ACDSee Free - User Mode Write AV starting at IDE_ACDStd!JPEGTransW+0x0000000000002450 (Hash=0xec22af54.0x90452bcd)

Version 1.1.21

The bug


Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "Z:\s\apr\blackhat\tools\ACDSee Free\ACDSee Free.exe" "z:\s\apr\blackhat\crashes_reproduce\acdsee\crashes_20190322105613\id_000082_00r.bmp"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 007c6000   ACDSee Free.exe
ModLoad: 77660000 777f0000   ntdll.dll
Page heap: pid 0x1BF0: page heap enabled with flags 0x3.
ModLoad: 713d0000 71434000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x1BF0: page heap enabled with flags 0x3.
ModLoad: 77490000 77570000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 772a0000 77484000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 742f0000 7447d000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 73580000 73784000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 76400000 764bf000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 75e10000 7606c000   C:\Windows\SysWOW64\combase.dll
ModLoad: 73f40000 7405d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 762d0000 76390000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 73f20000 73f40000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73f10000 73f1a000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 76240000 76298000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 76070000 76087000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 762a0000 762c2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76510000 76674000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 74270000 742ed000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 76b50000 76c26000   C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 74130000 741b8000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 764c0000 76505000   C:\Windows\SysWOW64\SHLWAPI.dll
ModLoad: 74970000 75cba000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 74930000 74969000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 76c90000 7724a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 76090000 76108000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 74480000 744c4000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 74260000 7426f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74910000 74928000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 77250000 77295000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 10000000 100a8000   Z:\s\apr\blackhat\tools\ACDSee Free\ShellIntMgr51U.dll
ModLoad: 713c0000 713c6000   C:\Windows\SysWOW64\MSIMG32.dll
ModLoad: 70e30000 713b1000   Z:\s\apr\blackhat\tools\ACDSee Free\AcdIDClient.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 76690000 76698000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 76110000 7620c000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 741c0000 74256000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 76390000 763f7000   C:\Windows\SysWOW64\WS2_32.dll
ModLoad: 766a0000 76836000   C:\Windows\SysWOW64\CRYPT32.dll
ModLoad: 76680000 7668e000   C:\Windows\SysWOW64\MSASN1.dll
ModLoad: 76210000 76229000   C:\Windows\SysWOW64\imagehlp.dll
ModLoad: 70930000 709ee000   Z:\s\apr\blackhat\tools\ACDSee Free\MSVCR100.dll
ModLoad: 709f0000 70e22000   Z:\s\apr\blackhat\tools\ACDSee Free\mfc100u.dll
ModLoad: 6fef0000 70344000   C:\Windows\SysWOW64\WININET.dll
ModLoad: 708c0000 70929000   Z:\s\apr\blackhat\tools\ACDSee Free\MSVCP100.dll
ModLoad: 26340000 263c8000   Z:\s\apr\blackhat\tools\ACDSee Free\ipwssl6.dll
ModLoad: 704d0000 708b5000   C:\Windows\SysWOW64\msi.dll
ModLoad: 70440000 704ce000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCP90.dll
ModLoad: 70390000 70433000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
ModLoad: 72c80000 72c88000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 70350000 7038d000   C:\Windows\SysWOW64\STI.dll
ModLoad: 734b0000 734c9000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 6fee0000 6feee000   C:\Windows\WinSxS\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.6161_none_80ba6c811e9b4aff\VCOMP90.DLL
ModLoad: 6fe50000 6fede000   C:\Windows\SysWOW64\mscms.dll
ModLoad: 6fe20000 6fe41000   C:\Windows\SysWOW64\USERENV.dll
ModLoad: 6fe10000 6fe1c000   C:\Windows\SysWOW64\ColorAdapterClient.dll
ModLoad: 74060000 74086000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 73400000 7347c000   C:\Windows\SysWOW64\UxTheme.dll
ModLoad: 73120000 73143000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 5d360000 5d36d000   C:\Windows\SysWOW64\MFC100ENU.DLL
ModLoad: 46480000 46483000   C:\Windows\SysWOW64\security.dll
ModLoad: 72c90000 72c9a000   C:\Windows\SysWOW64\SECUR32.DLL
ModLoad: 6fdf0000 6fe03000   C:\Windows\SysWOW64\CRYPTSP.dll
ModLoad: 6fdc0000 6fdef000   C:\Windows\SysWOW64\rsaenh.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 09a80000 09ea8000   Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
ModLoad: 09a80000 09ea8000   Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
(1bf0.498): C++ EH exception - code e06d7363 (first chance)
PIM: Loading IDE_ACDStd.apl
ModLoad: 09eb0000 0a1a6000   z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
ModLoad: 09eb0000 0a1a6000   z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
PIM: Loading IDE_ACDStd.apl
ModLoad: 75cc0000 75e03000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 730a0000 7311d000   C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 72e40000 7309d000   C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 72db0000 72e3b000   C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 72d80000 72da9000   C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 72ca0000 72d76000   C:\Windows\SysWOW64\wintypes.dll
ModLoad: 09150000 09226000   C:\Windows\SysWOW64\wintypes.dll
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
(1bf0.ffc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0ab9b003 ebx=0000f600 ecx=ffffffea edx=06190058 esi=0ab98f60 edi=0000f6ff
eip=09f09230 esp=0875fdbc ebp=7fffffff iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
IDE_ACDStd!JPEGTransW+0x2450:
09f09230 8858fd          mov     byte ptr [eax-3],bl        ds:002b:0ab9b000=??
0:003> $<z:\s\apr\office\crashes\cmd.txt
0:003> .load msec.dll
0:003> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0875fdc8 09f09c2d 00000002 0990fbb0 09f24c4f IDE_ACDStd!JPEGTransW+0x2450
01 0875fdd4 09f24c4f 0875fe4c 0043db77 0ab98f60 IDE_ACDStd!JPEGTransW+0x2e4d
02 0875fddc 0043db77 0ab98f60 0875fe4c a8c12313 IDE_ACDStd!IDP_PageDecodeStep+0x1f
03 0875fe70 004e9d03 00000000 0875fec4 09a3e06c ACDSee_Free+0x3db77
04 00000000 00000000 00000000 00000000 00000000 ACDSee_Free+0xe9d03
0:003> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IDE_ACDStd!JPEGTransW+0x0000000000002450 (Hash=0xec22af54.0x90452bcd)

User mode write access violations that are not near NULL are exploitable.