<?xml version="1.0"?>
<?xml-stylesheet href="../fma_report_en.xslt" type="text/xsl" ?>

<advisory xml:space="preserve">
	<meta>
		<description>XnView 1.99.6 KRO (Kolor Raw Format) Heap Overflow Vulnerability</description>
		<keywords>fuzzing, security, blackbox, tests, xnview.exe, LCE, KRO, Kolor Raw Format</keywords>
	</meta>

	<title>XnView 1.99.6 KRO (Kolor Raw Format) Heap Overflow Vulnerability</title>
	<id>FMA-2012-035</id>
	
	<application>
		<name>XnView</name>
		<version>1.99.6</version>
		<url>http://www.xnview.com</url>
		<files>
			<file>
				<name>xnview.exe</name>
				<version>1.99.6</version>
				<md5>F5C67B2F2FCAF54971BAE9D317E0FF5A</md5>
			</file>
		</files>		
		<verified>
			<os>
				<name>Windows XP SP3 Professional Edition</name>
			</os>
		</verified>
	</application>
	
	<discovery>
		<found>2012.09.29</found>
		<vendor_notified>2013.02.04</vendor_notified>
		<published>2013.04.17</published>
	</discovery>

	<vulnerabilities>
	
	<vulnerability>
			<name>Heap Overflow vulnerability.</name>
			<type>LCE</type>
			<description>XnView does not properly sanitize values read from the KRO file header. By tampering with the header values, an attacker can force an overflow/overwrite of the given data. The vulnerability was first found in version 1.99.1 of XnView; version 1.99.6 (the latest at the time of writing) was later retested and the same vulnerability was detected. Successful exploitation can lead to code execution.</description>
			<exception>Access violation exception raised when writing to an invalid address.</exception>
<disasm>005C8DE0   $  55               PUSH EBP
005C8DE1   .  8BEC             MOV EBP,ESP
005C8DE3   .  57               PUSH EDI
005C8DE4   .  56               PUSH ESI
005C8DE5   .  8B75 0C          MOV ESI,DWORD PTR SS:[EBP+C]                     ;  [www.FuzzMyApp.com] Source, KRO file data starting at offset 014h
005C8DE8   .  8B4D 10          MOV ECX,DWORD PTR SS:[EBP+10]                    ;  [www.FuzzMyApp.com] Count
005C8DEB   .  8B7D 08          MOV EDI,DWORD PTR SS:[EBP+8]                     ;  [www.FuzzMyApp.com] Destination (in example 0x00000000h)
005C8DEE   .  8BC1             MOV EAX,ECX
005C8DF0   .  8BD1             MOV EDX,ECX
005C8DF2   .  03C6             ADD EAX,ESI
005C8DF4   .  3BFE             CMP EDI,ESI
005C8DF6   .  76 08            JBE SHORT xnview.005C8E00
005C8DF8   .  3BF8             CMP EDI,EAX
005C8DFA   .  0F82 78010000    JB xnview.005C8F78
005C8E00   >  F7C7 03000000    TEST EDI,3
005C8E06   .  75 14            JNZ SHORT xnview.005C8E1C
005C8E08   .  C1E9 02          SHR ECX,2
005C8E0B   .  83E2 03          AND EDX,3
005C8E0E   .  83F9 08          CMP ECX,8
005C8E11   .  72 29            JB SHORT xnview.005C8E3C
005C8E13   .  F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]</disasm>
			<images>
				<image>
					<thumbnail>
						<src>image01s.png</src>
						<width>100</width>
						<height>65</height>
					</thumbnail>
					<src>image01.png</src>
					<alt>Access violation exception raised when writing to an invalid address.</alt>
					<text>Access violation exception raised when writing to an invalid address.</text>
				</image>
			</images>
		</vulnerability>	
	
	</vulnerabilities>
</advisory>