7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.009 Low
EPSS
Percentile
82.7%
The version of XnView 2.x installed on the remote Windows host is earlier than 2.13. It is, therefore, reportedly affected by the following buffer overflow vulnerabilities:
A remote, heap-based buffer overflow vulnerability exists due to an error in the ‘xnview.exe’ file when processing BMP files. An attacker can exploit this issue through a specially crafted ‘biBitCount’ field.
(CVE-2013-3937)
A remote, heap-based buffer overflow vulnerability exists because XnView fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Specifically, this issue occurs due to a sign-extension error in the ‘xnview.exe’ file when processing RLE strip lengths in RGB files. An attacker can exploit this issue through a specially crafted RLE strip size field. (CVE-2013-3939)
A remote, heap-based buffer overflow vulnerability exists because XnView fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Specifically, this issue occurs in ‘Xjp2.dll’ when using the Csiz parameter of the SIZ marker and lqcd field of the QCD marker. An attacker can exploit this issue through a specially crafted JPEG2000 file. (CVE-2013-3941)
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(71864);
script_version("1.3");
script_cvs_date("Date: 2018/11/15 20:50:29");
script_cve_id("CVE-2013-3937", "CVE-2013-3939", "CVE-2013-3941");
script_bugtraq_id(64438, 64439, 64441);
script_name(english:"XnView 2.x < 2.13 Multiple Buffer Overflows");
script_summary(english:"Checks XnView.exe's product version number");
script_set_attribute(
attribute:"synopsis",
value:
"The remote Windows host contains an application that is affected by
multiple buffer overflow vulnerabilities."
);
script_set_attribute(
attribute:"description",
value:
"The version of XnView 2.x installed on the remote Windows host is
earlier than 2.13. It is, therefore, reportedly affected by the
following buffer overflow vulnerabilities:
- A remote, heap-based buffer overflow vulnerability
exists due to an error in the 'xnview.exe' file when
processing BMP files. An attacker can exploit this issue
through a specially crafted 'biBitCount' field.
(CVE-2013-3937)
- A remote, heap-based buffer overflow vulnerability
exists because XnView fails to properly bounds-check
user-supplied input before copying it to an
insufficiently sized memory buffer. Specifically, this
issue occurs due to a sign-extension error in the
'xnview.exe' file when processing RLE strip lengths in
RGB files. An attacker can exploit this issue through a
specially crafted RLE strip size field. (CVE-2013-3939)
- A remote, heap-based buffer overflow vulnerability
exists because XnView fails to properly bounds-check
user-supplied input before copying it to an
insufficiently sized memory buffer. Specifically, this
issue occurs in 'Xjp2.dll' when using the Csiz parameter
of the SIZ marker and lqcd field of the QCD marker. An
attacker can exploit this issue through a specially
crafted JPEG2000 file. (CVE-2013-3941)"
);
# Release notes
script_set_attribute(attribute:"see_also", value:"https://newsgroup.xnview.com/viewtopic.php?f=35&t=29087");
script_set_attribute(attribute:"solution", value:"Upgrade to XnView version 2.13 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2013/12/12");
script_set_attribute(attribute:"patch_publication_date", value:"2013/12/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/08");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:xnview:xnview");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
script_dependencies("xnview_rgbe_overflow.nasl");
script_require_keys("SMB/XnView/Version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
kb_base = "SMB/XnView";
get_kb_item_or_exit(kb_base+"/Installed");
path = get_kb_item_or_exit(kb_base+"/Path");
version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
# Check the version number.
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
ver[i] = int(ver[i]);
# 2.00 < 2.13
if (ver[0] == 2 && ver[1] < 13)
{
port = get_kb_item("SMB/transport");
if (!port) port = 445;
if (report_verbosity > 0)
{
report =
'\n Path : ' + path +
'\n Installed version : ' + version +
'\n Fixed version : 2.13\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
}
else audit(AUDIT_INST_PATH_NOT_VULN, "XnView", version, path);
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.009 Low
EPSS
Percentile
82.7%