XnSoft NConvert 7.230 are vulnerable to Stack Buffer Overrun via a crafted .tiff file
- nconvert.exe
- NConvert 7.230
- Denial of Service
- Denial of Service
- cmdline used nconvert.exe -out tiff id_000003_00
Microsoft (R) Windows Debugger Version 10.0.17763.132 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: C:\Users\Chipset\Desktop\NConvert\nconvert.exe -out tiff id_000003_00
Starting directory: C:\Users\Chipset\Desktop\NConvert
Symbol search path is: srv*
Executable search path is:
ModLoad: 00400000 0070c000 nconvert.exe
ModLoad: 77d70000 77f22000 ntdll.dll
ModLoad: 75b90000 75c80000 C:\WINDOWS\SysWOW64\KERNEL32.DLL
ModLoad: 77ad0000 77d52000 C:\WINDOWS\SysWOW64\KERNELBASE.dll
ModLoad: 758f0000 75996000 C:\WINDOWS\SysWOW64\apphelp.dll
ModLoad: 76350000 764f9000 C:\WINDOWS\SysWOW64\USER32.dll
ModLoad: 759a0000 759ba000 C:\WINDOWS\SysWOW64\win32u.dll
ModLoad: 76e00000 76e23000 C:\WINDOWS\SysWOW64\GDI32.dll
ModLoad: 76f00000 76fe2000 C:\WINDOWS\SysWOW64\gdi32full.dll
ModLoad: 77a40000 77ab9000 C:\WINDOWS\SysWOW64\msvcp_win.dll
ModLoad: 75ec0000 75fd2000 C:\WINDOWS\SysWOW64\ucrtbase.dll
ModLoad: 76150000 761cf000 C:\WINDOWS\SysWOW64\ADVAPI32.dll
ModLoad: 77970000 77a34000 C:\WINDOWS\SysWOW64\msvcrt.dll
ModLoad: 776a0000 77725000 C:\WINDOWS\SysWOW64\sechost.dll
ModLoad: 761f0000 7620a000 C:\WINDOWS\SysWOW64\bcrypt.dll
ModLoad: 77740000 777fa000 C:\WINDOWS\SysWOW64\RPCRT4.dll
ModLoad: 76ff0000 77695000 C:\WINDOWS\SysWOW64\SHELL32.dll
(114b8.1270c): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=194a0000 edx=00000000 esi=00ae2a60 edi=002f3000
eip=77e28957 esp=0019f7f4 ebp=0019f820 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
77e28957 cc int 3
0:000> g
ModLoad: 76dd0000 76df5000 C:\WINDOWS\SysWOW64\IMM32.DLL
ModLoad: 7c230000 7c2ac000 C:\Users\Chipset\Desktop\NConvert\Plugins\libwebp.dll
ModLoad: 7c2b0000 7c2d5000 C:\Users\Chipset\Desktop\NConvert\Plugins\libsharpyuv.dll
(114b8.1270c): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
*** ERROR: Module load completed but symbols could not be loaded for nconvert.exe
eax=00000001 ebx=00b164a8 ecx=00000002 edx=000001f8 esi=000029f0 edi=00b16128
eip=005e5968 esp=0019b158 ebp=0019b47c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
nconvert+0x1e5968:
005e5968 cd29 int 29h
0:000> !load msec; !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Stack Buffer Overrun (/GS Exception) starting at nconvert+0x00000000001e5968 (Hash=0x6647ade4.0x18a6c6ee)
An overrun of a protected stack buffer has been detected. This is considered exploitable, and must be fixed.