XnView 1.99.6 KRO (Kolor Raw Format) Heap Overflow Vulnerability
Keywords: fuzzing, security, blackbox, tests, xnview.exe, LCE, KRO, Kolor Raw Format

Advisory ID: FMA-2012-035
Product: XnView
Version: 1.99.6
Vendor: http://www.xnview.com
Affected module: xnview.exe
Module version: 1.99.6
Module MD5: F5C67B2F2FCAF54971BAE9D317E0FF5A
Tested on: Windows XP SP3 Professional Edition
Timeline: 2012.09.29 / 2013.02.04 / 2013.04.17
Vulnerability type: Heap Overflow vulnerability.
Impact: LCE (Local Code Execution)
XnView does not properly sanitize values read from the KRO file header. By tampering with header values, an attacker can force an overflow/overwrite of the given data. The vulnerability was first found in version 1.99.1 of XnView; version 1.99.6 (the latest at the time of writing) was later retested and the same vulnerability was detected. Successful exploitation can lead to code execution.

Access violation exception raised when writing to an invalid address. Disassembly of the copy routine around the crash (the count and the destination are taken from the caller; in the example the destination is 0x00000000):
005C8DE0 $ 55 PUSH EBP
005C8DE1 . 8BEC MOV EBP,ESP
005C8DE3 . 57 PUSH EDI
005C8DE4 . 56 PUSH ESI
005C8DE5 . 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C] ; [www.FuzzMyApp.com] Source, KRO file data starting at offset 014h
005C8DE8 . 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10] ; [www.FuzzMyApp.com] Count
005C8DEB . 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8] ; [www.FuzzMyApp.com] Destination (in example 0x00000000h)
005C8DEE . 8BC1 MOV EAX,ECX
005C8DF0 . 8BD1 MOV EDX,ECX
005C8DF2 . 03C6 ADD EAX,ESI
005C8DF4 . 3BFE CMP EDI,ESI
005C8DF6 . 76 08 JBE SHORT xnview.005C8E00
005C8DF8 . 3BF8 CMP EDI,EAX
005C8DFA . 0F82 78010000 JB xnview.005C8F78
005C8E00 > F7C7 03000000 TEST EDI,3
005C8E06 . 75 14 JNZ SHORT xnview.005C8E1C
005C8E08 . C1E9 02 SHR ECX,2
005C8E0B . 83E2 03 AND EDX,3
005C8E0E . 83F9 08 CMP ECX,8
005C8E11 . 72 29 JB SHORT xnview.005C8E3C
005C8E13 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
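The copy routine above trusts its count and destination, so a tampered header turns the REP MOVS into a write to an invalid or too-small buffer. As an added illustration (not code from the advisory or from XnView), the loader below bounds every header-derived value before it is used as an allocation size or copy count and refuses to copy when allocation fails. The field layout after the "KRO" magic (version byte, width, height, bits per sample, component count) and the names kro_load_pixels/kro_demo are assumptions made for this example; only the data offset 0x14 comes from the listing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Header layout ASSUMED for this example (not stated in the advisory): "KRO" plus a
 * version byte, then four little-endian uint32 fields: width, height, bits per
 * sample, component count. Pixel data starts at offset 0x14, matching the listing. */
#define KRO_HEADER_LEN 0x14
#define KRO_MAX_DIM    65535u
#define KRO_MAX_PIXELS (64u * 1024u * 1024u)

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened loader: 0 on success (caller frees *out), negative code on rejection.
 * Every header-derived value is bounded before it drives an allocation or a copy. */
int kro_load_pixels(const uint8_t *buf, size_t len, uint8_t **out, size_t *out_len) {
    if (len < KRO_HEADER_LEN || memcmp(buf, "KRO", 3) != 0) return -1;
    uint32_t w = rd32le(buf + 4), h = rd32le(buf + 8);
    uint32_t depth = rd32le(buf + 12), ncomp = rd32le(buf + 16);
    if (w == 0 || h == 0 || w > KRO_MAX_DIM || h > KRO_MAX_DIM) return -2;
    if ((depth != 8 && depth != 16 && depth != 32) || ncomp == 0 || ncomp > 4) return -3;
    uint64_t pixels = (uint64_t)w * h;            /* 64-bit: a tampered header cannot wrap it */
    if (pixels > KRO_MAX_PIXELS) return -4;
    uint64_t need = pixels * ncomp * (depth / 8);
    if (need > (uint64_t)(len - KRO_HEADER_LEN)) return -5;  /* copy count must fit the file */
    uint8_t *dst = malloc((size_t)need);
    if (dst == NULL) return -6;                   /* never copy into a NULL destination */
    memcpy(dst, buf + KRO_HEADER_LEN, (size_t)need);
    *out = dst; *out_len = (size_t)need;
    return 0;
}

/* Constructed 2x2, 8-bit, 3-component sample file (12 pixel bytes): loads cleanly. */
static const uint8_t kro_sample[32] = { 'K','R','O',1, 2,0,0,0, 2,0,0,0, 8,0,0,0, 3,0,0,0,
                                        1,2,3, 4,5,6, 7,8,9, 10,11,12 };
/* Loads the sample with its width field overwritten; returns bytes copied or the error code. */
int kro_demo(uint32_t width_override) {
    uint8_t f[sizeof kro_sample];
    memcpy(f, kro_sample, sizeof f);
    f[4] = width_override & 0xFF;         f[5] = (width_override >> 8) & 0xFF;
    f[6] = (width_override >> 16) & 0xFF; f[7] = (width_override >> 24) & 0xFF;
    uint8_t *px = NULL; size_t n = 0;
    int rc = kro_load_pixels(f, sizeof f, &px, &n);
    if (rc != 0) return rc;
    free(px);
    return (int)n;
}
```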