CVE-2022-41992
A memory corruption vulnerability exists in the VHD File Format parsing CXSPARSE record functionality of PowerISO PowerISO 8.3. A specially crafted file can lead to an out-of-bounds write. A victim needs to open a malicious file to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
PowerISO PowerISO 8.3
PowerISO - https://www.poweriso.com/
7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787 - Out-of-bounds Write
PowerISO is a disk image processing tool that supports operations on a variety of image formats and can also mount images as virtual drives.
Virtual Hard Disk (VHD) image format is a common image format used in Microsoft virtualization products. It is used to store both hard disk images and snapshots.
For more details about this format see link.
Vulnerable code below:
0000000000442869 | 41:8B0C38 | mov ecx,dword ptr ds:[r8+rdi]
000000000044286D | 41:FFC1 | inc r9d
0000000000442870 | 8BC1 | mov eax,ecx
0000000000442872 | 8BD1 | mov edx,ecx
0000000000442874 | C1E9 08 | shr ecx,8
0000000000442877 | C1E2 10 | shl edx,10
000000000044287A | 41:23C5 | and eax,r13d
000000000044287D | 41:23CD | and ecx,r13d
0000000000442880 | 0BD0 | or edx,eax
0000000000442882 | 41:0FB64438 03 | movzx eax,byte ptr ds:[r8+rdi+3]
0000000000442888 | C1E2 08 | shl edx,8
000000000044288B | 0BD0 | or edx,eax
000000000044288D | 48:8B43 10 | mov rax,qword ptr ds:[rbx+10]
0000000000442891 | 0BD1 | or edx,ecx
0000000000442893 | 41:891400 | mov dword ptr ds:[r8+rax],edx
0000000000442897 | 49:83C0 04 | add r8,4
000000000044289B | 44:3B4B 18 | cmp r9d,dword ptr ds:[rbx+18] ; * Num of blocks from cxsparse record
000000000044289F | 72 C8 | jb poweriso.442869
The vulnerability exists because the “Num of blocks” value read from the CXSPARSE record is not validated. The loop above copies one byte-swapped 32-bit entry per iteration into the buffer at [rbx+10], advancing r8 by four each time, and stops only when r9d reaches that attacker-supplied count. Nothing checks the count against the size of the destination buffer, so a crafted value drives the loop past its end and produces a linear out-of-bounds write of attacker-controlled dwords, which is the access violation shown below.
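The bound the loop is missing, written out in C as an added example (this is not PowerISO's code, and the fix PowerISO shipped is not known from this advisory). The header field offsets and the "cxsparse" cookie are taken from Microsoft's VHD specification, where the "Num of blocks" count is the Max Table Entries field; the image bytes are constructed inline for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets in the 1024-byte VHD dynamic disk header (Microsoft VHD
 * specification; every multi-byte field is big-endian). The "Num of blocks"
 * named in the advisory is the Max Table Entries field at offset 28. */
enum {
    DYN_HDR_SIZE        = 1024,
    DYN_OFF_TABLE_OFF   = 16,   /* u64: file offset of the block allocation table (BAT) */
    DYN_OFF_MAX_ENTRIES = 28,   /* u32: number of BAT entries */
};
static const char DYN_COOKIE[8] = { 'c','x','s','p','a','r','s','e' };

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint64_t be64(const uint8_t *p)
{
    return (uint64_t)be32(p) << 32 | be32(p + 4);
}

/* The loop at 0x442869, minus its bound: copy n big-endian BAT entries into
 * dst in host order. Nothing here knows how large dst is; the bound is the
 * caller's job, and that is the check PowerISO 8.3 lacked. */
static void bat_swap(const uint8_t *src, uint32_t *dst, uint32_t n)
{
    for (uint32_t i = 0; i < n; i++)
        dst[i] = be32(src + 4 * (size_t)i);
}

typedef enum { BAT_OK, BAT_TRUNCATED, BAT_BAD_COOKIE, BAT_TOO_MANY, BAT_OUTSIDE_FILE } bat_status;

/* Hardened loader: parse the dynamic header at hdr_off in image[0, image_len)
 * and fill dst, which holds at most dst_cap entries. */
bat_status vhd_load_bat(const uint8_t *image, size_t image_len, size_t hdr_off,
                        uint32_t *dst, uint32_t dst_cap, uint32_t *out_n)
{
    if (hdr_off > image_len || image_len - hdr_off < DYN_HDR_SIZE)
        return BAT_TRUNCATED;
    const uint8_t *h = image + hdr_off;
    if (memcmp(h, DYN_COOKIE, sizeof DYN_COOKIE) != 0)
        return BAT_BAD_COOKIE;

    uint64_t table_off = be64(h + DYN_OFF_TABLE_OFF);
    uint32_t n = be32(h + DYN_OFF_MAX_ENTRIES);

    /* The missing check: the attacker-chosen count must fit the destination. */
    if (n > dst_cap)
        return BAT_TOO_MANY;
    /* The BAT must also lie inside the file; 64-bit arithmetic avoids wrap-around. */
    if (table_off > image_len || (uint64_t)n * 4 > image_len - table_off)
        return BAT_OUTSIDE_FILE;

    bat_swap(image + table_off, dst, n);
    *out_n = n;
    return BAT_OK;
}

/* Constructed image (not a real VHD sample): dynamic header at offset 0, BAT
 * right after it. `declared` may differ from the number of entries present. */
#define IMG_CAP (DYN_HDR_SIZE + 4 * 16)
static size_t make_image(uint8_t *img, uint32_t declared, const uint32_t *entries, uint32_t present)
{
    memset(img, 0, IMG_CAP);
    memcpy(img, DYN_COOKIE, 8);
    for (int i = 0; i < 8; i++) img[DYN_OFF_TABLE_OFF + i] = (uint8_t)((uint64_t)DYN_HDR_SIZE >> (56 - 8 * i));
    for (int i = 0; i < 4; i++) img[DYN_OFF_MAX_ENTRIES + i] = (uint8_t)(declared >> (24 - 8 * i));
    for (uint32_t e = 0; e < present; e++)
        for (int i = 0; i < 4; i++) img[DYN_HDR_SIZE + 4 * e + i] = (uint8_t)(entries[e] >> (24 - 8 * i));
    return DYN_HDR_SIZE + 4 * (size_t)present;
}

#define DST_CAP 8
static const uint32_t SAMPLE_BAT[3] = { 0xFFFFFFFFu, 0x00000003u, 0x00000007u }; /* 0xFFFFFFFF = unallocated block */

/* Well-formed image: returns decoded BAT entry idx, or 0xDEADBEEF if the load fails or idx is out of range. */
uint32_t well_formed_entry(uint32_t idx)
{
    uint8_t img[IMG_CAP]; uint32_t dst[DST_CAP], n = 0;
    size_t len = make_image(img, 3, SAMPLE_BAT, 3);
    if (vhd_load_bat(img, len, 0, dst, DST_CAP, &n) != BAT_OK || idx >= n) return 0xDEADBEEFu;
    return dst[idx];
}
/* The crafted case from the advisory: a huge Max Table Entries with a small destination. */
bat_status scenario_huge_count(void)
{
    uint8_t img[IMG_CAP]; uint32_t dst[DST_CAP], n = 0;
    size_t len = make_image(img, 0x7FFFFFFFu, SAMPLE_BAT, 3);
    return vhd_load_bat(img, len, 0, dst, DST_CAP, &n);
}
/* Count fits the buffer, but the BAT runs past the end of the file. */
bat_status scenario_truncated_bat(void)
{
    uint8_t img[IMG_CAP]; uint32_t dst[DST_CAP], n = 0;
    size_t len = make_image(img, 5, SAMPLE_BAT, 3);
    return vhd_load_bat(img, len, 0, dst, DST_CAP, &n);
}

int main(void)
{
    printf("entry0=%08x huge=%d truncated=%d\n",
           well_formed_entry(0), scenario_huge_count(), scenario_truncated_bat());
    return 0;
}
```

The two checks are independent: a count that fits the destination can still point the BAT past end of file, and a BAT that is fully inside the file can still be larger than the buffer the caller allocated, so both are needed before the swap loop runs.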
PowerISO+0x42893:
00000000`00442893 41891400 mov dword ptr [r8+rax],edx ds:00000000`02b2f000=????????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Write
Key : Analysis.CPU.mSec
Value: 1281
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 17362
Key : Analysis.IO.Other.Mb
Value: 9
Key : Analysis.IO.Read.Mb
Value: 1
Key : Analysis.IO.Write.Mb
Value: 12
Key : Analysis.Init.CPU.mSec
Value: 406
Key : Analysis.Init.Elapsed.mSec
Value: 9616
Key : Analysis.Memory.CommitPeak.Mb
Value: 106
Key : Timeline.OS.Boot.DeltaSec
Value: 471002
Key : Timeline.Process.Start.DeltaSec
Value: 12
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
Key : WER.Process.Version
Value: 8.3.0.0
NTGLOBALFLAG: 0
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 0000000000442893 (PowerISO+0x0000000000042893)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000002c5f000
Attempt to write to address 0000000002c5f000
FAULTING_THREAD: 00000ba0
PROCESS_NAME: PowerISO.exe
WRITE_ADDRESS: 0000000002c5f000
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 0000000002c5f000
STACK_TEXT:
00000000`0014de30 00000000`00442aad : 00000000`00000200 00000000`00000000 00000000`000007b3 00000000`3000cbfb : PowerISO+0x42893
00000000`0014e2b0 00000000`00442d2c : 00000000`05a603c0 00000000`00000000 78697463`656e6f63 00000000`00000001 : PowerISO+0x42aad
00000000`0014e520 00000000`004061ae : 00000000`00000001 00000000`00000688 00000000`03380f70 00000000`03380f70 : PowerISO+0x42d2c
00000000`0014e560 00000000`005d6cf6 : 00000000`0014e7a8 00000000`0014e7a8 00000000`00000001 00000000`02ba853c : PowerISO+0x61ae
00000000`0014e710 00000000`004f2733 : 00000000`0014e8b0 00000000`00000000 00000000`00000000 00007ff9`4a6dc9bb : PowerISO+0x1d6cf6
00000000`0014e830 00000000`004f2fc5 : 00000000`1c12beb3 00000000`0014ebc8 00000000`66076fb2 00000000`d88dfeb5 : PowerISO+0xf2733
00000000`0014eb90 00000000`005561ef : 00000000`00000004 00000000`0333ba1c 00000000`00000000 00000000`03348f60 : PowerISO+0xf2fc5
00000000`0014ebc0 00000000`004ee5ad : 00000000`0014ed00 00007ff9`35ff414e 00000000`00000004 00008731`00000002 : PowerISO+0x1561ef
00000000`0014ebf0 00000000`006280ed : 00000000`00000001 00007ff9`4a6deb96 00000000`00000363 00000000`00000001 : PowerISO+0xee5ad
00000000`0014f890 00000000`00624c83 : 00000000`02b50150 ffffffff`ffffffff 00000000`00000006 00000000`00000080 : PowerISO+0x2280ed
00000000`0014f9c0 00000000`004ebf6f : 00000000`00000000 00000000`00d3103e 00000000`03348f60 00000000`00000001 : PowerISO+0x224c83
00000000`0014fa20 00000000`00626410 : ffffffff`fffffffe 00000000`00000113 00000000`00000000 00000000`00000113 : PowerISO+0xebf6f
00000000`0014fa50 00000000`006265be : 00000000`008df500 00000000`00becb30 00000000`0333c920 00007ff9`02000002 : PowerISO+0x226410
00000000`0014fb10 00007ff9`4a6de858 : 00000000`008df4a0 00000000`00000113 00000000`00000001 00000000`00000000 : PowerISO+0x2265be
00000000`0014fb70 00007ff9`4a6de299 : 00000000`00d3103e 00000000`00626570 00000000`00d3103e 00000000`00000113 : USER32!UserCallWinProcCheckWow+0x2f8
00000000`0014fd00 00000000`00621c6d : 00000000`00626570 00000000`008df4a0 00000000`00000002 00000000`008df4a0 : USER32!DispatchMessageWorker+0x249
00000000`0014fd80 00000000`00621aa9 : 00000000`008df4a0 00000000`00400000 00000000`00000001 00000000`00000000 : PowerISO+0x221c6d
00000000`0014fdc0 00000000`0062aa57 : 00000000`006486d8 00000000`00000000 00000000`00648718 00000000`00648720 : PowerISO+0x221aa9
00000000`0014fe20 00000000`005f607b : 00000000`00000045 00000000`00000000 00000000`00000000 00000000`00400000 : PowerISO+0x22aa57
00000000`0014fe80 00007ff9`4a627034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : PowerISO+0x1f607b
00000000`0014ff30 00007ff9`4a9426a1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000000`0014ff60 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
STACK_COMMAND: ~0s ; .cxr ; kb
SYMBOL_NAME: PowerISO+42893
MODULE_NAME: PowerISO
IMAGE_NAME: PowerISO.exe
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_PowerISO.exe!Unknown
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
IMAGE_VERSION: 8.3.0.0
FAILURE_ID_HASH: {1b12d601-7fad-79d8-d5a8-9f7caedc20c8}
Followup: MachineOwner
---------
2022-10-27 - Vendor Disclosure
2022-11-28 - Vendor Patch Release
2022-12-07 - Public Release
Discovered by Piotr Bania of Cisco Talos.