IrfanView 4.27 - 4.32 ANI (Windows Animated Cursor) Denial of Service Vulnerability

IrfanView 4.27 - 4.32 ANI (Windows Animated Cursor) Denial of Service Vulnerability fuzzing, security, blackbox, tests, i_view32.exe, DoS, ANI, antivirus, ESET, KIS 2013, false positive IrfanView 4.27 - 4.32 ANI (Windows Animated Cursor) Denial of Service Vulnerability FMA-2010-005 IrfanView 4.27 - 4.32 http://www.irfanview.com i_view32.exe 4.32 89804B494D19D98BF54F9365909E626A Windows XP SP3 Home Edition Windows XP SP3 Professional Edition 2010.08.15 2012.02.15 2012.04.11 Denial of Service Vulnerability. DoS During processing of malformed ANI file, IrfanView calculates incorrectly data buffer address, no sanity check is performed which leads to application crash. After testing IrfanView, side research was conducted. Around year 2007 Windows ANI exploit was a very popular vulnerability exploited in the wild. Lots of security software (ex. antiviruses) was enhanced to detect ANI exploits. In 2010 we checked how current (at that time) ESET 4.0 AntiVirus was handling our set of fuzzed ANI samples generated with basic set of mutation patterns. Lots of samples were classified as variants of Win32/TrojanDownloader.Ani.Gen, which was of course invalid. So far, in 2013 we have revisited this issue and checked if there has been any improvement in false positive classification of malformed ANI files by popular antiviruses. ESET Smart Security 6.0 and Kaspersky Internet Security 2013 were selected for this test, unfortunately no improvements of false positive detection have been done yet. Access violation exception raised in module i_view32.exe when reading byte value form incorrectly calculated pointer. MOV EAX,DWORD PTR SS:[ESP+4] MOV DL,080h MOV CL,AL PUSH EBX AND CL,7 SHR DL,CL MOV ECX,DWORD PTR SS:[ESP+0Ch] SHR EAX,3 MOV BL,BYTE PTR DS:[EAX+ECX] ;read from DS:[00172BAF]=??? AND DL,BL POP EBX NEG DL SBB EDX,EDX NEG EDX MOV EAX,EDX RETN image01s.png 100 62 image01.png Access violation exception raised in module i_view32.exe. Access violation exception raised in module i_view32.exe. image02s.png 100 67 image02.png ESET 4.0 Antivirus false positive alerts for ANI fuzzed samples. ESET 4.0 Antivirus false positive alerts for ANI fuzzed samples. image03s.png 100 92 image03.png Fuzzed ANI samples preview in Explorer. Fuzzed ANI samples preview in Explorer. image04s.png 100 68 image04.png Kaspersky Internet Security 2013 false positive alerts for ANI fuzzed samples. Kaspersky Internet Security 2013 false positive alerts for ANI fuzzed samples.