#######################################################################

                             Luigi Auriemma

Application:  ExpressView Browser Plug-in (MrSID)
              http://www.lizardtech.com/downloads/plugins.php
Versions:     <= 6.5.0.3330
Platforms:    Windows
Bugs:         various
Exploitation: remote via browser/file
Date:         11 Jan 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's homepage:
"The ExpressView Browser Plug-in (formerly the MrSID Browser Plug-in)
gives you the ability to view MrSID and JPEG 2000 images natively in
standard Windows Web browsers. The intuitive graphic user interface
allows you to view, magnify, measure, print and save images. The
ExpressView Browser Plug-in is free for individual use and is easily
installed as a plug-in for Internet Explorer and Firefox Web browsers."

#######################################################################

=======
2) Bugs
=======

-------------------
A] integer overflow
-------------------

Integer overflow caused by a multiplication by 4 during the handling of
the information available in the files.

eax=05412570 ebx=039efdb8 ecx=00000000 edx=00000001 esi=00000092 edi=40000000
eip=041b7abb esp=0012f37c ebp=0012f3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
npexview!OGR_SRSNode::GetValue+0x71b:
041b7abb 8904b3          mov     dword ptr [ebx+esi*4],eax ds:0023:039f0000=78746341

Modified offset 0xe7 of the provided proof-of-concept.

-------------------
B] integer overflow
-------------------

Another integer overflow; code execution happens when the file gets
reloaded a second time (for example through a meta-refresh of the
browser).

Modified offset 0xef of the provided proof-of-concept.
-------------------
C] integer overflow
-------------------

Integer overflow which happens in the function at address 04271810 of
npexview.dll during the usage of the 64bit big endian number at offset
0x1a of the SID files and that allows reaching the following location:

0ed06740 8b4018          mov     eax,dword ptr [eax+18h]   ; get the location
0ed06743 0fb7d1          movzx   edx,cx                    ; via heap-spray
0ed06746 0fb6c9          movzx   ecx,cl
0ed06749 c1ea03          shr     edx,3
0ed0674c 5f              pop     edi
0ed0674d 03c2            add     eax,edx
0ed0674f 83e107          and     ecx,7
0ed06752 8a91dcb0180f    mov     dl,byte ptr expressview!OGRCoordinateTransformation::`vftable'+0x5890 (0f18b0dc)[ecx]
0ed06758 0810            or      byte ptr [eax],dl         ; write

-----------------
D] code execution
-----------------

eax=0012f5b4 ebx=00000000 ecx=baadf00d edx=045e929c esi=039da978 edi=039da978
eip=0413a367 esp=0012f5a8 ebp=0012f728 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010282
npexview!std::basic_string,std::allocator >::reserve+0x3427:
0413a367 8b01            mov     eax,dword ptr [ecx]
0413a369 8b5008          mov     edx,dword ptr [eax+8]
0413a36c ffd2            call    edx

Modified offset 0x2a of expressview_1d.sid.
-----------------
E] code execution
-----------------

eax=0012f374 ebx=ffffffff ecx=00000000 edx=abababab esi=00000001 edi=039d9f1c
eip=041a0451 esp=0012f300 ebp=0012f4e8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
npexview!GDALRasterBlock::GetBand+0x5b91:
041a0451 8b4204          mov     eax,dword ptr [edx+4]
041a0454 8bcf            mov     ecx,edi
041a0456 c784249401000003000000 mov dword ptr [esp+194h],3
041a0461 ffd0            call    eax

eax=0012f34c ebx=03a3a01c ecx=00000000 edx=abababab esi=00000001 edi=00000004
eip=03ca03dc esp=0012f300 ebp=0012f4fc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
npexview!GDALRasterBlock::GetBand+0x5b1c:
03ca03dc 8b4204          mov     eax,dword ptr [edx+4]
03ca03df 8bcb            mov     ecx,ebx
03ca03e1 c784249401000008000000 mov dword ptr [esp+194h],8
03ca03ec ffd0            call    eax

eax=0012f464 ebx=00000003 ecx=039d9e0c edx=abababab esi=00000001 edi=00000003
eip=042a05af esp=0012f300 ebp=0012f4e8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
npexview!GDALRasterBlock::GetBand+0x5cef:
042a05af 8b4204          mov     eax,dword ptr [edx+4]
042a05b2 c78424940100000b000000 mov dword ptr [esp+194h],0Bh
042a05bd ffd0            call    eax

Modified offset 0x24, 0x31 and 0x31 of the respective proofs-of-concept.

All the bugs may be exploitable via browser heap-spray.

Note that no additional research has been performed, so some of this
information may be not completely correct or may be redundant; these
are just some quick bugs found and documented on the fly.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/expressview_1.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
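Added illustration (not code from the advisory, the plug-in or its vendor): the two defect patterns named in bugs A and C, a file-supplied element count multiplied by 4 in 32-bit arithmetic, and a file-supplied 64-bit value turned into a bit index that is OR-ed into a bitmap, each shown next to the check that a parser should apply before allocating or writing. The header layout, the function names and the sample bytes are constructed assumptions for the example; nothing here reproduces npexview.dll or the SID format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Read a 64-bit big-endian integer from a byte buffer. The advisory says
 * the SID header carries such a value at offset 0x1a; this reader and the
 * buffers below are constructed for illustration, not taken from the plug-in. */
uint64_t read_be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Bug-A pattern (assumed shape): an element count from the file is multiplied
 * by 4 in 32-bit arithmetic. The product wraps, so the allocation is tiny
 * while the loop that fills it still runs `count` times. */
uint32_t unchecked_table_bytes(uint32_t count)
{
    return count * 4u;          /* 0x40000001 * 4 wraps to 4 */
}

/* Hardened form: multiply in a wider type and reject any size that does not
 * fit in size_t or in the bytes actually left in the file.
 * Returns 1 and stores the byte size on success, 0 on overflow/truncation. */
int checked_table_bytes(uint32_t count, size_t avail, size_t *out)
{
    uint64_t bytes = (uint64_t)count * 4u;
    if (bytes > (uint64_t)SIZE_MAX || bytes > (uint64_t)avail)
        return 0;
    *out = (size_t)bytes;
    return 1;
}

/* Parse a constructed table: [count be32][count x 4-byte entries].
 * The size is validated before allocating or copying, so a hostile count is
 * refused instead of becoming a heap overflow. Returns 1 on success and fills
 * *entries_out (caller frees) and *count_out. */
int parse_table(const uint8_t *buf, size_t len, uint32_t **entries_out,
                uint32_t *count_out)
{
    if (len < 4)
        return 0;
    uint32_t count = read_be32(buf);
    size_t bytes;
    if (!checked_table_bytes(count, len - 4, &bytes))
        return 0;
    uint32_t *entries = malloc(bytes ? bytes : 1);
    if (!entries)
        return 0;
    for (uint32_t i = 0; i < count; i++)
        entries[i] = read_be32(buf + 4 + (size_t)i * 4);
    *entries_out = entries;
    *count_out = count;
    return 1;
}

/* Bug-C pattern (assumed shape): a file-supplied value becomes a bit index
 * (byte = index >> 3, mask from index & 7) OR-ed into a bitmap, as in the
 * shr/and/or sequence quoted above. The byte offset is bounds-checked first;
 * an index outside the bitmap is rejected rather than written. */
int set_bit_checked(uint8_t *bitmap, size_t bitmap_len, uint64_t bit_index)
{
    uint64_t byte = bit_index >> 3;
    if (byte >= (uint64_t)bitmap_len)
        return 0;
    bitmap[byte] |= (uint8_t)(1u << (bit_index & 7));
    return 1;
}

int main(void)
{
    /* Constructed header: count = 3, then three entries. */
    static const uint8_t good[] = { 0,0,0,3, 0,0,0,1, 0,0,0,2, 0,0,0,3 };
    /* Constructed header: count = 0x40000001, which wraps to 4 bytes unchecked. */
    static const uint8_t evil[] = { 0x40,0,0,1, 0,0,0,0 };
    /* Constructed 64-bit big-endian value far beyond a 16-byte bitmap. */
    static const uint8_t big[]  = { 0,0,0,0, 0x10,0,0,0 };
    uint32_t *e = NULL, n = 0;
    uint8_t bitmap[16] = {0};

    printf("unchecked 0x40000001*4 = %u\n", unchecked_table_bytes(0x40000001u));
    if (parse_table(good, sizeof good, &e, &n)) {
        printf("good header: %u entries\n", n);
        free(e);
    }
    printf("evil header accepted: %d\n", parse_table(evil, sizeof evil, &e, &n));
    printf("bit 5 set: %d, bit 0x%llx set: %d\n",
           set_bit_checked(bitmap, sizeof bitmap, 5),
           (unsigned long long)read_be64(big),
           set_bit_checked(bitmap, sizeof bitmap, read_be64(big)));
    return 0;
}
```

The 32-bit product in unchecked_table_bytes is the whole defect: the count that wraps to a 4-byte allocation is exactly the kind of value a fuzzed header offset produces, and the register dump for bug A shows a write through [ebx+esi*4] past the end of a small block. Doing the multiplication in uint64_t and comparing against both SIZE_MAX and the remaining file length closes the wrap and the truncated-file case in one check.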