Kaspersky ID: KLA11064
Detect Date: 10/11/2017
Updated: 01/22/2024

Description

Multiple serious vulnerabilities have been found in IrfanView 4.44. Malicious users can exploit these vulnerabilities to cause a denial of service or execute arbitrary code.

Below is a complete list of vulnerabilities:

  1. An integer overflow vulnerability in the JPEG 2000 parser can be exploited remotely via a specially designed JPEG 2000 image to execute arbitrary code;
  2. Multiple buffer overflow vulnerabilities can be exploited locally via specially designed *.rle files to cause a denial of service or execute arbitrary code;
  3. Multiple buffer overflow vulnerabilities in IrfanView 4.44 with FPX Plugin 4.47 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  4. A buffer overflow vulnerability related to the “Data from Faulting Address controls Branch Selection starting at USER32!wvsprintfA+0x00000000000002f3.” issue can be exploited locally via a specially designed file to execute arbitrary code;
  5. A buffer overflow vulnerability in IrfanView 4.44 with FPX Plugin 4.45 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  6. A buffer overflow vulnerability can be exploited locally via specially designed *.mov files to execute arbitrary code;
  7. Multiple buffer overflow vulnerabilities in IrfanView 4.44 with FPX Plugin 4.46 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  8. A buffer overflow vulnerability in IrfanView 4.44 with FPX Plugin 4.46 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  9. Multiple buffer overflow vulnerabilities in IrfanView 4.44 with TOOLS Plugin 4.50 can be exploited locally via specially designed files to cause a denial of service or execute arbitrary code;
  10. Multiple buffer overflow vulnerabilities can be exploited locally via a specially designed *.svg file to cause a denial of service;
  11. A buffer overflow vulnerability can be exploited locally via a specially designed *.ani file to cause a denial of service;
  12. A buffer overflow vulnerability can be exploited locally via a specially designed *.djvu file to cause a denial of service;
  13. Multiple buffer overflow vulnerabilities can be exploited locally via a specially designed *.pdf file to cause a denial of service and execute arbitrary code;
  14. A buffer overflow vulnerability can be exploited locally via a specially designed *.tif file to cause a denial of service.

Technical details

Vulnerability (1) occurs while viewing an image in IrfanView or while using its thumbnailing feature.

Vulnerabilities (2) are related to:

  1. “User Mode Write AV starting at ntdll_77df0000!RtlpWaitOnCriticalSection+0x0000000000000121.”
  2. “User Mode Write AV starting at FORMATS!GetPlugInInfo+0x0000000000007d96.”
  3. “User Mode Write AV starting at FORMATS!GetPlugInInfo+0x0000000000007d80.”
  4. “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpAllocateHeap+0x0000000000000429.”
  5. “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpEnterCriticalSectionContended+0x0000000000000031.”
  6. “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpEnterCriticalSectionContended+0x0000000000000031.”
  7. “Invalid Handle starting at wow64!Wow64NotifyDebugger+0x000000000000001d.”
  8. “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpFreeHeap+0x00000000000003ca.”

Vulnerabilities (3) are related to:

“User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a529.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b3ae.”
“Read Access Violation starting at wow64!Wow64NotifyDebugger+0x000000000000001d.”
“User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a529.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b3ae.”
“Read Access Violation starting at wow64!Wow64NotifyDebugger+0x000000000000001d.”

Vulnerability (6) exists because of a User Mode Write AV near NULL.

Vulnerabilities (7) are related to:

“User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000000f53.”
“User Mode Write AV starting at FPX+0x000000000000176c.”
“User Mode Write AV starting at FPX+0x0000000000001555.”
“User Mode Write AV starting at FPX!DE_Decode+0x0000000000000a9b.”
“User Mode Write AV starting at FPX!GetPlugInInfo+0x0000000000017426.”
“User Mode Write AV starting at FPX!GetPlugInInfo+0x0000000000016e53.”
“Read Access Violation on Control Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000014eb.”
“Read Access Violation on Control Flow starting at FPX!GetPlugInInfo+0x0000000000012bf2.”
“User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000007822.”
“User Mode Write AV starting at FPX!DE_Decode+0x0000000000000cdb.”
“Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c995.”
“Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c998.”
“Read Access Violation on Control Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c99a.”
“Data from Faulting Address controls subsequent Write Address starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a525.”
“Data from Faulting Address controls Code Flow starting at FPX+0x0000000000007236.”
“Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000014e7.”
“Read Access Violation on Block Data Move starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b84f.”
“Data from Faulting Address controls Code Flow starting at FPX+0x0000000000007216.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpCoalesceFreeBlocks+0x00000000000001b6.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000006a98.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpLowFragHeapFree+0x000000000000001f.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX+0x000000000000688d.”
“Data from Faulting Address controls Branch Selection starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000031a0.”
“Read Access Violation starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000003714.”
“Read Access Violation starting at FPX+0x000000000000153a.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000007053.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpFreeHeap+0x0000000000000393.”

Vulnerabilities (9) are related to:

“Read Access Violation on Block Data Move starting at ntdll_77df0000!memcpy+0x0000000000000033.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlFreeHandle+0x00000000000001b6.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at ntdll_77df0000!RtlFreeHandle+0x0000000000000218.”
“Data from Faulting Address controls Branch Selection starting at KERNELBASE!QueryOptionalDelayLoadedAPI+0x0000000000000c42.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResCompareResourceNames+0x0000000000000087.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResSearchResourceInsideDirectory+0x000000000000029e.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResGetMappingSize+0x00000000000003cc.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpCompareResourceNames_U+0x0000000000000062.”

Vulnerabilities (10) are related to:

“Data from Faulting Address controls Branch Selection starting at image00000000_00400000+0x000000000011d767.”
“Data from Faulting Address controls Branch Selection starting at CADIMAGE+0x000000000001f23e.”

Vulnerability (11) is related to “Data from Faulting Address controls Branch Selection starting at ntdll_77130000!RtlpCoalesceFreeBlocks+0x00000000000004b4.”

Vulnerability (12) is related to “Data from Faulting Address controls Branch Selection starting at DJVU!GetPlugInInfo+0x000000000001c613.”

Vulnerabilities (10)-(12) affect only the 32-bit version of IrfanView.

Vulnerability (13) is related to:

“Data from Faulting Address controls Code Flow starting at PDF!xmlParserInputRead+0x000000000009174a.”
“Read Access Violation starting at PDF!xmlParserInputRead+0x0000000000161a9c.”
“Data from Faulting Address controls Branch Selection starting at PDF!xmlParserInputRead+0x000000000011624a.”
“Data from Faulting Address may be used as a return value starting at PDF!xmlParserInputRead+0x0000000000129a59.”
“Possible Stack Corruption starting at PDF!xmlGetGlobalState+0x0000000000057b35.”
“Data from Faulting Address controls Code Flow starting at PDF!xmlParserInputRead+0x0000000000048d0c.”
“Data from Faulting Address controls Branch Selection starting at PDF!xmlListWalk+0x00000000000166c4.”

Vulnerability (14) is related to:

“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at image00000000_00400000+0x00000000000236e4.”

NB: Not every vulnerability has a CVSS rating yet, so the cumulative CVSS rating may not be representative.

Exploitation

Malware exists for this vulnerability. Usually such malware is classified as Exploit.

CVE list

  • CVE-2017-15239
    high
  • CVE-2017-15240
    high
  • CVE-2017-15241
    high
  • CVE-2017-15242
    high
  • CVE-2017-15243
    high
  • CVE-2017-15244
    high
  • CVE-2017-15245
    high
  • CVE-2017-15246
    high
  • CVE-2017-15247
    high
  • CVE-2017-15248
    high
  • CVE-2017-15249
    high
  • CVE-2017-15250
    high
  • CVE-2017-15251
    high
  • CVE-2017-15252
    high
  • CVE-2017-15253
    high
  • CVE-2017-15254
    high
  • CVE-2017-15255
    high
  • CVE-2017-15256
    high
  • CVE-2017-15257
    high
  • CVE-2017-15258
    high
  • CVE-2017-15259
    high
  • CVE-2017-15260
    high
  • CVE-2017-15261
    high
  • CVE-2017-15262
    high
  • CVE-2017-15263
    high
  • CVE-2017-15264
    high
  • CVE-2017-10924
    high
  • CVE-2017-14693
    warning
  • CVE-2017-10926
    high
  • CVE-2017-14578
    warning
  • CVE-2017-8369
    high
  • CVE-2017-8370
    high
  • CVE-2017-8766
    high
  • CVE-2017-9534
    high
  • CVE-2017-9528
    high
  • CVE-2017-9530
    warning
  • CVE-2017-9531
    high
  • CVE-2017-9532
    high
  • CVE-2017-9533
    high
  • CVE-2017-2813
    high
  • CVE-2017-9535
    high
  • CVE-2017-9536
    high
  • CVE-2017-9873
    high
  • CVE-2017-9874
    high
  • CVE-2017-9875
    high
  • CVE-2017-9876
    high
  • CVE-2017-9877
    high
  • CVE-2017-9878
    high
  • CVE-2017-9879
    high
  • CVE-2017-9880
    high
  • CVE-2017-9881
    high
  • CVE-2017-9882
    high
  • CVE-2017-9883
    high
  • CVE-2017-9884
    high
  • CVE-2017-9885
    high
  • CVE-2017-9886
    high
  • CVE-2017-9887
    high
  • CVE-2017-9888
    high
  • CVE-2017-9889
    high
  • CVE-2017-9890
    high
  • CVE-2017-9891
    high
  • CVE-2017-9892
    high
  • CVE-2017-14539
    warning
  • CVE-2017-14540
    warning
  • CVE-2017-10729
    high
  • CVE-2017-10730
    high
  • CVE-2017-10731
    high
  • CVE-2017-10732
    high
  • CVE-2017-10733
    high
  • CVE-2017-10734
    high
  • CVE-2017-10735
    high
  • CVE-2017-10925
    high
  • CVE-2017-9915
    high
  • CVE-2017-9916
    warning
  • CVE-2017-9917
    warning
  • CVE-2017-9918
    warning
  • CVE-2017-9919
    warning
  • CVE-2017-9920
    warning
  • CVE-2017-9921
    warning
  • CVE-2017-9922
    warning
