Message-ID: <005b01d9fddd$4657cfe0$d3076fa0$@toccagni.info>
Date: Fri, 13 Oct 2023 15:57:53 +0200
From: <michele@...cagni.info>
To: <fulldisclosure@...lists.org>
Subject: [FD] XNSoft Nconvert 7.136 - Multiple Vulnerabilities

XNSoft Nconvert 7.136 - Multiple Vulnerabilities

===============================================================================

 

Identifiers

-------------------------------------------------

1. CVE-2023-43250

2. CVE-2023-43251

3. CVE-2023-43252

 

 

CVSSv3.1 score

-------------------------------------------------

1. CVE-2023-43250: 7.8 -
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H&version=3.1

2. CVE-2023-43251: 7.8 -
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H&version=3.1

3. CVE-2023-43252: 7.8 -
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H&version=3.1

 

 

Vendor

-------------------------------------------------

XnSoft - https://www.xnview.com/en/nconvert/

 

 

Product

-------------------------------------------------

NConvert is a powerful command line multi-platform batch image processor
with more than 80 commands. Compatible with 500 image formats. 

 

 

Affected versions

-------------------------------------------------

All versions prior to NConvert 7.155 for Windows.

 

 

Credit

-------------------------------------------------

Michele Toccagni - toccagni.info

 

 

Vulnerability summary

-------------------------------------------------

1. CVE-2023-43250: XNSoft Nconvert 7.136 is vulnerable to Buffer Overflow.
There is a User Mode Write AV via a crafted image file. Attackers could
exploit this issue for a Denial of Service (DoS) or possibly to achieve code
execution.

2. CVE-2023-43251: XNSoft Nconvert 7.136 has an Exception Handler Chain
Corrupted via a crafted image file. Attackers could exploit this issue for a
Denial of Service (DoS) or possibly to achieve code execution.

3. CVE-2023-43252: XNSoft Nconvert 7.136 is vulnerable to Buffer Overflow
via a crafted image file. Attackers could exploit this issue for a Denial of
Service (DoS) or possibly to achieve code execution.

 

 

Proof of concept

-------------------------------------------------

1. CVE-2023-43250:
https://github.com/mrtouch93/exploits/tree/main/NConvert7.136/User%20Mode%20Write%20AV

2. CVE-2023-43251:
https://github.com/mrtouch93/exploits/tree/main/NConvert7.136/SEH

3. CVE-2023-43252:
https://github.com/mrtouch93/exploits/tree/main/NConvert7.136/Stack%20Buffer%20Overrun

 

Solution

-------------------------------------------------

Upgrade to NConvert 7.155.

 

Timeline

-------------------------------------------------

Date        | Status
------------|---------------------------
21-JUL-2023 | Reported to vendor
22-JUL-2023 | Vendor asked for details
22-JUL-2023 | Details sent to the vendor
08-SEP-2023 | Vulnerabilities fixed
12-SEP-2023 | Public Disclosure
