ACDSee Free - User Mode Write AV starting at IDE_ACDStd!JPEGTransW+0x00000000000024ed (Hash=0xec22af54.0x9a44352d)
Version 1.1.21
The bug
Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "Z:\s\apr\blackhat\tools\ACDSee Free\ACDSee Free.exe" "z:\s\apr\blackhat\crashes_reproduce\acdsee\crashes_20190322105613\id_000083_00r.bmp"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'
************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 007c6000 ACDSee Free.exe
ModLoad: 77660000 777f0000 ntdll.dll
Page heap: pid 0x1278: page heap enabled with flags 0x3.
ModLoad: 713d0000 71434000 C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x1278: page heap enabled with flags 0x3.
ModLoad: 77490000 77570000 C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 772a0000 77484000 C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 742f0000 7447d000 C:\Windows\SysWOW64\USER32.dll
ModLoad: 73580000 73784000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 76400000 764bf000 C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 75e10000 7606c000 C:\Windows\SysWOW64\combase.dll
ModLoad: 73f40000 7405d000 C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 762d0000 76390000 C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 73f20000 73f40000 C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73f10000 73f1a000 C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 76240000 76298000 C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 74480000 744c4000 C:\Windows\SysWOW64\sechost.dll
ModLoad: 762a0000 762c2000 C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76510000 76674000 C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 74270000 742ed000 C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 058f0000 05a7d000 C:\Windows\SysWOW64\USER32.dll
ModLoad: 76070000 76087000 C:\Windows\SysWOW64\win32u.dll
ModLoad: 10000000 100a8000 Z:\s\apr\blackhat\tools\ACDSee Free\ShellIntMgr51U.dll
ModLoad: 00020000 00037000 C:\Windows\SysWOW64\win32u.dll
ModLoad: 713c0000 713c6000 C:\Windows\SysWOW64\MSIMG32.dll
ModLoad: 70e30000 713b1000 Z:\s\apr\blackhat\tools\ACDSee Free\AcdIDClient.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 76090000 76108000 C:\Windows\SysWOW64\ADVAPI32.dll
ModLoad: 74970000 75cba000 C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 764c0000 76505000 C:\Windows\SysWOW64\SHLWAPI.dll
ModLoad: 76110000 7620c000 C:\Windows\SysWOW64\ole32.dll
ModLoad: 74930000 74969000 C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 74130000 741b8000 C:\Windows\SysWOW64\shcore.dll
ModLoad: 76c90000 7724a000 C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 74260000 7426f000 C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74910000 74928000 C:\Windows\SysWOW64\profapi.dll
ModLoad: 77250000 77295000 C:\Windows\SysWOW64\powrprof.dll
ModLoad: 76690000 76698000 C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 741c0000 74256000 C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 76390000 763f7000 C:\Windows\SysWOW64\WS2_32.dll
ModLoad: 766a0000 76836000 C:\Windows\SysWOW64\CRYPT32.dll
ModLoad: 76680000 7668e000 C:\Windows\SysWOW64\MSASN1.dll
ModLoad: 76210000 76229000 C:\Windows\SysWOW64\imagehlp.dll
ModLoad: 76b50000 76c26000 C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 70d70000 70e2e000 Z:\s\apr\blackhat\tools\ACDSee Free\MSVCR100.dll
ModLoad: 70980000 70d65000 C:\Windows\SysWOW64\msi.dll
ModLoad: 70500000 7053d000 C:\Windows\SysWOW64\STI.dll
ModLoad: 70470000 704fe000 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCP90.dll
ModLoad: 70540000 70972000 Z:\s\apr\blackhat\tools\ACDSee Free\mfc100u.dll
ModLoad: 6fef0000 70344000 C:\Windows\SysWOW64\WININET.dll
ModLoad: 70400000 70469000 Z:\s\apr\blackhat\tools\ACDSee Free\MSVCP100.dll
ModLoad: 26340000 263c8000 Z:\s\apr\blackhat\tools\ACDSee Free\ipwssl6.dll
ModLoad: 70350000 703f3000 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
ModLoad: 72c80000 72c88000 C:\Windows\SysWOW64\VERSION.dll
ModLoad: 6fee0000 6feee000 C:\Windows\WinSxS\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.6161_none_80ba6c811e9b4aff\VCOMP90.DLL
ModLoad: 6fe50000 6fede000 C:\Windows\SysWOW64\mscms.dll
ModLoad: 734b0000 734c9000 C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 6fe20000 6fe41000 C:\Windows\SysWOW64\USERENV.dll
ModLoad: 6fe10000 6fe1c000 C:\Windows\SysWOW64\ColorAdapterClient.dll
ModLoad: 74060000 74086000 C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 73400000 7347c000 C:\Windows\SysWOW64\UxTheme.dll
ModLoad: 73120000 73143000 C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 5d360000 5d36d000 C:\Windows\SysWOW64\MFC100ENU.DLL
ModLoad: 46480000 46483000 C:\Windows\SysWOW64\security.dll
ModLoad: 72c90000 72c9a000 C:\Windows\SysWOW64\SECUR32.DLL
ModLoad: 6fdf0000 6fe03000 C:\Windows\SysWOW64\CRYPTSP.dll
ModLoad: 6fdc0000 6fdef000 C:\Windows\SysWOW64\rsaenh.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 09800000 09c28000 Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
ModLoad: 09800000 09c28000 Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
(1278.1ba8): C++ EH exception - code e06d7363 (first chance)
PIM: Loading IDE_ACDStd.apl
ModLoad: 09c30000 09f26000 z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
ModLoad: 09c30000 09f26000 z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
PIM: Loading IDE_ACDStd.apl
ModLoad: 75cc0000 75e03000 C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 730a0000 7311d000 C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 72e40000 7309d000 C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 72db0000 72e3b000 C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 72ca0000 72cc9000 C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 72cd0000 72da6000 C:\Windows\SysWOW64\wintypes.dll
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
(1278.1bd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0a9dd003 ebx=fff7d5f1 ecx=00000000 edx=060c007a esi=0a9c8f60 edi=fff7d5f1
eip=09c892cd esp=088cfdbc ebp=7fffffff iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
IDE_ACDStd!JPEGTransW+0x24ed:
09c892cd 8858fd mov byte ptr [eax-3],bl ds:002b:0a9dd000=??
0:003> $<z:\s\apr\office\crashes\cmd.txt
0:003> .load msec.dll
0:003> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 088cfdc8 09c89bd9 00000002 0968fbb0 09ca4c4f IDE_ACDStd!JPEGTransW+0x24ed
01 088cfdd4 09ca4c4f 088cfe4c 0043db77 0a9c8f60 IDE_ACDStd!JPEGTransW+0x2df9
02 088cfddc 0043db77 0a9c8f60 088cfe4c 60a8b21c IDE_ACDStd!IDP_PageDecodeStep+0x1f
03 088cfe70 004e9d03 00000000 088cfec4 097be06c ACDSee_Free+0x3db77
04 00000000 00000000 00000000 00000000 00000000 ACDSee_Free+0xe9d03
0:003> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IDE_ACDStd!JPEGTransW+0x00000000000024ed (Hash=0xec22af54.0x9a44352d)
User mode write access violations that are not near NULL are exploitable.
