#######################################################################

                             Luigi Auriemma

Application:  XnView
              http://www.xnview.com
Versions:     <= 1.98.5
Platforms:    Windows
Bugs:         A] integer overflow in width/height calculation
              B] jpeg heap overflow
              C] ICO heap overflow
              D] PCX heap overflow
              E] FLI heap overflow
Exploitation: via file
Date:         16 Feb 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"XnView is an efficient multimedia viewer, browser and converter
supporting more than 400 graphics formats"

#######################################################################

=======
2) Bugs
=======

Note that this program has been tested only in a quick blind
experiment of a few minutes, so this advisory is not very complete
or detailed.

-----------------------------------------------
A] integer overflow in width/height calculation
-----------------------------------------------

The function that handles the width/height of the screen used for
any file format is affected by some integer overflow
vulnerabilities:

0047DB20  /$ 83EC 18          SUB ESP,18
...
0047DB78  |> 8B4424 38        MOV EAX,DWORD PTR SS:[ESP+38]
0047DB7C  |. 8B4C24 3C        MOV ECX,DWORD PTR SS:[ESP+3C]
0047DB80  |. 8B6C24 34        MOV EBP,DWORD PTR SS:[ESP+34]
0047DB84  |. 8947 08          MOV DWORD PTR DS:[EDI+8],EAX
0047DB87  |. 894F 0C          MOV DWORD PTR DS:[EDI+C],ECX
0047DB8A  |. 8B55 00          MOV EDX,DWORD PTR SS:[EBP]
0047DB8D  |. 8957 10          MOV DWORD PTR DS:[EDI+10],EDX
0047DB90  |. 8B4D 04          MOV ECX,DWORD PTR SS:[EBP+4]
0047DB93  |. 8D1485 00000000  LEA EDX,DWORD PTR DS:[EAX*4]        ; integer overflow
0047DB9A  |. 894F 14          MOV DWORD PTR DS:[EDI+14],ECX
0047DB9D  |. 52               PUSH EDX
0047DB9E  |. E8 B8311400      CALL xnview.005C0D5B                ; malloc
0047DBA3  |. 8907             MOV DWORD PTR DS:[EDI],EAX
0047DBA5  |. 8B47 0C          MOV EAX,DWORD PTR DS:[EDI+C]
0047DBA8  |. C1E0 02          SHL EAX,2                           ; integer overflow
0047DBAB  |. 50               PUSH EAX
0047DBAC  |. E8 AA311400      CALL xnview.005C0D5B                ; malloc
0047DBB1  |. 8B4F 08          MOV ECX,DWORD PTR DS:[EDI+8]
0047DBB4  |. 8947 04          MOV DWORD PTR DS:[EDI+4],EAX
0047DBB7  |. 8B45 00          MOV EAX,DWORD PTR SS:[EBP]
0047DBBA  |. 83C4 08          ADD ESP,8
0047DBBD  |. 3BC8             CMP ECX,EAX
0047DBBF  |. 75 51            JNZ SHORT xnview.0047DC12
0047DBC1  |. 8B57 0C          MOV EDX,DWORD PTR DS:[EDI+C]
0047DBC4  |. 8B45 04          MOV EAX,DWORD PTR SS:[EBP+4]
0047DBC7  |. 3BD0             CMP EDX,EAX
0047DBC9  |. 75 47            JNZ SHORT xnview.0047DC12
0047DBCB  |. 33C0             XOR EAX,EAX
0047DBCD  |. 3BCE             CMP ECX,ESI
0047DBCF  |. 7E 16            JLE SHORT xnview.0047DBE7
0047DBD1  |> 33C9             /XOR ECX,ECX                        ; write loop
0047DBD3  |. 8B17             |MOV EDX,DWORD PTR DS:[EDI]
0047DBD5  |. 66:8B4D 0E       |MOV CX,WORD PTR SS:[EBP+E]
0047DBD9  |. 0FAFC8           |IMUL ECX,EAX
0047DBDC  |. 890C82           |MOV DWORD PTR DS:[EDX+EAX*4],ECX
0047DBDF  |. 8B4F 08          |MOV ECX,DWORD PTR DS:[EDI+8]
0047DBE2  |. 40               |INC EAX
0047DBE3  |. 3BC1             |CMP EAX,ECX
0047DBE5  |.^7C EA            \JL SHORT xnview.0047DBD1
0047DBE7  |> 8B4F 0C          MOV ECX,DWORD PTR DS:[EDI+C]
0047DBEA  |. 33C0             XOR EAX,EAX
0047DBEC  |. 3BCE             CMP ECX,ESI
0047DBEE  |. 0F8E B6000000    JLE xnview.0047DCAA
0047DBF4  |> 8B4D 08          /MOV ECX,DWORD PTR SS:[EBP+8]       ; write loop
0047DBF7  |. 8B75 28          |MOV ESI,DWORD PTR SS:[EBP+28]
0047DBFA  |. 0FAFC8           |IMUL ECX,EAX
0047DBFD  |. 8B57 04          |MOV EDX,DWORD PTR DS:[EDI+4]
0047DC00  |. 03CE             |ADD ECX,ESI
0047DC02  |. 890C82           |MOV DWORD PTR DS:[EDX+EAX*4],ECX
0047DC05  |. 8B4F 0C          |MOV ECX,DWORD PTR DS:[EDI+C]
0047DC08  |. 40               |INC EAX
0047DC09  |. 3BC1             |CMP EAX,ECX
0047DC0B  |.^7C E7            \JL SHORT xnview.0047DBF4
0047DC0D  |. E9 98000000      JMP xnview.0047DCAA

The content of the 32-bit value written depends on the file format,
and whether execution continues after the exception may depend on
the system in use (more chances using Windows 7).

---------------------
B] jpeg heap overflow
---------------------

Heap overflow during the handling of the "Samples per Line" field in
the Baseline DCT header:

006E1E5B  > 8B7424 3C        MOV ESI,DWORD PTR SS:[ESP+3C]
006E1E5F  . 8B6C24 14        MOV EBP,DWORD PTR SS:[ESP+14]
006E1E63  > 33DB             XOR EBX,EBX
006E1E65  . 83C1 03          ADD ECX,3
006E1E68  . 8A1C06           MOV BL,BYTE PTR DS:[ESI+EAX]
006E1E6B  . 8BF3             MOV ESI,EBX
006E1E6D  . 33DB             XOR EBX,EBX
006E1E6F  . 8A18             MOV BL,BYTE PTR DS:[EAX]
006E1E71  . 8BFB             MOV EDI,EBX
006E1E73  . 33DB             XOR EBX,EBX
006E1E75  . 8A1C28           MOV BL,BYTE PTR DS:[EAX+EBP]
006E1E78  . 8BEB             MOV EBP,EBX
006E1E7A  . 8B5C24 18        MOV EBX,DWORD PTR SS:[ESP+18]
006E1E7E  . 8B1CAB           MOV EBX,DWORD PTR DS:[EBX+EBP*4]
006E1E81  . 03DE             ADD EBX,ESI
006E1E83  . 8A1413           MOV DL,BYTE PTR DS:[EBX+EDX]
006E1E86  . 8851 FD          MOV BYTE PTR DS:[ECX-3],DL
006E1E89  . 8B5424 1C        MOV EDX,DWORD PTR SS:[ESP+1C]
006E1E8D  . 8B1CBA           MOV EBX,DWORD PTR DS:[EDX+EDI*4]
006E1E90  . 8B5424 20        MOV EDX,DWORD PTR SS:[ESP+20]
006E1E94  . 031CAA           ADD EBX,DWORD PTR DS:[EDX+EBP*4]
006E1E97  . 8B5424 24        MOV EDX,DWORD PTR SS:[ESP+24]
006E1E9B  . C1FB 10          SAR EBX,10
006E1E9E  . 03DE             ADD EBX,ESI
006E1EA0  . 8A1C13           MOV BL,BYTE PTR DS:[EBX+EDX]
006E1EA3  . 8859 FE          MOV BYTE PTR DS:[ECX-2],BL
006E1EA6  . 8B5C24 28        MOV EBX,DWORD PTR SS:[ESP+28]
006E1EAA  . 8B3CBB           MOV EDI,DWORD PTR DS:[EBX+EDI*4]
006E1EAD  . 03FE             ADD EDI,ESI
006E1EAF  . 8B7424 34        MOV ESI,DWORD PTR SS:[ESP+34]
006E1EB3  . 40               INC EAX
006E1EB4  . 4E               DEC ESI
006E1EB5  . 8A1C17           MOV BL,BYTE PTR DS:[EDI+EDX]
006E1EB8  . 897424 34        MOV DWORD PTR SS:[ESP+34],ESI
006E1EBC  . 8859 FF          MOV BYTE PTR DS:[ECX-1],BL
006E1EBF  .^75 9A            JNZ SHORT xnview.006E1E5B

--------------------
C] ICO heap overflow
--------------------

Heap overflow during the handling of an ICO file whose image data
uses a smaller number of bits per pixel than specified in the main
header.

--------------------
D] PCX heap overflow
--------------------

Heap overflow in the handling of the PCX files.
The provided proof-of-concept should result in EIP 0x61616161.

--------------------
E] FLI heap overflow
--------------------

Heap overflow in the handling of the frames in the FLI files.
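Added illustration for bug A (not code from the advisory or from XnView): the two malloc calls at 0047DB93 and 0047DBA8 size their tables as width*4 and height*4 in 32-bit arithmetic, while the write loops still iterate width and height times. The vulnerable size computation is shown beside a hardened version that rejects out-of-range dimensions and detects the overflow; MAX_DIM and the function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed sanity limit for a single image dimension (an assumption,
 * not a value taken from XnView). */
#define MAX_DIM 65536

/* What the code at 0047DB93 / 0047DBA8 hands to malloc: count*4 computed
 * in 32-bit arithmetic.  For count >= 0x40000000 the product wraps, so the
 * allocation is far smaller than the `count` entries the loops then write. */
uint32_t vuln_table_bytes(int32_t count)
{
    return (uint32_t)count << 2;
}

/* Hardened size computation: rejects non-positive or implausible counts
 * and detects the multiplication overflow explicitly.  Returns 0 on
 * success and -1 when the count must not be used for an allocation. */
int safe_table_bytes(int32_t count, size_t *bytes)
{
    size_t b;
    if (count <= 0 || count > MAX_DIM)
        return -1;
    if (__builtin_mul_overflow((size_t)count, sizeof(int32_t), &b))
        return -1;
    *bytes = b;
    return 0;
}

/* Safe counterpart of the second write loop (0047DBF4): entry[i] =
 * i*stride + base.  Allocates exactly the validated size and checks the
 * per-entry arithmetic as well.  Returns NULL when any parameter is
 * rejected; the caller frees the table. */
int32_t *build_offset_table(int32_t count, int32_t stride, int32_t base)
{
    size_t bytes;
    int32_t *t, v;
    if (safe_table_bytes(count, &bytes) != 0 || stride < 0)
        return NULL;
    t = malloc(bytes);
    if (t == NULL)
        return NULL;
    for (int32_t i = 0; i < count; i++) {
        if (__builtin_mul_overflow(i, stride, &v) ||
            __builtin_add_overflow(v, base, &v)) {
            free(t);
            return NULL;
        }
        t[i] = v;
    }
    return t;
}
```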
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/xnview_1.zip

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18491.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################