IrfanView 4.35 - ANI (Windows Animated Cursor Format) Heap Overflow Vulnerability
fuzzing, security, blackbox, tests, i_view32.exe, LCE, ANI, heap overflow
Advisory ID: FMA-2013-008
Product: IrfanView
Version: 4.35
Vendor URL: http://www.irfanview.com
Binary: i_view32.exe
File version: 4.3.5.0
File hash (MD5): 37C340F0FCC41DCCD2B70532C36E38AB
Tested on: Windows XP SP3 Professional Edition
Dates: 2013.04.19, 2013.04.25, 2013.07.03
Vulnerability type: Heap Overflow vulnerability.
Impact: LCE
IrfanView does not properly sanitize values read from the ANI file header. By tampering with header values, an attacker can force an overflow of the allocated buffer. Values read from the ANIH structure are used as the limit for a loop counter. In the second attached screenshot, the loop-counter limit is set to the excessively high value 0x41414141 ("AAAA"), and the copy loop writes data until it reaches the end of the allocated heap buffer. An access violation is raised because the application tries to write to the next memory address, which has no memory allocated. Successful exploitation can lead to code execution.
Access violation exception raised when writing at invalid address.
00401771 8BBC24 0C010000 MOV EDI,DWORD PTR SS:[ESP+10C]
00401778 893C02 MOV DWORD PTR DS:[EDX+EAX],EDI ; [www.FuzzMyApp.com] Write
0040177B 8908 MOV DWORD PTR DS:[EAX],ECX ; [www.FuzzMyApp.com] Write
0040177D 8BBC24 F8000000 MOV EDI,DWORD PTR SS:[ESP+F8]
00401784 41 INC ECX ; [www.FuzzMyApp.com] Increment counter
00401785 83C0 04 ADD EAX,4
00401788 3BCF CMP ECX,EDI ; [www.FuzzMyApp.com] We control EDI
0040178A ^ 7C E5 JL SHORT i_view32.00401771 ; [www.FuzzMyApp.com] Loop
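As an added defensive example (not IrfanView's code and not part of the advisory): a minimal ANI reader that bounds the cSteps count taken from the anih header by the rate data actually present in the file and by the destination buffer before entering the copy loop, so a header count such as 0x41414141 is rejected instead of driving the loop past the allocation. The RIFF/ACON, anih and rate chunk layout follows the documented ANI format; the function names and the constructed sample file are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ANIH_SIZE 36u /* documented size of the ANIHEADER structure */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Locate a RIFF sub-chunk by FourCC inside an ACON file; returns its payload (and length), or NULL. */
static const uint8_t *find_chunk(const uint8_t *buf, size_t len, const char *id, uint32_t *out_len) {
    size_t off = 12;                           /* skip "RIFF" <size> "ACON" */
    while (off + 8 <= len) {
        uint32_t clen = rd32(buf + off + 4);
        if (clen > len - off - 8) return NULL; /* chunk claims more bytes than the file holds */
        if (memcmp(buf + off, id, 4) == 0) { *out_len = clen; return buf + off + 8; }
        off += 8 + clen + (clen & 1);          /* RIFF chunks are word aligned */
    }
    return NULL;
}

/* Copy the per-step rate table into out[] using cSteps from anih; returns entries copied, or -1 on inconsistent input. */
int load_rate_table(const uint8_t *buf, size_t len, uint32_t *out, size_t out_cap) {
    uint32_t anih_len, rate_len;
    const uint8_t *anih = find_chunk(buf, len, "anih", &anih_len);
    const uint8_t *rate = find_chunk(buf, len, "rate", &rate_len);
    if (!anih || !rate || anih_len < ANIH_SIZE) return -1;
    uint32_t csteps = rd32(anih + 8);          /* ANIHEADER: cbSizeof, cFrames, then cSteps */
    /* The bound the advisory describes as missing: header count vs. data present vs. destination size. */
    if (csteps > rate_len / 4 || csteps > out_cap) return -1;
    for (uint32_t i = 0; i < csteps; i++)      /* loop limit is now validated, not header-controlled */
        out[i] = rd32(rate + 4 * i);
    return (int)csteps;
}

/* Constructed input: minimal ACON file claiming `claimed` steps but holding n rate entries. */
size_t build_ani(uint8_t *dst, uint32_t claimed, const uint32_t *rates, uint32_t n) {
    size_t off = 12;
    memcpy(dst, "RIFF", 4); memcpy(dst + 8, "ACON", 4);
    memcpy(dst + off, "anih", 4); wr32(dst + off + 4, ANIH_SIZE); off += 8;
    memset(dst + off, 0, ANIH_SIZE); wr32(dst + off, ANIH_SIZE);
    wr32(dst + off + 4, n); wr32(dst + off + 8, claimed); off += ANIH_SIZE;
    memcpy(dst + off, "rate", 4); wr32(dst + off + 4, 4 * n); off += 8;
    for (uint32_t i = 0; i < n; i++, off += 4) wr32(dst + off, rates[i]);
    wr32(dst + 4, (uint32_t)(off - 8)); return off; /* RIFF form size excludes its own 8-byte header */
}

/* Build a file with `claimed` steps and n (<= 8) real entries, then parse it into an 8-entry buffer. */
int check_case(uint32_t claimed, uint32_t n) {
    uint8_t f[128]; uint32_t rates[8], out[8];
    for (uint32_t i = 0; i < 8; i++) rates[i] = 10 * (i + 1);
    return load_rate_table(f, build_ani(f, claimed, rates, n), out, 8);
}
```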
[Screenshot 1 (image01.png): Limit for loop counter.]
[Screenshot 2 (image02.png): Access violation exception raised when writing at invalid address.]
[Screenshot 3 (image03.png): Memory profile (Private Bytes) for exploit and pattern processing by IrfanView.]