<?xml version="1.0"?>
<?xml-stylesheet href="../fma_report_en.xslt" type="text/xsl" ?>

<advisory xml:space="preserve">
	<meta>
		<description>IrfanView 4.33 NLM (Nokia Logo File) Use After Free vulnerability</description>
		<keywords>fuzzing, security, blackbox, tests, i_view32.exe, LCE, NLM, Nokia Logo File</keywords>
	</meta>

	<title>IrfanView 4.33 NLM (Nokia Logo File) Use After Free vulnerability</title>
	<id>FMA-2012-023</id>
	
	<application>
		<name>IrfanView</name>
		<version>4.3.3</version>
		<url>http://www.irfanview.com</url>
		<files>
			<file>
				<name>i_view32.exe</name>
				<version>4.3.3.0</version>
				<md5>072D046EDBA5528868DB40328A8E56F5</md5>
			</file>
			<file>
				<name>LogoManager.dll</name>
				<version>n/a</version>
				<md5>A0D834D33A6C23B546AC62D9F570C03A</md5>
			</file>
		</files>		
		<verified>
			<os>
				<name>Windows XP SP3 Home Edition</name>
			</os>
			<os>
				<name>Windows XP SP3 Professional Edition</name>
			</os>
		</verified>
	</application>
	
	<discovery>
		<found>2012.08.06</found>
		<vendor_notified>2012.08.21</vendor_notified>
		<published>2012.11.20</published>
	</discovery>

	<vulnerabilities>
	
	<vulnerability>
			<name>NLM (Nokia Logo File) Use After Free vulnerability</name>
			<type>LCE</type>
			<description>IrfanView does not sanitize the image width and height properties read from the NLM file header. By tampering with these values, an attacker can force the application to read more data than required, underflowing allocated buffers with uninitialized data. After the uninitialized block ends, the application can be forced to copy a freed memory block into the allocated buffer. A successful exploitation can lead to Code Exception.</description>
			<exception>Access violation exception raised in the LogoManager.dll dynamic library (loaded at 0x10000000) when reading a DWORD value past the end of the allocated buffer.</exception>
<disasm>1000247B    8B4C24 20       MOV ECX,DWORD PTR SS:[ESP+20]                           ; [www.FuzzMyApp.com] How many DWORDs will be copied
1000247F    03F3            ADD ESI,EBX
10002481    8BC1            MOV EAX,ECX
10002483    8BFD            MOV EDI,EBP
10002485    C1E9 02         SHR ECX,2
10002488    F3:A5           REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]          ; [www.FuzzMyApp.com] Copy data
1000248A    8BC8            MOV ECX,EAX
1000248C    83E1 03         AND ECX,3
1000248F    03D8            ADD EBX,EAX
10002491    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
10002493    8B7424 44       MOV ESI,DWORD PTR SS:[ESP+44]
10002497    8B7C24 2C       MOV EDI,DWORD PTR SS:[ESP+2C]
1000249B    EB 1F           JMP SHORT 100024BC
1000249D    8B4C24 18       MOV ECX,DWORD PTR SS:[ESP+18]
100024A1    57              PUSH EDI
100024A2    8D1433          LEA EDX,DWORD PTR DS:[EBX+ESI]
100024A5    51              PUSH ECX
100024A6    52              PUSH EDX
100024A7    6A 00           PUSH 0
100024A9    55              PUSH EBP
100024AA    E8 21EEFFFF     CALL 100012D0
100024AF    8B4424 2C       MOV EAX,DWORD PTR SS:[ESP+2C]
100024B3    83C4 14         ADD ESP,14
100024B6    03C7            ADD EAX,EDI
100024B8    894424 18       MOV DWORD PTR SS:[ESP+18],EAX
100024BC    8B4424 30       MOV EAX,DWORD PTR SS:[ESP+30]
100024C0    8B48 1C         MOV ECX,DWORD PTR DS:[EAX+1C]
100024C3    8B4424 24       MOV EAX,DWORD PTR SS:[ESP+24]
100024C7    83C1 03         ADD ECX,3
100024CA    83E1 FC         AND ECX,FFFFFFFC
100024CD    03E9            ADD EBP,ECX
100024CF    48              DEC EAX
100024D0    894424 24       MOV DWORD PTR SS:[ESP+24],EAX
100024D4  ^ 75 9D           JNZ SHORT 10002473                                      ; [www.FuzzMyApp.com] Loop again? counter(EAX)</disasm>
			<images>
				<image>
					<thumbnail>
						<src>image01s.png</src>
						<width>100</width>
						<height>79</height>
					</thumbnail>
					<src>image01.png</src>
					<alt>Use after free.</alt>
					<text>Use after free.</text>
				</image>
				<image>
					<thumbnail>
						<src>image02s.png</src>
						<width>100</width>
						<height>79</height>
					</thumbnail>
					<src>image02.png</src>
					<alt>End of source buffer, access violation exception.</alt>
					<text>End of source buffer, access violation exception.</text>
				</image>
			</images>
		</vulnerability>	
	
	</vulnerabilities>
</advisory>