KLA11064
Multiple vulnerabilities in IrfanView
Updated: 26/06/2019
Detection date
11/10/2017
Severity
High
Description

Multiple serious vulnerabilities have been found in IrfanView 4.44. Malicious users can exploit these vulnerabilities to cause a denial of service or execute arbitrary code.

Below is a complete list of vulnerabilities:

  1. An integer overflow vulnerability in the JPEG 2000 parser can be exploited remotely via a specially designed JPEG 2000 image to execute arbitrary code;
  2. Multiple buffer overflow vulnerabilities can be exploited locally via specially designed *.rle files to cause a denial of service or execute arbitrary code;
  3. Multiple buffer overflow vulnerabilities in IrfanView 4.44 with FPX Plugin 4.47 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  4. A buffer overflow vulnerability related to the «Data from Faulting Address controls Branch Selection starting at USER32!wvsprintfA+0x00000000000002f3.» issue can be exploited locally via a specially designed file to execute arbitrary code;
  5. A buffer overflow vulnerability in IrfanView 4.44 with FPX Plugin 4.45 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  6. A buffer overflow vulnerability can be exploited locally via specially designed *.mov files to execute arbitrary code;
  7. Multiple buffer overflow vulnerabilities in IrfanView 4.44 with FPX Plugin 4.46 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  8. A buffer overflow vulnerability in IrfanView 4.44 with FPX Plugin 4.46 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  9. Multiple buffer overflow vulnerabilities in IrfanView 4.44 with TOOLS Plugin 4.50 can be exploited locally via specially designed files to cause a denial of service or execute arbitrary code;
  10. Multiple buffer overflow vulnerabilities can be exploited locally via a specially designed *.svg file to cause a denial of service;
  11. A buffer overflow vulnerability can be exploited locally via a specially designed *.ani file to cause a denial of service;
  12. A buffer overflow vulnerability can be exploited locally via a specially designed *.djvu file to cause a denial of service;
  13. Multiple buffer overflow vulnerabilities can be exploited locally via a specially designed *.pdf file to cause a denial of service and execute arbitrary code;
  14. A buffer overflow vulnerability can be exploited locally via a specially designed *.tif file to cause a denial of service.

Technical details

Vulnerability (1) occurs when viewing an image in IrfanView or when using its thumbnailing feature.

Vulnerabilities (2) are related to:

  1. «User Mode Write AV starting at ntdll_77df0000!RtlpWaitOnCriticalSection+0x0000000000000121.»
  2. «User Mode Write AV starting at FORMATS!GetPlugInInfo+0x0000000000007d96.»
  3. «User Mode Write AV starting at FORMATS!GetPlugInInfo+0x0000000000007d80.»
  4. «Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpAllocateHeap+0x0000000000000429.»
  5. «Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpEnterCriticalSectionContended+0x0000000000000031.»
  6. «Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpEnterCriticalSectionContended+0x0000000000000031.»
  7. «Invalid Handle starting at wow64!Wow64NotifyDebugger+0x000000000000001d.»
  8. «Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpFreeHeap+0x00000000000003ca.»

Vulnerabilities (3) are related to:

«User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a529.»
«Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b3ae.»
«Read Access Violation starting at wow64!Wow64NotifyDebugger+0x000000000000001d.»
«User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a529.»
«Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b3ae.»
«Read Access Violation starting at wow64!Wow64NotifyDebugger+0x000000000000001d.»

Vulnerability (6) exists because of a User Mode Write AV near NULL.

Vulnerabilities (7) are related to:

«User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000000f53.»
«User Mode Write AV starting at FPX+0x000000000000176c.»
«User Mode Write AV starting at FPX+0x0000000000001555.»
«User Mode Write AV starting at FPX!DE_Decode+0x0000000000000a9b.»
«User Mode Write AV starting at FPX!GetPlugInInfo+0x0000000000017426.»
«User Mode Write AV starting at FPX!GetPlugInInfo+0x0000000000016e53.»
«Read Access Violation on Control Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000014eb.»
«Read Access Violation on Control Flow starting at FPX!GetPlugInInfo+0x0000000000012bf2.»
«User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000007822.»
«User Mode Write AV starting at FPX!DE_Decode+0x0000000000000cdb.»
«Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c995.»
«Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c998.»
«Read Access Violation on Control Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c99a.»
«Data from Faulting Address controls subsequent Write Address starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a525.»
«Data from Faulting Address controls Code Flow starting at FPX+0x0000000000007236.»
«Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000014e7.»
«Read Access Violation on Block Data Move starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b84f.»
«Data from Faulting Address controls Code Flow starting at FPX+0x0000000000007216.»
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpCoalesceFreeBlocks+0x00000000000001b6.»
«Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000006a98.»
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpLowFragHeapFree+0x000000000000001f.»
«Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX+0x000000000000688d.»
«Data from Faulting Address controls Branch Selection starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000031a0.»
«Read Access Violation starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000003714.»
«Read Access Violation starting at FPX+0x000000000000153a.»
«Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000007053.»
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpFreeHeap+0x0000000000000393.»

Vulnerabilities (9) are related to:

«Read Access Violation on Block Data Move starting at ntdll_77df0000!memcpy+0x0000000000000033.»
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlFreeHandle+0x00000000000001b6.»
«Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at ntdll_77df0000!RtlFreeHandle+0x0000000000000218.»
«Data from Faulting Address controls Branch Selection starting at KERNELBASE!QueryOptionalDelayLoadedAPI+0x0000000000000c42.»
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResCompareResourceNames+0x0000000000000087.»
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResSearchResourceInsideDirectory+0x000000000000029e.»
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResGetMappingSize+0x00000000000003cc.»
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpCompareResourceNames_U+0x0000000000000062.»

Vulnerabilities (10) are related to:

«Data from Faulting Address controls Branch Selection starting at image00000000_00400000+0x000000000011d767.»
«Data from Faulting Address controls Branch Selection starting at CADIMAGE+0x000000000001f23e.»

Vulnerability (11) is related to «Data from Faulting Address controls Branch Selection starting at ntdll_77130000!RtlpCoalesceFreeBlocks+0x00000000000004b4.»

Vulnerability (12) is related to «Data from Faulting Address controls Branch Selection starting at DJVU!GetPlugInInfo+0x000000000001c613.»

Vulnerabilities 10-12 affect only the 32-bit version of IrfanView.

Vulnerability (13) is related to:

«Data from Faulting Address controls Code Flow starting at PDF!xmlParserInputRead+0x000000000009174a.»
«Read Access Violation starting at PDF!xmlParserInputRead+0x0000000000161a9c.»
«Data from Faulting Address controls Branch Selection starting at PDF!xmlParserInputRead+0x000000000011624a.»
«Data from Faulting Address may be used as a return value starting at PDF!xmlParserInputRead+0x0000000000129a59.»
«Possible Stack Corruption starting at PDF!xmlGetGlobalState+0x0000000000057b35.»
«Data from Faulting Address controls Code Flow starting at PDF!xmlParserInputRead+0x0000000000048d0c.»
«Data from Faulting Address controls Branch Selection starting at PDF!xmlListWalk+0x00000000000166c4.»

Vulnerability (14) is related to:

«Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at image00000000_00400000+0x00000000000236e4.»

NB: Not every vulnerability has a CVSS rating yet, so the cumulative CVSS rating may not be representative.

Affected products

IrfanView version 4.44

Solution

Update to the latest version
IrfanView — Official Homepage

Original advisories
IrfanView PlugIns
Impacts
ACE
DoS
Related products
IrfanView
CVE-IDS
CVE-2017-15239 6.8 High
CVE-2017-15240 6.8 High
CVE-2017-15241 6.8 High
CVE-2017-15242 6.8 High
CVE-2017-15243 6.8 High
CVE-2017-15244 6.8 High
CVE-2017-15245 6.8 High
CVE-2017-15246 6.8 High
CVE-2017-15247 6.8 High
CVE-2017-15248 6.8 High
CVE-2017-15249 6.8 High
CVE-2017-15250 6.8 High
CVE-2017-15251 6.8 High
CVE-2017-15252 6.8 High
CVE-2017-15253 6.8 High
CVE-2017-15254 6.8 High
CVE-2017-15255 6.8 High
CVE-2017-15256 6.8 High
CVE-2017-15257 6.8 High
CVE-2017-15258 6.8 High
CVE-2017-15259 6.8 High
CVE-2017-15260 6.8 High
CVE-2017-15261 6.8 High
CVE-2017-15262 6.8 High
CVE-2017-15263 6.8 High
CVE-2017-15264 6.8 High
CVE-2017-10924 6.8 High
CVE-2017-14693 4.6 Warning
CVE-2017-10926 6.8 High
CVE-2017-14578 4.6 Warning
CVE-2017-8369 6.8 High
CVE-2017-8370 6.8 High
CVE-2017-8766 6.8 High
CVE-2017-9534 6.8 High
CVE-2017-9528 6.8 High
CVE-2017-9530 4.4 Warning
CVE-2017-9531 6.8 High
CVE-2017-9532 6.8 High
CVE-2017-9533 6.8 High
CVE-2017-2813 6.8 High
CVE-2017-9535 6.8 High
CVE-2017-9536 6.8 High
CVE-2017-9873 6.8 High
CVE-2017-9874 6.8 High
CVE-2017-9875 6.8 High
CVE-2017-9876 6.8 High
CVE-2017-9877 6.8 High
CVE-2017-9878 6.8 High
CVE-2017-9879 6.8 High
CVE-2017-9880 6.8 High
CVE-2017-9881 6.8 High
CVE-2017-9882 6.8 High
CVE-2017-9883 6.8 High
CVE-2017-9884 6.8 High
CVE-2017-9885 6.8 High
CVE-2017-9886 6.8 High
CVE-2017-9887 6.8 High
CVE-2017-9888 6.8 High
CVE-2017-9889 6.8 High
CVE-2017-9890 6.8 High
CVE-2017-9891 6.8 High
CVE-2017-9892 6.8 High
CVE-2017-14539 4.6 Warning
CVE-2017-14540 4.6 Warning
CVE-2017-10729 6.8 High
CVE-2017-10730 6.8 High
CVE-2017-10731 6.8 High
CVE-2017-10732 6.8 High
CVE-2017-10733 6.8 High
CVE-2017-10734 6.8 High
CVE-2017-10735 6.8 High
CVE-2017-10925 6.8 High
CVE-2017-9915 6.8 High
CVE-2017-9916 4.6 Warning
CVE-2017-9917 4.4 Warning
CVE-2017-9918 4.4 Warning
CVE-2017-9919 4.4 Warning
CVE-2017-9920 4.4 Warning
CVE-2017-9921 4.4 Warning
CVE-2017-9922 4.4 Warning