#######################################################################

                             Luigi Auriemma

Application:  XnView
              http://www.xnview.com
Versions:     <= 1.98.5
Platforms:    Windows
Bugs:         A] integer overflow in width/height calculation
              B] jpeg heap overflow
              C] ICO heap overflow
              D] PCX heap overflow
              E] FLI heap overflow
Exploitation: via file
Date:         16 Feb 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============


"XnView is an efficient multimedia viewer, browser and converter
supporting more than 400 graphics formats"


#######################################################################

=======
2) Bugs
=======


Note that this program has been tested only in a quick blind
experiment of a few minutes, so this advisory is not very complete or
detailed.


-----------------------------------------------
A] integer overflow in width/height calculation
-----------------------------------------------

The function that sets up the width/height of the screen, which is
used for every file format, is affected by integer overflow
vulnerabilities: each dimension is multiplied by 4 to size a malloc'd
table of 32-bit entries, and the fill loops that follow walk the full,
unchecked width and height:

  0047DB20  /$ 83EC 18         SUB ESP,18
  ...
  0047DB78  |> 8B4424 38       MOV EAX,DWORD PTR SS:[ESP+38]
  0047DB7C  |. 8B4C24 3C       MOV ECX,DWORD PTR SS:[ESP+3C]
  0047DB80  |. 8B6C24 34       MOV EBP,DWORD PTR SS:[ESP+34]
  0047DB84  |. 8947 08         MOV DWORD PTR DS:[EDI+8],EAX
  0047DB87  |. 894F 0C         MOV DWORD PTR DS:[EDI+C],ECX
  0047DB8A  |. 8B55 00         MOV EDX,DWORD PTR SS:[EBP]
  0047DB8D  |. 8957 10         MOV DWORD PTR DS:[EDI+10],EDX
  0047DB90  |. 8B4D 04         MOV ECX,DWORD PTR SS:[EBP+4]
  0047DB93  |. 8D1485 00000000 LEA EDX,DWORD PTR DS:[EAX*4]       ; integer overflow
  0047DB9A  |. 894F 14         MOV DWORD PTR DS:[EDI+14],ECX
  0047DB9D  |. 52              PUSH EDX
  0047DB9E  |. E8 B8311400     CALL xnview.005C0D5B               ; malloc
  0047DBA3  |. 8907            MOV DWORD PTR DS:[EDI],EAX
  0047DBA5  |. 8B47 0C         MOV EAX,DWORD PTR DS:[EDI+C]
  0047DBA8  |. C1E0 02         SHL EAX,2                          ; integer overflow
  0047DBAB  |. 50              PUSH EAX
  0047DBAC  |. E8 AA311400     CALL xnview.005C0D5B               ; malloc
  0047DBB1  |. 8B4F 08         MOV ECX,DWORD PTR DS:[EDI+8]
  0047DBB4  |. 8947 04         MOV DWORD PTR DS:[EDI+4],EAX
  0047DBB7  |. 8B45 00         MOV EAX,DWORD PTR SS:[EBP]
  0047DBBA  |. 83C4 08         ADD ESP,8
  0047DBBD  |. 3BC8            CMP ECX,EAX
  0047DBBF  |. 75 51           JNZ SHORT xnview.0047DC12
  0047DBC1  |. 8B57 0C         MOV EDX,DWORD PTR DS:[EDI+C]
  0047DBC4  |. 8B45 04         MOV EAX,DWORD PTR SS:[EBP+4]
  0047DBC7  |. 3BD0            CMP EDX,EAX
  0047DBC9  |. 75 47           JNZ SHORT xnview.0047DC12
  0047DBCB  |. 33C0            XOR EAX,EAX
  0047DBCD  |. 3BCE            CMP ECX,ESI
  0047DBCF  |. 7E 16           JLE SHORT xnview.0047DBE7
  0047DBD1  |> 33C9            /XOR ECX,ECX                       ; write loop
  0047DBD3  |. 8B17            |MOV EDX,DWORD PTR DS:[EDI]
  0047DBD5  |. 66:8B4D 0E      |MOV CX,WORD PTR SS:[EBP+E]
  0047DBD9  |. 0FAFC8          |IMUL ECX,EAX
  0047DBDC  |. 890C82          |MOV DWORD PTR DS:[EDX+EAX*4],ECX
  0047DBDF  |. 8B4F 08         |MOV ECX,DWORD PTR DS:[EDI+8]
  0047DBE2  |. 40              |INC EAX
  0047DBE3  |. 3BC1            |CMP EAX,ECX
  0047DBE5  |.^7C EA           \JL SHORT xnview.0047DBD1
  0047DBE7  |> 8B4F 0C         MOV ECX,DWORD PTR DS:[EDI+C]
  0047DBEA  |. 33C0            XOR EAX,EAX
  0047DBEC  |. 3BCE            CMP ECX,ESI
  0047DBEE  |. 0F8E B6000000   JLE xnview.0047DCAA
  0047DBF4  |> 8B4D 08         /MOV ECX,DWORD PTR SS:[EBP+8]      ; write loop
  0047DBF7  |. 8B75 28         |MOV ESI,DWORD PTR SS:[EBP+28]
  0047DBFA  |. 0FAFC8          |IMUL ECX,EAX
  0047DBFD  |. 8B57 04         |MOV EDX,DWORD PTR DS:[EDI+4]
  0047DC00  |. 03CE            |ADD ECX,ESI
  0047DC02  |. 890C82          |MOV DWORD PTR DS:[EDX+EAX*4],ECX
  0047DC05  |. 8B4F 0C         |MOV ECX,DWORD PTR DS:[EDI+C]
  0047DC08  |. 40              |INC EAX
  0047DC09  |. 3BC1            |CMP EAX,ECX
  0047DC0B  |.^7C E7           \JL SHORT xnview.0047DBF4
  0047DC0D  |. E9 98000000     JMP xnview.0047DCAA

The width (LEA EDX,[EAX*4]) and the height (SHL EAX,2) are each
multiplied by 4 as 32-bit values with no overflow check, so a dimension
of 0x40000000 or more wraps the size passed to malloc to a small value,
while the two write loops that follow still iterate over the full width
and height and store one 32-bit entry per column/row into the
undersized tables. The content of the 32-bit value written depends on
the file format, and whether execution continues after the resulting
exception may depend on the system in use (more chances on Windows 7).


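The following is an added example written for this page, not XnView's code and not the author's proof-of-concept: a C model of the sizing arithmetic and the two fill loops in the listing above, with a hardened variant beside it. The struct layout is inferred from the listing ([EDI] = column table, [EDI+4] = row table, [EDI+8] = width, [EDI+C] = height); the field names, the MAX_DIM cap and the placeholder table contents are this example's own assumptions. The spill counter replays the loop bounds against the wrapped allocation size instead of performing the out-of-bounds writes, so the program is safe to run.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the screen object set up at 0047DB20 (layout inferred from the
 * listing; field names are this example's own). */
struct screen {
    uint32_t *col_off;   /* [EDI]   : one 32-bit entry per column */
    uint32_t *row_off;   /* [EDI+4] : one 32-bit entry per row    */
    uint32_t  width;     /* [EDI+8] */
    uint32_t  height;    /* [EDI+C] */
};

/* Vulnerable sizing, the arithmetic at 0047DB93 (LEA EDX,[EAX*4]) and
 * 0047DBA8 (SHL EAX,2): a 32-bit dimension times 4 with no overflow check.
 * For dim >= 0x40000000 the product wraps and malloc() receives a tiny size. */
uint32_t vuln_table_bytes(uint32_t dim)
{
    return dim << 2;
}

/* Hardened sizing: reject a dimension whose table would not fit in 32 bits
 * and apply an explicit sanity cap (the cap value is this example's choice). */
#define MAX_DIM 65536u
int safe_table_bytes(uint32_t dim, uint32_t *bytes)
{
    if (dim == 0 || dim > MAX_DIM || dim > UINT32_MAX / 4u)
        return 0;
    *bytes = dim * 4u;
    return 1;
}

/* Replays the two fill loops (0047DBD1 over width, 0047DBF4 over height)
 * against the sizes the vulnerable arithmetic produced, but counts the
 * entries that fall outside the allocation instead of writing them.
 * Returns how many 32-bit entries would land on the heap past the end of
 * the two tables. */
uint64_t vuln_setup_spill(uint32_t width, uint32_t height)
{
    uint64_t spill = 0;
    uint32_t col_fit = vuln_table_bytes(width) / 4u;    /* entries that fit */
    uint32_t row_fit = vuln_table_bytes(height) / 4u;
    if (width > col_fit)  spill += width - col_fit;     /* loop runs to width  */
    if (height > row_fit) spill += height - row_fit;    /* loop runs to height */
    return spill;
}

void free_screen(struct screen *s)
{
    free(s->col_off);
    free(s->row_off);
    memset(s, 0, sizeof *s);
}

/* Hardened setup: allocates nothing and returns 0 when either dimension fails
 * the check; otherwise both tables are sized for the full loops. */
int safe_setup(struct screen *s, uint32_t width, uint32_t height)
{
    uint32_t cb, rb;
    memset(s, 0, sizeof *s);
    if (!safe_table_bytes(width, &cb) || !safe_table_bytes(height, &rb))
        return 0;
    s->col_off = calloc(width, sizeof *s->col_off);
    s->row_off = calloc(height, sizeof *s->row_off);
    if (!s->col_off || !s->row_off) {
        free_screen(s);
        return 0;
    }
    s->width = width;
    s->height = height;
    for (uint32_t i = 0; i < width; i++)
        s->col_off[i] = i * 4u;        /* placeholder: 4 bytes per pixel */
    for (uint32_t i = 0; i < height; i++)
        s->row_off[i] = i * width;     /* placeholder: row index times width */
    return 1;
}

/* Runs safe_setup() on a temporary screen and frees it. Returns the setup
 * result, or -1 if the last row entry was not filled as expected. */
int demo_safe_setup(uint32_t width, uint32_t height)
{
    struct screen s;
    int ok = safe_setup(&s, width, height);
    if (ok && s.row_off[height - 1] != (height - 1) * width) ok = -1;
    free_screen(&s);
    return ok;
}

int main(void)
{
    uint32_t w = 0x40000001u;   /* 0x40000001 << 2 wraps to 4: a 4-byte table for 2^30+1 entries */
    printf("width 0x%08x: malloc(%u), %llu entries spill\n", w,
           vuln_table_bytes(w), (unsigned long long)vuln_setup_spill(w, 1));
    printf("safe_setup(0x40000001, 1) = %d\n", demo_safe_setup(w, 1));
    printf("safe_setup(640, 480)      = %d\n", demo_safe_setup(640, 480));
    return 0;
}
```

On a 32-bit build the wrapped value is exactly what malloc() receives in the real routine, and the first loop then stores 2^30 entries into a 4-byte chunk; whether anything useful happens after the first access violation is, as the text notes, system dependent. The check to take away is safe_table_bytes(): the multiplication is tested for overflow before the size reaches the allocator, and the same bounded value is used by the loops.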
---------------------
B] jpeg heap overflow
---------------------

Heap overflow during the handling of the "Samples per Line" field (the
image width) of the Baseline DCT (SOF0) header. The loop below, which
stores three output bytes per pixel, is the one that writes past the
end of the buffer:

  006E1E5B  > 8B7424 3C       MOV ESI,DWORD PTR SS:[ESP+3C]
  006E1E5F  . 8B6C24 14       MOV EBP,DWORD PTR SS:[ESP+14]
  006E1E63  > 33DB            XOR EBX,EBX
  006E1E65  . 83C1 03         ADD ECX,3
  006E1E68  . 8A1C06          MOV BL,BYTE PTR DS:[ESI+EAX]
  006E1E6B  . 8BF3            MOV ESI,EBX
  006E1E6D  . 33DB            XOR EBX,EBX
  006E1E6F  . 8A18            MOV BL,BYTE PTR DS:[EAX]
  006E1E71  . 8BFB            MOV EDI,EBX
  006E1E73  . 33DB            XOR EBX,EBX
  006E1E75  . 8A1C28          MOV BL,BYTE PTR DS:[EAX+EBP]
  006E1E78  . 8BEB            MOV EBP,EBX
  006E1E7A  . 8B5C24 18       MOV EBX,DWORD PTR SS:[ESP+18]
  006E1E7E  . 8B1CAB          MOV EBX,DWORD PTR DS:[EBX+EBP*4]
  006E1E81  . 03DE            ADD EBX,ESI
  006E1E83  . 8A1413          MOV DL,BYTE PTR DS:[EBX+EDX]
  006E1E86  . 8851 FD         MOV BYTE PTR DS:[ECX-3],DL
  006E1E89  . 8B5424 1C       MOV EDX,DWORD PTR SS:[ESP+1C]
  006E1E8D  . 8B1CBA          MOV EBX,DWORD PTR DS:[EDX+EDI*4]
  006E1E90  . 8B5424 20       MOV EDX,DWORD PTR SS:[ESP+20]
  006E1E94  . 031CAA          ADD EBX,DWORD PTR DS:[EDX+EBP*4]
  006E1E97  . 8B5424 24       MOV EDX,DWORD PTR SS:[ESP+24]
  006E1E9B  . C1FB 10         SAR EBX,10
  006E1E9E  . 03DE            ADD EBX,ESI
  006E1EA0  . 8A1C13          MOV BL,BYTE PTR DS:[EBX+EDX]
  006E1EA3  . 8859 FE         MOV BYTE PTR DS:[ECX-2],BL
  006E1EA6  . 8B5C24 28       MOV EBX,DWORD PTR SS:[ESP+28]
  006E1EAA  . 8B3CBB          MOV EDI,DWORD PTR DS:[EBX+EDI*4]
  006E1EAD  . 03FE            ADD EDI,ESI
  006E1EAF  . 8B7424 34       MOV ESI,DWORD PTR SS:[ESP+34]
  006E1EB3  . 40              INC EAX
  006E1EB4  . 4E              DEC ESI
  006E1EB5  . 8A1C17          MOV BL,BYTE PTR DS:[EDI+EDX]
  006E1EB8  . 897424 34       MOV DWORD PTR SS:[ESP+34],ESI
  006E1EBC  . 8859 FF         MOV BYTE PTR DS:[ECX-1],BL
  006E1EBF  .^75 9A           JNZ SHORT xnview.006E1E5B


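The following is an added example written for this page, not code from XnView or from the advisory's proof-of-concept: a minimal parser for the SOF0 segment that reads the samples-per-line field, and a YCbCr-to-RGB row converter with the same shape as the loop above (per-pixel chroma contributions added to Y, then three bytes stored per pixel) that refuses to run when that header value does not fit the destination buffer. The JPEG bytes are constructed for the example, the fixed-point constants are the usual JFIF ones, and the range-limit table lookups of the real loop are replaced by a plain clamp; the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parsed Baseline DCT frame header (SOF0, marker FF C0). */
struct sof0 {
    uint8_t  precision;   /* P: sample precision, 8 for baseline */
    uint16_t lines;       /* Y: number of lines (image height) */
    uint16_t samples;     /* X: samples per line (image width) */
    uint8_t  ncomp;       /* Nf: number of components */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walks the marker segments of a JPEG stream up to SOF0 and fills *f.
 * Returns 1 on success, 0 if the stream is malformed, truncated, or reaches
 * EOI without a frame header. */
int parse_sof0(const uint8_t *buf, size_t len, struct sof0 *f)
{
    size_t i = 2;
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return 0;        /* SOI */
    while (i + 4 <= len) {
        uint8_t marker = buf[i + 1];
        if (buf[i] != 0xFF) return 0;
        if (marker == 0xFF) { i += 1; continue; }                       /* fill byte */
        if (marker == 0xD9) return 0;                                   /* EOI before SOF0 */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD8)) { i += 2; continue; }
        uint16_t seglen = be16(buf + i + 2);                            /* includes its own 2 bytes */
        if (seglen < 2 || seglen > len - (i + 2)) return 0;             /* segment runs off the end */
        if (marker == 0xC0) {
            const uint8_t *p = buf + i + 4;
            if (seglen < 8) return 0;                                   /* P, Y, X, Nf need 6 bytes */
            f->precision = p[0];
            f->lines     = be16(p + 1);
            f->samples   = be16(p + 3);
            f->ncomp     = p[5];
            /* each component spec is 3 bytes: id, sampling factors, quant table */
            return f->ncomp >= 1 && f->ncomp <= 4 && f->samples != 0 &&
                   seglen == 8 + 3u * f->ncomp;
        }
        i += 2 + seglen;
    }
    return 0;
}

static uint8_t clamp8(int v) { return (uint8_t)(v < 0 ? 0 : v > 255 ? 255 : v); }

/* One row of upsampled YCbCr to packed RGB, three output bytes per pixel as
 * in the loop at 006E1E5B. 'dst_cap' is the real size of the destination:
 * the whole row is refused when the header's samples-per-line value would
 * carry the loop past the end. Returns bytes written, 0 if the row does not fit. */
size_t ycc_row_to_rgb(const uint8_t *y, const uint8_t *cb, const uint8_t *cr,
                      uint16_t samples, uint8_t *dst, size_t dst_cap)
{
    size_t need = (size_t)samples * 3u;
    if (need > dst_cap) return 0;
    for (size_t i = 0; i < samples; i++) {
        int Y = y[i], Cb = cb[i] - 128, Cr = cr[i] - 128;
        dst[3 * i]     = clamp8(Y + ((91881 * Cr) >> 16));              /* R = Y + 1.402 Cr */
        dst[3 * i + 1] = clamp8(Y - ((22554 * Cb + 46802 * Cr) >> 16)); /* G = Y - 0.344 Cb - 0.714 Cr */
        dst[3 * i + 2] = clamp8(Y + ((116130 * Cb) >> 16));             /* B = Y + 1.772 Cb */
    }
    return need;
}

/* Constructed sample stream: SOI, SOF0 for an 8-bit 32x16 3-component image, EOI. */
static const uint8_t JPEG_HDR[] = {
    0xFF, 0xD8,
    0xFF, 0xC0, 0x00, 0x11, 0x08, 0x00, 0x10, 0x00, 0x20, 0x03,   /* len 17, P=8, Y=16, X=32, Nf=3 */
    0x01, 0x22, 0x00, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01,
    0xFF, 0xD9
};

/* Parses JPEG_HDR with X overridden by 'tamper' (0 keeps the original 32);
 * returns the samples-per-line value read back, or 0 on parse failure. */
uint16_t demo_samples(uint16_t tamper)
{
    uint8_t buf[sizeof JPEG_HDR];
    struct sof0 f;
    memcpy(buf, JPEG_HDR, sizeof buf);
    if (tamper) { buf[9] = (uint8_t)(tamper >> 8); buf[10] = (uint8_t)tamper; }
    return parse_sof0(buf, sizeof buf, &f) ? f.samples : 0;
}

/* Converts a row of 'samples' neutral-gray pixels into a 96-byte destination
 * (room for exactly 32 pixels) and returns the bytes written. */
size_t demo_convert(uint16_t samples)
{
    static uint8_t gray[65535];                  /* wide enough for any X, all 128 */
    uint8_t dst[96];
    memset(gray, 128, sizeof gray);
    return ycc_row_to_rgb(gray, gray, gray, samples, dst, sizeof dst);
}

/* Converts a single pixel and returns it packed as 0xRRGGBB. */
uint32_t demo_pixel(uint8_t Y, uint8_t Cb, uint8_t Cr)
{
    uint8_t rgb[3];
    ycc_row_to_rgb(&Y, &Cb, &Cr, 1, rgb, sizeof rgb);
    return (uint32_t)rgb[0] << 16 | (uint32_t)rgb[1] << 8 | rgb[2];
}

int main(void)
{
    printf("X from header: %u, tampered: %u\n", demo_samples(0), demo_samples(0xFFFF));
    printf("row of 32 -> %zu bytes, row of 0xFFFF -> %zu bytes\n",
           demo_convert(32), demo_convert(0xFFFF));
    return 0;
}
```

The line that matters is the need > dst_cap test: a 16-bit samples-per-line field parses fine at 0xFFFF, so the converter must be bounded by the capacity of the buffer actually allocated rather than by the header value alone.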
--------------------
C] ICO heap overflow
--------------------

Heap overflow during the handling of an ICO file whose image uses a
smaller number of bits per pixel than the number specified in the main
header.


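The following is an added example written for this page, not XnView's code: the consistency check a decoder needs between the bits per pixel claimed by the ICONDIRENTRY (which I take to be the "main header" the text refers to) and the biBitCount of the embedded BITMAPINFOHEADER, with the pixel buffer sized only after the two agree and the resource length covers the data. The sample icons are constructed by build_ico(); only BITMAPINFOHEADER-based entries with more than 8 bits per pixel are built (palette handling is left out of the builder), PNG-compressed entries are out of scope, and the status names and function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum ico_status { ICO_OK = 0, ICO_TRUNCATED, ICO_BAD_DIMS, ICO_BPP_MISMATCH, ICO_SHORT_RESOURCE };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }

/* DIB row stride: bits per row rounded up to a multiple of 32, in bytes. */
static uint32_t stride(uint32_t width, uint32_t bpp) { return ((width * bpp + 31) / 32) * 4; }

/* Validates image 'n' of an ICO held in memory and, on success, reports the
 * size of its XOR (colour) bitmap computed from the BITMAPINFOHEADER's
 * biBitCount. The ICONDIRENTRY's wBitCount is accepted only when it is 0
 * ("unspecified") or agrees with the DIB: sizing from one header and
 * decoding with the other is the mismatch the text describes. */
enum ico_status check_icon(const uint8_t *buf, size_t len, unsigned n, uint32_t *xor_bytes)
{
    if (len < 6 || le16(buf) != 0 || le16(buf + 2) != 1) return ICO_TRUNCATED; /* ICONDIR, type 1 */
    if (n >= le16(buf + 4) || len < 6 + 16u * (n + 1)) return ICO_TRUNCATED;
    const uint8_t *e = buf + 6 + 16u * n;                              /* ICONDIRENTRY */
    uint32_t ew = e[0] ? e[0] : 256, eh = e[1] ? e[1] : 256;           /* 0 means 256 */
    uint16_t dir_bpp = le16(e + 6);
    uint32_t res_len = le32(e + 8), off = le32(e + 12);
    if (off > len || res_len > len - off || res_len < 40) return ICO_TRUNCATED;
    const uint8_t *d = buf + off;                                      /* BITMAPINFOHEADER */
    if (le32(d) != 40) return ICO_BAD_DIMS;                            /* PNG entries not handled here */
    int32_t dw = (int32_t)le32(d + 4), dh = (int32_t)le32(d + 8);      /* height covers XOR + AND */
    uint16_t dib_bpp = le16(d + 14);
    if (dw <= 0 || dh <= 0 || dh % 2 || (uint32_t)dw != ew || (uint32_t)dh / 2 != eh) return ICO_BAD_DIMS;
    if (dib_bpp != 1 && dib_bpp != 4 && dib_bpp != 8 && dib_bpp != 24 && dib_bpp != 32) return ICO_BAD_DIMS;
    if (dir_bpp != 0 && dir_bpp != dib_bpp) return ICO_BPP_MISMATCH;
    uint32_t rows = (uint32_t)dh / 2;
    uint32_t palette = dib_bpp <= 8 ? (1u << dib_bpp) * 4u : 0;
    uint32_t xb = stride(ew, dib_bpp) * rows, ab = stride(ew, 1) * rows;
    if (res_len < 40 + palette + xb + ab) return ICO_SHORT_RESOURCE;   /* data shorter than claimed */
    *xor_bytes = xb;
    return ICO_OK;
}

/* Constructed sample: a 4x4 single-image ICO whose directory entry claims
 * 'dir_bpp' while the embedded BITMAPINFOHEADER claims 'dib_bpp' (pixel data
 * all zero, no palette, so only dib_bpp > 8 is built). Returns bytes written. */
size_t build_ico(uint16_t dir_bpp, uint16_t dib_bpp, uint8_t *out, size_t cap)
{
    const uint32_t w = 4, h = 4;
    uint32_t res = 40 + stride(w, dib_bpp) * h + stride(w, 1) * h;
    size_t total = 6 + 16 + res;
    if (dib_bpp <= 8 || cap < total) return 0;
    memset(out, 0, total);
    put16(out + 2, 1); put16(out + 4, 1);                 /* ICONDIR: icon, one image */
    uint8_t *e = out + 6;
    e[0] = (uint8_t)w; e[1] = (uint8_t)h; put16(e + 4, 1); put16(e + 6, dir_bpp);
    put32(e + 8, res); put32(e + 12, 22);
    uint8_t *d = out + 22;
    put32(d, 40); put32(d + 4, w); put32(d + 8, h * 2); put16(d + 12, 1); put16(d + 14, dib_bpp);
    return total;
}

/* check_icon() verdict for a constructed icon with the given bit counts (-1 if not buildable). */
int demo_status(uint16_t dir_bpp, uint16_t dib_bpp)
{
    uint8_t buf[256];
    uint32_t xb;
    size_t n = build_ico(dir_bpp, dib_bpp, buf, sizeof buf);
    return n ? (int)check_icon(buf, n, 0, &xb) : -1;
}

/* XOR bitmap size a consistent 4x4 icon of 'bpp' bits per pixel needs. */
uint32_t demo_xor_bytes(uint16_t bpp)
{
    uint8_t buf[256];
    uint32_t xb = 0;
    size_t n = build_ico(bpp, bpp, buf, sizeof buf);
    return (n && check_icon(buf, n, 0, &xb) == ICO_OK) ? xb : 0;
}

/* Verdict for a consistent icon whose file is cut one byte short. */
int demo_truncated(void)
{
    uint8_t buf[256];
    uint32_t xb;
    size_t n = build_ico(32, 32, buf, sizeof buf);
    return (int)check_icon(buf, n - 1, 0, &xb);
}

int main(void)
{
    printf("32/32 -> %d, 32/24 -> %d, 0/24 -> %d, truncated -> %d\n",
           demo_status(32, 32), demo_status(32, 24), demo_status(0, 24), demo_truncated());
    return 0;
}
```

Any verdict other than ICO_OK should abort decoding before a pixel buffer is allocated; the ICO_BPP_MISMATCH case (directory says 32, bitmap says 24) is the shape of input the text describes.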
--------------------
D] PCX heap overflow
--------------------

Heap overflow in the handling of PCX files.
The provided proof-of-concept should result in EIP 0x61616161 (EIP
overwritten with "aaaa" bytes).


--------------------
E] FLI heap overflow
--------------------

Heap overflow in the handling of the frames in FLI files.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/xnview_1.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/18491.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################