Talos Vulnerability Report

TALOS-2022-1644

PowerISO VHD File Format parsing CXSPARSE record memory corruption vulnerability

December 7, 2022
CVE Number

CVE-2022-41992

SUMMARY

A memory corruption vulnerability exists in the VHD File Format parsing CXSPARSE record functionality of PowerISO PowerISO 8.3. A specially crafted file can lead to an out-of-bounds write. A victim needs to open a malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

PowerISO PowerISO 8.3

PRODUCT URLS

PowerISO - https://www.poweriso.com/

CVSSv3 SCORE

7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

DETAILS

PowerISO is a disk image processing tool that supports operations on various file formats and can also mount images as virtual drives.

The Virtual Hard Disk (VHD) image format is a common image format used in Microsoft virtualization products. It stores both hard disk images and snapshots.
For more details about this format see link.

Vulnerable code below:

    0000000000442869 | 41:8B0C38                | mov ecx,dword ptr ds:[r8+rdi]
    000000000044286D | 41:FFC1                  | inc r9d
    0000000000442870 | 8BC1                     | mov eax,ecx
    0000000000442872 | 8BD1                     | mov edx,ecx
    0000000000442874 | C1E9 08                  | shr ecx,8
    0000000000442877 | C1E2 10                  | shl edx,10
    000000000044287A | 41:23C5                  | and eax,r13d
    000000000044287D | 41:23CD                  | and ecx,r13d
    0000000000442880 | 0BD0                     | or edx,eax
    0000000000442882 | 41:0FB64438 03           | movzx eax,byte ptr ds:[r8+rdi+3]
    0000000000442888 | C1E2 08                  | shl edx,8
    000000000044288B | 0BD0                     | or edx,eax
    000000000044288D | 48:8B43 10               | mov rax,qword ptr ds:[rbx+10]
    0000000000442891 | 0BD1                     | or edx,ecx
    0000000000442893 | 41:891400                | mov dword ptr ds:[r8+rax],edx
    0000000000442897 | 49:83C0 04               | add r8,4
    000000000044289B | 44:3B4B 18               | cmp r9d,dword ptr ds:[rbx+18]       ; * Num of blocks from cxsparse record
    000000000044289F | 72 C8                    | jb poweriso.442869

The vulnerability exists because the “Num of blocks” value from the CXSPARSE record is not validated properly before it is used as the loop bound.
Because an attacker controls the loop counter, the store at the end of each iteration can be driven past the destination buffer, leading to an arbitrary memory write.
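The following C program is an added illustration, not PowerISO's code or part of the Talos report. It models the loop shown in the disassembly: each iteration performs a byte shuffle that, assuming r13d holds 0xFF00, is simply a 32-bit big-endian load, and the result is stored into the table at [rbx+0x10] until the counter reaches the file-supplied value at [rbx+0x18]. The struct, function names, the 0xFF00 assumption and the sample table bytes are all constructed for the example. The unchecked decoder reproduces the CWE-787 pattern; the checked one shows the bound a parser needs against both the destination capacity and the input length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical parser state modelled on the disassembly: table corresponds
 * to the pointer at [rbx+0x10] and num_blocks to the count at [rbx+0x18]. */
typedef struct {
    uint32_t *table;       /* destination for decoded, host-order entries */
    uint32_t  table_cap;   /* number of entries the allocation can hold */
    uint32_t  num_blocks;  /* "Num of blocks" exactly as read from the file */
} bat_ctx;

/* The byte shuffle the loop body performs (assuming r13d = 0xFF00) is a
 * 32-bit big-endian load: bytes b0 b1 b2 b3 -> b0<<24 | b1<<16 | b2<<8 | b3. */
static uint32_t be32_to_host(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the loop bound is the file-supplied count and is never
 * compared with the destination capacity. With num_blocks > table_cap the
 * store runs past the end of the allocation (CWE-787). */
static void decode_bat_unchecked(bat_ctx *ctx, const uint8_t *src)
{
    for (uint32_t i = 0; i < ctx->num_blocks; i++)
        ctx->table[i] = be32_to_host(src + (size_t)i * 4);
}

/* Hardened form: refuse a count that neither the destination nor the source
 * can back. Returns 0 on success, -1 when the header value is inconsistent. */
static int decode_bat_checked(bat_ctx *ctx, const uint8_t *src, size_t src_len)
{
    if (ctx->num_blocks > ctx->table_cap)        /* would overrun the table */
        return -1;
    if ((size_t)ctx->num_blocks > src_len / 4)   /* would over-read the input */
        return -1;
    for (uint32_t i = 0; i < ctx->num_blocks; i++)
        ctx->table[i] = be32_to_host(src + (size_t)i * 4);
    return 0;
}

/* Constructed sample: three big-endian entries as they would sit on disk. */
static const uint8_t sample_bat[12] = {
    0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x01, 0x00,
    0xDE, 0xAD, 0xBE, 0xEF,
};

/* Decodes the sample with a count the table can hold and returns entry i. */
uint32_t demo_checked_entry(uint32_t i)
{
    uint32_t table[4] = {0};
    bat_ctx ctx = { table, 4, 3 };
    if (decode_bat_checked(&ctx, sample_bat, sizeof sample_bat) != 0)
        return 0xFFFFFFFFu;
    return i < 3 ? table[i] : 0xFFFFFFFFu;
}

/* Simulates a header claiming far more blocks than were allocated; the
 * checked decoder must refuse instead of writing past the table. */
int demo_checked_rejects_oversized(void)
{
    uint32_t table[4] = {0};
    bat_ctx ctx = { table, 4, 0x10000 };
    return decode_bat_checked(&ctx, sample_bat, sizeof sample_bat);
}

int main(void)
{
    uint32_t table[4] = {0};
    bat_ctx ctx = { table, 4, 3 };
    decode_bat_unchecked(&ctx, sample_bat);   /* in bounds only because 3 <= 4 */
    printf("entry 2 = 0x%08x\n", table[2]);
    printf("oversized count rejected: %s\n",
           demo_checked_rejects_oversized() == -1 ? "yes" : "no");
    return 0;
}
```

The second check in decode_bat_checked matters as much as the first: a count validated only against the destination still lets the loop read past the end of the record buffer, so both the allocation size and the number of bytes actually read from the file have to bound the loop.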

Crash Information

	PowerISO+0x42893:
	00000000`00442893 41891400        mov     dword ptr [r8+rax],edx ds:00000000`02b2f000=????????


	0:000> !analyze -v
	*******************************************************************************
	*                                                                             *
	*                        Exception Analysis                                   *
	*                                                                             *
	*******************************************************************************


	KEY_VALUES_STRING: 1

		Key  : AV.Fault
		Value: Write

		Key  : Analysis.CPU.mSec
		Value: 1281

		Key  : Analysis.DebugAnalysisManager
		Value: Create

		Key  : Analysis.Elapsed.mSec
		Value: 17362

		Key  : Analysis.IO.Other.Mb
		Value: 9

		Key  : Analysis.IO.Read.Mb
		Value: 1

		Key  : Analysis.IO.Write.Mb
		Value: 12

		Key  : Analysis.Init.CPU.mSec
		Value: 406

		Key  : Analysis.Init.Elapsed.mSec
		Value: 9616

		Key  : Analysis.Memory.CommitPeak.Mb
		Value: 106

		Key  : Timeline.OS.Boot.DeltaSec
		Value: 471002

		Key  : Timeline.Process.Start.DeltaSec
		Value: 12

		Key  : WER.OS.Branch
		Value: vb_release

		Key  : WER.OS.Timestamp
		Value: 2019-12-06T14:06:00Z

		Key  : WER.OS.Version
		Value: 10.0.19041.1

		Key  : WER.Process.Version
		Value: 8.3.0.0


	NTGLOBALFLAG:  0

	PROCESS_BAM_CURRENT_THROTTLED: 0

	PROCESS_BAM_PREVIOUS_THROTTLED: 0

	APPLICATION_VERIFIER_FLAGS:  0

	EXCEPTION_RECORD:  (.exr -1)
	ExceptionAddress: 0000000000442893 (PowerISO+0x0000000000042893)
	   ExceptionCode: c0000005 (Access violation)
	  ExceptionFlags: 00000000
	NumberParameters: 2
	   Parameter[0]: 0000000000000001
	   Parameter[1]: 0000000002c5f000
	Attempt to write to address 0000000002c5f000

	FAULTING_THREAD:  00000ba0

	PROCESS_NAME:  PowerISO.exe

	WRITE_ADDRESS:  0000000002c5f000 

	ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

	EXCEPTION_CODE_STR:  c0000005

	EXCEPTION_PARAMETER1:  0000000000000001

	EXCEPTION_PARAMETER2:  0000000002c5f000

	STACK_TEXT:  
	00000000`0014de30 00000000`00442aad     : 00000000`00000200 00000000`00000000 00000000`000007b3 00000000`3000cbfb : PowerISO+0x42893
	00000000`0014e2b0 00000000`00442d2c     : 00000000`05a603c0 00000000`00000000 78697463`656e6f63 00000000`00000001 : PowerISO+0x42aad
	00000000`0014e520 00000000`004061ae     : 00000000`00000001 00000000`00000688 00000000`03380f70 00000000`03380f70 : PowerISO+0x42d2c
	00000000`0014e560 00000000`005d6cf6     : 00000000`0014e7a8 00000000`0014e7a8 00000000`00000001 00000000`02ba853c : PowerISO+0x61ae
	00000000`0014e710 00000000`004f2733     : 00000000`0014e8b0 00000000`00000000 00000000`00000000 00007ff9`4a6dc9bb : PowerISO+0x1d6cf6
	00000000`0014e830 00000000`004f2fc5     : 00000000`1c12beb3 00000000`0014ebc8 00000000`66076fb2 00000000`d88dfeb5 : PowerISO+0xf2733
	00000000`0014eb90 00000000`005561ef     : 00000000`00000004 00000000`0333ba1c 00000000`00000000 00000000`03348f60 : PowerISO+0xf2fc5
	00000000`0014ebc0 00000000`004ee5ad     : 00000000`0014ed00 00007ff9`35ff414e 00000000`00000004 00008731`00000002 : PowerISO+0x1561ef
	00000000`0014ebf0 00000000`006280ed     : 00000000`00000001 00007ff9`4a6deb96 00000000`00000363 00000000`00000001 : PowerISO+0xee5ad
	00000000`0014f890 00000000`00624c83     : 00000000`02b50150 ffffffff`ffffffff 00000000`00000006 00000000`00000080 : PowerISO+0x2280ed
	00000000`0014f9c0 00000000`004ebf6f     : 00000000`00000000 00000000`00d3103e 00000000`03348f60 00000000`00000001 : PowerISO+0x224c83
	00000000`0014fa20 00000000`00626410     : ffffffff`fffffffe 00000000`00000113 00000000`00000000 00000000`00000113 : PowerISO+0xebf6f
	00000000`0014fa50 00000000`006265be     : 00000000`008df500 00000000`00becb30 00000000`0333c920 00007ff9`02000002 : PowerISO+0x226410
	00000000`0014fb10 00007ff9`4a6de858     : 00000000`008df4a0 00000000`00000113 00000000`00000001 00000000`00000000 : PowerISO+0x2265be
	00000000`0014fb70 00007ff9`4a6de299     : 00000000`00d3103e 00000000`00626570 00000000`00d3103e 00000000`00000113 : USER32!UserCallWinProcCheckWow+0x2f8
	00000000`0014fd00 00000000`00621c6d     : 00000000`00626570 00000000`008df4a0 00000000`00000002 00000000`008df4a0 : USER32!DispatchMessageWorker+0x249
	00000000`0014fd80 00000000`00621aa9     : 00000000`008df4a0 00000000`00400000 00000000`00000001 00000000`00000000 : PowerISO+0x221c6d
	00000000`0014fdc0 00000000`0062aa57     : 00000000`006486d8 00000000`00000000 00000000`00648718 00000000`00648720 : PowerISO+0x221aa9
	00000000`0014fe20 00000000`005f607b     : 00000000`00000045 00000000`00000000 00000000`00000000 00000000`00400000 : PowerISO+0x22aa57
	00000000`0014fe80 00007ff9`4a627034     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : PowerISO+0x1f607b
	00000000`0014ff30 00007ff9`4a9426a1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
	00000000`0014ff60 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


	STACK_COMMAND:  ~0s ; .cxr ; kb

	SYMBOL_NAME:  PowerISO+42893

	MODULE_NAME: PowerISO

	IMAGE_NAME:  PowerISO.exe

	FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_PowerISO.exe!Unknown

	OS_VERSION:  10.0.19041.1

	BUILDLAB_STR:  vb_release

	OSPLATFORM_TYPE:  x64

	OSNAME:  Windows 10

	IMAGE_VERSION:  8.3.0.0

	FAILURE_ID_HASH:  {1b12d601-7fad-79d8-d5a8-9f7caedc20c8}

	Followup:     MachineOwner
	---------

TIMELINE

2022-10-27 - Vendor Disclosure
2022-11-28 - Vendor Patch Release
2022-12-07 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.