NConvert is vulnerable to Heap-based Buffer Overflow

Discussions on NConvert - the command line tool for image conversion and manipulation

Moderators: XnTriq, helmut, xnview

pwndorei1
Posts: 2
Joined: Sun Jan 14, 2024 12:51 pm

NConvert is vulnerable to Heap-based Buffer Overflow

Post by pwndorei1 »

NConvert was discovered that contains Heap-based Buffer Overflow vulnerability via converting crafted .xwd file to any other format.
It seems version 7.163 for windows x86& x64, 7.155 for Linux x64, 7.39 for Linux x86 are affected.

Crash can be reproduced by

Code: Select all

nconvert.exe -out pzl -in xwd -o .\tmp.pzl .\poc.xwd
Following is the result with pageheap enabled

Code: Select all

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: 
ModLoad: 00400000 006a8000   D:\BugHunting\nconvert.exe
ModLoad: 775f0000 777a1000   C:\WINDOWS\SYSTEM32\ntdll.dll
ModLoad: 6e3e0000 6e443000   C:\WINDOWS\SysWOW64\verifier.dll
ModLoad: 75b80000 75c70000   C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 752d0000 75544000   C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 77200000 773a8000   C:\WINDOWS\System32\USER32.dll
ModLoad: 76c50000 76c6a000   C:\WINDOWS\System32\win32u.dll
ModLoad: 758c0000 758e3000   C:\WINDOWS\System32\GDI32.dll
ModLoad: 75c70000 75d52000   C:\WINDOWS\System32\gdi32full.dll
ModLoad: 76d30000 76da9000   C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 75650000 75762000   C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 75250000 752cf000   C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 76400000 764c4000   C:\WINDOWS\System32\msvcrt.dll
ModLoad: 765a0000 76625000   C:\WINDOWS\System32\sechost.dll
ModLoad: 757e0000 757fa000   C:\WINDOWS\System32\bcrypt.dll
ModLoad: 76c70000 76d2a000   C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 75d60000 763f8000   C:\WINDOWS\System32\SHELL32.dll
ModLoad: 771d0000 771f5000   C:\WINDOWS\System32\IMM32.DLL
(5fe8.2388): Access violation - code c0000005 (!!! second chance !!!)
eax=07813c00 ebx=00000000 ecx=0000fff8 edx=00010000 esi=07803c08 edi=07818000
eip=005a8eea esp=0019bb10 ebp=0019bb28 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010203
nconvert+0x1a8eea:
005a8eea f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
0:000> .load D:\windbg_ext\MSEC_x86.dll
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at nconvert+0x1a8eea (Hash=0x1a1d0618.0x3b1f4010)

User mode write access violations that are not near NULL are exploitable.
The poc and report were sent to contact@xnview.com
User avatar
xnview
Author of XnView
Posts: 43611
Joined: Mon Oct 13, 2003 7:31 am
Location: France

Re: NConvert is vulnerable to Heap-based Buffer Overflow

Post by xnview »

received, i'll check asap
Pierre.
pwndorei1
Posts: 2
Joined: Sun Jan 14, 2024 12:51 pm

Re: NConvert is vulnerable to Heap-based Buffer Overflow

Post by pwndorei1 »

Thank you, I sent the email about two days ago. If you can't find it, i'll send it again