<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="../fma_report_en.xslt" type="text/xsl" ?>

<advisory xml:space="preserve">
	<meta>
		<description>IrfanView 4.33 PIC (Softimage) Heap Overflow vulnerability</description>
		<keywords>fuzzing, security, blackbox, tests, i_view32.exe, LCE, PIC, Softimage</keywords>
	</meta>

	<title>IrfanView 4.33 PIC (Softimage) Heap Overflow vulnerability</title>
	<id>FMA-2012-022</id>
	
	<application>
		<name>IrfanView</name>
		<version>4.3.3</version>
		<url>http://www.irfanview.com</url>
		<files>
			<file>
				<name>i_view32.exe</name>
				<version>4.3.3.0</version>
				<md5>072D046EDBA5528868DB40328A8E56F5</md5>
			</file>
			<file>
				<name>Formats.dll</name>
				<version>4.3.3.0</version>
				<md5>7282404700216C187D7B73122654EE2D</md5>
			</file>
		</files>		
		<verified>
			<os>
				<name>Windows XP SP3 Home Edition</name>
			</os>
			<os>
				<name>Windows XP SP3 Professional Edition</name>
			</os>
			<os>
				<name>Windows 7 SP1 Home Premium</name>
			</os>
		</verified>
	</application>
	
	<discovery>
		<found>2012.08.06</found>
		<vendor_notified>2012.08.07</vendor_notified>
		<published>2012.11.20</published>
	</discovery>

	<vulnerabilities>
	
	<vulnerability>
			<name>PIC (Softimage) heap overflow vulnerability</name>
			<type>LCE</type>
			<description>IrfanView does not validate the image width read from the PIC header. The value is used as a loop counter while decoding the PIC file, and the decoded pixel data is written into a previously allocated heap buffer by that loop. In the disassembly below, the length of each run appears to be bounded only against this header-derived value (EBP, loaded from [ESP+38]; see CMP EAX,EBP / JA at 0x100478CD) and never against the size of the destination buffer, so by tampering with the width an attacker can make the decoder write past the end of the allocation. The bytes written are taken from the file, so their values are attacker-influenced. The observed outcome is an access-violation exception (a crash); code execution has not been demonstrated in this advisory, but the type is classified as LCE because the out-of-bounds write is onto the heap with file-controlled data.</description>
			<exception>Access violation exception raised in the Formats.dll dynamic library (loaded at base 0x10000000) when the decode loop writes a BYTE past the end of the allocated buffer, into unmapped virtual address space. Note that the crash only surfaces once the write reaches an unmapped page; writes that land in adjacent mapped heap memory corrupt it silently, so the absence of a crash for a given input does not mean the overflow did not occur.</exception>
<disasm>1004788A    83F9 02         CMP ECX,2
1004788D  ^ 0F85 32FFFFFF   JNZ 100477C5
10047893    8B6C24 38       MOV EBP,DWORD PTR SS:[ESP+38]
10047897    3BEF            CMP EBP,EDI
10047899  ^ 0F86 26FFFFFF   JBE 100477C5
1004789F    8B5C24 2C       MOV EBX,DWORD PTR SS:[ESP+2C]
100478A3    53              PUSH EBX
100478A4    E8 DFF8FEFF     CALL 10037188
100478A9    8BF0            MOV ESI,EAX
100478AB    83C4 04         ADD ESP,4
100478AE    81FE 80000000   CMP ESI,80
100478B4    72 7B           JB SHORT 10047931
100478B6    75 0F           JNZ SHORT 100478C7
100478B8    6A 02           PUSH 2
100478BA    53              PUSH EBX
100478BB    E8 D0FDFFFF     CALL 10047690
100478C0    83C4 08         ADD ESP,8
100478C3    8BF0            MOV ESI,EAX
100478C5    EB 03           JMP SHORT 100478CA
100478C7    83EE 7F         SUB ESI,7F
100478CA    8D043E          LEA EAX,DWORD PTR DS:[ESI+EDI]
100478CD    3BC5            CMP EAX,EBP
100478CF    894424 34       MOV DWORD PTR SS:[ESP+34],EAX
100478D3    0F87 D7000000   JA 100479B0
100478D9    8B6C24 10       MOV EBP,DWORD PTR SS:[ESP+10]
100478DD    33FF            XOR EDI,EDI
100478DF    85ED            TEST EBP,EBP
100478E1    76 12           JBE SHORT 100478F5
100478E3    53              PUSH EBX
100478E4    E8 9FF8FEFF     CALL 10037188
100478E9    83C4 04         ADD ESP,4
100478EC    88443C 14       MOV BYTE PTR SS:[ESP+EDI+14],AL
100478F0    47              INC EDI
100478F1    3BFD            CMP EDI,EBP
100478F3  ^ 72 EE           JB SHORT 100478E3
100478F5    85F6            TEST ESI,ESI
100478F7    0F86 96000000   JBE 10047993
100478FD    33C0            XOR EAX,EAX
100478FF    85ED            TEST EBP,EBP
10047901    76 1E           JBE SHORT 10047921
10047903    8D7C24 18       LEA EDI,DWORD PTR SS:[ESP+18]
10047907    8B0F            MOV ECX,DWORD PTR DS:[EDI]
10047909    83F9 03         CMP ECX,3
1004790C    74 0B           JE SHORT 10047919
1004790E    8B5C24 30       MOV EBX,DWORD PTR SS:[ESP+30]
10047912    8A5404 14       MOV DL,BYTE PTR SS:[ESP+EAX+14]
10047916    881419          MOV BYTE PTR DS:[ECX+EBX],DL             ; [www.FuzzMyApp.com] Write byte into allocated buffer
10047919    40              INC EAX
1004791A    83C7 04         ADD EDI,4
1004791D    3BC5            CMP EAX,EBP
1004791F  ^ 72 E6           JB SHORT 10047907
10047921    8B4C24 30       MOV ECX,DWORD PTR SS:[ESP+30]
10047925    83C1 03         ADD ECX,3
10047928    4E              DEC ESI
10047929    894C24 30       MOV DWORD PTR SS:[ESP+30],ECX
1004792D  ^ 75 CE           JNZ SHORT 100478FD
1004792F    EB 62           JMP SHORT 10047993
10047931    46              INC ESI
10047932    8D043E          LEA EAX,DWORD PTR DS:[ESI+EDI]
10047935    3BC5            CMP EAX,EBP
10047937    894424 34       MOV DWORD PTR SS:[ESP+34],EAX
1004793B    0F87 93000000   JA 100479D4
10047941    85F6            TEST ESI,ESI
10047943    76 52           JBE SHORT 10047997
10047945    8BEE            MOV EBP,ESI
10047947    8B4424 10       MOV EAX,DWORD PTR SS:[ESP+10]
1004794B    85C0            TEST EAX,EAX
1004794D    76 36           JBE SHORT 10047985
1004794F    8D7C24 18       LEA EDI,DWORD PTR SS:[ESP+18]
10047953    8BD8            MOV EBX,EAX
10047955    8B37            MOV ESI,DWORD PTR DS:[EDI]
10047957    83FE 03         CMP ESI,3
1004795A    74 16           JE SHORT 10047972
1004795C    8B4424 2C       MOV EAX,DWORD PTR SS:[ESP+2C]
10047960    50              PUSH EAX
10047961    E8 22F8FEFF     CALL 10037188
10047966    8B4C24 34       MOV ECX,DWORD PTR SS:[ESP+34]
1004796A    83C4 04         ADD ESP,4
1004796D    88040E          MOV BYTE PTR DS:[ESI+ECX],AL
10047970    EB 0D           JMP SHORT 1004797F
10047972    8B5424 2C       MOV EDX,DWORD PTR SS:[ESP+2C]
10047976    52              PUSH EDX
10047977    E8 0CF8FEFF     CALL 10037188
1004797C    83C4 04         ADD ESP,4
1004797F    83C7 04         ADD EDI,4
10047982    4B              DEC EBX
10047983  ^ 75 D0           JNZ SHORT 10047955
10047985    8B4C24 30       MOV ECX,DWORD PTR SS:[ESP+30]
10047989    83C1 03         ADD ECX,3
1004798C    4D              DEC EBP
1004798D    894C24 30       MOV DWORD PTR SS:[ESP+30],ECX
10047991  ^ 75 B4           JNZ SHORT 10047947
10047993    8B6C24 38       MOV EBP,DWORD PTR SS:[ESP+38]
10047997    8B7C24 34       MOV EDI,DWORD PTR SS:[ESP+34]
1004799B    3BFD            CMP EDI,EBP
1004799D  ^ 0F82 FCFEFFFF   JB 1004789F                              ; [www.FuzzMyApp.com] Loop again?
100479A3    5F              POP EDI
100479A4    5E              POP ESI
100479A5    5D              POP EBP
100479A6    B8 01000000     MOV EAX,1
100479AB    5B              POP EBX
100479AC    83C4 18         ADD ESP,18
100479AF    C3              RETN</disasm>
			<images>
				<image>
					<thumbnail>
						<src>image01s.png</src>
						<width>100</width>
						<height>75</height>
					</thumbnail>
					<src>image01.png</src>
					<alt>Before overflowing allocated buffer.</alt>
					<text>Before overflowing allocated buffer.</text>
				</image>
				<image>
					<thumbnail>
						<src>image02s.png</src>
						<width>100</width>
						<height>75</height>
					</thumbnail>
					<src>image02.png</src>
					<alt>After overflowing allocated buffer.</alt>
					<text>After overflowing allocated buffer.</text>
				</image>
			</images>
		</vulnerability>	
	
	</vulnerabilities>
</advisory>