#######################################################################
Luigi Auriemma
Application: XnView
http://www.xnview.com
Versions: <= 1.98.5
Platforms: Windows
Bugs: A] integer overflow in width/height calculation
B] jpeg heap overflow
C] ICO heap overflow
D] PCX heap overflow
E] FLI heap overflow
Exploitation: via file
Date: 16 Feb 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
"XnView is an efficient multimedia viewer, browser and converter
supporting more than 400 graphics formats"
#######################################################################
=======
2) Bugs
=======
Note that this program has been tested only for a quick blind
experiment of some minutes so this advisory is not much completed or
detailed.
-----------------------------------------------
A] integer overflow in width/height calculation
-----------------------------------------------
The function that handles the width/height of the screen used for any
file format if affected by some integer overflow vulnerabilities:
0047DB20 /$ 83EC 18 SUB ESP,18
...
0047DB78 |> 8B4424 38 MOV EAX,DWORD PTR SS:[ESP+38]
0047DB7C |. 8B4C24 3C MOV ECX,DWORD PTR SS:[ESP+3C]
0047DB80 |. 8B6C24 34 MOV EBP,DWORD PTR SS:[ESP+34]
0047DB84 |. 8947 08 MOV DWORD PTR DS:[EDI+8],EAX
0047DB87 |. 894F 0C MOV DWORD PTR DS:[EDI+C],ECX
0047DB8A |. 8B55 00 MOV EDX,DWORD PTR SS:[EBP]
0047DB8D |. 8957 10 MOV DWORD PTR DS:[EDI+10],EDX
0047DB90 |. 8B4D 04 MOV ECX,DWORD PTR SS:[EBP+4]
0047DB93 |. 8D1485 00000000 LEA EDX,DWORD PTR DS:[EAX*4] ; integer overflow
0047DB9A |. 894F 14 MOV DWORD PTR DS:[EDI+14],ECX
0047DB9D |. 52 PUSH EDX
0047DB9E |. E8 B8311400 CALL xnview.005C0D5B ; malloc
0047DBA3 |. 8907 MOV DWORD PTR DS:[EDI],EAX
0047DBA5 |. 8B47 0C MOV EAX,DWORD PTR DS:[EDI+C]
0047DBA8 |. C1E0 02 SHL EAX,2 ; integer overflow
0047DBAB |. 50 PUSH EAX
0047DBAC |. E8 AA311400 CALL xnview.005C0D5B ; malloc
0047DBB1 |. 8B4F 08 MOV ECX,DWORD PTR DS:[EDI+8]
0047DBB4 |. 8947 04 MOV DWORD PTR DS:[EDI+4],EAX
0047DBB7 |. 8B45 00 MOV EAX,DWORD PTR SS:[EBP]
0047DBBA |. 83C4 08 ADD ESP,8
0047DBBD |. 3BC8 CMP ECX,EAX
0047DBBF |. 75 51 JNZ SHORT xnview.0047DC12
0047DBC1 |. 8B57 0C MOV EDX,DWORD PTR DS:[EDI+C]
0047DBC4 |. 8B45 04 MOV EAX,DWORD PTR SS:[EBP+4]
0047DBC7 |. 3BD0 CMP EDX,EAX
0047DBC9 |. 75 47 JNZ SHORT xnview.0047DC12
0047DBCB |. 33C0 XOR EAX,EAX
0047DBCD |. 3BCE CMP ECX,ESI
0047DBCF |. 7E 16 JLE SHORT xnview.0047DBE7
0047DBD1 |> 33C9 /XOR ECX,ECX ; write loop
0047DBD3 |. 8B17 |MOV EDX,DWORD PTR DS:[EDI]
0047DBD5 |. 66:8B4D 0E |MOV CX,WORD PTR SS:[EBP+E]
0047DBD9 |. 0FAFC8 |IMUL ECX,EAX
0047DBDC |. 890C82 |MOV DWORD PTR DS:[EDX+EAX*4],ECX
0047DBDF |. 8B4F 08 |MOV ECX,DWORD PTR DS:[EDI+8]
0047DBE2 |. 40 |INC EAX
0047DBE3 |. 3BC1 |CMP EAX,ECX
0047DBE5 |.^7C EA \JL SHORT xnview.0047DBD1
0047DBE7 |> 8B4F 0C MOV ECX,DWORD PTR DS:[EDI+C]
0047DBEA |. 33C0 XOR EAX,EAX
0047DBEC |. 3BCE CMP ECX,ESI
0047DBEE |. 0F8E B6000000 JLE xnview.0047DCAA
0047DBF4 |> 8B4D 08 /MOV ECX,DWORD PTR SS:[EBP+8] ; write loop
0047DBF7 |. 8B75 28 |MOV ESI,DWORD PTR SS:[EBP+28]
0047DBFA |. 0FAFC8 |IMUL ECX,EAX
0047DBFD |. 8B57 04 |MOV EDX,DWORD PTR DS:[EDI+4]
0047DC00 |. 03CE |ADD ECX,ESI
0047DC02 |. 890C82 |MOV DWORD PTR DS:[EDX+EAX*4],ECX
0047DC05 |. 8B4F 0C |MOV ECX,DWORD PTR DS:[EDI+C]
0047DC08 |. 40 |INC EAX
0047DC09 |. 3BC1 |CMP EAX,ECX
0047DC0B |.^7C E7 \JL SHORT xnview.0047DBF4
0047DC0D |. E9 98000000 JMP xnview.0047DCAA
The content of the 32bit value to write depends by the file format and
the continuation of the execution after the exception may depend by the
system in use (more chances using Windows 7).
---------------------
B] jpeg heap overflow
---------------------
Heap overflow during the handling of the "Samples per Line" in the
Baseline DCT header:
006E1E5B > 8B7424 3C MOV ESI,DWORD PTR SS:[ESP+3C]
006E1E5F . 8B6C24 14 MOV EBP,DWORD PTR SS:[ESP+14]
006E1E63 > 33DB XOR EBX,EBX
006E1E65 . 83C1 03 ADD ECX,3
006E1E68 . 8A1C06 MOV BL,BYTE PTR DS:[ESI+EAX]
006E1E6B . 8BF3 MOV ESI,EBX
006E1E6D . 33DB XOR EBX,EBX
006E1E6F . 8A18 MOV BL,BYTE PTR DS:[EAX]
006E1E71 . 8BFB MOV EDI,EBX
006E1E73 . 33DB XOR EBX,EBX
006E1E75 . 8A1C28 MOV BL,BYTE PTR DS:[EAX+EBP]
006E1E78 . 8BEB MOV EBP,EBX
006E1E7A . 8B5C24 18 MOV EBX,DWORD PTR SS:[ESP+18]
006E1E7E . 8B1CAB MOV EBX,DWORD PTR DS:[EBX+EBP*4]
006E1E81 . 03DE ADD EBX,ESI
006E1E83 . 8A1413 MOV DL,BYTE PTR DS:[EBX+EDX]
006E1E86 . 8851 FD MOV BYTE PTR DS:[ECX-3],DL
006E1E89 . 8B5424 1C MOV EDX,DWORD PTR SS:[ESP+1C]
006E1E8D . 8B1CBA MOV EBX,DWORD PTR DS:[EDX+EDI*4]
006E1E90 . 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20]
006E1E94 . 031CAA ADD EBX,DWORD PTR DS:[EDX+EBP*4]
006E1E97 . 8B5424 24 MOV EDX,DWORD PTR SS:[ESP+24]
006E1E9B . C1FB 10 SAR EBX,10
006E1E9E . 03DE ADD EBX,ESI
006E1EA0 . 8A1C13 MOV BL,BYTE PTR DS:[EBX+EDX]
006E1EA3 . 8859 FE MOV BYTE PTR DS:[ECX-2],BL
006E1EA6 . 8B5C24 28 MOV EBX,DWORD PTR SS:[ESP+28]
006E1EAA . 8B3CBB MOV EDI,DWORD PTR DS:[EBX+EDI*4]
006E1EAD . 03FE ADD EDI,ESI
006E1EAF . 8B7424 34 MOV ESI,DWORD PTR SS:[ESP+34]
006E1EB3 . 40 INC EAX
006E1EB4 . 4E DEC ESI
006E1EB5 . 8A1C17 MOV BL,BYTE PTR DS:[EDI+EDX]
006E1EB8 . 897424 34 MOV DWORD PTR SS:[ESP+34],ESI
006E1EBC . 8859 FF MOV BYTE PTR DS:[ECX-1],BL
006E1EBF .^75 9A JNZ SHORT xnview.006E1E5B
--------------------
C] ICO heap overflow
--------------------
Heap overflow during the handling of an ICO file with a smaller number
of bits per pixels than how much specified in the main header.
--------------------
D] PCX heap overflow
--------------------
Heap overflow in the handling of the PCX files.
The provided proof-of-concept should result in EIP 0x61616161.
--------------------
E] FLI heap overflow
--------------------
Heap overflow in the handling of the frames in the FLI files.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/xnview_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18491.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################