CVE-2017-2823 - Use After Free vulnerability in PowerISO 6.8

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: local, low complexity, poweriso, CWE-416

Summary

A use-after-free vulnerability exists in the .ISO parsing functionality of PowerISO 6.8. A specially crafted .ISO file can cause a vulnerability resulting in potential code execution. An attacker can send a specific .ISO file to trigger this vulnerability.

Vulnerable Configurations

Part        | Description | Count
Application | Poweriso    | 1

Common Weakness Enumeration (CWE): CWE-416 (Use After Free)

Seebug

bulletinFamily: exploit
description:

### Summary

A use-after-free vulnerability exists in the .ISO parsing functionality of PowerISO 6.8. A specially crafted .ISO file can cause a vulnerability resulting in potential code execution. An attacker can send a specific .ISO file to trigger this vulnerability.

### Tested Versions

PowerISO 6.8 (6, 8, 0, 0)

### Product URLs

http://poweriso.com

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### Details

This vulnerability can be triggered by providing a specially crafted .ISO file and opening it with the PowerISO software.

```
.text:0001BD5A loc_1BD5A:                              ; CODE XREF: bug_proc+88j
.text:0001BD5A                 mov     eax, [esi+0CCh]
.text:0001BD60                 mov     ecx, ds:65CB0Ch
.text:0001BD66                 cmp     eax, ecx
.text:0001BD68                 jge     short loc_1BD83
.text:0001BD6A                 mov     ecx, [esp+1Ch+arg_C]
.text:0001BD6E                 mov     edx, [esp+1Ch+arg_8]
.text:0001BD72                 push    ebx
.text:0001BD73                 push    ecx
.text:0001BD74                 push    edx
.text:0001BD75                 lea     eax, [eax+eax*8]
.text:0001BD78                 push    edi
.text:0001BD79                 push    esi
.text:0001BD7A                 call    dword ptr ds:65C834h[eax*4]
.text:0001BD81                 jmp     short loc_1BDA3
```

The instruction at 0x0001BD5A loads a pointer-table index into the EAX register from a memory region that has already been freed at this point. After the multiplication at 0x0001BD75, this value is used as the index operand of the call instruction at 0x0001BD7A. The use of previously freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system's reuse of the freed memory.
### Crash Information

```
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
image00000000_00400000+1bd7a
0041bd7a ff148534c86500  call    dword ptr image00000000_00400000+0x25c834 (0065c834)[eax*4]

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000000000041bd7a (image00000000_00400000+0x000000000001bd7a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 00000000da01a1ac
Attempt to read from address 00000000da01a1ac

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
eax=f666f65e ebx=00000010 ecx=02e893f8 edx=00000000 esi=059f0048 edi=00000010
eip=0041bd7a esp=0019e958 ebp=feeefeee iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
image00000000_00400000+0x1bd7a:
0041bd7a ff148534c86500  call    dword ptr image00000000_00400000+0x25c834 (0065c834)[eax*4] ds:002b:da01a1ac=????????

FAULTING_THREAD:  000000000000105c
PROCESS_NAME:  image00000000`00400000
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_PARAMETER1:  0000000000000000
EXCEPTION_PARAMETER2:  00000000da01a1ac
READ_ADDRESS:  00000000da01a1ac
FOLLOWUP_IP:
image00000000_00400000+1bd7a
0041bd7a ff148534c86500  call    dword ptr image00000000_00400000+0x25c834 (0065c834)[eax*4]
NTGLOBALFLAG:  70
APPLICATION_VERIFIER_FLAGS:  0
APP:  image00000000`00400000
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
LAST_CONTROL_TRANSFER:  from 000000000052e8b0 to 000000000041bd7a
BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_ZEROED_STACK
PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ
DEFAULT_BUCKET_ID:  INVALID_POINTER_READ
STACK_TEXT:
00000000`0019e958 00000000`0041bd7a image00000000+0x1bd7a
00000000`0019e988 00000000`0052e8b0 image00000000+0x12e8b0
00000000`0019e98c 00000000`004354bb image00000000+0x354bb
00000000`0052e8b8 ffffffff`e004247c unknown!unknown+0x0
00000000`0052e8bc 00000000`74ff2277 windows_storage!_tls_end+0x26f
00000000`0052e8c0 00000000`1ce80424 unknown!unknown+0x0
00000000`0052e8c4 ffffffff`85000000 unknown!unknown+0x0
00000000`0052e8c8 00000000`167559c0 unknown!unknown+0x0
00000000`0052e8cc 00000000`08244439 unknown!unknown+0x0
00000000`0052e8d0 00000000`74ff1074 windows_storage!DSROLE_NULL_THUNK_DATA_DLA+0x0
00000000`0052e8d4 00000000`54e80424 unknown!unknown+0x0
00000000`0052e8d8 ffffffff`85000059 unknown!unknown+0x0
00000000`0052e8dc ffffffff`de7559c0 unknown!unknown+0x0
00000000`0052e8e0 00000000`56c3c033 unknown!unknown+0x0
00000000`0052e8e4 00000000`0824748b unknown!unknown+0x0
00000000`0052e8e8 ffffffff`b15c353b unknown!unknown+0x0
00000000`0052e8ec 00000000`77570071 ole32!ext-ms-win-sxs-oleautomation-l1-1-0_NULL_THUNK_DATA_DLA <PERF> +0x0
00000000`0052e8f0 ffffffff`e8096a21 unknown!unknown+0x0
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  image00000000+1bd7a
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: image00000000_00400000
IMAGE_NAME:  PowerISO.exe
DEBUG_FLR_IMAGE_TIMESTAMP:  58932d2b
STACK_COMMAND:  .ecxr ; kb ; dps 19e958 ; kb
FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_PowerISO.exe!Unknown
BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_ZEROED_STACK_image00000000+1bd7a
ANALYSIS_SOURCE:  UM
FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_poweriso.exe!unknown
FAILURE_ID_HASH:  {ae0362d7-c487-042b-dd94-abc556299378}
Followup: MachineOwner
---------
```

### Timeline

* 2017-04-26 - Vendor Disclosure
* 2017-05-05 - Public Release

### CREDIT

* Discovered by Piotr Bania of Cisco Talos.
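The disassembly and the crash context together show how the stale value turns into an out-of-bounds table read: with the debug heap enabled (NTGLOBALFLAG 70), Windows fills freed blocks with 0xFEEEFEEE (the pattern still sitting in EBP), `lea eax,[eax+eax*8]` scales that by 9, and 0xFEEEFEEE × 9 mod 2^32 is exactly the 0xF666F65E seen in EAX at the faulting `call`. The `cmp eax, ecx` / `jge` pair before it is a signed upper-bound check, so the negative stale value passes it. The C mock-up below is an added example, not PowerISO code or Talos material: the struct layout, the handler table, the `parser_owner` release scheme and the function names are assumptions for illustration, and `simulated_free` overwrites the block with the fill pattern instead of really freeing it so that the stale read is well defined here. It contrasts the signed check from the disassembly with an unsigned bounds check and a null-after-release owner pointer, which are the two defensive fixes for this dispatch pattern.

```c
/* Constructed mock-up of the dispatch pattern in the disassembly; not
 * PowerISO code. Layout, names and the owner/release scheme are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HANDLER_COUNT   3u          /* stands in for the count read from ds:65CB0Ch */
#define HEAP_FREED_FILL 0xFEEEFEEEu /* Windows debug-heap fill for freed blocks */

typedef int (*handler_fn)(void);

/* 36-byte entries: the index is scaled by 9 (lea eax,[eax+eax*8]) and
 * [base+eax*4] then reads the first dword of a 9-dword entry. */
struct handler_entry {
    handler_fn fn;
    uint32_t   reserved[8];
};

static int handler_a(void) { return 'a'; }
static int handler_b(void) { return 'b'; }
static int handler_c(void) { return 'c'; }

static const struct handler_entry handler_table[HANDLER_COUNT] = {
    { handler_a, {0} }, { handler_b, {0} }, { handler_c, {0} },
};

/* Parser context; handler_index stands in for the field at [esi+0CCh]. */
struct parser_ctx {
    uint32_t header[4];
    int32_t  handler_index;
};

/* The owner holds the only pointer to the context; release() nulls it so a
 * later dispatch cannot reach the stale block. */
struct parser_owner {
    struct parser_ctx *ctx;
};

/* Simulated free: overwrite the block with the debug-heap fill instead of
 * returning it to the allocator, so reading it afterwards is well defined
 * here and reproduces what the debugger showed. */
static void simulated_free(struct parser_ctx *ctx) {
    uint32_t *words = (uint32_t *)ctx;
    for (size_t i = 0; i < sizeof(*ctx) / sizeof(uint32_t); i++)
        words[i] = HEAP_FREED_FILL;
}

/* 32-bit index scaling exactly as lea eax,[eax+eax*8] performs it. */
static uint32_t scaled_index(uint32_t idx) { return idx * 9u; }

/* Check as in the disassembly: signed compare, upper bound only, so a
 * negative stale value is accepted. */
static int signed_check_accepts(int32_t idx) { return idx < (int32_t)HANDLER_COUNT; }

/* Hardened check: one unsigned compare rejects negatives and overlarge values. */
static int unsigned_check_accepts(int32_t idx) { return (uint32_t)idx < HANDLER_COUNT; }

enum { DISPATCH_ERR_RELEASED = -1, DISPATCH_ERR_INDEX = -2 };

/* Hardened dispatch: refuses a released context and an out-of-range index,
 * otherwise returns the selected handler's result. */
static int dispatch_hardened(const struct parser_owner *owner) {
    if (owner->ctx == NULL)
        return DISPATCH_ERR_RELEASED;
    int32_t idx = owner->ctx->handler_index;
    if (!unsigned_check_accepts(idx))
        return DISPATCH_ERR_INDEX;
    return handler_table[idx].fn();
}

static int acquire(struct parser_owner *owner, int32_t idx) {
    owner->ctx = calloc(1, sizeof(*owner->ctx));
    if (owner->ctx == NULL) return 0;
    owner->ctx->handler_index = idx;
    return 1;
}

static void release(struct parser_owner *owner) {
    free(owner->ctx);
    owner->ctx = NULL;          /* the defensive step: no dangling owner pointer */
}

/* Scenarios: live dispatch, dispatch after release, dispatch through a
 * block poisoned by simulated_free() while the owner still points at it. */
static int scenario_live(int32_t idx) {
    struct parser_owner owner = { NULL };
    if (!acquire(&owner, idx)) return DISPATCH_ERR_RELEASED;
    int r = dispatch_hardened(&owner);
    release(&owner);
    return r;
}

static int scenario_after_release(void) {
    struct parser_owner owner = { NULL };
    if (!acquire(&owner, 0)) return DISPATCH_ERR_RELEASED;
    release(&owner);
    return dispatch_hardened(&owner);          /* DISPATCH_ERR_RELEASED */
}

static int scenario_poisoned(void) {
    struct parser_ctx stale = { {0}, 1 };
    simulated_free(&stale);                    /* handler_index is now 0xFEEEFEEE */
    struct parser_owner owner = { &stale };
    return dispatch_hardened(&owner);          /* DISPATCH_ERR_INDEX */
}

int main(void) {
    int32_t stale = (int32_t)HEAP_FREED_FILL;
    printf("stale index 0x%08x: signed check %s, unsigned check %s, scaled 0x%08x\n",
           (uint32_t)stale, signed_check_accepts(stale) ? "accepts" : "rejects",
           unsigned_check_accepts(stale) ? "accepts" : "rejects",
           scaled_index((uint32_t)stale));
    printf("live: '%c'  after release: %d  poisoned block: %d\n",
           scenario_live(1), scenario_after_release(), scenario_poisoned());
    return 0;
}
```

The scaled value printed for the stale index is 0xF666F65E, matching EAX in the crash context; the signed check accepts it while the unsigned check rejects it, and the hardened dispatch refuses both the poisoned block and the released context.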
id: SSV:96511
last seen: 2017-11-19
modified: 2017-09-18
published: 2017-09-18
reporter: Root
title: PowerISO ISO Parsing Use After Free (CVE-2017-2823)

Talos

id: TALOS-2017-0324
last seen: 2019-05-29
published: 2017-05-05
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0324
title: PowerISO ISO Parsing Use After Free