Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

IrFanView v4.53 Overflow

Information

  • CVE-2019-16887

  • IrFanView v4.53

  • location: image00400000+0x000000000001dcfc (Hash=0x5adf8847.0x5fa6bccd)

irfanview 4.53

Bug: 0x000000000001dcfc

CommandLine: C:\APP\InFranView\IrfanView\i_view32.exe C:\DEBUG\InfranView_Crashes\result-a171bd78\4f82cea78f48844ceca7be1fea181cfb90a3087a.bmp

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*C:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 005d9000   image00400000
ModLoad: 778a0000 77a3c000   ntdll.dll
Page heap: pid 0x1B58: page heap enabled with flags 0x3.
ModLoad: 6e820000 6e883000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x1B58: page heap enabled with flags 0x3.
ModLoad: 75070000 75150000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 76cb0000 76eaa000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 77390000 77529000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 74fa0000 74fb7000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 75040000 75063000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76fa0000 77106000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 76350000 763d0000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 75a50000 75b72000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 75c60000 761b1000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 76bf0000 76cb0000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 75b80000 75bbb000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 77740000 777c9000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 777d0000 7788f000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 74f00000 74f20000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 74ef0000 74efa000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 76630000 76692000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 74f20000 74f99000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 77110000 77388000   C:\Windows\SysWOW64\combase.dll
ModLoad: 75240000 7583c000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 76eb0000 76f2e000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 74fc0000 74fdc000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 76f30000 76f84000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 77530000 77574000   C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 75a10000 75a1f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 77720000 77732000   C:\Windows\SysWOW64\cryptsp.dll
ModLoad: 70d20000 70f2f000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51\COMCTL32.dll
(1b58.c5c): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=003e8000 ecx=9fb10000 edx=00000000 esi=03e7a890 edi=778b37ec
eip=7794f146 esp=0019fa24 ebp=0019fa50 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
7794f146 cc              int     3
0:000> g
ModLoad: 75a20000 75a45000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 72390000 7240b000   C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 758a0000 759dc000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 75bc0000 75c56000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 72430000 72456000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 77580000 77719000   C:\Windows\SysWOW64\CRYPT32.dll
ModLoad: 761c0000 761ce000   C:\Windows\SysWOW64\MSASN1.dll
ModLoad: 71a40000 71ac6000   C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 70800000 70a6a000   C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 719b0000 71a3f000   C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 71930000 71959000   C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 70720000 707fb000   C:\Windows\SysWOW64\wintypes.dll
(1b58.c5c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3fd332c6 ebx=0d3b0f88 ecx=3fd332c6 edx=00000282 esi=cd67dcc2 edi=4ba2ed3a
eip=0041dcfc esp=0019868c ebp=00000000 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
image00400000+0x1dcfc:
0041dcfc 8a11            mov     dl,byte ptr [ecx]          ds:002b:3fd332c6=??
0:000> k
 # ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00000000 00000000 image00400000+0x1dcfc
0:000> .load msec
0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at image00400000+0x000000000001dcfc (Hash=0x5adf8847.0x5fa6bccd)

The data from the faulting address is later used as the target for a later write.