IrfanView 4.35 - ANI (Windows Animated Cursor Format) Heap Overflow Vulnerability fuzzing, security, blackbox, tests, i_view32.exe, LCE, ANI, heap overflow FMA-2013-008 IrfanView 4.35 http://www.irfanview.com i_view32.exe 4.3.5.0 37C340F0FCC41DCCD2B70532C36E38AB Windows XP SP3 Professional Edition 2013.04.19 2013.04.25 2013.07.03 Heap Overflow vulnerability. LCE IrfanView does not properly sanitize values read from ANI file header. Tampering with header values, exploiter can force overflow of allocated buffer. Values read from ANIH structure are treated as a limit for loop counter. On second of attached screens, limit for loop counter is set to too high value 0x41414141 "AAAA" and copy loop writes data till end of allocated heap buffer. Access violation is raised because application tires to write to next memory address which has no memory allocated. A successful exploitation can lead to Code Execution. Access violation exception raised when writing at invalid address. 00401771 8BBC24 0C010000 MOV EDI,DWORD PTR SS:[ESP+10C] 00401778 893C02 MOV DWORD PTR DS:[EDX+EAX],EDI ; [www.FuzzMyApp.com] Write 0040177B 8908 MOV DWORD PTR DS:[EAX],ECX ; [www.FuzzMyApp.com] Write 0040177D 8BBC24 F8000000 MOV EDI,DWORD PTR SS:[ESP+F8] 00401784 41 INC ECX ; [www.FuzzMyApp.com] Increment counter 00401785 83C0 04 ADD EAX,4 00401788 3BCF CMP ECX,EDI ; [www.FuzzMyApp.com] We control EDI 0040178A ^ 7C E5 JL SHORT i_view32.00401771 ; [www.FuzzMyApp.com] Loop image01s.png 100 66 image01.png Limit for loop counter. Limit for loop counter. image02s.png 100 66 image02.png Access violation exception raised when writing at invalid address. Access violation exception raised when writing at invalid address. image03s.png 83 100 image03.png Memory profile (Private Bytes) for exploit and pattern processing by IrfanView. Memory profile (Private Bytes) for exploit and pattern processing by IrfanView.