Vulnerabilities > CVE-2011-1338 - Unspecified vulnerability in Xnview

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
xnview
nessus
NVD
Published: 2011-07-11
Updated: 2024-11-21

Summary

Untrusted search path vulnerability in XnView before 1.98.1 allows local users to gain privileges via a Trojan horse .exe file in a folder selected by the "Open containing folder" menu item.

Vulnerable Configurations

Part Description Count
Application
Xnview
106

Nessus

NASL familyWindows
NASL idXNVIEW_1_98_1.NASL
descriptionThe version of XnView installed on the remote Windows host is earlier than 1.98.1. As such, it reportedly uses unsafe methods for determining how to load executables. Specifically, there is an issue with the file search path, which could result in the insecure loading of executables when using the
last seen2020-06-01
modified2020-06-02
plugin id55535
published2011-07-07
reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/55535
titleXnView < 1.98.1 Insecure Executable Loading
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(55535);
  script_version("1.6");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  script_cve_id("CVE-2011-1338");
  script_bugtraq_id(48562);

  script_name(english:"XnView < 1.98.1 Insecure Executable Loading");
  script_summary(english:"Checks XnView.exe's Product Version number");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Windows host contains an application that loads
executables in an insecure manner."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The version of XnView installed on the remote Windows host is earlier
than 1.98.1.  As such, it reportedly uses unsafe methods for
determining how to load executables.  Specifically, there is an issue
with the file search path, which could result in the insecure loading
of executables when using the 'Open containing folder' function. 

An attacker may be able to exploit this to execute arbitrary code with
the privileges of the running application."
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"https://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000050.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade to XnView version 1.98.1 or later as that reportedly resolves
the issue."
  );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/06/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/07/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:xnview:xnview");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("xnview_rgbe_overflow.nasl");
  script_require_keys("SMB/XnView/Version");

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");


kb_base = "SMB/XnView";
get_kb_item_or_exit(kb_base+"/Installed");
version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
port = get_kb_item("SMB/transport");


# Check the version number.
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
  ver[i] = int(ver[i]);

if (
  ver[0] < 1 ||
  (
    ver[0] == 1 &&
    (
      ver[1] < 98 ||
      (ver[1] == 98 && ver[2] < 1)
    )
  )
)
{
  if (report_verbosity > 0)
  {
    path = get_kb_item(kb_base+"/Path");
    if (isnull(path)) path = "n/a";

    report = 
      '\n  Path              : ' + path + 
      '\n  Installed version : ' + version + 
      '\n  Fixed version     : 1.98.1\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else exit(0, "The XnView " + version + " install is not affected.");

References