Application: Cam2pc BMP Image Processing Integer Overflow Vulnerability Platforms: Windows Versions : The vulnerability is confirmed in version 4.6.2 Freeware Edition Other versions may also be affected. Date : 2013-03-32 Contact : kavehghaemmaghami () googlemail com Twitter : @coolkaveh tested : Windows XP SP3 ENG Discovered by : Kaveh Ghaemmaghami AKA (coolkaveh) ------------------------------ 1) Introduction 2) Report Timeline 3) Technical details 4) POC ------------------------------ =============== 1) Introduction =============== Cam2pc is the tool for digital camera: from picture download to browsing and viewing, cam2pc has all The features to ease digital imaging life. Editing images, and manage all the processes (rotate, zoom, adjust brightness and contrast, fix red eyes). Browse and fine your media files, view Images and videos, transfer photos from digital camera, produce fun content out of your favorite images: Make Web albums, galleries, and slideshows. (http://www.nabocorp.com/) ------------------------------ ============================ 2) Report Timeline ============================ 2013-01-15: Vulnerability reported to vendor No response has been received 2013-02-05: Vulnerability reported again to vendor No response has been received 2013-02-26: Vulnerability reported again to vendor No response has been received 2013-03-012: Public Disclosure ------------------------------ ============================ 3) Technical details ============================ The vulnerability is caused due to an integer overflow error in the cam2pc.exe When allocating memory For BITMAPINFOHEADER(biHeight) values. This can be exploited to cause a heap-based buffer overflow Via a specially crafted BMP,JPG,TIF file. Successful exploitation may allow execution of arbitrary code, but requires tricking a user into opening a malicious file. ------------------------------ =========== 4) POC =========== See attached file Password for attached rar file is 123