<?xml version="1.0"?>
<?xml-stylesheet href="../fma_report_en.xslt" type="text/xsl" ?>

<advisory xml:space="preserve">
	<meta>
		<description>XnView 1.99 IFF (Interchange File Format) ILBM (Interleaved Planar Bitmap Data) header parsing multiple Vulnerabilities</description>
		<keywords>fuzzing, security, blackbox, tests, xnview.exe, LCE, DoS, IFF, Interchange File Format</keywords>
	</meta>

	<title>XnView 1.99 IFF (Interchange File Format) ILBM (Interleaved Planar Bitmap Data) header parsing multiple Vulnerabilities</title>
	<id>FMA-2012-019</id>
	
	<application>
		<name>XnView</name>
		<version>1.99</version>
		<url>http://www.xnview.com</url>
		<files>
			<file>
				<name>xnview.exe</name>
				<version>1.99</version>
				<md5>8C61C6452509A44052609BA35FCF5D4B</md5>
			</file>
		</files>		
		<verified>
			<os>
				<name>Windows XP SP3 Home Edition</name>
			</os>
			<os>
				<name>Windows XP SP3 Professional Edition</name>
			</os>
		</verified>
	</application>
	
	<discovery>
		<found>2012.08.01</found>
		<vendor_notified>2012.09.05</vendor_notified>
		<published>2012.10.30</published>
	</discovery>

	<vulnerabilities>
	
	<vulnerability>
			<name>ILBM (Interleaved Planar Bitmap Data) number of bitplanes header value parsing vulnerability</name>
			<type>LCE</type>
			<description>XnView does not properly sanitize the number-of-bitplanes property read from the IFF file header. By tampering with the header values Bitplanes, Masking, Compress and Padding, and with the local variables of the data-processing loop, an attacker can force the application to write a BYTE value at an arbitrary address. A successful exploitation can lead to Code Exception.</description>
			<exception>Access violation exception raised in the XnView.exe module (loaded at 0x00400000) when writing a BYTE value.</exception>
<disasm>00688D55  |> \66:83FD 18    ||CMP BP,18                              ;  [www.FuzzMyApp.com] Compare number of bitplanes
00688D59  |.  75 2D         ||JNZ SHORT xnview.00688D88
00688D5B  |.  8B4C24 18     ||MOV ECX,DWORD PTR SS:[ESP+18]
00688D5F  |.  8BD0          ||MOV EDX,EAX
00688D61  |.  C1EA 10       ||SHR EDX,10
00688D64  |.  8811          ||MOV BYTE PTR DS:[ECX],DL
00688D66  |.  41            ||INC ECX
00688D67  |.  894C24 18     ||MOV DWORD PTR SS:[ESP+18],ECX
00688D6B  |.  8B4C24 1C     ||MOV ECX,DWORD PTR SS:[ESP+1C]
00688D6F  |.  8BD0          ||MOV EDX,EAX
00688D71  |.  C1EA 08       ||SHR EDX,8
00688D74  |.  8811          ||MOV BYTE PTR DS:[ECX],DL
00688D76  |.  41            ||INC ECX
00688D77  |.  894C24 1C     ||MOV DWORD PTR SS:[ESP+1C],ECX
00688D7B  |.  8B4C24 20     ||MOV ECX,DWORD PTR SS:[ESP+20]
00688D7F  |.  8801          ||MOV BYTE PTR DS:[ECX],AL
00688D81  |.  41            ||INC ECX
00688D82  |.  894C24 20     ||MOV DWORD PTR SS:[ESP+20],ECX
00688D86  |.  EB 21         ||JMP SHORT xnview.00688DA9
00688D88  |>  0FBF4E 0A     ||MOVSX ECX,WORD PTR DS:[ESI+A]
00688D8C  |.  3BC1          ||CMP EAX,ECX
00688D8E  |.  73 0D         ||JNB SHORT xnview.00688D9D
00688D90  |.  8B4C24 24     ||MOV ECX,DWORD PTR SS:[ESP+24]          ;  [www.FuzzMyApp.com] If we can force local variable to point to our value
00688D94  |.  8801          ||MOV BYTE PTR DS:[ECX],AL               ;  [www.FuzzMyApp.com] Then we can write BYTE anywhere in VA space
00688D96  |.  41            ||INC ECX
00688D97  |.  894C24 24     ||MOV DWORD PTR SS:[ESP+24],ECX          ;  [www.FuzzMyApp.com] Update local variable of our interest</disasm>
			<images>
				<image>
					<thumbnail>
						<src>image01s.png</src>
						<width>100</width>
						<height>63</height>
					</thumbnail>
					<src>image01.png</src>
					<alt>Access violation exception.</alt>
					<text>Access violation exception.</text>
				</image>
			</images>
		</vulnerability>	
		
	<vulnerability>
			<name>ILBM (Interleaved Planar Bitmap Data) number of bitplanes header value parsing vulnerability</name>
			<type>LCE</type>
			<description>XnView does not properly sanitize the number-of-bitplanes property read from the IFF file header. By tampering with the header values Bitplanes and Top, and with the local variables of the data-processing loop, an attacker can force the application to write a zero BYTE value at an arbitrary address. A successful exploitation can lead to Code Exception.</description>
			<exception>Access violation exception raised in the XnView.exe module (loaded at 0x00400000) when writing a zero BYTE value.</exception>
<disasm>00688D55  |> \66:83FD 18    ||CMP BP,18                              ;  [www.FuzzMyApp.com] Compare number of bitplanes
00688D59  |.  75 2D         ||JNZ SHORT xnview.00688D88
00688D5B  |.  8B4C24 18     ||MOV ECX,DWORD PTR SS:[ESP+18]
00688D5F  |.  8BD0          ||MOV EDX,EAX
00688D61  |.  C1EA 10       ||SHR EDX,10
00688D64  |.  8811          ||MOV BYTE PTR DS:[ECX],DL
00688D66  |.  41            ||INC ECX
00688D67  |.  894C24 18     ||MOV DWORD PTR SS:[ESP+18],ECX
00688D6B  |.  8B4C24 1C     ||MOV ECX,DWORD PTR SS:[ESP+1C]
00688D6F  |.  8BD0          ||MOV EDX,EAX
00688D71  |.  C1EA 08       ||SHR EDX,8
00688D74  |.  8811          ||MOV BYTE PTR DS:[ECX],DL
00688D76  |.  41            ||INC ECX
00688D77  |.  894C24 1C     ||MOV DWORD PTR SS:[ESP+1C],ECX
00688D7B  |.  8B4C24 20     ||MOV ECX,DWORD PTR SS:[ESP+20]
00688D7F  |.  8801          ||MOV BYTE PTR DS:[ECX],AL
00688D81  |.  41            ||INC ECX
00688D82  |.  894C24 20     ||MOV DWORD PTR SS:[ESP+20],ECX
00688D86  |.  EB 21         ||JMP SHORT xnview.00688DA9
00688D88  |>  0FBF4E 0A     ||MOVSX ECX,WORD PTR DS:[ESI+A]
00688D8C  |.  3BC1          ||CMP EAX,ECX
00688D8E  |.  73 0D         ||JNB SHORT xnview.00688D9D
00688D90  |.  8B4C24 24     ||MOV ECX,DWORD PTR SS:[ESP+24]
00688D94  |.  8801          ||MOV BYTE PTR DS:[ECX],AL
00688D96  |.  41            ||INC ECX
00688D97  |.  894C24 24     ||MOV DWORD PTR SS:[ESP+24],ECX
00688D9B  |.  EB 0C         ||JMP SHORT xnview.00688DA9
00688D9D  |>  8B4424 24     ||MOV EAX,DWORD PTR SS:[ESP+24]          ;  [www.FuzzMyApp.com] If we can force local variable to point to our value
00688DA1  |.  C600 00       ||MOV BYTE PTR DS:[EAX],0                ;  [www.FuzzMyApp.com] Then we can write BYTE == 0 anywhere in VA space
00688DA4  |.  40            ||INC EAX
00688DA5  |.  894424 24     ||MOV DWORD PTR SS:[ESP+24],EAX          ;  [www.FuzzMyApp.com] Update local variable of our interest
00688DA9  |>  8A4424 13     ||MOV AL,BYTE PTR SS:[ESP+13]
00688DAD  |.  D0E8          ||SHR AL,1
00688DAF  |.  884424 13     ||MOV BYTE PTR SS:[ESP+13],AL</disasm>
			<images>
				<image>
					<thumbnail>
						<src>image02s.png</src>
						<width>100</width>
						<height>63</height>
					</thumbnail>
					<src>image02.png</src>
					<alt>Access violation exception.</alt>
					<text>Access violation exception.</text>
				</image>
			</images>
		</vulnerability>	
	
	</vulnerabilities>
</advisory>