ACDSee Free - User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000001172b0 (Hash=0x61f80bbd.0x93f51cb6)

Version 1.1.21

The bug

```
Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "Z:\s\apr\blackhat\tools\ACDSee Free\ACDSee Free.exe" "z:\s\apr\blackhat\crashes_reproduce\acdsee\crashes_20190326220106\id_000050_00w.bmp"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 007c6000   ACDSee Free.exe
ModLoad: 77660000 777f0000   ntdll.dll
Page heap: pid 0x12F0: page heap enabled with flags 0x3.
ModLoad: 713d0000 71434000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x12F0: page heap enabled with flags 0x3.
ModLoad: 77490000 77570000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 772a0000 77484000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 742f0000 7447d000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 76070000 76087000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 73580000 73784000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 76400000 764bf000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 75e10000 7606c000   C:\Windows\SysWOW64\combase.dll
ModLoad: 762a0000 762c2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76510000 76674000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 74270000 742ed000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 73f40000 7405d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 76b50000 76c26000   C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 05830000 05a8c000   C:\Windows\SysWOW64\combase.dll
ModLoad: 762d0000 76390000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 73f20000 73f40000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73f10000 73f1a000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 76240000 76298000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 74480000 744c4000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 10000000 100a8000   Z:\s\apr\blackhat\tools\ACDSee Free\ShellIntMgr51U.dll
ModLoad: 74130000 741b8000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 764c0000 76505000   C:\Windows\SysWOW64\SHLWAPI.dll
ModLoad: 713c0000 713c6000   C:\Windows\SysWOW64\MSIMG32.dll
ModLoad: 70e30000 713b1000   Z:\s\apr\blackhat\tools\ACDSee Free\AcdIDClient.dll
ModLoad: 74970000 75cba000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 74930000 74969000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 76c90000 7724a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 76090000 76108000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 74260000 7426f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74910000 74928000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 77250000 77295000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 76690000 76698000   C:\Windows\SysWOW64\FLTLIB.DLL
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 76210000 76229000   C:\Windows\SysWOW64\imagehlp.dll
ModLoad: 76110000 7620c000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 741c0000 74256000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 76390000 763f7000   C:\Windows\SysWOW64\WS2_32.dll
ModLoad: 766a0000 76836000   C:\Windows\SysWOW64\CRYPT32.dll
ModLoad: 76680000 7668e000   C:\Windows\SysWOW64\MSASN1.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 70da0000 70e2e000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCP90.dll
ModLoad: 70ce0000 70cee000   C:\Windows\WinSxS\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.6161_none_80ba6c811e9b4aff\VCOMP90.DLL
ModLoad: 72c80000 72c88000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 70cf0000 70d93000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
ModLoad: 70c50000 70cde000   C:\Windows\SysWOW64\mscms.dll
ModLoad: 70810000 70c42000   Z:\s\apr\blackhat\tools\ACDSee Free\mfc100u.dll
ModLoad: 70750000 7080e000   Z:\s\apr\blackhat\tools\ACDSee Free\MSVCR100.dll
ModLoad: 706e0000 70749000   Z:\s\apr\blackhat\tools\ACDSee Free\MSVCP100.dll
ModLoad: 6fef0000 70344000   C:\Windows\SysWOW64\WININET.dll
ModLoad: 6f730000 6fb15000   C:\Windows\SysWOW64\msi.dll
ModLoad: 26340000 263c8000   Z:\s\apr\blackhat\tools\ACDSee Free\ipwssl6.dll
ModLoad: 6fe20000 6fe41000   C:\Windows\SysWOW64\USERENV.dll
ModLoad: 706d0000 706dc000   C:\Windows\SysWOW64\ColorAdapterClient.dll
ModLoad: 734b0000 734c9000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 70690000 706cd000   C:\Windows\SysWOW64\STI.dll
ModLoad: 74060000 74086000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 73400000 7347c000   C:\Windows\SysWOW64\UxTheme.dll
ModLoad: 73120000 73143000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 5d360000 5d36d000   C:\Windows\SysWOW64\MFC100ENU.DLL
ModLoad: 46480000 46483000   C:\Windows\SysWOW64\security.dll
ModLoad: 72c90000 72c9a000   C:\Windows\SysWOW64\SECUR32.DLL
ModLoad: 70670000 70683000   C:\Windows\SysWOW64\CRYPTSP.dll
ModLoad: 70640000 7066f000   C:\Windows\SysWOW64\rsaenh.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 09850000 09c78000   Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
ModLoad: 09850000 09c78000   Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
(12f0.1840): C++ EH exception - code e06d7363 (first chance)
PIM: Loading IDE_ACDStd.apl
ModLoad: 09c80000 09f76000   z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
ModLoad: 09c80000 09f76000   z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
PIM: Loading IDE_ACDStd.apl
ModLoad: 75cc0000 75e03000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 730a0000 7311d000   C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 72db0000 7300d000   C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 73010000 7309b000   C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 72d80000 72da9000   C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 72ca0000 72d76000   C:\Windows\SysWOW64\wintypes.dll
(12f0.920): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10503000 ebx=10502ff0 ecx=100caf94 edx=105030ff esi=0f810e60 edi=100caf80
eip=09e0df90 esp=0f5efd00 ebp=0f5efd00 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
IDE_ACDStd!IEP_SetColorProfile+0x1172b0:
09e0df90 8810            mov     byte ptr [eax],dl          ds:002b:10503000=??
0:003> $<z:\s\apr\office\crashes\cmd.txt
0:003> .load msec.dll
0:003> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0f5efd00 09ce5dff 100caf94 10503000 0000000a IDE_ACDStd!IEP_SetColorProfile+0x1172b0
01 00000000 00000000 00000000 00000000 00000000 IDE_ACDStd!JPEGTransW+0xf01f
0:003> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000001172b0 (Hash=0x61f80bbd.0x93f51cb6)

User mode write access violations that are not near NULL are exploitable.
```