Description
Multiple serious vulnerabilities have been found in IrfanView 4.44. Malicious users can exploit these vulnerabilities to cause a denial of service or execute arbitrary code.
Below is a complete list of vulnerabilities:
- An integer overflow vulnerability in the JPEG 2000 parser can be exploited remotely via a specially crafted JPEG 2000 image to execute arbitrary code;
- Multiple buffer overflow vulnerabilities can be exploited locally via specially crafted *.rle files to cause a denial of service or execute arbitrary code;
- Multiple buffer overflow vulnerabilities in IrfanView 4.44 with FPX Plugin 4.47 can be exploited locally via specially crafted *.fpx files to cause a denial of service or execute arbitrary code;
- A buffer overflow vulnerability related to the “Data from Faulting Address controls Branch Selection starting at USER32!wvsprintfA+0x00000000000002f3.” issue can be exploited locally via a specially crafted file to execute arbitrary code;
- A buffer overflow vulnerability in IrfanView 4.44 with FPX Plugin 4.45 can be exploited locally via specially crafted *.fpx files to cause a denial of service or execute arbitrary code;
- A buffer overflow vulnerability can be exploited locally via specially crafted *.mov files to execute arbitrary code;
- Multiple buffer overflow vulnerabilities in IrfanView 4.44 with FPX Plugin 4.46 can be exploited locally via specially crafted *.fpx files to cause a denial of service or execute arbitrary code;
- A buffer overflow vulnerability in IrfanView 4.44 with FPX Plugin 4.46 can be exploited locally via specially crafted *.fpx files to cause a denial of service or execute arbitrary code;
- Multiple buffer overflow vulnerabilities in IrfanView 4.44 with TOOLS Plugin 4.50 can be exploited locally via specially crafted files to cause a denial of service or execute arbitrary code;
- Multiple buffer overflow vulnerabilities can be exploited locally via a specially crafted *.svg file to cause a denial of service;
- A buffer overflow vulnerability can be exploited locally via a specially crafted *.ani file to cause a denial of service;
- A buffer overflow vulnerability can be exploited locally via a specially crafted *.djvu file to cause a denial of service;
- Multiple buffer overflow vulnerabilities can be exploited locally via a specially crafted *.pdf file to cause a denial of service and execute arbitrary code;
- A buffer overflow vulnerability can be exploited locally via a specially crafted *.tif file to cause a denial of service.
Technical details
Vulnerability (1) occurs while viewing an image in IrfanView or when using its thumbnailing feature.
Vulnerabilities (2) are related to:
- “User Mode Write AV starting at ntdll_77df0000!RtlpWaitOnCriticalSection+0x0000000000000121.”
- “User Mode Write AV starting at FORMATS!GetPlugInInfo+0x0000000000007d96.”
- “User Mode Write AV starting at FORMATS!GetPlugInInfo+0x0000000000007d80.”
- “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpAllocateHeap+0x0000000000000429.”
- “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpEnterCriticalSectionContended+0x0000000000000031.”
- “Invalid Handle starting at wow64!Wow64NotifyDebugger+0x000000000000001d.”
- “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpFreeHeap+0x00000000000003ca.”
Vulnerabilities (3) are related to:
- “User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a529.”
- “Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b3ae.”
- “Read Access Violation starting at wow64!Wow64NotifyDebugger+0x000000000000001d.”
Vulnerability (6) exists because of a User Mode Write AV near NULL.
Vulnerabilities (7) are related to:
- “User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000000f53.”
- “User Mode Write AV starting at FPX+0x000000000000176c.”
- “User Mode Write AV starting at FPX+0x0000000000001555.”
- “User Mode Write AV starting at FPX!DE_Decode+0x0000000000000a9b.”
- “User Mode Write AV starting at FPX!GetPlugInInfo+0x0000000000017426.”
- “User Mode Write AV starting at FPX!GetPlugInInfo+0x0000000000016e53.”
- “Read Access Violation on Control Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000014eb.”
- “Read Access Violation on Control Flow starting at FPX!GetPlugInInfo+0x0000000000012bf2.”
- “User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000007822.”
- “User Mode Write AV starting at FPX!DE_Decode+0x0000000000000cdb.”
- “Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c995.”
- “Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c998.”
- “Read Access Violation on Control Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c99a.”
- “Data from Faulting Address controls subsequent Write Address starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a525.”
- “Data from Faulting Address controls Code Flow starting at FPX+0x0000000000007236.”
- “Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000014e7.”
- “Read Access Violation on Block Data Move starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b84f.”
- “Data from Faulting Address controls Code Flow starting at FPX+0x0000000000007216.”
- “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpCoalesceFreeBlocks+0x00000000000001b6.”
- “Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000006a98.”
- “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpLowFragHeapFree+0x000000000000001f.”
- “Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX+0x000000000000688d.”
- “Data from Faulting Address controls Branch Selection starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000031a0.”
- “Read Access Violation starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000003714.”
- “Read Access Violation starting at FPX+0x000000000000153a.”
- “Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000007053.”
- “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpFreeHeap+0x0000000000000393.”
Vulnerabilities (9) are related to:
- “Read Access Violation on Block Data Move starting at ntdll_77df0000!memcpy+0x0000000000000033.”
- “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlFreeHandle+0x00000000000001b6.”
- “Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at ntdll_77df0000!RtlFreeHandle+0x0000000000000218.”
- “Data from Faulting Address controls Branch Selection starting at KERNELBASE!QueryOptionalDelayLoadedAPI+0x0000000000000c42.”
- “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResCompareResourceNames+0x0000000000000087.”
- “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResSearchResourceInsideDirectory+0x000000000000029e.”
- “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResGetMappingSize+0x00000000000003cc.”
- “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpCompareResourceNames_U+0x0000000000000062.”
Vulnerabilities (10) are related to:
- “Data from Faulting Address controls Branch Selection starting at image00000000_00400000+0x000000000011d767.”
- “Data from Faulting Address controls Branch Selection starting at CADIMAGE+0x000000000001f23e.”
Vulnerability (11) is related to “Data from Faulting Address controls Branch Selection starting at ntdll_77130000!RtlpCoalesceFreeBlocks+0x00000000000004b4.”
Vulnerability (12) is related to “Data from Faulting Address controls Branch Selection starting at DJVU!GetPlugInInfo+0x000000000001c613.”
Vulnerabilities 10-12 affect only the 32-bit version of IrfanView.
Vulnerability (13) is related to:
- “Data from Faulting Address controls Code Flow starting at PDF!xmlParserInputRead+0x000000000009174a.”
- “Read Access Violation starting at PDF!xmlParserInputRead+0x0000000000161a9c.”
- “Data from Faulting Address controls Branch Selection starting at PDF!xmlParserInputRead+0x000000000011624a.”
- “Data from Faulting Address may be used as a return value starting at PDF!xmlParserInputRead+0x0000000000129a59.”
- “Possible Stack Corruption starting at PDF!xmlGetGlobalState+0x0000000000057b35.”
- “Data from Faulting Address controls Code Flow starting at PDF!xmlParserInputRead+0x0000000000048d0c.”
- “Data from Faulting Address controls Branch Selection starting at PDF!xmlListWalk+0x00000000000166c4.”
Vulnerability (14) is related to:
- “Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at image00000000_00400000+0x00000000000236e4.”
NB: Not every vulnerability has a CVSS rating yet, so the cumulative CVSS rating may not be representative.
Exploitation
Malware exists for this vulnerability. Usually such malware is classified as Exploit.
CVE list
- CVE-2017-15239 high
- CVE-2017-15240 high
- CVE-2017-15241 high
- CVE-2017-15242 high
- CVE-2017-15243 high
- CVE-2017-15244 high
- CVE-2017-15245 high
- CVE-2017-15246 high
- CVE-2017-15247 high
- CVE-2017-15248 high
- CVE-2017-15249 high
- CVE-2017-15250 high
- CVE-2017-15251 high
- CVE-2017-15252 high
- CVE-2017-15253 high
- CVE-2017-15254 high
- CVE-2017-15255 high
- CVE-2017-15256 high
- CVE-2017-15257 high
- CVE-2017-15258 high
- CVE-2017-15259 high
- CVE-2017-15260 high
- CVE-2017-15261 high
- CVE-2017-15262 high
- CVE-2017-15263 high
- CVE-2017-15264 high
- CVE-2017-10924 high
- CVE-2017-14693 warning
- CVE-2017-10926 high
- CVE-2017-14578 warning
- CVE-2017-8369 high
- CVE-2017-8370 high
- CVE-2017-8766 high
- CVE-2017-9534 high
- CVE-2017-9528 high
- CVE-2017-9530 warning
- CVE-2017-9531 high
- CVE-2017-9532 high
- CVE-2017-9533 high
- CVE-2017-2813 high
- CVE-2017-9535 high
- CVE-2017-9536 high
- CVE-2017-9873 high
- CVE-2017-9874 high
- CVE-2017-9875 high
- CVE-2017-9876 high
- CVE-2017-9877 high
- CVE-2017-9878 high
- CVE-2017-9879 high
- CVE-2017-9880 high
- CVE-2017-9881 high
- CVE-2017-9882 high
- CVE-2017-9883 high
- CVE-2017-9884 high
- CVE-2017-9885 high
- CVE-2017-9886 high
- CVE-2017-9887 high
- CVE-2017-9888 high
- CVE-2017-9889 high
- CVE-2017-9890 high
- CVE-2017-9891 high
- CVE-2017-9892 high
- CVE-2017-14539 warning
- CVE-2017-14540 warning
- CVE-2017-10729 high
- CVE-2017-10730 high
- CVE-2017-10731 high
- CVE-2017-10732 high
- CVE-2017-10733 high
- CVE-2017-10734 high
- CVE-2017-10735 high
- CVE-2017-10925 high
- CVE-2017-9915 high
- CVE-2017-9916 warning
- CVE-2017-9917 warning
- CVE-2017-9918 warning
- CVE-2017-9919 warning
- CVE-2017-9920 warning
- CVE-2017-9921 warning
- CVE-2017-9922 warning