Talos Vulnerability Report

TALOS-2017-0324

PowerISO ISO Parsing Use After Free

May 5, 2017
CVE Number

CVE-2017-2823

Summary

A use-after-free vulnerability exists in the .ISO parsing functionality of PowerISO 6.8. A specially crafted .ISO file can cause a vulnerability resulting in potential code execution. An attacker can send a specific .ISO file to trigger this vulnerability.

Tested Versions

  • PowerISO 6.8 (6, 8, 0, 0)

Product URLs

http://poweriso.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

This vulnerability can be triggered by providing a specially crafted .ISO file and opening it with PowerISO software.

    .text:0001BD5A loc_1BD5A:                              ; CODE XREF: bug_proc+88j
    .text:0001BD5A                 mov     eax, [esi+0CCh]
    .text:0001BD60                 mov     ecx, ds:65CB0Ch
    .text:0001BD66                 cmp     eax, ecx
    .text:0001BD68                 jge     short loc_1BD83
    .text:0001BD6A                 mov     ecx, [esp+1Ch+arg_C]
    .text:0001BD6E                 mov     edx, [esp+1Ch+arg_8]
    .text:0001BD72                 push    ebx
    .text:0001BD73                 push    ecx
    .text:0001BD74                 push    edx
    .text:0001BD75                 lea     eax, [eax+eax*8]
    .text:0001BD78                 push    edi
    .text:0001BD79                 push    esi
    .text:0001BD7A                 call    dword ptr ds:65C834h[eax*4]
    .text:0001BD81                 jmp     short loc_1BDA3

The Instruction at 0x0001BD5A loads a pointer to EAX register from a memory region that was already freed at this point. This pointer after multiplication at 0x0001BD75 is later used as an operand of call instruction at 0x001BD7A.

The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system's reuse of the freed memory.

Crash Information

    0:000:x86> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************


    FAULTING_IP: 
    image00000000_00400000+1bd7a
    0041bd7a ff148534c86500  call    dword ptr image00000000_00400000+0x25c834 (0065c834)[eax*4]

    EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 000000000041bd7a (image00000000_00400000+0x000000000001bd7a)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000000
       Parameter[1]: 00000000da01a1ac
    Attempt to read from address 00000000da01a1ac

    CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
    eax=f666f65e ebx=00000010 ecx=02e893f8 edx=00000000 esi=059f0048 edi=00000010
    eip=0041bd7a esp=0019e958 ebp=feeefeee iopl=0         nv up ei ng nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
    image00000000_00400000+0x1bd7a:
    0041bd7a ff148534c86500  call    dword ptr image00000000_00400000+0x25c834 (0065c834)[eax*4] ds:002b:da01a1ac=????????

    FAULTING_THREAD:  000000000000105c

    PROCESS_NAME:  image00000000`00400000

    ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

    EXCEPTION_PARAMETER1:  0000000000000000

    EXCEPTION_PARAMETER2:  00000000da01a1ac

    READ_ADDRESS:  00000000da01a1ac 

    FOLLOWUP_IP: 
    image00000000_00400000+1bd7a
    0041bd7a ff148534c86500  call    dword ptr image00000000_00400000+0x25c834 (0065c834)[eax*4]

    NTGLOBALFLAG:  70

    APPLICATION_VERIFIER_FLAGS:  0

    APP:  image00000000`00400000

    ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

    LAST_CONTROL_TRANSFER:  from 000000000052e8b0 to 000000000041bd7a

    BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_ZEROED_STACK

    PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

    DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

    STACK_TEXT:  
    00000000`0019e958 00000000`0041bd7a image00000000+0x1bd7a
    00000000`0019e988 00000000`0052e8b0 image00000000+0x12e8b0
    00000000`0019e98c 00000000`004354bb image00000000+0x354bb
    00000000`0052e8b8 ffffffff`e004247c unknown!unknown+0x0
    00000000`0052e8bc 00000000`74ff2277 windows_storage!_tls_end+0x26f
    00000000`0052e8c0 00000000`1ce80424 unknown!unknown+0x0
    00000000`0052e8c4 ffffffff`85000000 unknown!unknown+0x0
    00000000`0052e8c8 00000000`167559c0 unknown!unknown+0x0
    00000000`0052e8cc 00000000`08244439 unknown!unknown+0x0
    00000000`0052e8d0 00000000`74ff1074 windows_storage!DSROLE_NULL_THUNK_DATA_DLA+0x0
    00000000`0052e8d4 00000000`54e80424 unknown!unknown+0x0
    00000000`0052e8d8 ffffffff`85000059 unknown!unknown+0x0
    00000000`0052e8dc ffffffff`de7559c0 unknown!unknown+0x0
    00000000`0052e8e0 00000000`56c3c033 unknown!unknown+0x0
    00000000`0052e8e4 00000000`0824748b unknown!unknown+0x0
    00000000`0052e8e8 ffffffff`b15c353b unknown!unknown+0x0
    00000000`0052e8ec 00000000`77570071 ole32!ext-ms-win-sxs-oleautomation-l1-1-0_NULL_THUNK_DATA_DLA <PERF> +0x0
    00000000`0052e8f0 ffffffff`e8096a21 unknown!unknown+0x0


    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  image00000000+1bd7a

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: image00000000_00400000

    IMAGE_NAME:  PowerISO.exe

    DEBUG_FLR_IMAGE_TIMESTAMP:  58932d2b

    STACK_COMMAND:  .ecxr ; kb ; dps 19e958 ; kb

    FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_PowerISO.exe!Unknown

    BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_ZEROED_STACK_image00000000+1bd7a

    ANALYSIS_SOURCE:  UM

    FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_poweriso.exe!unknown

    FAILURE_ID_HASH:  {ae0362d7-c487-042b-dd94-abc556299378}

    Followup: MachineOwner
    ---------

Timeline

2017-04-26 - Vendor Disclosure
2017-05-05 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.