicro.com
The PGP key used for all ZDI vendor communications is available from:
http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc
-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.
Please contact us for further details or refer to:
http://www.zerodayinitiative.com
-- DISCLOSURE POLICY ----------------------------
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
For details about what personal information we collect and why, please see our Privacy Notice on our website at: http://www.trendmicro.com/privacy