XnView 1.98 - 1.99 TIF(JPEG Compression) ImageLength and ImageWidth Parsing Vulnerability
Tags: fuzzing, security, blackbox, tests, xnview.exe, LCE, TIF
Advisory ID: FMA-2011-016
Product: XnView
Version: 1.98
Vendor URL: http://www.xnview.com
Binary: xnview.exe
File version: 1.98.0.0
MD5: EBE200D81A095D296E94E887DC40E607
Tested on: Windows XP SP3 Home Edition; Windows XP SP3 Professional Edition; Windows 7 SP1 Home Premium
Timeline: 2011.06.27 / 2012.07.24 / 2012.09.09
Summary: Tagged Image File Format (TIF) with JPEG Compression, ImageLength and ImageWidth header properties parsing vulnerability
Impact: LCE (local code execution)
XnView does not properly validate the ImageLength and ImageWidth header properties in TIF (Tagged Image File Format) files that use JPEG compression. Fuzzing produced samples in which both length fields were malformed. These properties are used as the copy loop counter, which leads to a heap overflow. If successfully exploited, this may lead to local code execution.
Crash: access violation exception when writing a BYTE value.
006D041A > /8A19 MOV BL,BYTE PTR DS:[ECX] ; [FuzzMyApp.com] read byte from source
006D041C . |41 INC ECX
006D041D . |8818 MOV BYTE PTR DS:[EAX],BL ; [FuzzMyApp.com] write byte at destination
006D041F . |03C2 ADD EAX,EDX
006D0421 . |4F DEC EDI ; [FuzzMyApp.com] decrement counter (set to 0x0000DEAD)
006D0422 .^\75 F6 JNZ SHORT xnview.006D041A ; [FuzzMyApp.com] loop
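The loop above copies width*length bytes with no check that the destination can hold them. As an added defensive example (not XnView's code), the following C function parses the first IFD of a little-endian TIFF, extracts ImageWidth (tag 256) and ImageLength (tag 257), and refuses to size a pixel buffer from them unless both are present, non-zero, below an assumed cap, and their product with bytes-per-pixel cannot wrap; MAX_DIM and the two embedded sample files are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_IMAGEWIDTH  256   /* TIFF 6.0 tag numbers */
#define TAG_IMAGELENGTH 257
#define MAX_DIM 65535u        /* assumed policy cap per dimension */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the first IFD of a little-endian TIFF and return the byte count of a
 * width*length*bpp pixel buffer, or 0 when the file is truncated or the
 * dimensions are untrusted (missing, zero, above the cap, or overflowing).
 * The caller allocates exactly this many bytes and bounds the copy loop by it. */
uint32_t tiff_checked_pixel_bytes(const uint8_t *buf, size_t len, uint32_t bpp) {
    if (len < 8 || memcmp(buf, "II*\0", 4) != 0) return 0;
    uint32_t ifd = rd32(buf + 4);
    if (ifd > len || len - ifd < 2) return 0;
    uint16_t n = rd16(buf + ifd);
    if ((size_t)n * 12 + 2 > len - ifd) return 0;     /* all entries must lie inside the file */
    uint32_t width = 0, length = 0;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint16_t tag = rd16(e), type = rd16(e + 2);
        if (rd32(e + 4) != 1) continue;                  /* dimensions are single values */
        uint32_t v = type == 3 ? rd16(e + 8) : type == 4 ? rd32(e + 8) : 0;  /* SHORT or LONG */
        if (tag == TAG_IMAGEWIDTH) width = v;
        else if (tag == TAG_IMAGELENGTH) length = v;
    }
    if (width == 0 || length == 0 || width > MAX_DIM || length > MAX_DIM) return 0;
    uint64_t total = (uint64_t)width * length * bpp;   /* 64-bit product cannot wrap */
    return total > UINT32_MAX ? 0 : (uint32_t)total;
}

/* Constructed sample: 16x8 image, both dimensions stored as SHORT. */
const uint8_t GOOD_TIF[] = {
    'I','I',0x2A,0x00, 0x08,0,0,0, 0x02,0x00,
    0x00,0x01, 0x03,0x00, 0x01,0,0,0, 0x10,0x00,0,0,   /* ImageWidth  = 16 */
    0x01,0x01, 0x03,0x00, 0x01,0,0,0, 0x08,0x00,0,0,   /* ImageLength = 8  */
    0,0,0,0 };
/* Constructed malformed sample: ImageLength stored as LONG 0xFFFFFFFF. */
const uint8_t BAD_TIF[] = {
    'I','I',0x2A,0x00, 0x08,0,0,0, 0x02,0x00,
    0x00,0x01, 0x03,0x00, 0x01,0,0,0, 0x10,0x00,0,0,
    0x01,0x01, 0x04,0x00, 0x01,0,0,0, 0xFF,0xFF,0xFF,0xFF,
    0,0,0,0 };
```

A decoder that sizes its destination from this return value and stops the copy at that many bytes cannot run past the heap allocation even when the header lies.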
Screenshot 1 (image01.png): Before heap overflow.
Screenshot 2 (image02.png): After heap overflow.