CVE-2017-2823
A use-after-free vulnerability exists in the .ISO parsing functionality of PowerISO 6.8. A specially crafted .ISO file can trigger this vulnerability, resulting in potential code execution. An attacker can send a specific .ISO file to trigger this vulnerability.
http://poweriso.com
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
This vulnerability can be triggered by providing a specially crafted .ISO file and opening it with PowerISO software.
.text:0001BD5A loc_1BD5A: ; CODE XREF: bug_proc+88j
.text:0001BD5A mov eax, [esi+0CCh]
.text:0001BD60 mov ecx, ds:65CB0Ch
.text:0001BD66 cmp eax, ecx
.text:0001BD68 jge short loc_1BD83
.text:0001BD6A mov ecx, [esp+1Ch+arg_C]
.text:0001BD6E mov edx, [esp+1Ch+arg_8]
.text:0001BD72 push ebx
.text:0001BD73 push ecx
.text:0001BD74 push edx
.text:0001BD75 lea eax, [eax+eax*8]
.text:0001BD78 push edi
.text:0001BD79 push esi
.text:0001BD7A call dword ptr ds:65C834h[eax*4]
.text:0001BD81 jmp short loc_1BDA3
The instruction at 0x0001BD5A loads a pointer into the EAX register from a memory region that has already been freed at this point. After the multiplication at 0x0001BD75, this pointer is used as an operand of the call instruction at 0x0001BD7A.
The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system’s reuse of the freed memory.
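The dispatch pattern in the disassembly above, modelled in C as an added example that is not PowerISO's code: a record whose field at +0xCC is read after the record has been freed and its memory reused, then used to select an entry from a table with 9 dwords per entry. The record layout, handler names, single-slot heap stand-in and fill bytes are constructed assumptions; the one detail taken from the page is that the range check at 0x0001BD68 uses jge, a signed comparison, which the crash context (EAX = 0xf666f65e, negative when signed) slips past. The hardened variant shows the two defensive changes: clearing the reference when the object is freed, and an unsigned range check.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the dispatch at 0x1BD5A..0x1BD7A, not PowerISO's code:
 * a record with its type index at +0xCC and a table of 9-dword entries whose
 * first dword is the handler pointer. */
typedef struct { uint32_t hdr[51]; int32_t type; } iso_rec_t;  /* type at +0xCC */
typedef int (*handler_fn)(const iso_rec_t *);
static int handle_dir(const iso_rec_t *r)  { (void)r; return 1; }
static int handle_file(const iso_rec_t *r) { (void)r; return 2; }
#define ENTRY_DWORDS 9
#define TABLE_COUNT  2
static handler_fn table[TABLE_COUNT * ENTRY_DWORDS] = {
    [0 * ENTRY_DWORDS] = handle_dir, [1 * ENTRY_DWORDS] = handle_file };
/* Stand-in heap: one slot, handed out again as soon as it is freed, so the
 * stale read is reproducible rather than timing-dependent. */
static uint32_t slot[sizeof(iso_rec_t) / sizeof(uint32_t)];
static void *slot_alloc(void) { return slot; }
static void  slot_free(void *p) { (void)p; memset(slot, 0xEE, sizeof slot); }
/* Mirrors the disassembly: signed upper-bound check only (cmp/jge), then a call
 * through table[type*9]. Returns -1 when rejected, -2 when the slot lies outside
 * the table (the wild call that !analyze reports in the real binary). */
static int dispatch(const iso_rec_t *r) {
    int32_t idx = r->type;
    if (idx >= TABLE_COUNT) return -1;          /* jge: a negative idx passes */
    long ent = (long)idx * ENTRY_DWORDS;
    if (ent < 0 || ent >= (long)(TABLE_COUNT * ENTRY_DWORDS)) return -2;
    return table[ent](r);
}
/* Vulnerable flow: record freed, its memory reused for other parsed data, and
 * the dangling pointer dispatched anyway. */
int vulnerable_flow(void) {
    iso_rec_t *rec = slot_alloc();
    rec->type = 1;                              /* valid while alive */
    slot_free(rec);                             /* rec now dangles */
    memset(slot_alloc(), 0xF6, sizeof(iso_rec_t)); /* constructed bytes reuse it */
    return dispatch(rec);                       /* type reads 0xF6F6F6F6: negative */
}
/* Hardened flow: the reference is cleared at free time so no dead object is
 * dispatched, and the range check is unsigned so a negative index is rejected. */
static int dispatch_checked(const iso_rec_t *r) {
    if (r == NULL || (uint32_t)r->type >= TABLE_COUNT) return -1;
    return table[(size_t)r->type * ENTRY_DWORDS](r);
}
int hardened_flow(void) {
    iso_rec_t *rec = slot_alloc();
    rec->type = 1;
    slot_free(rec); rec = NULL;                 /* no dangling reference survives */
    memset(slot_alloc(), 0xF6, sizeof(iso_rec_t));
    return dispatch_checked(rec);
}
```

The vulnerable flow returns -2, the model's stand-in for the wild call, because the bounds check only rejects indices at or above the table count; the hardened flow returns -1 because the dispatcher never sees the dead record.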
0:000:x86> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
image00000000_00400000+1bd7a
0041bd7a ff148534c86500 call dword ptr image00000000_00400000+0x25c834 (0065c834)[eax*4]
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000000000041bd7a (image00000000_00400000+0x000000000001bd7a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 00000000da01a1ac
Attempt to read from address 00000000da01a1ac
CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
eax=f666f65e ebx=00000010 ecx=02e893f8 edx=00000000 esi=059f0048 edi=00000010
eip=0041bd7a esp=0019e958 ebp=feeefeee iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010282
image00000000_00400000+0x1bd7a:
0041bd7a ff148534c86500 call dword ptr image00000000_00400000+0x25c834 (0065c834)[eax*4] ds:002b:da01a1ac=????????
FAULTING_THREAD: 000000000000105c
PROCESS_NAME: image00000000`00400000
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 00000000da01a1ac
READ_ADDRESS: 00000000da01a1ac
FOLLOWUP_IP:
image00000000_00400000+1bd7a
0041bd7a ff148534c86500 call dword ptr image00000000_00400000+0x25c834 (0065c834)[eax*4]
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
APP: image00000000`00400000
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
LAST_CONTROL_TRANSFER: from 000000000052e8b0 to 000000000041bd7a
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_ZEROED_STACK
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
STACK_TEXT:
00000000`0019e958 00000000`0041bd7a image00000000+0x1bd7a
00000000`0019e988 00000000`0052e8b0 image00000000+0x12e8b0
00000000`0019e98c 00000000`004354bb image00000000+0x354bb
00000000`0052e8b8 ffffffff`e004247c unknown!unknown+0x0
00000000`0052e8bc 00000000`74ff2277 windows_storage!_tls_end+0x26f
00000000`0052e8c0 00000000`1ce80424 unknown!unknown+0x0
00000000`0052e8c4 ffffffff`85000000 unknown!unknown+0x0
00000000`0052e8c8 00000000`167559c0 unknown!unknown+0x0
00000000`0052e8cc 00000000`08244439 unknown!unknown+0x0
00000000`0052e8d0 00000000`74ff1074 windows_storage!DSROLE_NULL_THUNK_DATA_DLA+0x0
00000000`0052e8d4 00000000`54e80424 unknown!unknown+0x0
00000000`0052e8d8 ffffffff`85000059 unknown!unknown+0x0
00000000`0052e8dc ffffffff`de7559c0 unknown!unknown+0x0
00000000`0052e8e0 00000000`56c3c033 unknown!unknown+0x0
00000000`0052e8e4 00000000`0824748b unknown!unknown+0x0
00000000`0052e8e8 ffffffff`b15c353b unknown!unknown+0x0
00000000`0052e8ec 00000000`77570071 ole32!ext-ms-win-sxs-oleautomation-l1-1-0_NULL_THUNK_DATA_DLA <PERF> +0x0
00000000`0052e8f0 ffffffff`e8096a21 unknown!unknown+0x0
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: image00000000+1bd7a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: image00000000_00400000
IMAGE_NAME: PowerISO.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 58932d2b
STACK_COMMAND: .ecxr ; kb ; dps 19e958 ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_PowerISO.exe!Unknown
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_ZEROED_STACK_image00000000+1bd7a
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_read_c0000005_poweriso.exe!unknown
FAILURE_ID_HASH: {ae0362d7-c487-042b-dd94-abc556299378}
Followup: MachineOwner
---------
2017-04-26 - Vendor Disclosure
2017-05-05 - Public Release
Discovered by Piotr Bania of Cisco Talos.