ACDSee Free - User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000000b9e7a (Hash=0x1f594f60.0xc37cb0eb)

Version 1.1.21

The bug


Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "Z:\s\apr\blackhat\tools\ACDSee Free\ACDSee Free.exe" "z:\s\apr\blackhat\crashes_reproduce\acdsee\crashes_20190322105613\id_000045_00r.bmp"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 007c6000   ACDSee Free.exe
ModLoad: 770e0000 77270000   ntdll.dll
Page heap: pid 0x1324: page heap enabled with flags 0x3.
ModLoad: 712d0000 71334000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x1324: page heap enabled with flags 0x3.
ModLoad: 73c80000 73d60000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 74fb0000 75194000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 73e20000 73fad000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 73e00000 73e17000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 76c80000 76ca2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 74e40000 74fa4000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 73fc0000 7403d000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 74040000 7415d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 76b80000 76c56000   C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 75770000 7582f000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 74380000 745dc000   C:\Windows\SysWOW64\combase.dll
ModLoad: 73a20000 73ae0000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 739a0000 739c0000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73990000 7399a000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 74d50000 74da8000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 739d0000 73a14000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 74160000 741e8000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 74db0000 74df5000   C:\Windows\SysWOW64\SHLWAPI.dll
ModLoad: 75830000 76b7a000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 74e00000 74e39000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 751a0000 7575a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 74c70000 74ce8000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 73d60000 73d6f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74610000 74628000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 76e30000 76e75000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 75760000 75768000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 76c60000 76c79000   C:\Windows\SysWOW64\imagehlp.dll
ModLoad: 73000000 73204000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 10000000 100a8000   Z:\s\apr\blackhat\tools\ACDSee Free\ShellIntMgr51U.dll
ModLoad: 74280000 7437c000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 70e40000 70e46000   C:\Windows\SysWOW64\MSIMG32.dll
ModLoad: 708b0000 70e31000   Z:\s\apr\blackhat\tools\ACDSee Free\AcdIDClient.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 05a90000 05b8c000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 76d30000 76dc6000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 74a60000 74ac7000   C:\Windows\SysWOW64\WS2_32.dll
ModLoad: 73ae0000 73c76000   C:\Windows\SysWOW64\CRYPT32.dll
ModLoad: 73fb0000 73fbe000   C:\Windows\SysWOW64\MSASN1.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 71240000 712ce000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCP90.dll
ModLoad: 71190000 71233000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
ModLoad: 72700000 72708000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 710f0000 7117e000   C:\Windows\SysWOW64\mscms.dll
ModLoad: 71180000 7118e000   C:\Windows\WinSxS\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.6161_none_80ba6c811e9b4aff\VCOMP90.DLL
ModLoad: 6fda0000 6fe5e000   Z:\s\apr\blackhat\tools\ACDSee Free\MSVCR100.dll
ModLoad: 6fd30000 6fd99000   Z:\s\apr\blackhat\tools\ACDSee Free\MSVCP100.dll
ModLoad: 6f8d0000 6fd24000   C:\Windows\SysWOW64\WININET.dll
ModLoad: 6fe60000 70292000   Z:\s\apr\blackhat\tools\ACDSee Free\mfc100u.dll
ModLoad: 704c0000 708a5000   C:\Windows\SysWOW64\msi.dll
ModLoad: 71080000 710bd000   C:\Windows\SysWOW64\STI.dll
ModLoad: 710c0000 710e1000   C:\Windows\SysWOW64\USERENV.dll
ModLoad: 71070000 7107c000   C:\Windows\SysWOW64\ColorAdapterClient.dll
ModLoad: 72f30000 72f49000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 26340000 263c8000   Z:\s\apr\blackhat\tools\ACDSee Free\ipwssl6.dll
ModLoad: 745e0000 74606000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 72e80000 72efc000   C:\Windows\SysWOW64\UxTheme.dll
ModLoad: 72ba0000 72bc3000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 5d360000 5d36d000   C:\Windows\SysWOW64\MFC100ENU.DLL
ModLoad: 46480000 46483000   C:\Windows\SysWOW64\security.dll
ModLoad: 72b90000 72b9a000   C:\Windows\SysWOW64\SECUR32.DLL
ModLoad: 71050000 71063000   C:\Windows\SysWOW64\CRYPTSP.dll
ModLoad: 71020000 7104f000   C:\Windows\SysWOW64\rsaenh.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 096e0000 09b08000   Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
ModLoad: 096e0000 09b08000   Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
(1324.1aa4): C++ EH exception - code e06d7363 (first chance)
PIM: Loading IDE_ACDStd.apl
ModLoad: 09b10000 09e06000   z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
ModLoad: 09b10000 09e06000   z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
PIM: Loading IDE_ACDStd.apl
ModLoad: 74b20000 74c63000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 70fa0000 7101d000   C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 6f670000 6f8cd000   C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 70ee0000 70f6b000   C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 70f70000 70f99000   C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 703e0000 704b6000   C:\Windows\SysWOW64\wintypes.dll
(1324.19ac): C++ EH exception - code e06d7363 (first chance)
(1324.19ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=08120436 ebx=00000100 ecx=00000030 edx=00000000 esi=08120376 edi=0dd24000
eip=09c40b5a esp=0e0ac84c ebp=0e0ac854 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
IDE_ACDStd!IEP_SetColorProfile+0xb9e7a:
09c40b5a f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:003> $<z:\s\apr\office\crashes\cmd.txt
0:003> .load msec.dll
0:003> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0e0ac854 09b6887d 0dd23cc0 08120036 00000400 IDE_ACDStd!IEP_SetColorProfile+0xb9e7a
01 0e0ac86c 09b6983b 0dd23cc0 00000400 0de2ed88 IDE_ACDStd!JPEGTransW+0x1a9d
02 0e0ac894 09b84bf4 0e0ac9ac 0de2f1ac 0043d8a7 IDE_ACDStd!JPEGTransW+0x2a5b
03 0e0ac8a0 0043d8a7 0a7f6f60 0e0ac9ac 0de2f1ac IDE_ACDStd!IDP_PageDecode+0x24
04 0e0ac8dc 004f4f48 0a7f6f60 0e0ac9ac 0de2f1ac ACDSee_Free+0x3d8a7
05 00000000 00000000 00000000 00000000 00000000 ACDSee_Free+0xf4f48
0:003> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000000b9e7a (Hash=0x1f594f60.0xc37cb0eb)

User mode write access violations that are not near NULL are exploitable.