XnView JLS File Decompression Heap Overflow
Summary
The XnView JLS (JPEG-LS) format plugin, xjpegls.dll, does not validate data taken from the image file before decompressing it, which leads to a heap-based buffer overflow. A specially crafted JLS file could allow a context-dependent attacker to execute arbitrary code.
Advisory page: http://www.reactionpenetrationtesting.co.uk/xnview-jls-heap.html
POC file posted at: http://www.reactionpenetrationtesting.co.uk/vuln.jls
CVE number: CVE-2012-4988
Impact: High
Vendor homepage: http://www.xnview.com/
Vendor notified: 29/06/2012
Vendor response: A fix was promised for 1.99.1, but 1.99.1 shipped without one.
Found by: Joseph Sheridan, Director of Reaction Information Security
About ReactionIS
Reaction Information Security is a leading independent pen test consultancy specialising in delivering the highest quality services, including network pen testing and web application security testing. As a CESG CHECK Service Provider we are authorised to carry out penetration testing on classified government networks.
Affected Products
XnView 1.99 and 1.99.1, the 'All Plugins 1.90' package, and xjpegls.dll version 1.96.0.0. Earlier versions may also be affected.
Details
XnView decodes JLS (JPEG-LS) images through the xjpegls.dll format plugin. During decompression the plugin uses values read from the file without validating them, so a specially crafted JLS file can make it write past the end of a heap buffer. A context-dependent attacker could potentially use the resulting heap corruption to execute arbitrary code with the privileges of the user running XnView.
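The advisory does not describe the defect itself, so the following is an added illustration of the bug class it names (unvalidated image-file fields used to size a heap buffer) and is not code from XnView or xjpegls.dll. It parses a minimal JPEG-LS frame header (the SOF55 segment, marker 0xFFF7, as laid out in ITU-T T.87), sizes the sample buffer the way an unchecked decoder might, and then sizes it the hardened way. The header bytes are constructed for this example and are not taken from the published vuln.jls; the 256 MiB allocation cap and the four-component limit are assumed decoder policy, not anything the plugin is known to do.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fields of a JPEG-LS frame header (SOF55 segment, marker 0xFFF7, ITU-T T.87). */
typedef struct {
    unsigned precision;   /* P:  bits per sample */
    unsigned height;      /* Y:  number of lines */
    unsigned width;       /* X:  samples per line */
    unsigned components;  /* Nf: components per sample */
} jls_frame;

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Walk the marker segments after SOI and pull P, Y, X and Nf out of SOF55.
 * Returns 0 on success, -1 if the stream is truncated or malformed. */
int jls_parse_frame(const uint8_t *buf, size_t len, jls_frame *f)
{
    size_t i = 2;
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;      /* SOI */
    while (i + 4 <= len) {
        uint8_t marker = buf[i + 1];
        unsigned seglen = be16(buf + i + 2);          /* length includes itself */
        if (buf[i] != 0xFF || seglen < 2 || i + 2 + seglen > len) return -1;
        if (marker == 0xF7) {
            const uint8_t *p = buf + i + 4;
            if (seglen < 8) return -1;
            f->precision  = p[0];
            f->height     = be16(p + 1);
            f->width      = be16(p + 3);
            f->components = p[5];
            return (seglen == 8 + 3 * f->components) ? 0 : -1;      /* Lf = 8 + 3*Nf */
        }
        i += 2 + seglen;
    }
    return -1;
}

/* Vulnerable pattern: size the decode buffer straight from the header fields in
 * 32-bit arithmetic. 32768 x 32768 x 4 components wraps to 0, so the decoder
 * would later write 4 GiB of samples into a 0-byte heap block. */
uint32_t pixel_buffer_size_unchecked(const jls_frame *f)
{
    uint32_t bytes_per_sample = f->precision > 8 ? 2 : 1;
    return (uint32_t)f->width * f->height * f->components * bytes_per_sample;
}

/* Hardened pattern: validate every field against what the decoder supports and
 * compute the size in 64 bits under an explicit cap, so no wrap can slip through.
 * Returns 0 and sets *out on success, -1 if the header must be rejected. */
int pixel_buffer_size_checked(const jls_frame *f, size_t *out)
{
    const uint64_t max_alloc = 256u * 1024 * 1024;          /* assumed policy cap */
    if (f->precision < 2 || f->precision > 16) return -1;    /* T.87 range for P */
    if (f->width == 0 || f->height == 0) return -1;
    if (f->components < 1 || f->components > 4) return -1;   /* assumed decoder limit */
    uint64_t bytes_per_sample = f->precision > 8 ? 2 : 1;
    uint64_t n = (uint64_t)f->width * f->height * f->components * bytes_per_sample;
    if (n > max_alloc) return -1;
    *out = (size_t)n;
    return 0;
}

/* Constructed sample: SOI, then a SOF55 with P=8, Y=32768, X=32768, Nf=4.
 * Built for this example; not the contents of the advisory's vuln.jls. */
static const uint8_t crafted_header[] = {
    0xFF, 0xD8,                          /* SOI */
    0xFF, 0xF7, 0x00, 0x14,              /* SOF55, Lf = 8 + 3*4 = 20 */
    0x08,                                /* P  = 8 */
    0x80, 0x00,                          /* Y  = 32768 */
    0x80, 0x00,                          /* X  = 32768 */
    0x04,                                /* Nf = 4 */
    0x01, 0x11, 0x00, 0x02, 0x11, 0x00,  /* component specs (Ci, HVi, Tqi) */
    0x03, 0x11, 0x00, 0x04, 0x11, 0x00,
};

/* Parse the constructed header and size the buffer the unchecked way. */
uint32_t demo_unchecked(void)
{
    jls_frame f;
    if (jls_parse_frame(crafted_header, sizeof crafted_header, &f) != 0) return 1;
    return pixel_buffer_size_unchecked(&f);    /* 0: the 32-bit product wrapped */
}

/* Same header through the checked path; -1 means the file is rejected. */
int demo_checked(void)
{
    jls_frame f;
    size_t n = 0;
    if (jls_parse_frame(crafted_header, sizeof crafted_header, &f) != 0) return -2;
    return pixel_buffer_size_checked(&f, &n);
}

/* Convenience wrapper for a hand-built frame; returns 0 when the header is rejected. */
size_t checked_size(unsigned p, unsigned h, unsigned w, unsigned c)
{
    jls_frame f = { p, h, w, c };
    size_t n = 0;
    return pixel_buffer_size_checked(&f, &n) == 0 ? n : 0;
}

int main(void)
{
    printf("unchecked size: %u bytes, checked verdict: %d\n",
           (unsigned)demo_unchecked(), demo_checked());
    return 0;
}
```

The unchecked routine is the shape to look for when auditing any image plugin: a size derived from header fields with no range check and no overflow check, followed by a decode loop that trusts the same fields. The checked routine rejects the file instead of trusting it, which is the only safe response when a declared geometry cannot be represented.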
Impact
If a user can be enticed to open a malicious JLS file in XnView, the attack could result in remote code execution.
Solution
No fix is available at the time of writing. Do not open JLS files from untrusted sources.
Distribution
In addition to posting on the website, a text version of this notice has been posted to the following e-mail and Usenet news recipients.
bugtraq () securityfocus com
full-disclosure () lists grok org uk
Future updates of this advisory may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the advisory on our homepage at:
http://www.reactionpenetrationtesting.co.uk/xnview-jls-heap.html
Links:
http://www.reactionpenetrationtesting.co.uk
http://www.reactionpenetrationtesting.co.uk/security-whitepapers.html
Joseph Sheridan
Director
CHECK Team Leader, CREST Infrastructure, CREST Application, CISSP
Tel: 07812052515
Web: www.reactionis.co.uk
Email: joe@reactionis.co.uk
Reaction Information Security Limited.
Registered in England No: 6929383
Registered Office: 1, The Mews, 69 New Dover Road, Canterbury, CT1 3DZ