Microsoft Color Management Module 'icm32.dll' - 'icm32!Fill_ushort_ELUTs_from_lut16Tag' Out-of-Bounds Read (MS17-013)

EDB-ID:

41657




Platform:

Windows

Date:

2017-03-20


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1052

We have encountered a crash in the Windows Color Management library (icm32.dll), in the icm32!Fill_ushort_ELUTs_from_lut16Tag function, while trying to display a TIFF image with a malformed embedded color profile:

---
(7c1c.93b0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0028f0dc ecx=0984f7c0 edx=00006ff0 esi=0980f800 edi=00000100
eip=6ac4f701 esp=0028ecc8 ebp=0028ecf4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
icm32!Fill_ushort_ELUTs_from_lut16Tag+0xe4:
6ac4f701 0fb711          movzx   edx,word ptr [ecx]       ds:002b:0984f7c0=????
0:000> kb
ChildEBP RetAddr  Args to Child              
0028ecf4 6ac495bd 0028f0dc ff837f84 00004000 icm32!Fill_ushort_ELUTs_from_lut16Tag+0xe4
0028ed28 6ac4b117 0028f0dc 0028ef54 00002100 icm32!ExtractElutFromLut16+0xec
0028ed80 6ac4ca1d 0028f0dc 0028ef54 41324230 icm32!ExtractAll_MFT_LutsFromLut16+0x10a
0028edac 6ac4ccbf 0028f0dc 0028ef54 41324230 icm32!ExtractAll_MFT_Luts+0x8c
0028ee3c 6ac4d562 0028f0dc 0028ef54 00000000 icm32!ExtractAllLuts+0x257
0028f148 6ac4e947 0953ee58 09534ff0 061f7f70 icm32!CreateCombi+0x725
0028f2ec 6ac43c84 0953ee58 09534ff0 00000000 icm32!PrepareCombiLUTs+0x3a6
0028f498 6ac42dba 0953ee58 09534ff0 09534ff0 icm32!CMMConcatInitPrivate+0x23e
0028f4b4 6ac41630 0028f520 09534ff0 0028f5c4 icm32!CWConcatColorWorld4MS+0x42
0028f4e0 6ac41fce 0028f520 00180002 00000000 icm32!CMCreateMultiProfileTransformInternal+0x10b
0028f508 6c5ec8af 0028f5bc 00000002 0028f5c4 icm32!CMCreateMultiProfileTransform+0x20
0028f57c 6d2fd7c8 0028f5bc 00000002 0028f5c4 mscms!CreateMultiProfileTransform+0x22d
0028f5a0 6d2fb62c 0028f5bc 0028f5c4 00000000 WindowsCodecsExt!ICMModule::CreateMultiProfileTransform+0x27
0028f5d4 6d2f58cd 06277f90 40c8e2f0 40cf42f0 WindowsCodecsExt!CIcmColorTransform::CreateVectorTransform+0x6f
0028f640 69b25e74 09744f88 0970afac 0028f6b4 WindowsCodecsExt!CFormatConverterNChannel::Initialize+0x4b2
0028f6d8 6c8ea4be 0970cf90 0970afac 0028f710 WindowsCodecs!CFormatConverterResolver::Initialize+0x318
0028f724 6c8ec909 0010300c 00000000 07b67f68 gdiplus!GpWicDecoder::InitFormatConverter+0x7e
0028f760 6c8e9d72 00000000 07b55fd0 07b4df98 gdiplus!GpWicDecoder::DecodeFrame+0xb5
0028f774 6c8ddeb8 07b67f68 07b4df98 07b4df98 gdiplus!GpWicDecoder::GetImageInfo+0x29
0028f798 6c8de328 07b4df98 0000027f 07b4df38 gdiplus!GpDecodedImage::InternalGetImageInfo+0x3f
0028f7b8 6c830aee 07b55fd0 07b4df98 07b4bcd8 gdiplus!GpDecodedImage::GetImageInfo+0x18
0028f7cc 6c832cd3 0028f880 0028f7e8 6c83330d gdiplus!CopyOnWriteBitmap::CopyOnWriteBitmap+0x48
0028f7d8 6c83330d 0028f880 07b45f28 0028f7f8 gdiplus!CopyOnWriteBitmap::Create+0x1d
0028f7e8 6c8342aa 0028f880 07b43ff4 0028f81c gdiplus!GpBitmap::GpBitmap+0x2c
0028f7f8 6c803e8d 0028f880 085a1000 07b43ff0 gdiplus!GpImage::LoadImageW+0x69
0028f81c 003b171f 0028f880 07b43ff4 b2121dcf gdiplus!GdipLoadImageFromFile+0x74
[...]
---

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays images using GDI+, or any existing GDI+ client (such as Microsoft Office).

Attached is a TIFF file which triggers the crash.

################################################################################

A similar crash with a slightly different stack trace was also encountered in the icm32!Fill_byte_ALUTs_from_lut16Tag function:

---
(62a8.4d70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000001fe ebx=09222000 ecx=09220ffe edx=00000801 esi=000003fc edi=0924d3f8
eip=6ac4f821 esp=002bf594 ebp=002bf5b8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
icm32!Fill_byte_ALUTs_from_lut16Tag+0x9a:
6ac4f821 0fb711          movzx   edx,word ptr [ecx]       ds:002b:09220ffe=????
0:000> kb
ChildEBP RetAddr  Args to Child              
002bf5b8 6ac4aa4d 002bf9a0 00000801 0924d3f8 icm32!Fill_byte_ALUTs_from_lut16Tag+0x9a
002bf5ec 6ac4b0f3 0002a000 002bf818 00007000 icm32!ExtractAlutFromLut16+0xe2
002bf644 6ac4ca1d 002bf9a0 002bf818 42324130 icm32!ExtractAll_MFT_LutsFromLut16+0xe6
002bf670 6ac4cd0d 002bf9a0 002bf818 42324130 icm32!ExtractAll_MFT_Luts+0x8c
002bf700 6ac4d562 002bf9a0 002bf818 00000000 icm32!ExtractAllLuts+0x2a5
002bfa0c 6ac4e947 07c46e58 07c44fe8 07c48ef8 icm32!CreateCombi+0x725
002bfbb0 6ac43c84 07c46e58 07c44fe8 00000000 icm32!PrepareCombiLUTs+0x3a6
002bfd5c 6ac42dba 07c46e58 07c44fe8 07c44fe8 icm32!CMMConcatInitPrivate+0x23e
002bfd78 6ac41630 002bfde4 07c44fe8 002bfea8 icm32!CWConcatColorWorld4MS+0x42
002bfda4 6ac41fce 002bfde4 00080000 00000000 icm32!CMCreateMultiProfileTransformInternal+0x10b
002bfdcc 6c5ec8af 002bfe98 00000004 002bfea8 icm32!CMCreateMultiProfileTransform+0x20
002bfe40 011c1923 002bfe98 00000004 002bfea8 mscms!CreateMultiProfileTransform+0x22d
[...]
---

Attached is a color profile which triggers the above crash. In order to reproduce it, it is necessary to use a dedicated program which loads the file and creates a color transform.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41657.zip