Vulnerabilities > CVE-2013-3486 - Integer Overflow or Wraparound vulnerability in Irfanview Flashpix Plugin 4.3.4.0

CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
irfanview
CWE-190
critical
nessus

Summary

IrfanView FlashPix Plugin 4.3.4.0 has an integer overflow vulnerability.

Vulnerable Configurations

Part Description Count
Application
Irfanview
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset, as the size of a memory allocation, or similar. The attacker typically controls the value of the variable and tries to push it out of range. For instance, if the integer is incremented past its maximum possible value, it may wrap around to a very small or negative number, yielding an incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.

Nessus

  • NASL family: Windows
    NASL id: IRFANVIEW_FLASHPIX_INTEGER_OVERFLOW.NASL
    description: The version of the IrfanView FlashPix plugin (Fpx.dll) was found to be earlier than 4.36. As such, it is affected by an integer overflow error within the 'Fpx.dll' module.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 66784
    published: 2013-06-04
    reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/66784
    title: IrfanView FlashPix Plugin < 4.36 Summary Information Property Set Handling Integer Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Metadata registration. This branch runs only when `description` is true:
    # it records the plugin's identity, advisory references, severity and
    # dependencies, then leaves through exit(0) before any check logic runs.
    if (description)
    {
      script_id(66784);
      script_version("1.3");
      script_cvs_date("Date: 2018/11/15 20:50:27");
    
      # Advisory identifiers this finding is reported under.
      script_cve_id("CVE-2013-3486");
      script_bugtraq_id(60232);
    
      script_name(english:"IrfanView FlashPix Plugin < 4.36 Summary Information Property Set Handling Integer Overflow");
      # Detection method as declared: a version comparison for Fpx.dll, not a
      # probe of the parsing flaw itself.
      script_summary(english:"Checks version of Fpx.dll");
    
      # NOTE(review): the synopsis says "buffer overflow" while the name and the
      # description give the root cause as an integer overflow, with the
      # heap-based buffer overflow as its consequence.
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host has an application installed that is affected by a
    buffer overflow vulnerability."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The version of the IrfanView FlashPix plugin (Fpx.dll) was found to be
    earlier than 4.36.  As such, it is affected by an integer overflow error
    within the 'Fpx.dll' module.  The 'Summary Information Property Set' is
    not properly validated, which could result in a heap-based buffer
    overflow, allowing an attacker to cause a denial of service or execute
    arbitrary code."
      );
      script_set_attribute(attribute:"see_also", value:"https://www.irfanview.com/plugins.htm");
      # Remediation: the fix ships in plugin build 4.3.6.0, the same value the
      # check logic after this block compares against.
      script_set_attribute(attribute:"solution", value:"Upgrade the FlashPix plugin to version 4.3.6.0 (4.36) or later.");
      # CVSS v2 base vector: network vector, medium access complexity, no
      # authentication, complete confidentiality/integrity/availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      # Temporal vector: exploitability unproven (E:U), official fix (RL:OF),
      # report confirmed (RC:C).
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      # Exploit status as recorded by the plugin author; presumably a
      # point-in-time statement, so re-check it when prioritising.
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/05/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/05/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/04");
    
      # "local" presumably marks a check based on data gathered from the host
      # rather than on probing a network service - confirm against the Nessus
      # plugin_type definitions.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:irfanview:irfanview");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:irfanview:flashpix_plugin");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
    
      # irfanview_installed.nasl is declared as a prerequisite; presumably it
      # fills the SMB/IrfanView/* KB entries - confirm in that script. Only the
      # Version key is declared as required, although the check logic after this
      # block reads the Path and Plugin_Version/Fpx.dll keys instead.
      script_dependencies("irfanview_installed.nasl");
      script_require_keys("SMB/IrfanView/Version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Version check for the FlashPix plugin. Nothing here inspects the DLL
    # itself: the install path and plugin version are read from KB entries and
    # the finding is raised purely on a comparison with the first fixed build.
    fix = '4.3.6.0';
    plugin = "Fpx.dll";
    appname = "IrfanView " + plugin + " plugin";
    kb_base = 'SMB/IrfanView/';
    
    # Double-quoted NASL strings are taken literally, so the backslashes in
    # "\Plugins\" are path separators rather than escapes. A missing KB entry
    # ends the script inside get_kb_item_or_exit().
    path = get_kb_item_or_exit(kb_base + 'Path') + "\Plugins\" + plugin;
    plugin_version = get_kb_item_or_exit(kb_base + 'Plugin_Version/' + plugin);
    
    # Findings are attached to the SMB transport port from the KB, or 445 when
    # none was recorded.
    port = get_kb_item('SMB/transport');
    if (!port) port = 445;
    
    if (ver_compare(ver:plugin_version, fix:fix) != -1)
      audit(AUDIT_INST_VER_NOT_VULN, appname, plugin_version);
    else
    {
      # Installed plugin predates the fix: raise the finding, with path and
      # version details unless report verbosity is zero or lower.
      if (!(report_verbosity > 0)) security_hole(port);
      else
      {
        report = '\n  Path              : ' + path;
        report += '\n  Installed version : ' + plugin_version;
        report += '\n  Fixed version     : ' + fix + ' (4.36)\n';
        security_hole(port:port, extra:report);
      }
      exit(0);
    }
    
    
  • NASL family: Windows
    NASL id: IRFANVIEW_436.NASL
    description: The remote Windows host contains a version of IrfanView prior to version 4.36. It is, therefore, reportedly affected by multiple vulnerabilities: - A heap-based buffer overflow vulnerability exists when parsing ANI images. An attacker can exploit this issue with a specially crafted ANI file, potentially leading to arbitrary code execution. - A flaw exists where DCX file headers are not properly sanitized, which could potentially lead to a denial of service. - An integer overflow vulnerability exists in the FlashPix Plugin (Fpx.dll) when handling sections of Summary Information Property sets, which could lead to arbitrary code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68888
    published: 2013-07-15
    reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/68888
    title: IrfanView < 4.36 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Metadata registration. This branch runs only when `description` is true:
    # it records the plugin's identity, advisory references, severity and
    # dependencies, then leaves through exit(0) before any check logic runs.
    if (description)
    {
      script_id(68888);
      script_version("1.3");
      script_cvs_date("Date: 2018/11/15 20:50:27");
    
      # NOTE(review): the description below lists three separate issues (ANI,
      # DCX, FlashPix) but only CVE-2013-3486 is attached here. Presumably the
      # other two carry different identifiers or none - confirm before relying
      # on CVE-based correlation for this plugin.
      script_cve_id("CVE-2013-3486");
      script_bugtraq_id(61000);
    
      script_name(english:"IrfanView < 4.36 Multiple Vulnerabilities");
      # Detection method as declared: a version comparison for the IrfanView
      # application, not a probe of any of the listed flaws.
      script_summary(english:"Checks version of IrfanView");
    
      script_set_attribute(attribute:"synopsis", value:
    "A graphic viewer installed on the remote host is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host contains a version of IrfanView prior to
    version 4.36.  It is, therefore, reportedly affected by multiple
    vulnerabilities :
    
      - A heap-based buffer overflow vulnerability exists when
        parsing ANI images.  An attacker can exploit this issue
        with a specially crafted ANI file, potentially leading
        to arbitrary code execution.
    
      - A flaw exists where DCX file headers are not properly
        sanitized, which could potentially lead to a denial of
        service.
    
      - An integer overflow vulnerability exists in the FlashPix
        Plugin (Fpx.dll) when handling sections of Summary
        Information Property sets, which could lead to arbitrary
        code execution.");
      # Vendor history pages and third-party advisories cited for the issues.
      script_set_attribute(attribute:"see_also", value:"https://www.irfanview.com/main_history.htm");
      script_set_attribute(attribute:"see_also", value:"https://www.irfanview.com/history_old.htm");
      script_set_attribute(attribute:"see_also", value:"http://www.fuzzmyapp.com/advisories/FMA-2013-008/FMA-2013-008-EN.xml");
      script_set_attribute(attribute:"see_also", value:"http://www.fuzzmyapp.com/advisories/FMA-2012-028/FMA-2012-028-EN.xml");
      script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com//advisories/53579/");
      script_set_attribute(attribute:"solution", value:"Upgrade to IrfanView version 4.36 or later.");
      # CVSS v2 base vector: network vector, medium access complexity, no
      # authentication, complete confidentiality/integrity/availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      # Temporal vector: exploitability unproven (E:U), official fix (RL:OF),
      # report confirmed (RC:C).
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      # Exploit status as recorded by the plugin author; presumably a
      # point-in-time statement, so re-check it when prioritising.
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/05/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/05/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/15");
    
      # "local" presumably marks a check based on data gathered from the host
      # rather than on probing a network service - confirm against the Nessus
      # plugin_type definitions.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:irfanview:irfanview");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
    
      # irfanview_installed.nasl is declared as a prerequisite; presumably it
      # fills the SMB/IrfanView/* KB entries - confirm in that script. The
      # Version key required here is one of the two the check logic reads.
      script_dependencies("irfanview_installed.nasl");
      script_require_keys("SMB/IrfanView/Version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Application-level version check. The installed IrfanView version and path
    # are read from KB entries (a missing entry ends the script inside
    # get_kb_item_or_exit()), and the finding is raised purely on a comparison
    # with the first fixed build; no image file is parsed.
    fix = '4.3.6.0';
    version = get_kb_item_or_exit('SMB/IrfanView/Version');
    path = get_kb_item_or_exit('SMB/IrfanView/Path');
    
    if (ver_compare(ver:version, fix:fix) != -1)
      audit(AUDIT_INST_PATH_NOT_VULN, "Irfanview", version, path);
    else
    {
      # The port is only looked up once a finding is certain: the SMB transport
      # port from the KB, or 445 when none was recorded.
      port = get_kb_item('SMB/transport');
      if (!port) port = 445;
    
      # Path and version details are added unless report verbosity is zero or
      # lower.
      if (!(report_verbosity > 0)) security_hole(port);
      else
      {
        report = '\n  Path              : ' + path;
        report += '\n  Installed version : ' + version;
        report += '\n  Fixed version     : ' + fix + '\n';
        security_hole(port:port, extra:report);
      }
      exit(0);
    }