IrfanView 4.27 - 4.32 ANI (Windows Animated Cursor) Denial of Service Vulnerability
fuzzing, security, blackbox, tests, i_view32.exe, DoS, ANI, antivirus, ESET, KIS 2013, false positive
FMA-2010-005
IrfanView
4.27 - 4.32
http://www.irfanview.com
i_view32.exe
4.32
89804B494D19D98BF54F9365909E626A
Windows XP SP3 Home Edition
Windows XP SP3 Professional Edition
2010.08.15
2012.02.15
2012.04.11
Denial of Service Vulnerability.
DoS
While processing a malformed ANI file, IrfanView incorrectly calculates a data buffer address. No sanity check is performed on it, which leads to an application crash.

After testing IrfanView, side research was conducted. Around 2007, the Windows ANI vulnerability was widely exploited in the wild, and a lot of security software (e.g. antivirus products) was enhanced to detect ANI exploits. In 2010 we checked how the then-current ESET 4.0 AntiVirus handled our set of fuzzed ANI samples, generated with a basic set of mutation patterns. Many samples were classified as variants of Win32/TrojanDownloader.Ani.Gen, which was of course incorrect. In 2013 we revisited this issue and checked whether there had been any improvement in the false positive classification of malformed ANI files by popular antivirus products. ESET Smart Security 6.0 and Kaspersky Internet Security 2013 were selected for this test. Unfortunately, no improvement in false positive detection has been made yet.
Access violation exception raised in module i_view32.exe when reading a byte value from an incorrectly calculated pointer.
MOV EAX,DWORD PTR SS:[ESP+4]
MOV DL,080h
MOV CL,AL
PUSH EBX
AND CL,7
SHR DL,CL
MOV ECX,DWORD PTR SS:[ESP+0Ch]
SHR EAX,3
MOV BL,BYTE PTR DS:[EAX+ECX] ;read from DS:[00172BAF]=???
AND DL,BL
POP EBX
NEG DL
SBB EDX,EDX
NEG EDX
MOV EAX,EDX
RETN
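The routine above tests a single bit in a byte buffer and has no knowledge of the buffer's size, so a wrong index or base pointer goes straight to the faulting read. As an added example (not IrfanView's source and not part of the original advisory), the C code below renders the disassembly as a function and sets a bounds-checked form beside it; the function names, the `buf_len` parameter, the -1 error return and the sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* C reading of the listed routine: test bit `bit_index` (MSB first) in `buf`.
 * No length is available, so a bad index or pointer is dereferenced as-is. */
static int bit_test_unchecked(uint32_t bit_index, const uint8_t *buf)
{
    uint8_t mask = (uint8_t)(0x80u >> (bit_index & 7u)); /* MOV DL,80h / AND CL,7 / SHR DL,CL */
    return (buf[bit_index >> 3] & mask) != 0;            /* SHR EAX,3 / MOV BL,[EAX+ECX] / AND DL,BL */
}

/* Hardened form. Assumption: the caller knows the buffer size in bytes.
 * Returns 0 or 1 for a valid index, -1 if the read would leave the buffer. */
static int bit_test_checked(uint32_t bit_index, const uint8_t *buf, size_t buf_len)
{
    size_t byte_off = bit_index >> 3;

    if (buf == NULL || byte_off >= buf_len)
        return -1;
    return (buf[byte_off] & (0x80u >> (bit_index & 7u))) != 0;
}

/* Constructed sample: a 2-byte bit buffer with bits 0 and 15 set. */
static const uint8_t sample_bits[2] = { 0x80, 0x01 };

int main(void)
{
    /* In-range indexes: both forms agree. */
    printf("unchecked bit 0  -> %d\n", bit_test_unchecked(0, sample_bits));
    printf("checked   bit 15 -> %d\n",
           bit_test_checked(15, sample_bits, sizeof sample_bits));

    /* Out-of-range index: only the checked form is safe to call. */
    printf("checked   bit 16 -> %d\n",
           bit_test_checked(16, sample_bits, sizeof sample_bits));
    return 0;
}
```

A caller that gets -1 should reject the file as malformed instead of continuing to decode it.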
[Figure image01.png: Access violation exception raised in module i_view32.exe.]
[Figure image02.png: ESET 4.0 Antivirus false positive alerts for ANI fuzzed samples.]
[Figure image03.png: Fuzzed ANI samples preview in Explorer.]
[Figure image04.png: Kaspersky Internet Security 2013 false positive alerts for ANI fuzzed samples.]