Thursday, 21 March 2019

Crashing XnView 2.48

Last time we talked about bugs in XnView, I was surprised at 'how good' the response 'from the Vendor' could be. But when the 'response' is not 'responsible', responsible disclosure is pointless. So, here we go...
This time I used the same approach as before: I "started fuzzing XnView". But (just like before) I realized that XnView Classic is not XnView MP... So I fuzzed both. ;)

All cases were tested only on Windows 7 (32-bit), so I don't know whether you can get similar results on other operating systems. You can try that :) So...




We will start with XnView MP 0.93.1 (TL;DR: XnView MP 0.93.1 pack):



01# - VCRUNTIME140!memcpy:

---<windbg>---
eax=00000000 ebx=038a6d40 ecx=00000018 edx=000000da esi=038edc40 edi=03941000
eip=72cc2c63 esp=05a3e580 ebp=05a3e598 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
VCRUNTIME140!memcpy+0x483:
72cc2c63 660f7f07        movdqa  xmmword ptr [edi],xmm0 ds:0023:03941000=????????????????????????????????
---</windbg>---

02# - ntdll!RtlFreeHeap:

---<windbg>---
eax=20746665 ebx=af55275c ecx=6f6e3bf6 edx=00006f6e esi=6b26a2f2 edi=af550000
eip=772e205b esp=002abdb8 ebp=002abdec iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!RtlFreeHeap+0x12a:
772e205b 8930            mov     dword ptr [eax],esi  ds:0023:20746665=????????
---</windbg>---



03# - ntdll!RtlpNtMakeTemporaryKey:

---<windbg>---
eax=0679f248 ebx=00000000 ecx=772907ed edx=0679efe5 esi=00330000 edi=03b9ffe8
eip=7733283b esp=0679f238 ebp=0679f2b0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!RtlpNtMakeTemporaryKey+0x1a77:
7733283b eb12            jmp     ntdll!RtlpNtMakeTemporaryKey+0x1a8b (7733284f)
---</windbg>---
 

04# - ntdll!RtlReAllocateHeap:

---<windbg>---
eax=0f710c33 ebx=0389e1f0 ecx=0389e1f7 edx=00713c3e esi=0389e1f8 edi=00270000
eip=772e7f78 esp=0465ee30 ebp=0465ef34 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!RtlReAllocateHeap+0x124:
772e7f78 668b4010        mov     ax,word ptr [eax+10h]    ds:0023:0f710c43=????
---</windbg>---

(Yep, I will only post here the cases that WinDbg describes as 'exploitable'.)

  
Now let's switch to XnView Classic version 2.48 (TL;DR: XnView Classic 2.48 pack):


Here we go:

01#  - xnview+0x38536c:

---<windbg>---
eax=00000000 ebx=00000000 ecx=00000010 edx=00000191 esi=002adc20 edi=00300fe0
eip=006d536c esp=001ed9f4 ebp=001eda10 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
xnview+0x38536c:
006d536c 660f7f5720      movdqa  xmmword ptr [edi+20h],xmm2 ds:0023:00301000=????????????????????????????????
---</windbg>---


02# - ntdll!RtlPrefixUnicodeString:

---<windbg>---
eax=00324828 ebx=00325fe0 ecx=00000000 edx=00000000 esi=00324820 edi=002b0000
eip=77935fbd esp=030bf724 ebp=030bf74c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlPrefixUnicodeString+0x712:
77935fbd 8b4904          mov     ecx,dword ptr [ecx+4] ds:0023:00000004=????????
---</windbg>---


03# - ntdll!RtlQueueWorkItem:

---<windbg>---
eax=34fce1ef ebx=00000000 ecx=779a3ab9 edx=00000000 esi=fffffff8 edi=003e0000
eip=7790bdc6 esp=002bd7c4 ebp=002bd800 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!RtlQueueWorkItem+0x5e3:
7790bdc6 3106            xor     dword ptr [esi],eax  ds:0023:fffffff8=????????
---</windbg>---

 
04# - xnview+0x385399:

---<windbg>---
eax=00000000 ebx=00000000 ecx=00000010 edx=000000da esi=00af5720 edi=00b2cf90
eip=003e5399 esp=0099dba4 ebp=0099dbc0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
xnview+0x385399:
003e5399 660f7f7f70      movdqa  xmmword ptr [edi+70h],xmm7 ds:0023:00b2d000=????????????????????????????????
---</windbg>---
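As an added example (my own code, not from this post or from XnView's author), here is a small Python first-pass triage script for dumps in the ---<windbg>--- format used above. It pulls the registers, the faulting symbol and the disassembly line out of each block, decides whether the faulting instruction was writing or reading memory (WinDbg's !exploitable rates write access violations as EXPLOITABLE, which is why the memcpy/movdqa cases above score highest), and buckets duplicates so that the several "movdqa xmmword ptr [edi+...]" crashes from one fuzzing run collapse into a couple of entries. The page_boundary, near_null and ascii_like flags are heuristics I am adding, not anything WinDbg reports: a write that dies exactly on a page-aligned address (03941000, 00301000, 00b2d000 above) is the usual signature of a linear buffer overrun, a fault at 00000004 is a NULL-based dereference, and a fault address like 20746665 (RtlFreeHeap case) whose four bytes are all printable ASCII suggests file content reached a heap pointer. The sample input is three of the dumps quoted above, abridged to one register line, the symbol line and the instruction.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One "---<windbg>---" block, as the post formats its crash dumps.
BLOCK_RE = re.compile(r"---<windbg>---\s*(.*?)\s*---</windbg>---", re.S)
# Register assignments on the first two dump lines (eax..edi, eip, esp, ebp).
REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
# "module!symbol+0xoff:" or "module+0xoff:" line naming the faulting location.
SYM_RE = re.compile(r"^(?P<sym>[\w.]+(?:![\w$@?]+)?(?:\+0x[0-9a-f]+)?):$")
# Disassembly line: address, opcode bytes, mnemonic, operands and, for an access
# violation, the "ds:SEG:ADDR=VALUE" note WinDbg appends ('?' means unmapped).
INSN_RE = re.compile(
    r"^(?P<addr>[0-9a-f]{8})\s+(?P<bytes>[0-9a-f]+)\s+(?P<mnem>[a-z]+)\s+(?P<ops>.*?)"
    r"(?:\s+ds:(?P<seg>[0-9a-f]{4}):(?P<fault>[0-9a-f]{8})=(?P<val>[0-9a-f?]+))?\s*$"
)
# Mnemonics whose first operand is only read, so "[...]" there is not a write.
READ_ONLY = {"cmp", "test", "push", "jmp", "call"}


@dataclass
class Triage:
    symbol: Optional[str]
    mnemonic: str
    access: str                 # "write", "read" or "none"
    fault_addr: Optional[int]
    unmapped: bool              # WinDbg printed '?' for the bytes at fault_addr
    page_boundary: bool         # heuristic: write faulted on a page-aligned address (linear overrun)
    near_null: bool             # heuristic: fault address below 64 KiB (NULL-based dereference)
    ascii_like: bool            # heuristic: fault address is four printable bytes (file data as pointer)
    severity: str               # "high", "medium" or "review"
    registers: Dict[str, int] = field(default_factory=dict)

    def bucket(self) -> str:
        """Coarse key for de-duplicating crashes from one fuzzing run."""
        return f"{self.symbol or '?'}|{self.mnemonic}|{self.access}"


def parse_windbg(snippet: str) -> Triage:
    """Triage one register/disassembly dump of the kind shown in the post."""
    regs: Dict[str, int] = {}
    symbol, insn = None, None
    for line in (raw.strip() for raw in snippet.splitlines()):
        for name, val in REG_RE.findall(line):
            regs[name] = int(val, 16)
        m = SYM_RE.match(line)
        if m:
            symbol = m.group("sym")
        m = INSN_RE.match(line)
        if m:
            insn = m
    if insn is None:
        raise ValueError("no disassembly line in snippet")
    mnem = insn.group("mnem")
    operands = [o.strip() for o in insn.group("ops").split(",") if o.strip()]
    fault = int(insn.group("fault"), 16) if insn.group("fault") else None
    if fault is None or not any("[" in o for o in operands):
        access = "none"      # nothing faulted here: read the exception record and stack by hand
    elif "[" in operands[0] and mnem not in READ_ONLY:
        access = "write"     # memory destination operand: a write access violation
    else:
        access = "read"
    # !exploitable rates a write AV as EXPLOITABLE; a read AV needs more analysis.
    severity = {"write": "high", "read": "medium"}.get(access, "review")
    return Triage(
        symbol=symbol, mnemonic=mnem, access=access, fault_addr=fault,
        unmapped=insn.group("val") is not None and "?" in insn.group("val"),
        page_boundary=access == "write" and fault is not None and fault & 0xFFF == 0,
        near_null=fault is not None and fault < 0x10000,
        ascii_like=fault is not None and all(0x20 <= b < 0x7F for b in fault.to_bytes(4, "big")),
        severity=severity, registers=regs,
    )


def triage_report(text: str) -> Dict[str, List[Triage]]:
    """Parse every ---<windbg>--- block in a post or fuzzer log and group duplicates."""
    groups: Dict[str, List[Triage]] = {}
    for block in BLOCK_RE.findall(text):
        t = parse_windbg(block)
        groups.setdefault(t.bucket(), []).append(t)
    return groups


# Sample input: three of the dumps quoted in the post, abridged to one register line each.
SAMPLE = """\
---<windbg>---
eax=00000000 ebx=038a6d40 ecx=00000018 edx=000000da esi=038edc40 edi=03941000
VCRUNTIME140!memcpy+0x483:
72cc2c63 660f7f07        movdqa  xmmword ptr [edi],xmm0 ds:0023:03941000=????????????????????????????????
---</windbg>---
---<windbg>---
eax=0679f248 ebx=00000000 ecx=772907ed edx=0679efe5 esi=00330000 edi=03b9ffe8
ntdll!RtlpNtMakeTemporaryKey+0x1a77:
7733283b eb12            jmp     ntdll!RtlpNtMakeTemporaryKey+0x1a8b (7733284f)
---</windbg>---
---<windbg>---
eax=00324828 ebx=00325fe0 ecx=00000000 edx=00000000 esi=00324820 edi=002b0000
ntdll!RtlPrefixUnicodeString+0x712:
77935fbd 8b4904          mov     ecx,dword ptr [ecx+4] ds:0023:00000004=????????
---</windbg>---
"""

if __name__ == "__main__":
    for key, hits in triage_report(SAMPLE).items():
        t = hits[0]
        addr = f"{t.fault_addr:08x}" if t.fault_addr is not None else "-"
        print(f"{t.severity:6} {key:46} fault={addr} unmapped={t.unmapped} "
              f"page_boundary={t.page_boundary} near_null={t.near_null} hits={len(hits)}")
```

Run it on a whole fuzzing log (or on this post) and the "high" rows with page_boundary set are the ones worth reproducing first; the "review" rows, like the jmp inside RtlpNtMakeTemporaryKey above, have no faulting memory operand at eip, so the interesting information is in the exception record and the call stack rather than in this one instruction.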



*** Updated 24.03.2019 12:00 ***

For now, you can also find them described as CVE-2019-9965, CVE-2019-9964, CVE-2019-9963, CVE-2019-9962, CVE-2019-9966, CVE-2019-9967, CVE-2019-9968, CVE-2019-9969.

See you next time.

Cheers

