ACDSee Free - User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000000b9c2f (Hash=0xfb57d905.0x39a1204c)

Version 1.1.21

The bug
Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "Z:\s\apr\blackhat\tools\ACDSee Free\ACDSee Free.exe" "z:\s\apr\blackhat\crashes_reproduce\acdsee\crashes_20190322105613\id_000091_00r.bmp"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 007c6000   ACDSee Free.exe
ModLoad: 77660000 777f0000   ntdll.dll
Page heap: pid 0x40C: page heap enabled with flags 0x3.
ModLoad: 713d0000 71434000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x40C: page heap enabled with flags 0x3.
ModLoad: 77490000 77570000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 772a0000 77484000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 742f0000 7447d000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 73580000 73784000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 76400000 764bf000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 75e10000 7606c000   C:\Windows\SysWOW64\combase.dll
ModLoad: 73f40000 7405d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 762d0000 76390000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 73f20000 73f40000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73f10000 73f1a000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 76240000 76298000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 74480000 744c4000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 76070000 76087000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 001d0000 001f2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76510000 76674000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 74270000 742ed000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 76b50000 76c26000   C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 74130000 741b8000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 764c0000 76505000   C:\Windows\SysWOW64\SHLWAPI.dll
ModLoad: 74970000 75cba000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 74930000 74969000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 76c90000 7724a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 76090000 76108000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 74260000 7426f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74910000 74928000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 77250000 77295000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 76690000 76698000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 10000000 100a8000   Z:\s\apr\blackhat\tools\ACDSee Free\ShellIntMgr51U.dll
ModLoad: 76210000 76229000   C:\Windows\SysWOW64\imagehlp.dll
ModLoad: 76110000 7620c000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 741c0000 74256000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 713c0000 713c6000   C:\Windows\SysWOW64\MSIMG32.dll
ModLoad: 70e30000 713b1000   Z:\s\apr\blackhat\tools\ACDSee Free\AcdIDClient.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 762a0000 762c2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76390000 763f7000   C:\Windows\SysWOW64\WS2_32.dll
ModLoad: 766a0000 76836000   C:\Windows\SysWOW64\CRYPT32.dll
ModLoad: 76680000 7668e000   C:\Windows\SysWOW64\MSASN1.dll
ModLoad: 70da0000 70e2e000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCP90.dll
ModLoad: 70cf0000 70d93000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
ModLoad: 70ce0000 70cee000   C:\Windows\WinSxS\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.6161_none_80ba6c811e9b4aff\VCOMP90.DLL
ModLoad: 72c80000 72c88000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 70c50000 70cde000   C:\Windows\SysWOW64\mscms.dll
ModLoad: 70750000 7080e000   Z:\s\apr\blackhat\tools\ACDSee Free\MSVCR100.dll
ModLoad: 70810000 70c42000   Z:\s\apr\blackhat\tools\ACDSee Free\mfc100u.dll
ModLoad: 706e0000 70749000   Z:\s\apr\blackhat\tools\ACDSee Free\MSVCP100.dll
ModLoad: 6fef0000 70344000   C:\Windows\SysWOW64\WININET.dll
ModLoad: 26340000 263c8000   Z:\s\apr\blackhat\tools\ACDSee Free\ipwssl6.dll
ModLoad: 6f730000 6fb15000   C:\Windows\SysWOW64\msi.dll
ModLoad: 706a0000 706dd000   C:\Windows\SysWOW64\STI.dll
ModLoad: 6fe20000 6fe41000   C:\Windows\SysWOW64\USERENV.dll
ModLoad: 70690000 7069c000   C:\Windows\SysWOW64\ColorAdapterClient.dll
ModLoad: 734b0000 734c9000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 74060000 74086000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 73400000 7347c000   C:\Windows\SysWOW64\UxTheme.dll
ModLoad: 73120000 73143000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 5d360000 5d36d000   C:\Windows\SysWOW64\MFC100ENU.DLL
ModLoad: 46480000 46483000   C:\Windows\SysWOW64\security.dll
ModLoad: 72c90000 72c9a000   C:\Windows\SysWOW64\SECUR32.DLL
ModLoad: 70670000 70683000   C:\Windows\SysWOW64\CRYPTSP.dll
ModLoad: 70640000 7066f000   C:\Windows\SysWOW64\rsaenh.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 09700000 09b28000   Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
ModLoad: 09700000 09b28000   Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
(40c.ea4): C++ EH exception - code e06d7363 (first chance)
PIM: Loading IDE_ACDStd.apl
ModLoad: 09b30000 09e26000   z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
ModLoad: 09b30000 09e26000   z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
PIM: Loading IDE_ACDStd.apl
ModLoad: 75cc0000 75e03000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 730a0000 7311d000   C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 72e40000 7309d000   C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 72db0000 72e3b000   C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 72d80000 72da9000   C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 72ca0000 72d76000   C:\Windows\SysWOW64\wintypes.dll
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
(40c.ca4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=fefefefe ebx=00000000 ecx=00003ffd edx=00000003 esi=0a8d0f60 edi=0a8d3000
eip=09c6090f esp=0859fda4 ebp=0a8d0f80 iopl=0         nv up ei pl nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010207
IDE_ACDStd!IEP_SetColorProfile+0xb9c2f:
09c6090f f3ab            rep stos dword ptr es:[edi]
0:003> $<z:\s\apr\office\crashes\cmd.txt
0:003> .load msec.dll
0:003> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0859fda4 09b8917a 0a8d2ff8 000000fe 0000ffff IDE_ACDStd!IEP_SetColorProfile+0xb9c2f
01 0859fdc8 09b89c11 00000002 0958fbb0 09ba4c4f IDE_ACDStd!JPEGTransW+0x239a
02 0859fdd4 09ba4c4f 0859fe4c 0043db77 0a8d0f60 IDE_ACDStd!JPEGTransW+0x2e31
03 0859fddc 0043db77 0a8d0f60 0859fe4c 168a9c29 IDE_ACDStd!IDP_PageDecodeStep+0x1f
04 0859fe70 004e9d03 00000000 0859fec4 096be06c ACDSee_Free+0x3db77
05 00000000 00000000 00000000 00000000 00000000 ACDSee_Free+0xe9d03
0:003> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000000b9c2f (Hash=0xfb57d905.0x39a1204c)

User mode write access violations that are not near NULL are exploitable.