It seems version 7.163 for windows x86& x64, 7.155 for Linux x64, 7.39 for Linux x86 are affected.
Crash can be reproduced by
Code: Select all
nconvert.exe -out pzl -in xwd -o .\tmp.pzl .\poc.xwd
Code: Select all
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
ModLoad: 00400000 006a8000 D:\BugHunting\nconvert.exe
ModLoad: 775f0000 777a1000 C:\WINDOWS\SYSTEM32\ntdll.dll
ModLoad: 6e3e0000 6e443000 C:\WINDOWS\SysWOW64\verifier.dll
ModLoad: 75b80000 75c70000 C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 752d0000 75544000 C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 77200000 773a8000 C:\WINDOWS\System32\USER32.dll
ModLoad: 76c50000 76c6a000 C:\WINDOWS\System32\win32u.dll
ModLoad: 758c0000 758e3000 C:\WINDOWS\System32\GDI32.dll
ModLoad: 75c70000 75d52000 C:\WINDOWS\System32\gdi32full.dll
ModLoad: 76d30000 76da9000 C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 75650000 75762000 C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 75250000 752cf000 C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 76400000 764c4000 C:\WINDOWS\System32\msvcrt.dll
ModLoad: 765a0000 76625000 C:\WINDOWS\System32\sechost.dll
ModLoad: 757e0000 757fa000 C:\WINDOWS\System32\bcrypt.dll
ModLoad: 76c70000 76d2a000 C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 75d60000 763f8000 C:\WINDOWS\System32\SHELL32.dll
ModLoad: 771d0000 771f5000 C:\WINDOWS\System32\IMM32.DLL
(5fe8.2388): Access violation - code c0000005 (!!! second chance !!!)
eax=07813c00 ebx=00000000 ecx=0000fff8 edx=00010000 esi=07803c08 edi=07818000
eip=005a8eea esp=0019bb10 ebp=0019bb28 iopl=0 nv up ei pl nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010203
nconvert+0x1a8eea:
005a8eea f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
0:000> .load D:\windbg_ext\MSEC_x86.dll
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at nconvert+0x1a8eea (Hash=0x1a1d0618.0x3b1f4010)
User mode write access violations that are not near NULL are exploitable.