PowerISO ISO Parsing Use After Free(CVE-2017-2823)

2017-09-18T00:00:00
ID SSV:96511
Type seebug
Reporter Root
Modified 2017-09-18T00:00:00

Description

Summary

A use-after-free vulnerability exists in the .ISO parsing functionality of PowerISO 6.8. A specially crafted .ISO file can cause a vulnerability resulting in potential code execution. An attacker can send a specific .ISO file to trigger this vulnerability.

Tested Versions

PowerISO 6.8 (6, 8, 0, 0)

Product URLs

http://poweriso.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

This vulnerability can be triggered by providing a specially crafted .ISO file and opening it with PowerISO software.

```
.text:0001BD5A loc_1BD5A:                       ; CODE XREF: bug_proc+88j
.text:0001BD5A                 mov     eax, [esi+0CCh]
.text:0001BD60                 mov     ecx, ds:65CB0Ch
.text:0001BD66                 cmp     eax, ecx
.text:0001BD68                 jge     short loc_1BD83
.text:0001BD6A                 mov     ecx, [esp+1Ch+arg_C]
.text:0001BD6E                 mov     edx, [esp+1Ch+arg_8]
.text:0001BD72                 push    ebx
.text:0001BD73                 push    ecx
.text:0001BD74                 push    edx
.text:0001BD75                 lea     eax, [eax+eax*8]
.text:0001BD78                 push    edi
.text:0001BD79                 push    esi
.text:0001BD7A                 call    dword ptr ds:65C834h[eax*4]
.text:0001BD81                 jmp     short loc_1BDA3
```

The instruction at 0x0001BD5A loads EAX from a memory region that was already freed at this point. After the multiplication at 0x0001BD75, that value selects the function pointer that the call instruction at 0x0001BD7A invokes. The use of previously freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system's reuse of the freed memory.
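The pattern above is a table dispatch driven by a field of an object that has already been freed. As an added illustration (constructed for this page, not PowerISO's code; all names are hypothetical), the following C mirrors the 36-byte table entries implied by `lea eax, [eax+eax*8]` and shows the defensive shape of the same dispatch: the handle is cleared on release, the index is range-checked in both directions (the page's `cmp`/`jge` is a signed upper-bound check only), and the table entry is verified before the call.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed handler table: nine 32-bit words per entry, the first being the
 * function pointer, matching the stride of "call ds:65C834h[eax*4]" after
 * eax has been scaled by nine. */
typedef int (*iso_handler_fn)(int arg);

struct handler_entry {
    iso_handler_fn fn;
    uint32_t extra[8];   /* the remaining eight words of the 36-byte entry */
};

static int handle_primary(int arg)   { return arg + 1; }
static int handle_secondary(int arg) { return arg * 2; }

static const struct handler_entry handler_table[] = {
    { handle_primary,   {0} },
    { handle_secondary, {0} },
};
static const int handler_count = sizeof handler_table / sizeof handler_table[0];

/* Parser state object; handler_idx plays the role of the field at [esi+0CCh]. */
struct iso_ctx {
    int handler_idx;
};

struct iso_ctx *iso_ctx_new(int idx) {
    struct iso_ctx *c = malloc(sizeof *c);
    if (c) c->handler_idx = idx;
    return c;
}

/* Release through a double pointer so the caller's handle is cleared: a later
 * dispatch sees NULL instead of a dangling pointer into reused heap memory. */
void iso_ctx_release(struct iso_ctx **pc) {
    if (pc && *pc) {
        (*pc)->handler_idx = -1;   /* poison the index before the block is freed */
        free(*pc);
        *pc = NULL;
    }
}

/* Dispatch with the checks missing from the original path: live object,
 * index within [0, handler_count), non-NULL table entry. Returns -1 on refusal. */
int iso_dispatch(const struct iso_ctx *c, int arg) {
    if (!c) return -1;
    if (c->handler_idx < 0 || c->handler_idx >= handler_count) return -1;
    if (!handler_table[c->handler_idx].fn) return -1;
    return handler_table[c->handler_idx].fn(arg);
}
```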

Crash Information

```
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP: 
image00000000_00400000+1bd7a
0041bd7a ff148534c86500  call    dword ptr image00000000_00400000+0x25c834 (0065c834)[eax*4]

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000000000041bd7a (image00000000_00400000+0x000000000001bd7a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 00000000da01a1ac
Attempt to read from address 00000000da01a1ac

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
eax=f666f65e ebx=00000010 ecx=02e893f8 edx=00000000 esi=059f0048 edi=00000010
eip=0041bd7a esp=0019e958 ebp=feeefeee iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
image00000000_00400000+0x1bd7a:
0041bd7a ff148534c86500  call    dword ptr image00000000_00400000+0x25c834 (0065c834)[eax*4] ds:002b:da01a1ac=????????

FAULTING_THREAD:  000000000000105c

PROCESS_NAME:  image00000000`00400000

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  00000000da01a1ac

READ_ADDRESS:  00000000da01a1ac

FOLLOWUP_IP: 
image00000000_00400000+1bd7a
0041bd7a ff148534c86500  call    dword ptr image00000000_00400000+0x25c834 (0065c834)[eax*4]

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

APP:  image00000000`00400000

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

LAST_CONTROL_TRANSFER:  from 000000000052e8b0 to 000000000041bd7a

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_ZEROED_STACK

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

STACK_TEXT:  
00000000`0019e958 00000000`0041bd7a image00000000+0x1bd7a
00000000`0019e988 00000000`0052e8b0 image00000000+0x12e8b0
00000000`0019e98c 00000000`004354bb image00000000+0x354bb
00000000`0052e8b8 ffffffff`e004247c unknown!unknown+0x0
00000000`0052e8bc 00000000`74ff2277 windows_storage!_tls_end+0x26f
00000000`0052e8c0 00000000`1ce80424 unknown!unknown+0x0
00000000`0052e8c4 ffffffff`85000000 unknown!unknown+0x0
00000000`0052e8c8 00000000`167559c0 unknown!unknown+0x0
00000000`0052e8cc 00000000`08244439 unknown!unknown+0x0
00000000`0052e8d0 00000000`74ff1074 windows_storage!DSROLE_NULL_THUNK_DATA_DLA+0x0
00000000`0052e8d4 00000000`54e80424 unknown!unknown+0x0
00000000`0052e8d8 ffffffff`85000059 unknown!unknown+0x0
00000000`0052e8dc ffffffff`de7559c0 unknown!unknown+0x0
00000000`0052e8e0 00000000`56c3c033 unknown!unknown+0x0
00000000`0052e8e4 00000000`0824748b unknown!unknown+0x0
00000000`0052e8e8 ffffffff`b15c353b unknown!unknown+0x0
00000000`0052e8ec 00000000`77570071 ole32!ext-ms-win-sxs-oleautomation-l1-1-0_NULL_THUNK_DATA_DLA <PERF> +0x0
00000000`0052e8f0 ffffffff`e8096a21 unknown!unknown+0x0


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  image00000000+1bd7a

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: image00000000_00400000

IMAGE_NAME:  PowerISO.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  58932d2b

STACK_COMMAND:  .ecxr ; kb ; dps 19e958 ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_PowerISO.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_ZEROED_STACK_image00000000+1bd7a

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_poweriso.exe!unknown

FAILURE_ID_HASH:  {ae0362d7-c487-042b-dd94-abc556299378}

Followup: MachineOwner
---------

```

Timeline

  • 2017-04-26 - Vendor Disclosure
  • 2017-05-05 - Public Release

CREDIT

  • Discovered by Piotr Bania of Cisco Talos.