Kaspersky Lab KLA11064
History: Oct 11, 2017 - 12:00 a.m.

KLA11064 Multiple vulnerabilities in IrfanView

2017-10-11 00:00:00
Kaspersky Lab
threats.kaspersky.com

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.009 Low

EPSS

Percentile

82.8%

Multiple serious vulnerabilities have been found in IrfanView 4.44. Malicious users can exploit these vulnerabilities to cause a denial of service or execute arbitrary code.

Below is a complete list of vulnerabilities:

  1. An integer overflow vulnerability in the JPEG 2000 parser can be exploited remotely via a specially designed JPEG 2000 image to execute arbitrary code;
  2. Multiple buffer overflow vulnerabilities can be exploited locally via specially designed *.rle files to cause a denial of service or execute arbitrary code;
  3. Multiple buffer overflow vulnerabilities in IrfanView 4.44 with FPX Plugin 4.47 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  4. A buffer overflow vulnerability, reported with the crash signature “Data from Faulting Address controls Branch Selection starting at USER32!wvsprintfA+0x00000000000002f3.”, can be exploited locally via a specially designed file to execute arbitrary code;
  5. A buffer overflow vulnerability in IrfanView 4.44 with FPX Plugin 4.45 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  6. A buffer overflow vulnerability can be exploited locally via specially designed *.mov files to execute arbitrary code;
  7. Multiple buffer overflow vulnerabilities in IrfanView 4.44 with FPX Plugin 4.46 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  8. A buffer overflow vulnerability in IrfanView 4.44 with FPX Plugin 4.46 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
  9. Multiple buffer overflow vulnerabilities in IrfanView 4.44 with TOOLS Plugin 4.50 can be exploited locally via specially designed files to cause a denial of service or execute arbitrary code;
  10. Multiple buffer overflow vulnerabilities can be exploited locally via a specially designed *.svg file to cause a denial of service;
  11. A buffer overflow vulnerability can be exploited locally via a specially designed *.ani file to cause a denial of service;
  12. A buffer overflow vulnerability can be exploited locally via a specially designed *.djvu file to cause a denial of service;
  13. Multiple buffer overflow vulnerabilities can be exploited locally via a specially designed *.pdf file to cause a denial of service or execute arbitrary code;
  14. A buffer overflow vulnerability can be exploited locally via a specially designed *.tif file to cause a denial of service.

Technical details

The quoted strings below are crash classifications as produced by the WinDbg !exploitable extension (for example “User Mode Write AV” or “Data from Faulting Address controls Branch Selection”); they describe the faulting instruction at the crash site, not the root cause, so several distinct signatures can stem from one underlying parser bug and two identical signatures can belong to different CVEs.

Vulnerability (1) is triggered while viewing an image in IrfanView or by using its thumbnailing feature.
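The page gives no code for the JPEG 2000 integer overflow, so the following is an added illustration of the bug class rather than IrfanView's parser: an image-size computation done in 32 bits wraps for large header dimensions, the decoder allocates the wrapped (tiny) size, and the subsequent pixel writes overflow the heap buffer. The field names, the 16-byte-per-pixel limit and the 256-megapixel policy cap are assumptions for the example.

```c
/* Added illustration, not IrfanView's code: how an unchecked size computation
 * in an image header parser wraps around and yields an undersized heap buffer,
 * beside the overflow-checked form. Field names and limits are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* VULNERABLE pattern: the product is computed in 32 bits, so e.g.
 * 65536 x 65537 x 1 wraps to 65536 bytes while the decoder later writes
 * 2^32 + 65536 pixels into that buffer (a heap overflow). */
uint32_t vuln_buf_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;                  /* wraps modulo 2^32 */
}

/* HARDENED form: reject zero or oversized fields, do the arithmetic in 64
 * bits (cannot wrap for 32-bit operands), and cap the pixel count with a
 * policy limit (assumed here to be 256 Mpixel). Returns 0 when the header
 * must be rejected, so the caller never allocates from it. */
size_t safe_buf_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    const uint64_t max_pixels = 1ull << 28;
    uint64_t pixels, bytes;

    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return 0;
    pixels = (uint64_t)width * height;
    if (pixels > max_pixels)
        return 0;
    bytes = pixels * bpp;                          /* <= 2^28 * 16 = 2^32, no wrap */
    if (bytes > (uint64_t)SIZE_MAX)                /* only reachable on 32-bit size_t */
        return 0;
    return (size_t)bytes;
}

/* 1 when the naive computation disagrees with the true byte count, i.e. the
 * header would have triggered the wrap in the vulnerable path. */
int header_wraps(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint64_t true_bytes = (uint64_t)width * height * bpp;
    return (uint64_t)vuln_buf_size(width, height, bpp) != true_bytes;
}

int main(void)
{
    uint32_t w = 65536, h = 65537, bpp = 1;        /* constructed crafted header */
    printf("naive size: %u bytes, checked size: %zu bytes, wraps: %d\n",
           vuln_buf_size(w, h, bpp), safe_buf_size(w, h, bpp),
           header_wraps(w, h, bpp));
    /* A decoder trusting vuln_buf_size() would malloc(65536) and then write
     * 4 GiB of pixel data into it; safe_buf_size() rejects the header instead. */
    return 0;
}
```

The same check applies wherever width, height, component count and bit depth are multiplied: every intermediate product must be bounded before it reaches an allocator, because a wrapped size is indistinguishable from a legitimate small image once the header has been parsed.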

Vulnerabilities (2) are related to:

  1. “User Mode Write AV starting at ntdll_77df0000!RtlpWaitOnCriticalSection+0x0000000000000121.”
  2. “User Mode Write AV starting at FORMATS!GetPlugInInfo+0x0000000000007d96.”
  3. “User Mode Write AV starting at FORMATS!GetPlugInInfo+0x0000000000007d80.”
  4. “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpAllocateHeap+0x0000000000000429.”
  5. “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpEnterCriticalSectionContended+0x0000000000000031.”
  6. “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpEnterCriticalSectionContended+0x0000000000000031.”
  7. “Invalid Handle starting at wow64!Wow64NotifyDebugger+0x000000000000001d.”
  8. “Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpFreeHeap+0x00000000000003ca.”
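The *.rle crashes above (heap writes inside RtlpAllocateHeap, RtlpFreeHeap and the FORMATS plugin) are the typical footprint of a run-length decoder that writes runs without checking them against the output image. The advisory does not say which RLE variant IrfanView parses; the added example below assumes a Windows BI_RLE8-style encoding and is not IrfanView's decoder. It shows the decoder written with every input read and output write bounds-checked, with the checks that a crashing decoder lacks marked CHECK, and decodes constructed sample streams (one valid, two crafted).

```c
/* Added illustration, not IrfanView's decoder: a run-length decoder for a
 * BI_RLE8-style stream (assumed here to be what a *.rle file carries) with
 * every output write and input read bounds-checked. The lines marked CHECK
 * are the checks a decoder that crashes on a crafted file is missing. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Decode src[0..n) into dst, a width*height byte image. Returns 1 on success,
 * 0 if the stream would write outside the image or read past its input. */
int rle8_decode(const uint8_t *src, size_t n, uint8_t *dst,
                uint32_t width, uint32_t height)
{
    size_t i = 0, dst_len;
    uint32_t x = 0, y = 0;

    if (width == 0 || height == 0 || width > SIZE_MAX / height)
        return 0;
    dst_len = (size_t)width * height;
    memset(dst, 0, dst_len);

    while (i + 2 <= n) {
        uint8_t count = src[i], value = src[i + 1];
        i += 2;
        if (count > 0) {                           /* encoded run: count x value */
            if (y >= height || count > width - x)  /* CHECK: run stays in row */
                return 0;
            memset(dst + (size_t)y * width + x, value, count);
            x += count;
        } else if (value == 0) {                   /* escape: end of line */
            x = 0;
            y++;
        } else if (value == 1) {                   /* escape: end of bitmap */
            return 1;
        } else if (value == 2) {                   /* escape: delta (dx, dy) */
            uint8_t dx, dy;
            if (i + 2 > n)                         /* CHECK: input available */
                return 0;
            dx = src[i]; dy = src[i + 1]; i += 2;
            if (dx > width - x || dy > height - y) /* CHECK: stays inside image */
                return 0;
            x += dx; y += dy;
        } else {                                   /* absolute: value literal bytes, word-padded */
            size_t lit = value, padded = (lit + 1) & ~(size_t)1;
            if (i + padded > n)                    /* CHECK: input available */
                return 0;
            if (y >= height || lit > width - x)    /* CHECK: literals fit in row */
                return 0;
            memcpy(dst + (size_t)y * width + x, src + i, lit);
            x += (uint32_t)lit; i += padded;
        }
    }
    return 0;                                      /* truncated: no end-of-bitmap */
}

/* Constructed 4x2 sample stream: run of 3 AA, run of 1 BB, end of line,
 * 3 literal bytes 11 22 33 (+pad), run of 1 44, end of bitmap. */
static const uint8_t good_stream[] = {
    0x03, 0xAA, 0x01, 0xBB, 0x00, 0x00,
    0x00, 0x03, 0x11, 0x22, 0x33, 0x00, 0x01, 0x44, 0x00, 0x01
};
static const uint8_t expected_img[8] = {
    0xAA, 0xAA, 0xAA, 0xBB, 0x11, 0x22, 0x33, 0x44
};
/* Constructed crafted stream: a run of 200 bytes into a 4-pixel row. */
static const uint8_t overlong_run[] = { 0xC8, 0xAA, 0x00, 0x01 };
/* Constructed crafted stream: absolute mode claims 5 literals but supplies 2. */
static const uint8_t truncated_abs[] = { 0x00, 0x05, 0x11, 0x22 };

int rle8_selftest_valid(void)
{
    uint8_t img[8];
    return rle8_decode(good_stream, sizeof good_stream, img, 4, 2) == 1
        && memcmp(img, expected_img, 8) == 0;
}

int rle8_selftest_rejects_overlong_run(void)
{
    uint8_t img[8];
    return rle8_decode(overlong_run, sizeof overlong_run, img, 4, 2) == 0;
}

int rle8_selftest_rejects_truncated_abs(void)
{
    uint8_t img[8];
    return rle8_decode(truncated_abs, sizeof truncated_abs, img, 4, 2) == 0;
}
```

Without the CHECK on the run length, `overlong_run` writes 196 bytes past the 8-byte image, which on a real heap lands in the next chunk's header; the later crash inside RtlpFreeHeap or RtlpAllocateHeap is then the heap manager tripping over the corrupted metadata, exactly the kind of signature listed for vulnerabilities (2).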

Vulnerabilities (3) are related to:

“User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a529.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b3ae.”
“Read Access Violation starting at wow64!Wow64NotifyDebugger+0x000000000000001d.”
“User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a529.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b3ae.”
“Read Access Violation starting at wow64!Wow64NotifyDebugger+0x000000000000001d.”

Vulnerability (6) exists because of a User Mode Write AV near NULL.

Vulnerabilities (7) are related to:

“User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000000f53.”
“User Mode Write AV starting at FPX+0x000000000000176c.”
“User Mode Write AV starting at FPX+0x0000000000001555.”
“User Mode Write AV starting at FPX!DE_Decode+0x0000000000000a9b.”
“User Mode Write AV starting at FPX!GetPlugInInfo+0x0000000000017426.”
“User Mode Write AV starting at FPX!GetPlugInInfo+0x0000000000016e53.”
“Read Access Violation on Control Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000014eb.”
“Read Access Violation on Control Flow starting at FPX!GetPlugInInfo+0x0000000000012bf2.”
“User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000007822.”
“User Mode Write AV starting at FPX!DE_Decode+0x0000000000000cdb.”
“Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c995.”
“Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c998.”
“Read Access Violation on Control Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c99a.”
“Data from Faulting Address controls subsequent Write Address starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a525.”
“Data from Faulting Address controls Code Flow starting at FPX+0x0000000000007236.”
“Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000014e7.”
“Read Access Violation on Block Data Move starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b84f.”
“Data from Faulting Address controls Code Flow starting at FPX+0x0000000000007216.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpCoalesceFreeBlocks+0x00000000000001b6.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000006a98.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpLowFragHeapFree+0x000000000000001f.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX+0x000000000000688d.”
“Data from Faulting Address controls Branch Selection starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000031a0.”
“Read Access Violation starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000003714.”
“Read Access Violation starting at FPX+0x000000000000153a.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000007053.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpFreeHeap+0x0000000000000393.”

Vulnerabilities (9) are related to:

“Read Access Violation on Block Data Move starting at ntdll_77df0000!memcpy+0x0000000000000033.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlFreeHandle+0x00000000000001b6.”
“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at ntdll_77df0000!RtlFreeHandle+0x0000000000000218.”
“Data from Faulting Address controls Branch Selection starting at KERNELBASE!QueryOptionalDelayLoadedAPI+0x0000000000000c42.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResCompareResourceNames+0x0000000000000087.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResSearchResourceInsideDirectory+0x000000000000029e.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResGetMappingSize+0x00000000000003cc.”
“Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpCompareResourceNames_U+0x0000000000000062.”

Vulnerabilities (10) are related to:

“Data from Faulting Address controls Branch Selection starting at image00000000_00400000+0x000000000011d767.”
“Data from Faulting Address controls Branch Selection starting at CADIMAGE+0x000000000001f23e.”

Vulnerability (11) is related to “Data from Faulting Address controls Branch Selection starting at ntdll_77130000!RtlpCoalesceFreeBlocks+0x00000000000004b4.”

Vulnerability (12) is related to “Data from Faulting Address controls Branch Selection starting at DJVU!GetPlugInInfo+0x000000000001c613.”

Vulnerabilities (10) to (12) affect only the 32-bit version of IrfanView.

Vulnerability (13) is related to:

“Data from Faulting Address controls Code Flow starting at PDF!xmlParserInputRead+0x000000000009174a.”
“Read Access Violation starting at PDF!xmlParserInputRead+0x0000000000161a9c.”
“Data from Faulting Address controls Branch Selection starting at PDF!xmlParserInputRead+0x000000000011624a.”
“Data from Faulting Address may be used as a return value starting at PDF!xmlParserInputRead+0x0000000000129a59.”
“Possible Stack Corruption starting at PDF!xmlGetGlobalState+0x0000000000057b35.”
“Data from Faulting Address controls Code Flow starting at PDF!xmlParserInputRead+0x0000000000048d0c.”
“Data from Faulting Address controls Branch Selection starting at PDF!xmlListWalk+0x00000000000166c4.”

Vulnerability (14) is related to:

“Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at image00000000_00400000+0x00000000000236e4.”

NB: Not every vulnerability has a CVSS rating yet, so the cumulative CVSS rating may not be representative.

Original advisories

IrfanView PlugIns

Exploitation

Malware exists for this vulnerability. Usually such malware is classified as Exploit.

Related products

IrfanView

CVE list

CVE-2017-15239 high

CVE-2017-15240 high

CVE-2017-15241 high

CVE-2017-15242 high

CVE-2017-15243 high

CVE-2017-15244 high

CVE-2017-15245 high

CVE-2017-15246 high

CVE-2017-15247 high

CVE-2017-15248 high

CVE-2017-15249 high

CVE-2017-15250 high

CVE-2017-15251 high

CVE-2017-15252 high

CVE-2017-15253 high

CVE-2017-15254 high

CVE-2017-15255 high

CVE-2017-15256 high

CVE-2017-15257 high

CVE-2017-15258 high

CVE-2017-15259 high

CVE-2017-15260 high

CVE-2017-15261 high

CVE-2017-15262 high

CVE-2017-15263 high

CVE-2017-15264 high

CVE-2017-10924 high

CVE-2017-14693 warning

CVE-2017-10926 high

CVE-2017-14578 warning

CVE-2017-8369 high

CVE-2017-8370 high

CVE-2017-8766 high

CVE-2017-9534 high

CVE-2017-9528 high

CVE-2017-9530 warning

CVE-2017-9531 high

CVE-2017-9532 high

CVE-2017-9533 high

CVE-2017-2813 high

CVE-2017-9535 high

CVE-2017-9536 high

CVE-2017-9873 high

CVE-2017-9874 high

CVE-2017-9875 high

CVE-2017-9876 high

CVE-2017-9877 high

CVE-2017-9878 high

CVE-2017-9879 high

CVE-2017-9880 high

CVE-2017-9881 high

CVE-2017-9882 high

CVE-2017-9883 high

CVE-2017-9884 high

CVE-2017-9885 high

CVE-2017-9886 high

CVE-2017-9887 high

CVE-2017-9888 high

CVE-2017-9889 high

CVE-2017-9890 high

CVE-2017-9891 high

CVE-2017-9892 high

CVE-2017-14539 warning

CVE-2017-14540 warning

CVE-2017-10729 high

CVE-2017-10730 high

CVE-2017-10731 high

CVE-2017-10732 high

CVE-2017-10733 high

CVE-2017-10734 high

CVE-2017-10735 high

CVE-2017-10925 high

CVE-2017-9915 high

CVE-2017-9916 warning

CVE-2017-9917 warning

CVE-2017-9918 warning

CVE-2017-9919 warning

CVE-2017-9920 warning

CVE-2017-9921 warning

CVE-2017-9922 warning

Solution

Update to the latest version

IrfanView – Official Homepage

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can let an attacker execute arbitrary code or commands on the vulnerable machine or in the vulnerable process.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or a critical functional fault.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can let an attacker perform actions restricted by the current security settings.

Affected Products

  • IrfanView version 4.44
