KLA11064
Multiple vulnerabilities in IrfanView
Updated: 06/26/2019
Detect date: 10/11/2017
Severity: High
Description

Multiple serious vulnerabilities have been found in IrfanView 4.44. Malicious users can exploit these vulnerabilities to cause a denial of service or execute arbitrary code.

Below is a complete list of vulnerabilities:

  1. An integer overflow vulnerability in the JPEG 2000 parser can be exploited remotely via a specially designed JPEG 2000 image to execute arbitrary code;
  2. Multiple buffer overflow vulnerabilities can be exploited locally via specially designed *.rle files to cause a denial of service or execute arbitrary code;
  3. Multiple buffer overflow vulnerabilities in IrfanView 4.44 with FPX Plugin 4.47 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  4. A buffer overflow vulnerability related to the “Data from Faulting Address controls Branch Selection starting at USER32!wvsprintfA+0x00000000000002f3” issue can be exploited locally via a specially designed file to execute arbitrary code;
  5. A buffer overflow vulnerability in IrfanView 4.44 with FPX Plugin 4.45 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  6. A buffer overflow vulnerability can be exploited locally via specially designed *.mov files to execute arbitrary code;
  7. Multiple buffer overflow vulnerabilities in IrfanView 4.44 with FPX Plugin 4.46 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  8. A buffer overflow vulnerability in IrfanView 4.44 with FPX Plugin 4.46 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  9. Multiple buffer overflow vulnerabilities in IrfanView 4.44 with TOOLS Plugin 4.50 can be exploited locally via specially designed files to cause a denial of service or execute arbitrary code;
  10. Multiple buffer overflow vulnerabilities can be exploited locally via a specially designed *.svg file to cause a denial of service;
  11. A buffer overflow vulnerability can be exploited locally via a specially designed *.ani file to cause a denial of service;
  12. A buffer overflow vulnerability can be exploited locally via a specially designed *.djvu file to cause a denial of service;
  13. Multiple buffer overflow vulnerabilities can be exploited locally via a specially designed *.pdf file to cause a denial of service and execute arbitrary code;
  14. A buffer overflow vulnerability can be exploited locally via a specially designed *.tif file to cause a denial of service.

Technical details

Vulnerability (1) occurs while viewing an image in IrfanView or when using its thumbnailing feature.

Vulnerabilities (2) are related to:

  1. “User Mode Write AV starting at ntdll_77df0000!RtlpWaitOnCriticalSection+0x0000000000000121.”
  2. “User Mode Write AV starting at FORMATS!GetPlugInInfo+0x0000000000007d96.”
  3. “User Mode Write AV starting at FORMATS!GetPlugInInfo+0x0000000000007d80.”
  4. “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpAllocateHeap+0x0000000000000429.”
  5. “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpEnterCriticalSectionContended+0x0000000000000031.”
  6. “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpEnterCriticalSectionContended+0x0000000000000031.”
  7. “Invalid Handle starting at wow64!Wow64NotifyDebugger+0x000000000000001d.”
  8. “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpFreeHeap+0x00000000000003ca.”

Vulnerabilities (3) are related to:

“User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a529.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b3ae.”
“Read Access Violation starting at wow64!Wow64NotifyDebugger+0x000000000000001d.”
“User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a529.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b3ae.”
“Read Access Violation starting at wow64!Wow64NotifyDebugger+0x000000000000001d.”

Vulnerability (6) exists because of a User Mode Write AV near NULL.

Vulnerabilities (7) are related to:

“User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000000f53.”
“User Mode Write AV starting at FPX+0x000000000000176c.”
“User Mode Write AV starting at FPX+0x0000000000001555.”
“User Mode Write AV starting at FPX!DE_Decode+0x0000000000000a9b.”
“User Mode Write AV starting at FPX!GetPlugInInfo+0x0000000000017426.”
“User Mode Write AV starting at FPX!GetPlugInInfo+0x0000000000016e53.”
“Read Access Violation on Control Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000014eb.”
“Read Access Violation on Control Flow starting at FPX!GetPlugInInfo+0x0000000000012bf2.”
“User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000007822.”
“User Mode Write AV starting at FPX!DE_Decode+0x0000000000000cdb.”
“Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c995.”
“Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c998.”
“Read Access Violation on Control Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c99a.”
“Data from Faulting Address controls subsequent Write Address starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a525.”
“Data from Faulting Address controls Code Flow starting at FPX+0x0000000000007236.”
“Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000014e7.”
“Read Access Violation on Block Data Move starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b84f.”
“Data from Faulting Address controls Code Flow starting at FPX+0x0000000000007216.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpCoalesceFreeBlocks+0x00000000000001b6.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000006a98.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpLowFragHeapFree+0x000000000000001f.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX+0x000000000000688d.”
“Data from Faulting Address controls Branch Selection starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000031a0.”
“Read Access Violation starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000003714.”
“Read Access Violation starting at FPX+0x000000000000153a.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000007053.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpFreeHeap+0x0000000000000393.”

Vulnerabilities (9) are related to:

“Read Access Violation on Block Data Move starting at ntdll_77df0000!memcpy+0x0000000000000033.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlFreeHandle+0x00000000000001b6.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at ntdll_77df0000!RtlFreeHandle+0x0000000000000218.”
“Data from Faulting Address controls Branch Selection starting at KERNELBASE!QueryOptionalDelayLoadedAPI+0x0000000000000c42.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResCompareResourceNames+0x0000000000000087.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResSearchResourceInsideDirectory+0x000000000000029e.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResGetMappingSize+0x00000000000003cc.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpCompareResourceNames_U+0x0000000000000062.”

Vulnerabilities (10) are related to:

“Data from Faulting Address controls Branch Selection starting at image00000000_00400000+0x000000000011d767.”
“Data from Faulting Address controls Branch Selection starting at CADIMAGE+0x000000000001f23e.”

Vulnerability (11) is related to “Data from Faulting Address controls Branch Selection starting at ntdll_77130000!RtlpCoalesceFreeBlocks+0x00000000000004b4.”

Vulnerability (12) is related to “Data from Faulting Address controls Branch Selection starting at DJVU!GetPlugInInfo+0x000000000001c613.”

Vulnerabilities (10) to (12) affect only the 32-bit version of IrfanView.

Vulnerability (13) is related to:

“Data from Faulting Address controls Code Flow starting at PDF!xmlParserInputRead+0x000000000009174a.”
“Read Access Violation starting at PDF!xmlParserInputRead+0x0000000000161a9c.”
“Data from Faulting Address controls Branch Selection starting at PDF!xmlParserInputRead+0x000000000011624a.”
“Data from Faulting Address may be used as a return value starting at PDF!xmlParserInputRead+0x0000000000129a59.”
“Possible Stack Corruption starting at PDF!xmlGetGlobalState+0x0000000000057b35.”
“Data from Faulting Address controls Code Flow starting at PDF!xmlParserInputRead+0x0000000000048d0c.”
“Data from Faulting Address controls Branch Selection starting at PDF!xmlListWalk+0x00000000000166c4.”

Vulnerability (14) is related to:

“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at image00000000_00400000+0x00000000000236e4.”

NB: Not every vulnerability has a CVSS rating yet, so the cumulative CVSS rating may not be representative.

Affected products

IrfanView version 4.44

Solution

Update to the latest version
IrfanView – Official Homepage

Original advisories

IrfanView PlugIns

Impacts

ACE (arbitrary code execution)
DoS (denial of service)

CVE-IDs

CVE-ID            CVSS  Severity
CVE-2017-15239    6.8   High
CVE-2017-15240    6.8   High
CVE-2017-15241    6.8   High
CVE-2017-15242    6.8   High
CVE-2017-15243    6.8   High
CVE-2017-15244    6.8   High
CVE-2017-15245    6.8   High
CVE-2017-15246    6.8   High
CVE-2017-15247    6.8   High
CVE-2017-15248    6.8   High
CVE-2017-15249    6.8   High
CVE-2017-15250    6.8   High
CVE-2017-15251    6.8   High
CVE-2017-15252    6.8   High
CVE-2017-15253    6.8   High
CVE-2017-15254    6.8   High
CVE-2017-15255    6.8   High
CVE-2017-15256    6.8   High
CVE-2017-15257    6.8   High
CVE-2017-15258    6.8   High
CVE-2017-15259    6.8   High
CVE-2017-15260    6.8   High
CVE-2017-15261    6.8   High
CVE-2017-15262    6.8   High
CVE-2017-15263    6.8   High
CVE-2017-15264    6.8   High
CVE-2017-10924    6.8   High
CVE-2017-14693    4.6   Warning
CVE-2017-10926    6.8   High
CVE-2017-14578    4.6   Warning
CVE-2017-8369     6.8   High
CVE-2017-8370     6.8   High
CVE-2017-8766     6.8   High
CVE-2017-9534     6.8   High
CVE-2017-9528     6.8   High
CVE-2017-9530     4.4   Warning
CVE-2017-9531     6.8   High
CVE-2017-9532     6.8   High
CVE-2017-9533     6.8   High
CVE-2017-2813     6.8   High
CVE-2017-9535     6.8   High
CVE-2017-9536     6.8   High
CVE-2017-9873     6.8   High
CVE-2017-9874     6.8   High
CVE-2017-9875     6.8   High
CVE-2017-9876     6.8   High
CVE-2017-9877     6.8   High
CVE-2017-9878     6.8   High
CVE-2017-9879     6.8   High
CVE-2017-9880     6.8   High
CVE-2017-9881     6.8   High
CVE-2017-9882     6.8   High
CVE-2017-9883     6.8   High
CVE-2017-9884     6.8   High
CVE-2017-9885     6.8   High
CVE-2017-9886     6.8   High
CVE-2017-9887     6.8   High
CVE-2017-9888     6.8   High
CVE-2017-9889     6.8   High
CVE-2017-9890     6.8   High
CVE-2017-9891     6.8   High
CVE-2017-9892     6.8   High
CVE-2017-14539    4.6   Warning
CVE-2017-14540    4.6   Warning
CVE-2017-10729    6.8   High
CVE-2017-10730    6.8   High
CVE-2017-10731    6.8   High
CVE-2017-10732    6.8   High
CVE-2017-10733    6.8   High
CVE-2017-10734    6.8   High
CVE-2017-10735    6.8   High
CVE-2017-10925    6.8   High
CVE-2017-9915     6.8   High
CVE-2017-9916     4.6   Warning
CVE-2017-9917     4.4   Warning
CVE-2017-9918     4.4   Warning
CVE-2017-9919     4.4   Warning
CVE-2017-9920     4.4   Warning
CVE-2017-9921     4.4   Warning
CVE-2017-9922     4.4   Warning