Last time, when we talked about bugs in XnView, I was surprised by 'how good' the response 'from the Vendor' could be. But when the 'response' is not 'responsible', responsible disclosure is pointless. So, here we go...
This time I followed the same approach as before: I "started fuzzing XnView". But (just like before) I realized that XnView Classic is not XnView MP... So I fuzzed both. ;)
All cases were tested only on Windows 7 (32-bit), so I don't know whether you can get similar results on other operating systems. You can try that :) So...
We will start with XnView MP 0.93.1 (TL;DR - XnView MP 0.93.1 pack):
01# - VCRUNTIME140!memcpy:
---<windbg>---
eax=00000000 ebx=038a6d40 ecx=00000018 edx=000000da esi=038edc40 edi=03941000
eip=72cc2c63 esp=05a3e580 ebp=05a3e598 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
VCRUNTIME140!memcpy+0x483:
72cc2c63 660f7f07 movdqa xmmword ptr [edi],xmm0 ds:0023:03941000=????????????????????????????????
---</windbg>---
02# - ntdll!RtlFreeHeap:
---<windbg>---
eax=20746665 ebx=af55275c ecx=6f6e3bf6 edx=00006f6e esi=6b26a2f2 edi=af550000
eip=772e205b esp=002abdb8 ebp=002abdec iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!RtlFreeHeap+0x12a:
772e205b 8930 mov dword ptr [eax],esi ds:0023:20746665=????????
---</windbg>---
03# - ntdll!RtlpNtMakeTemporaryKey:
---<windbg>---
eax=0679f248 ebx=00000000 ecx=772907ed edx=0679efe5 esi=00330000 edi=03b9ffe8
eip=7733283b esp=0679f238 ebp=0679f2b0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlpNtMakeTemporaryKey+0x1a77:
7733283b eb12 jmp ntdll!RtlpNtMakeTemporaryKey+0x1a8b (7733284f)
---</windbg>---
04# - ntdll!RtlReAllocateHeap:
---<windbg>---
eax=0f710c33 ebx=0389e1f0 ecx=0389e1f7 edx=00713c3e esi=0389e1f8 edi=00270000
eip=772e7f78 esp=0465ee30 ebp=0465ef34 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!RtlReAllocateHeap+0x124:
772e7f78 668b4010 mov ax,word ptr [eax+10h] ds:0023:0f710c43=????
---</windbg>---
(Yep, I will post here only the cases that Windbg describes as 'exploitable'.)
Now let's switch to XnView Classic version 2.48 (TL;DR - XnView Classic 2.48 pack):
Here we go:
01# - xnview+0x38536c:
---<windbg>---
eax=00000000 ebx=00000000 ecx=00000010 edx=00000191 esi=002adc20 edi=00300fe0
eip=006d536c esp=001ed9f4 ebp=001eda10 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
xnview+0x38536c:
006d536c 660f7f5720 movdqa xmmword ptr [edi+20h],xmm2 ds:0023:00301000=????????????????????????????????
---</windbg>---
02# - ntdll!RtlPrefixUnicodeString:
---<windbg>---
eax=00324828 ebx=00325fe0 ecx=00000000 edx=00000000 esi=00324820 edi=002b0000
eip=77935fbd esp=030bf724 ebp=030bf74c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlPrefixUnicodeString+0x712:
77935fbd 8b4904 mov ecx,dword ptr [ecx+4] ds:0023:00000004=????????
---</windbg>---
03# - ntdll!RtlQueueWorkItem:
---<windbg>---
eax=34fce1ef ebx=00000000 ecx=779a3ab9 edx=00000000 esi=fffffff8 edi=003e0000
eip=7790bdc6 esp=002bd7c4 ebp=002bd800 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!RtlQueueWorkItem+0x5e3:
7790bdc6 3106 xor dword ptr [esi],eax ds:0023:fffffff8=????????
---</windbg>---
04# - xnview+0x385399:
---<windbg>---
eax=00000000 ebx=00000000 ecx=00000010 edx=000000da esi=00af5720 edi=00b2cf90
eip=003e5399 esp=0099dba4 ebp=0099dbc0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
xnview+0x385399:
003e5399 660f7f7f70 movdqa xmmword ptr [edi+70h],xmm7 ds:0023:00b2d000=????????????????????????????????
---</windbg>---
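As an added illustration (my own code, not part of the original post and not XnView's), here is a small Python triage pass over register dumps like the ones quoted above: it parses each ---<windbg>--- block, decides from the faulting instruction whether the crash is a read or a write, and buckets the faulting address (near-null, exact page boundary, ASCII-looking pointer, anything else) the way one does when deciding which of a fuzzer's crashes to look at first. The embedded input is copied from four of the dumps above; the categories and priorities are my own heuristics, not !exploitable's rating.

```python
import re

# Constructed input: four register dumps copied from the post (three XnView MP
# 0.93.1 sites and one XnView Classic 2.48 site), in Windbg's own layout.
DUMPS = """\
---<windbg>---
eax=00000000 ebx=038a6d40 ecx=00000018 edx=000000da esi=038edc40 edi=03941000
eip=72cc2c63 esp=05a3e580 ebp=05a3e598 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
VCRUNTIME140!memcpy+0x483:
72cc2c63 660f7f07 movdqa xmmword ptr [edi],xmm0 ds:0023:03941000=????????????????????????????????
---</windbg>---
---<windbg>---
eax=20746665 ebx=af55275c ecx=6f6e3bf6 edx=00006f6e esi=6b26a2f2 edi=af550000
eip=772e205b esp=002abdb8 ebp=002abdec iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!RtlFreeHeap+0x12a:
772e205b 8930 mov dword ptr [eax],esi ds:0023:20746665=????????
---</windbg>---
---<windbg>---
eax=0f710c33 ebx=0389e1f0 ecx=0389e1f7 edx=00713c3e esi=0389e1f8 edi=00270000
eip=772e7f78 esp=0465ee30 ebp=0465ef34 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!RtlReAllocateHeap+0x124:
772e7f78 668b4010 mov ax,word ptr [eax+10h] ds:0023:0f710c43=????
---</windbg>---
---<windbg>---
eax=00324828 ebx=00325fe0 ecx=00000000 edx=00000000 esi=00324820 edi=002b0000
eip=77935fbd esp=030bf724 ebp=030bf74c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlPrefixUnicodeString+0x712:
77935fbd 8b4904 mov ecx,dword ptr [ecx+4] ds:0023:00000004=????????
---</windbg>---
"""

BLOCK_RE = re.compile(r"---<windbg>---\n(.*?)\n---</windbg>---", re.S)
# "<eip> <opcode bytes> <mnemonic> <operands> [ds:0023:<target>=????...]"
FAULT_RE = re.compile(
    r"^(?P<eip>[0-9a-f]{8}) (?P<bytes>[0-9a-f]+) (?P<mnem>\w+) (?P<ops>.*?)"
    r"(?: ds:0023:(?P<target>[0-9a-f]{8})=\?+)?$"
)
REG_RE = re.compile(r"\b([a-z]{2,3})=([0-9a-f]{8})\b")


def parse_dumps(text):
    """Turn each ---<windbg>--- block into a dict of registers, symbol and fault line."""
    records = []
    for body in BLOCK_RE.findall(text):
        lines = body.splitlines()
        regs = {name: int(val, 16) for line in lines[:3] for name, val in REG_RE.findall(line)}
        m = FAULT_RE.match(lines[4])
        if not m:
            raise ValueError(f"unrecognised fault line: {lines[4]}")
        records.append({
            "symbol": lines[3].rstrip(":"),
            "regs": regs,
            "mnemonic": m["mnem"],
            "operands": m["ops"],
            "target": int(m["target"], 16) if m["target"] else None,
        })
    return records


def access_kind(operands):
    """'write' if the memory operand is the destination (first operand, which
    also covers read-modify-write forms like 'xor [esi],eax'), 'read' if it is
    a source, 'none' if the faulting instruction touches no memory."""
    if "[" not in operands:
        return "none"
    return "write" if "[" in operands.split(",")[0] else "read"


def looks_like_ascii(value):
    """All four bytes printable ASCII: a hint that the pointer was overwritten
    with file content rather than computed by the program."""
    return all(0x20 <= b < 0x7F for b in value.to_bytes(4, "little"))


def classify(rec):
    """Bucket the faulting address and derive a review priority (heuristic)."""
    kind = access_kind(rec["operands"])
    target = rec["target"]
    if target is None:
        category = "no memory operand at fault"
    elif target < 0x10000:
        category = "near-null"            # typically a NULL-derived pointer, DoS-like
    elif target >= 0x80000000:
        category = "kernel-range/negative offset"
    elif target & 0xFFF == 0:
        category = "page boundary"        # ran off the end of an allocation
    elif looks_like_ascii(target):
        category = "ascii-looking pointer"  # pointer value resembles input data
    else:
        category = "wild"
    if kind == "write":
        priority = "medium" if category == "near-null" else "high"
    elif kind == "read":
        priority = "low" if category == "near-null" else "medium"
    else:
        priority = "review"
    return {"symbol": rec["symbol"], "access": kind, "target": target,
            "category": category, "priority": priority}


def triage(text):
    """Classify every dump and return them ordered high -> medium -> low -> review."""
    order = {"high": 0, "medium": 1, "low": 2, "review": 3}
    return sorted((classify(r) for r in parse_dumps(text)), key=lambda c: order[c["priority"]])


if __name__ == "__main__":
    for c in triage(DUMPS):
        print(f"{c['priority']:6} {c['access']:5} {c['category']:28} {c['symbol']}")
```

The two "movdqa ... [edi]" crashes and the RtlFreeHeap one come out on top: a write that lands exactly on a page boundary is the signature of a copy loop running past its buffer, and a heap-free of a pointer whose value is printable text means the allocator is being handed data from the file. The near-null read in RtlPrefixUnicodeString sorts last, which matches the usual view that a read through a NULL-derived pointer is a crash rather than a memory-corruption primitive.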
*** Updated 24.03.2019 12:00 ***
For now you can also find them described as CVE-2019-9965, CVE-2019-9964, CVE-2019-9963, CVE-2019-9962, CVE-2019-9966, CVE-2019-9967, CVE-2019-9968, CVE-2019-9969.
See you next time.
Cheers