The_Arhitect Posted February 17, 2012 Report Posted February 17, 2012 XnView <= 1.98.5 Multiple Vulnerabilities####################################################################### Luigi AuriemmaApplication: XnView http://www.xnview.comVersions: <= 1.98.5Platforms: WindowsBugs: A] integer overflow in width/height calculation B] jpeg heap overflow C] ICO heap overflow D] PCX heap overflow E] FLI heap overflowExploitation: via fileDate: 16 Feb 2012Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org#######################################################################1) Introduction2) Bugs3) The Code4) Fix#######################################################################===============1) Introduction==============="XnView is an efficient multimedia viewer, browser and convertersupporting more than 400 graphics formats"#######################################################################=======2) Bugs=======Note that this program has been tested only for a quick blindexperiment of some minutes so this advisory is not much completed ordetailed.-----------------------------------------------A] integer overflow in width/height calculation-----------------------------------------------The function that handles the width/height of the screen used for anyfile format if affected by some integer overflow vulnerabilities: 0047DB20 /$ 83EC 18 SUB ESP,18 ... 0047DB78 |> 8B4424 38 MOV EAX,DWORD PTR SS:[ESP+38] 0047DB7C |. 8B4C24 3C MOV ECX,DWORD PTR SS:[ESP+3C] 0047DB80 |. 8B6C24 34 MOV EBP,DWORD PTR SS:[ESP+34] 0047DB84 |. 8947 08 MOV DWORD PTR DS:[EDI+8],EAX 0047DB87 |. 894F 0C MOV DWORD PTR DS:[EDI+C],ECX 0047DB8A |. 8B55 00 MOV EDX,DWORD PTR SS:[EBP] 0047DB8D |. 8957 10 MOV DWORD PTR DS:[EDI+10],EDX 0047DB90 |. 8B4D 04 MOV ECX,DWORD PTR SS:[EBP+4] 0047DB93 |. 8D1485 00000000 LEA EDX,DWORD PTR DS:[EAX*4] ; integer overflow 0047DB9A |. 894F 14 MOV DWORD PTR DS:[EDI+14],ECX 0047DB9D |. 52 PUSH EDX 0047DB9E |. E8 B8311400 CALL xnview.005C0D5B ; malloc 0047DBA3 |. 8907 MOV DWORD PTR DS:[EDI],EAX 0047DBA5 |. 8B47 0C MOV EAX,DWORD PTR DS:[EDI+C] 0047DBA8 |. C1E0 02 SHL EAX,2 ; integer overflow 0047DBAB |. 50 PUSH EAX 0047DBAC |. E8 AA311400 CALL xnview.005C0D5B ; malloc 0047DBB1 |. 8B4F 08 MOV ECX,DWORD PTR DS:[EDI+8] 0047DBB4 |. 8947 04 MOV DWORD PTR DS:[EDI+4],EAX 0047DBB7 |. 8B45 00 MOV EAX,DWORD PTR SS:[EBP] 0047DBBA |. 83C4 08 ADD ESP,8 0047DBBD |. 3BC8 CMP ECX,EAX 0047DBBF |. 75 51 JNZ SHORT xnview.0047DC12 0047DBC1 |. 8B57 0C MOV EDX,DWORD PTR DS:[EDI+C] 0047DBC4 |. 8B45 04 MOV EAX,DWORD PTR SS:[EBP+4] 0047DBC7 |. 3BD0 CMP EDX,EAX 0047DBC9 |. 75 47 JNZ SHORT xnview.0047DC12 0047DBCB |. 33C0 XOR EAX,EAX 0047DBCD |. 3BCE CMP ECX,ESI 0047DBCF |. 7E 16 JLE SHORT xnview.0047DBE7 0047DBD1 |> 33C9 /XOR ECX,ECX ; write loop 0047DBD3 |. 8B17 |MOV EDX,DWORD PTR DS:[EDI] 0047DBD5 |. 66:8B4D 0E |MOV CX,WORD PTR SS:[EBP+E] 0047DBD9 |. 0FAFC8 |IMUL ECX,EAX 0047DBDC |. 890C82 |MOV DWORD PTR DS:[EDX+EAX*4],ECX 0047DBDF |. 8B4F 08 |MOV ECX,DWORD PTR DS:[EDI+8] 0047DBE2 |. 40 |INC EAX 0047DBE3 |. 3BC1 |CMP EAX,ECX 0047DBE5 |.^7C EA \JL SHORT xnview.0047DBD1 0047DBE7 |> 8B4F 0C MOV ECX,DWORD PTR DS:[EDI+C] 0047DBEA |. 33C0 XOR EAX,EAX 0047DBEC |. 3BCE CMP ECX,ESI 0047DBEE |. 0F8E B6000000 JLE xnview.0047DCAA 0047DBF4 |> 8B4D 08 /MOV ECX,DWORD PTR SS:[EBP+8] ; write loop 0047DBF7 |. 8B75 28 |MOV ESI,DWORD PTR SS:[EBP+28] 0047DBFA |. 0FAFC8 |IMUL ECX,EAX 0047DBFD |. 8B57 04 |MOV EDX,DWORD PTR DS:[EDI+4] 0047DC00 |. 03CE |ADD ECX,ESI 0047DC02 |. 890C82 |MOV DWORD PTR DS:[EDX+EAX*4],ECX 0047DC05 |. 8B4F 0C |MOV ECX,DWORD PTR DS:[EDI+C] 0047DC08 |. 40 |INC EAX 0047DC09 |. 3BC1 |CMP EAX,ECX 0047DC0B |.^7C E7 \JL SHORT xnview.0047DBF4 0047DC0D |. E9 98000000 JMP xnview.0047DCAAThe content of the 32bit value to write depends by the file format andthe continuation of the execution after the exception may depend by thesystem in use (more chances using Windows 7).---------------------B] jpeg heap overflow---------------------Heap overflow during the handling of the "Samples per Line" in theBaseline DCT header: 006E1E5B > 8B7424 3C MOV ESI,DWORD PTR SS:[ESP+3C] 006E1E5F . 8B6C24 14 MOV EBP,DWORD PTR SS:[ESP+14] 006E1E63 > 33DB XOR EBX,EBX 006E1E65 . 83C1 03 ADD ECX,3 006E1E68 . 8A1C06 MOV BL,BYTE PTR DS:[ESI+EAX] 006E1E6B . 8BF3 MOV ESI,EBX 006E1E6D . 33DB XOR EBX,EBX 006E1E6F . 8A18 MOV BL,BYTE PTR DS:[EAX] 006E1E71 . 8BFB MOV EDI,EBX 006E1E73 . 33DB XOR EBX,EBX 006E1E75 . 8A1C28 MOV BL,BYTE PTR DS:[EAX+EBP] 006E1E78 . 8BEB MOV EBP,EBX 006E1E7A . 8B5C24 18 MOV EBX,DWORD PTR SS:[ESP+18] 006E1E7E . 8B1CAB MOV EBX,DWORD PTR DS:[EBX+EBP*4] 006E1E81 . 03DE ADD EBX,ESI 006E1E83 . 8A1413 MOV DL,BYTE PTR DS:[EBX+EDX] 006E1E86 . 8851 FD MOV BYTE PTR DS:[ECX-3],DL 006E1E89 . 8B5424 1C MOV EDX,DWORD PTR SS:[ESP+1C] 006E1E8D . 8B1CBA MOV EBX,DWORD PTR DS:[EDX+EDI*4] 006E1E90 . 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20] 006E1E94 . 031CAA ADD EBX,DWORD PTR DS:[EDX+EBP*4] 006E1E97 . 8B5424 24 MOV EDX,DWORD PTR SS:[ESP+24] 006E1E9B . C1FB 10 SAR EBX,10 006E1E9E . 03DE ADD EBX,ESI 006E1EA0 . 8A1C13 MOV BL,BYTE PTR DS:[EBX+EDX] 006E1EA3 . 8859 FE MOV BYTE PTR DS:[ECX-2],BL 006E1EA6 . 8B5C24 28 MOV EBX,DWORD PTR SS:[ESP+28] 006E1EAA . 8B3CBB MOV EDI,DWORD PTR DS:[EBX+EDI*4] 006E1EAD . 03FE ADD EDI,ESI 006E1EAF . 8B7424 34 MOV ESI,DWORD PTR SS:[ESP+34] 006E1EB3 . 40 INC EAX 006E1EB4 . 4E DEC ESI 006E1EB5 . 8A1C17 MOV BL,BYTE PTR DS:[EDI+EDX] 006E1EB8 . 897424 34 MOV DWORD PTR SS:[ESP+34],ESI 006E1EBC . 8859 FF MOV BYTE PTR DS:[ECX-1],BL 006E1EBF .^75 9A JNZ SHORT xnview.006E1E5B--------------------C] ICO heap overflow--------------------Heap overflow during the handling of an ICO file with a smaller numberof bits per pixels than how much specified in the main header.--------------------D] PCX heap overflow--------------------Heap overflow in the handling of the PCX files.The provided proof-of-concept should result in EIP 0x61616161.--------------------E] FLI heap overflow--------------------Heap overflow in the handling of the frames in the FLI files.#######################################################################===========3) The Code===========http://aluigi.org/poc/xnview_1.ziphttp://www.exploit-db.com/sploits/18491.zip#######################################################################======4) Fix======No fix.#######################################################################Sursa: XnView <= 1.98.5 Multiple Vulnerabilities Quote