SSD Advisory – Iceni Infix Multiple Crashes
Credit to Author: SSD / Maor Schwartz| Date: Tue, 13 Jun 2017 11:18:28 +0000
Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
Crashes Summary
An independent security researcher has reported 36 different crashes in Iceni Infix. We decided to publish 1 sample out of the 36 crashes – if you want to get the remaining 35 crashes, please contact us via email ssd [at] beyondsecurity (dot) com.
“Infix PDF Editor and Infix PDF Editor Pro is popular PDF editing software that can be used to edit PDF text. The program is very simple to use when you want to edit the text size, font, font color and more. You can also use Infix PDF Editor to edit whole paragraphs of the PDF document or even completely reformat the text.
Infix works like a normal word processor, so it’s really easy to use. It’s easy and quick – change text, fonts, images and more. No interface gimmicks, no ribbons!”
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
Iceni has released patches to address these crashes “We have resolved these issues in Infix version 7.1.4 which is the current release.”
Crash example – infix.exe+0x29C59F Access violation while writing reserved but unallocated memory
Binary information
Stack
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | Infix.exe + 0x29C59F (id: 271) Infix.exe + 0x29C3E1 (id: 2e7) Infix.exe + 0x29AEB8 Infix.exe + 0x29B158 Infix.exe + 0x29A7D8 Infix.exe + 0x240F85 Infix.exe + 0x2408F5 Infix.exe + 0x2350FA Infix.exe + 0x235175 Infix.exe + 0x236029 Infix.exe + 0x1A3272 Infix.exe + 0x1A6EB8 Infix.exe + 0x15D3BE Infix.exe + 0x15D332 Infix.exe + 0x1B4F1F Infix.exe + 0x16EF52 Infix.exe + 0x15D003 Infix.exe + 0x15D2BB Infix.exe + 0x7441D Infix.exe + 0x7411A |
Registers
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | eax=003ad870 ebx=06ea0df8 ecx=e6777a7f edx=00000000 esi=fffdfeff edi=00000050 eip=0066c59f esp=003ad860 ebp=003ad8b0 iopl=0 nv up ei ng nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286 fpcw=027F: rn 53 puozdi fpsw=0120: top=0 cc=0001 —p——– fptw=FFFF fopcode=0000 fpip=0000:007e92b2 fpdp=0000:003ad550 st0=–1.#SNAN0000000000000000e+0000 st1= 1.572516000000000024880e+0000 st2= 1.030792152334980468750e+0011 st3= 6.553500000000000000000e+0004 st4= 1.030792151040000000000e+0011 st5= 5.400000000000000000000e+0001 st6= 3.100000000000000000000e+0002 st7= 1.230800000000000000000e+0004 mm0=000000ff00ff00ff mm1=c948344c37e6f800 mm2=c00000040bfc0000 mm3=ffff000000000000 mm4=c000000000000000 mm5=d800000000000000 mm6=9b00000000000000 mm7=c050000000000000 xmm0=0 0 0 0 xmm1=–4.693e+034 –1.15741e+033 1.17955e–021 –5.29663e–029 xmm2=6.47301e–032 1.1341e–026 –1.48241e–015 –8.51349e–039 xmm3=4.49737e+012 8.63753e–021 2.71777e–018 4.53886e–029 xmm4=–5.05954e–033 –5.83838e–030 –5.33211e+011 1.87831e+018 xmm5=–6.38821e–023 –1.2114e–026 –2.21391e+034 –2.6204e+022 xmm6=–1.52191e–027 –1.45382e–020 –2.05735e–029 –7.57234e+037 xmm7=–8.75221e–020 –2.46577e+011 3.37054e–018 4.36897e+015 dr0=00000000 dr1=00000000 dr2=00000000 dr3=00000000 dr6=00000000 dr7=00000000 Infix+0x29c59f: 0066c59f c64435c000 mov byte ptr [ebp+esi–40h],0 ss:002b:0038d76f=?? |
Disassembly of stack frame 1 at Infix.exe + 0x29C59F
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 | 0066c546 8104bb79feffff add dword ptr [ebx+edi*4],0FFFFFE79h 0066c54d 8b0e mov ecx,dword ptr [esi] 0066c54f 8b04bb mov eax,dword ptr [ebx+edi*4] 0066c552 8b748104 mov esi,dword ptr [ecx+eax*4+4] 0066c556 8d0481 lea eax,[ecx+eax*4] 0066c559 8b08 mov ecx,dword ptr [eax] 0066c55b 2bf1 sub esi,ecx 0066c55d 8955bc mov dword ptr [ebp–44h],edx 0066c560 3bf2 cmp esi,edx 0066c562 7e38 jle Infix+0x29c59c (0066c59c) 0066c564 8b55b4 mov edx,dword ptr [ebp–4Ch] 0066c567 8b4204 mov eax,dword ptr [edx+4] 0066c56a 8d4c08ff lea ecx,[eax+ecx–1] 0066c56e 894db8 mov dword ptr [ebp–48h],ecx 0066c571 8b55b8 mov edx,dword ptr [ebp–48h] 0066c574 8a02 mov al,byte ptr [edx] 0066c576 e805a0f7ff call Infix+0x216580 (005e6580) 0066c57b 85c0 test eax,eax 0066c57d 741a je Infix+0x29c599 (0066c599) 0066c57f 8b4db8 mov ecx,dword ptr [ebp–48h] 0066c582 8b45bc mov eax,dword ptr [ebp–44h] 0066c585 8a11 mov dl,byte ptr [ecx] 0066c587 885405c0 mov byte ptr [ebp+eax–40h],dl 0066c58b 40 inc eax 0066c58c 41 inc ecx 0066c58d 8945bc mov dword ptr [ebp–44h],eax 0066c590 894db8 mov dword ptr [ebp–48h],ecx 0066c593 3bc6 cmp eax,esi 0066c595 7cda jl Infix+0x29c571 (0066c571) 0066c597 eb03 jmp Infix+0x29c59c (0066c59c) 0066c599 8b75bc mov esi,dword ptr [ebp–44h] 0066c59c 8d45c0 lea eax,[ebp–40h] Infix+0x29c59f: 0066c59f c64435c000 mov byte ptr [ebp+esi–40h],0 // current instruction 0066c5a4 e8f7c1f1ff call Infix+0x1b87a0 (005887a0) 0066c5a9 8945bc mov dword ptr [ebp–44h],eax 0066c5ac 8b45b4 mov eax,dword ptr [ebp–4Ch] 0066c5af 8b4810 mov ecx,dword ptr [eax+10h] 0066c5b2 8b14b9 mov edx,dword ptr [ecx+edi*4] 0066c5b5 52 push edx 0066c5b6 8d75c0 lea esi,[ebp–40h] 0066c5b9 e8b2d1eaff call Infix+0x149770 (00519770) 0066c5be 8b4dfc mov ecx,dword ptr [ebp–4] 0066c5c1 8104bb87010000 add dword ptr [ebx+edi*4],187h 0066c5c8 8b45bc mov eax,dword ptr [ebp–44h] 0066c5cb 83c404 add esp,4 0066c5ce 33cd xor ecx,ebp 0066c5d0 5e pop esi 0066c5d1 e8f84c1700 call Infix+0x4112ce (007e12ce) |
Disassembly of stack frame 2 at Infix.exe + 0x29C3E1
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 | 0066c37d 7e36 jle Infix+0x29c3b5 (0066c3b5) 0066c37f 90 nop 0066c380 680842ca00 push offset Infix+0x8d4208 (00ca4208) 0066c385 b83c000000 mov eax,3Ch 0066c38a e8115bebff call Infix+0x151ea0 (00521ea0) 0066c38f 8b4dcc mov ecx,dword ptr [ebp–34h] 0066c392 8b5110 mov edx,dword ptr [ecx+10h] 0066c395 8904ba mov dword ptr [edx+edi*4],eax 0066c398 8b4110 mov eax,dword ptr [ecx+10h] 0066c39b 8b0cb8 mov ecx,dword ptr [eax+edi*4] 0066c39e 83c404 add esp,4 0066c3a1 51 push ecx 0066c3a2 bed8fac700 mov esi,offset Infix+0x8afad8 (00c7fad8) 0066c3a7 e8c4d3eaff call Infix+0x149770 (00519770) 0066c3ac 47 inc edi 0066c3ad 83c404 add esp,4 0066c3b0 3b7ddc cmp edi,dword ptr [ebp–24h] 0066c3b3 7ccb jl Infix+0x29c380 (0066c380) 0066c3b5 8b45c8 mov eax,dword ptr [ebp–38h] 0066c3b8 8b4dc0 mov ecx,dword ptr [ebp–40h] 0066c3bb 8d55d0 lea edx,[ebp–30h] 0066c3be 52 push edx 0066c3bf 50 push eax 0066c3c0 51 push ecx 0066c3c1 e8aa88f1ff call Infix+0x1b4c70 (00584c70) 0066c3c6 be01000000 mov esi,1 0066c3cb 83c40c add esp,0Ch 0066c3ce 3975d8 cmp dword ptr [ebp–28h],esi 0066c3d1 0f8ee3000000 jle Infix+0x29c4ba (0066c4ba) 0066c3d7 8b4dcc mov ecx,dword ptr [ebp–34h] 0066c3da 8bfe mov edi,esi 0066c3dc e8ff000000 call Infix+0x29c4e0 (0066c4e0) // call Infix+0x29c3e1: 0066c3e1 8b55c4 mov edx,dword ptr [ebp–3Ch] // return address 0066c3e4 8b0cb2 mov ecx,dword ptr [edx+esi*4] 0066c3e7 8d55d0 lea edx,[ebp–30h] 0066c3ea 52 push edx 0066c3eb 50 push eax 0066c3ec 8b45c0 mov eax,dword ptr [ebp–40h] 0066c3ef 50 push eax 0066c3f0 894dd4 mov dword ptr [ebp–2Ch],ecx 0066c3f3 c645d003 mov byte ptr [ebp–30h],3 0066c3f7 e87488f1ff call Infix+0x1b4c70 (00584c70) 0066c3fc 46 inc esi 0066c3fd 83c40c add esp,0Ch 0066c400 3b75d8 cmp esi,dword ptr [ebp–28h] 0066c403 7cd2 jl Infix+0x29c3d7 (0066c3d7) 0066c405 e9b0000000 jmp Infix+0x29c4ba (0066c4ba) 0066c40a b8802fbf00 mov eax,offset Infix+0x822f80 (00bf2f80) |
