ACDSee Photo Studio Pro 2021 - User Mode Write AV starting at IDE_ACDStd!zlibVersion+0x0000000000004e5e (Hash=0xfa88aee0.0x950205f3)

Version

ACDSee Photo Studio Professional 2021
Version 14.0 (Build 1721)
Copyright (c) 2020 ACD Systems International Inc.

The bug


CommandLine: E:\acdsee\ACDSeePro14.exe E:\acdsee\bugs2\id_000022.bmp
Symbol search path is: srv*
Executable search path is: 
ModLoad: 00007ff6`9e9a0000 00007ff6`9e9c3000   ACDSeePro14.exe
ModLoad: 00007ffc`f7620000 00007ffc`f7810000   ntdll.dll
ModLoad: 00007ffc`cf310000 00007ffc`cf381000   C:\Windows\System32\verifier.dll
Page heap: pid 0x2534: page heap enabled with flags 0x2.
ModLoad: 00007ffc`f7190000 00007ffc`f7242000   C:\Windows\System32\KERNEL32.DLL
ModLoad: 00007ffc`f4fe0000 00007ffc`f5283000   C:\Windows\System32\KERNELBASE.dll
ModLoad: 00007ffc`f27c0000 00007ffc`f284f000   C:\Windows\SYSTEM32\apphelp.dll
(2534.18c): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffc`f76f11dc cc              int     3
0:000> g
ModLoad: 00000001`80000000 00000001`80bac000   C:\Program Files\ACD Systems\ACDSee Pro\14.0\PlugIns\IDE_ACDStd.apl
ModLoad: 00007ffc`f74d0000 00007ffc`f7522000   C:\Windows\System32\SHLWAPI.dll
ModLoad: 00007ffc`f65b0000 00007ffc`f664e000   C:\Windows\System32\msvcrt.dll
ModLoad: 00007ffc`e7190000 00007ffc`e7239000   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.18362.476_none_2a2a02a24667b734\COMCTL32.dll
ModLoad: 00007ffc`f7530000 00007ffc`f75d3000   C:\Windows\System32\ADVAPI32.dll
ModLoad: 00007ffc`f6080000 00007ffc`f63b6000   C:\Windows\System32\combase.dll
ModLoad: 00007ffc`f67a0000 00007ffc`f6837000   C:\Windows\System32\sechost.dll
ModLoad: 00007ffc`f68c0000 00007ffc`f69e0000   C:\Windows\System32\RPCRT4.dll
ModLoad: 00007ffc`f4e80000 00007ffc`f4f7a000   C:\Windows\System32\ucrtbase.dll
ModLoad: 00007ffc`f5410000 00007ffc`f5490000   C:\Windows\System32\bcryptPrimitives.dll
ModLoad: 00007ffc`f7010000 00007ffc`f7036000   C:\Windows\System32\GDI32.dll
ModLoad: 00007ffc`f56a0000 00007ffc`f56c1000   C:\Windows\System32\win32u.dll
ModLoad: 00007ffc`f56d0000 00007ffc`f5864000   C:\Windows\System32\USER32.dll
ModLoad: 00007ffc`f5500000 00007ffc`f5694000   C:\Windows\System32\gdi32full.dll
ModLoad: 00007ffc`f5370000 00007ffc`f540e000   C:\Windows\System32\msvcp_win.dll
ModLoad: 00007ffc`f66d0000 00007ffc`f67a0000   C:\Windows\System32\COMDLG32.dll
ModLoad: 00007ffc`f58e0000 00007ffc`f5989000   C:\Windows\System32\shcore.dll
ModLoad: 00007ffc`e8070000 00007ffc`e80f9000   C:\Windows\SYSTEM32\WINSPOOL.DRV
ModLoad: 00007ffc`f4550000 00007ffc`f4561000   C:\Windows\System32\kernel.appcore.dll
ModLoad: 00007ffc`f5990000 00007ffc`f6075000   C:\Windows\System32\SHELL32.dll
ModLoad: 00007ffc`f5490000 00007ffc`f54da000   C:\Windows\System32\cfgmgr32.dll
ModLoad: 00007ffc`f5290000 00007ffc`f52b6000   C:\Windows\System32\bcrypt.dll
ModLoad: 00007ffc`f06c0000 00007ffc`f07af000   C:\Windows\SYSTEM32\PROPSYS.dll
ModLoad: 00007ffc`f3a10000 00007ffc`f3a4a000   C:\Windows\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffc`f7250000 00007ffc`f7314000   C:\Windows\System32\OLEAUT32.dll
ModLoad: 00007ffc`f4700000 00007ffc`f4e7e000   C:\Windows\System32\windows.storage.dll
ModLoad: 00007ffc`f4570000 00007ffc`f458f000   C:\Windows\System32\profapi.dll
ModLoad: 00007ffc`f4500000 00007ffc`f454a000   C:\Windows\System32\powrprof.dll
ModLoad: 00007ffc`f44f0000 00007ffc`f4500000   C:\Windows\System32\UMPDC.dll
ModLoad: 00007ffc`f54e0000 00007ffc`f54f7000   C:\Windows\System32\cryptsp.dll
ModLoad: 00007ffc`f6eb0000 00007ffc`f7006000   C:\Windows\System32\ole32.dll
ModLoad: 00007ffc`f1700000 00007ffc`f195b000   C:\Windows\SYSTEM32\d3d11.dll
ModLoad: 00007ffc`f1a30000 00007ffc`f1ff0000   C:\Windows\SYSTEM32\d2d1.dll
ModLoad: 00007ffc`f31f0000 00007ffc`f32db000   C:\Windows\SYSTEM32\dxgi.dll
ModLoad: 00007ffc`f69f0000 00007ffc`f6a1e000   C:\Windows\System32\IMM32.dll
ModLoad: 00007ffc`e1a40000 00007ffc`e1be3000   C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.18362.476_none_17afa4006da19f63\gdiplus.dll
ModLoad: 00007ffc`e11e0000 00007ffc`e11e7000   C:\Windows\SYSTEM32\MSIMG32.dll
ModLoad: 00007ffc`e8360000 00007ffc`e83c5000   C:\Windows\SYSTEM32\OLEACC.dll
ModLoad: 00007ffc`f1270000 00007ffc`f1294000   C:\Windows\SYSTEM32\WINMM.dll
ModLoad: 00007ffc`deef0000 00007ffc`def18000   C:\Windows\SYSTEM32\VCOMP140.DLL
ModLoad: 00007ffc`efe60000 00007ffc`efe6a000   C:\Windows\SYSTEM32\VERSION.dll
ModLoad: 00007ffc`f3160000 00007ffc`f3180000   C:\Windows\SYSTEM32\dxcore.dll
ModLoad: 00007ffc`f1240000 00007ffc`f126d000   C:\Windows\SYSTEM32\WINMMBASE.dll
ModLoad: 00007ffc`f2870000 00007ffc`f2909000   C:\Windows\SYSTEM32\UxTheme.dll
(2534.18c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\ACD Systems\ACDSee Pro\14.0\PlugIns\IDE_ACDStd.apl - 
IDE_ACDStd!zlibVersion+0x4e5e:
00000001`803ecb4e f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
0:000> r
rax=0000023bdb2c2ff0 rbx=0000023bdb2b7ac0 rcx=00000000000083f1
rdx=0000000000001c00 rsi=0000023bdb2c4c00 rdi=0000023bdb2c3000
rip=00000001803ecb4e rsp=000000a5c7f5e368 rbp=0000000000000000
 r8=0000000000008401  r9=0000000180000000 r10=0000023bdb2c4bf0
r11=0000023bdb2c2ff0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000001 r15=0000000000008401
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
IDE_ACDStd!zlibVersion+0x4e5e:
00000001`803ecb4e f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
0:000> db 0000023bdb2c4be0 L40
0000023b`db2c4be0  40 42 8f cf 3b 02 00 00-00 00 00 00 bb bb ba dc  @B..;...........
0000023b`db2c4bf0  01 01 01 84 f8 f8 f8 f8-f8 f8 f8 f8 f8 f8 f8 f8  ................
0000023b`db2c4c00  f8 f8 f8 f8 f8 f8 f8 f8-f8 f8 f8 f8 f8 f8 f8 f8  ................
0000023b`db2c4c10  f8 f8 f8 f8 f8 f8 f8 f8-f8 f8 f8 f8 f8 f8 f8 f8  ................
0:000> db 0000023bdb2c2fe0 L40
0000023b`db2c2fe0  d0 41 8f cf 3b 02 00 00-00 00 00 00 bb bb ba dc  .A..;...........
0000023b`db2c2ff0  01 01 01 84 f8 f8 f8 f8-f8 f8 f8 f8 f8 f8 f8 f8  ................
0000023b`db2c3000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0000023b`db2c3010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:000> .load msec
0:000> !exploitable

!exploitable 1.6.0.0
*** WARNING: Unable to verify checksum for ACDSeePro14.exe
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IDE_ACDStd!zlibVersion+0x0000000000004e5e (Hash=0xfa88aee0.0x950205f3)

User mode write access violations that are not near NULL are exploitable.