Skip to content
cyberexploits
doswindowstext

IrfanView JLS Formats PlugIn - Heap Overflow

IrfanView JLS Formats PlugIn - Heap Overflow

Publié le 2012-06-30

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/windows/dos/19483.txt7eac4c3a
raw
Summary

=======



IrfanView Formats PlugIn is prone to an overflow condition. The JLS Plugin 

(jpeg_ls.dll) library fails to properly sanitize user-supplied input 

resulting in a heap-based buffer overflow. With a specially crafted JLS 

compressed image file, a context-dependent attacker could potentially 

execute arbitrary code.



CVE number: CVE-2012-3585

Impact: high

Vendor Homepage: http://www.ifranview.com/

Vendor Notified: 16/06/2012

Found by: Joseph Sheridan of Reaction Information Security

href="http://www.reactionpenetrationtesting.co.uk/joseph-sheridan.html



This advisory is posted at:

http://www.reactionpenetrationtesting.co.uk/Irfanview-JLS-Heap-Overflow.

html



POC file posted at:

http://www.reactionpenetrationtesting.co.uk/vuln.jls

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19483.jls





Affected Products

=================



Irfanview Plugins version 4.33



Details

=======



IrfanView Formats PlugIn is prone to an overflow condition. The JLS Plugin 

(jpeg_ls.dll) library fails to properly sanitize user-supplied input 

resulting in a heap-based buffer overflow. With a specially crafted JLS 

compressed image file, a context-dependent attacker could potentially 

execute arbitrary code.



Impact

======



If a user could be enticed to open a malicious JLS file, the attack could 

result in remote code execution.



Solution

===========

Upgrade to Irfanview Plugins version 4.34



The following jls dll has been patched:

http://www.irfanview.net/plugins/jpeg_ls.zip



Distribution

============



In addition to posting on the website, a text version of this notice

is posted to the following e-mail and Usenet news recipients.



* bugtraq () securityfocus com

* full-disclosure () lists grok org uk

* oss [dash] security [dash] subscribe [at] lists [dot] openwall [dot] com or



Future updates of this advisory, if any, will be placed on the ReactionIS

corporate website, but may or may not be actively announced on

mailing lists or newsgroups. Users concerned about this problem are

encouraged to check the URL below for any updates:



http://www.reactionpenetrationtesting.co.uk/Irfanview-JLS-Heap-Overflow.

html



========================================================================

======



Reaction Information Security 

Lombard House Business Centre,

Suite 117,

12-17 Upper Bridge Street,

Canterbury, Kent, CT1 2NF



Phone: +44 (0)1227 785050

Email: research () reactionis {dot} co {dot} uk

Web: http://www.reactionpenetrationtesting.co.uk



Joseph Sheridan

Technical Director

Principal Consultant

CHECK Team Leader, CREST Infrastructure, CREST Application, CISSP

Tel: 07812052515

Web: www.reactionis.com

Email: joe (at) reactionis.co (dot) uk [email concealed]



Reaction Information Security Limited.

Registered in England No: 6929383

Registered Office: 1, The Mews, 69 New Dover Road, Canterbury, CT1 3DZ



This email and any files transmitted with it are confidential and are intended solely for the use of the individual to whom they are addressed. If you are not the intended recipient please notify the sender. Any unauthorised dissemination or copying of this email or its attachments and any use or disclosure of any information contained in them, is strictly prohibited.



 Please consider the environment before printing this email
Voir sur GitHub