Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

DivFix++ 0.34 - Denial of Service

🗓️ 31 Jul 2017 00:00:00Reported by qflb.wuType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 29 Views

DivFix++ 0.34 Denial of Service vulnerability via crafted avi file - invalid memory writ

Related
Code
ReporterTitlePublishedViews
Family
0day.today		DivFix++ 0.34 - Denial of Service Exploit
31 Jul 201700:00
zdt
CNVD		DivFix++ 'DivFixppCore::avi_header_fix' function denial of service vulnerability
3 Aug 201700:00
cnvd
CVE		CVE-2017-11330
31 Jul 201713:00
cve
Cvelist		CVE-2017-11330
31 Jul 201713:00
cvelist
EUVD		EUVD-2017-2964
7 Oct 202500:30
euvd
exploitpack		DivFix++ 0.34 - Denial of Service
31 Jul 201700:00
exploitpack
NVD		CVE-2017-11330
31 Jul 201713:29
nvd
OSV		CVE-2017-11330
31 Jul 201713:29
osv
Prion		Design/Logic Flaw
31 Jul 201713:29
prion
DivFix++ denial of service vulnerability
================
Author : qflb.wu
===============


Introduction:
=============
DivFix++ is FREE AVI Video Fix & Preview program.


Affected version:
=====
v0.34


Vulnerability Description:
==========================
the DivFixppCore::avi_header_fix function in src/DivFix++Core.cpp in DivFix++ v0.34 can cause a denial of service(invalid memory write and application crash) via a crafted avi file.


./DivFix++ -i DivFix++_v0.34_invalid_memory_write.avi -o out.avi


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
167../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0  __memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
#1  0x00000000004239d8 in DivFixppCore::avi_header_fix() ()
#2  0x000000000042c0c0 in DivFixppCore::Fix(wxString, wxString, bool, bool, bool, bool) ()
#3  0x000000000041404a in DivFixppApp::OnCmdLineParsed(wxCmdLineParser&) ()
#4  0x0000000000414f6e in DivFixppApp::OnInit() ()
#5  0x0000000000416f4f in wxAppConsoleBase::CallOnInit() ()
#6  0x00007ffff6c6903c in wxEntry(int&, wchar_t**) ()
   from /usr/lib/x86_64-linux-gnu/libwx_baseu-3.0.so.0
#7  0x0000000000411e70 in main ()
(gdb) 


-------------------
(gdb) disassemble 0x00000000004239b0,0x00000000004239df
Dump of assembler code from 0x4239b0 to 0x4239df:
   0x00000000004239b0 <_ZN12DivFixppCore14avi_header_fixEv+3504>:add    %al,(%rax)
   0x00000000004239b2 <_ZN12DivFixppCore14avi_header_fixEv+3506>:mov    %eax,%edi
   0x00000000004239b4 <_ZN12DivFixppCore14avi_header_fixEv+3508>:callq  0x434eaf <_Z17make_littleendianIiERT_S0_>
   0x00000000004239b9 <_ZN12DivFixppCore14avi_header_fixEv+3513>:mov    -0x138(%rbp),%rdx
   0x00000000004239c0 <_ZN12DivFixppCore14avi_header_fixEv+3520>:mov    0x38(%rdx),%rdx
   0x00000000004239c4 <_ZN12DivFixppCore14avi_header_fixEv+3524>:lea    0x10(%rdx),%rcx
   0x00000000004239c8 <_ZN12DivFixppCore14avi_header_fixEv+3528>:mov    $0x4,%edx
   0x00000000004239cd <_ZN12DivFixppCore14avi_header_fixEv+3533>:mov    %rax,%rsi
   0x00000000004239d0 <_ZN12DivFixppCore14avi_header_fixEv+3536>:mov    %rcx,%rdi
=> 0x00000000004239d3 <_ZN12DivFixppCore14avi_header_fixEv+3539>:callq  0x40fcc0 <memcpy@plt>
   0x00000000004239d8 <_ZN12DivFixppCore14avi_header_fixEv+3544>:mov    -0x138(%rbp),%rax
---Type <return> to continue, or q <return> to quit---
End of assembler dump.
(gdb) i r 
rax            0x6615286690088
rbx            0x00
rcx            0x1016
rdx            0x44
rsi            0x6615286690088
rdi            0x1016
rbp            0x7fffffffcf100x7fffffffcf10
rsp            0x7fffffffcdd00x7fffffffcdd0
r8             0x8049308407344
r9             0x7ffff7fc1a40140737353882176
r10            0x640000006e429496729710
r11            0x00
r12            0x11
r13            0x11
r14            0x00
r15            0x00
rip            0x4239d30x4239d3 <DivFixppCore::avi_header_fix()+3539>
eflags         0x246[ PF ZF IF ]
cs             0x3351
ss             0x2b43
ds             0x00
es             0x00
fs             0x00
---Type <return> to continue, or q <return> to quit---
gs             0x00
(gdb)


POC:
DivFix++_v0.34_invalid_memory_write.avi
CVE:
CVE-2017-11330


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42396.zip

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 Jul 2017 00:00Current
5.6Medium risk
Vulners AI Score5.6
CVSS 24.3
CVSS 35.5
EPSS0.03066
divfix++ core functionavi filememory writesegmentation faultvulnerabilitydosexploitcve-2017-11330
29