Vulnerabilities > CVE-2013-3944 - Out-of-bounds Write vulnerability in Extensis Mrsid

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
extensis
CWE-787
nessus
NVD
Published: 2020-01-02
Updated: 2020-01-14

Summary

Stack-based buffer overflow in the MrSID plugin (MrSID.dll) before 4.37 for IrfanView allows remote attackers to execute arbitrary code via an IMAGE tag.

Vulnerable Configurations

Part Description Count
Application
Extensis
85

Common Weakness Enumeration (CWE)

Nessus

NASL familyWindows
NASL idIRFANVIEW_MRSID_4_37.NASL
descriptionThe version of the IrfanView MrSID plugin (MrSID.dll) installed on the remote Windows host is a version prior to 4.37. It is, therefore, affected by multiple buffer overflow vulnerabilities : - A stack-based buffer overflow exists due to improper validation of the
last seen2020-06-01
modified2020-06-02
plugin id72394
published2014-02-07
reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/72394
titleIrfanView MrSID Plugin < 4.37 Multiple Buffer Overflows
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(72394);
  script_version("1.5");
  script_cvs_date("Date: 2018/11/15 20:50:27");

  script_cve_id("CVE-2013-3944", "CVE-2013-3945", "CVE-2013-3946");
  script_bugtraq_id(64385, 64387, 64389);

  script_name(english:"IrfanView MrSID Plugin < 4.37 Multiple Buffer Overflows");
  script_summary(english:"Checks file version of MrSID.dll");

  script_set_attribute(
    attribute:"synopsis",
    value:
"An application on the remote host is affected by multiple buffer
overflow vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of the IrfanView MrSID plugin (MrSID.dll) installed on the
remote Windows host is a version prior to 4.37.  It is, therefore,
affected by multiple buffer overflow vulnerabilities :

  - A stack-based buffer overflow exists due to improper
    validation of the 'IMAGE' tag. (CVE-2013-3944)

  - A heap-based buffer overflow exists due to improper
    validation of the 'nband' tag. (CVE-2013-3945)

  - An integer overflow exists due to improper validation
    of the 'levels' header, which could lead to a heap-based
    buffer overflow. (CVE-2013-3946)

An attacker can exploit these issues by sending a specially crafted SID
file, which could result in a denial of service or arbitrary code
execution."
  );
  script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/advisories/54444/");
  script_set_attribute(attribute:"see_also", value:"https://www.irfanview.com/plugins.htm");
  script_set_attribute(attribute:"see_also", value:"https://www.irfanview.com/main_history.htm");
  script_set_attribute(attribute:"solution", value:"Upgrade the MrSID plugin to version 4.3.7.0 (4.37) or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/12/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/12/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:irfanview:irfanview");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  script_dependencies("irfanview_installed.nasl");
  script_require_keys("SMB/IrfanView/Version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

appname = "IrfanView MrSID plugin";
plugin = "MrSID.dll";
fix = '4.3.7.0';

kb_base = 'SMB/IrfanView/';
path = get_kb_item_or_exit(kb_base + 'Path');

path += "\Plugins\" + plugin;
plugin_version = get_kb_item_or_exit(kb_base + 'Plugin_Version/' + plugin);

if (ver_compare(ver:plugin_version, fix:fix) == -1)
{
  port = get_kb_item("SMB/transport");
  if (!port) port = 445;

  if (report_verbosity > 0)
  {
    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + plugin_version +
      '\n  Fixed version     : ' + fix + ' (4.37)\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, appname, plugin_version);

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 64385 CVE(CAN) ID: CVE-2013-3944 IrfanView是一款快速、免费的图像查看器、浏览器、转换器。FORMATS插件可允许IrfanView读取不常见图形格式。 Formats PlugIn 4.36版本处理 &quot;IMAGE::&quot; 标签中,MrSID插件(MrSID.dll)存在边界错误,成功利用后可造成栈缓冲区溢出。 0 IrfanView Formats Plug-in 4.36 厂商补丁: IrfanView --------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.irfanview.net/
idSSV:61192
last seen2017-11-19
modified2013-12-18
published2013-12-18
reporterRoot
titleIrfanView Formats插件'MrSID.dll'栈缓冲区溢出漏洞

References