IrFanView v4.53 Overflow
Table of Contents
Information
-
CVE-2019-16887
-
IrFanView v4.53
-
location:
image00400000+0x000000000001dcfc (Hash=0x5adf8847.0x5fa6bccd)
Bug: 0x000000000001dcfc
CommandLine: C:\APP\InFranView\IrfanView\i_view32.exe C:\DEBUG\InfranView_Crashes\result-a171bd78\4f82cea78f48844ceca7be1fea181cfb90a3087a.bmp
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*C:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 005d9000 image00400000
ModLoad: 778a0000 77a3c000 ntdll.dll
Page heap: pid 0x1B58: page heap enabled with flags 0x3.
ModLoad: 6e820000 6e883000 C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x1B58: page heap enabled with flags 0x3.
ModLoad: 75070000 75150000 C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 76cb0000 76eaa000 C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 77390000 77529000 C:\Windows\SysWOW64\USER32.dll
ModLoad: 74fa0000 74fb7000 C:\Windows\SysWOW64\win32u.dll
ModLoad: 75040000 75063000 C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76fa0000 77106000 C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 76350000 763d0000 C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 75a50000 75b72000 C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 75c60000 761b1000 C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 76bf0000 76cb0000 C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 75b80000 75bbb000 C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 77740000 777c9000 C:\Windows\SysWOW64\shcore.dll
ModLoad: 777d0000 7788f000 C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 74f00000 74f20000 C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 74ef0000 74efa000 C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 76630000 76692000 C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 74f20000 74f99000 C:\Windows\SysWOW64\sechost.dll
ModLoad: 77110000 77388000 C:\Windows\SysWOW64\combase.dll
ModLoad: 75240000 7583c000 C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 76eb0000 76f2e000 C:\Windows\SysWOW64\advapi32.dll
ModLoad: 74fc0000 74fdc000 C:\Windows\SysWOW64\profapi.dll
ModLoad: 76f30000 76f84000 C:\Windows\SysWOW64\powrprof.dll
ModLoad: 77530000 77574000 C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 75a10000 75a1f000 C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 77720000 77732000 C:\Windows\SysWOW64\cryptsp.dll
ModLoad: 70d20000 70f2f000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51\COMCTL32.dll
(1b58.c5c): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=003e8000 ecx=9fb10000 edx=00000000 esi=03e7a890 edi=778b37ec
eip=7794f146 esp=0019fa24 ebp=0019fa50 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
7794f146 cc int 3
0:000> g
ModLoad: 75a20000 75a45000 C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 72390000 7240b000 C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 758a0000 759dc000 C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 75bc0000 75c56000 C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 72430000 72456000 C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 77580000 77719000 C:\Windows\SysWOW64\CRYPT32.dll
ModLoad: 761c0000 761ce000 C:\Windows\SysWOW64\MSASN1.dll
ModLoad: 71a40000 71ac6000 C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 70800000 70a6a000 C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 719b0000 71a3f000 C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 71930000 71959000 C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 70720000 707fb000 C:\Windows\SysWOW64\wintypes.dll
(1b58.c5c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3fd332c6 ebx=0d3b0f88 ecx=3fd332c6 edx=00000282 esi=cd67dcc2 edi=4ba2ed3a
eip=0041dcfc esp=0019868c ebp=00000000 iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010283
image00400000+0x1dcfc:
0041dcfc 8a11 mov dl,byte ptr [ecx] ds:002b:3fd332c6=??
0:000> k
# ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00000000 00000000 image00400000+0x1dcfc
0:000> .load msec
0:000> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at image00400000+0x000000000001dcfc (Hash=0x5adf8847.0x5fa6bccd)
The data from the faulting address is later used as the target for a later write.