GCC Productions Inc. Fade In XML parser use-after-free vulnerability
A use-after-free vulnerability in GCC Productions Inc. Fade In version 4.2.0 can lead to heap memory corruption and potentially arbitrary code execution. The vulnerability was discovered by Cisco Talos researchers. 2025-10-28 00:0:46 Author: talosintelligence.com

SUMMARY

A use-after-free vulnerability exists in the XML parser functionality of GCC Productions Inc. Fade In 4.2.0. A specially crafted .xml file can lead to heap-based memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

GCC Productions Inc. Fade In 4.2.0

PRODUCT URLS

Fade In - https://www.fadeinpro.com/

CVSSv3 SCORE

7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

DETAILS

Fade In Professional Screenwriting Software (also known simply as Fade In) is software for writing screenplays in the industry standard format.

Fade In uses .fadein file format which is a standard ZIP file with XML file inside.

The vulnerability exists in the XML parsing logic of the Fade In software. The parser expects to always find a matching “<list>” / “</list>” XML tag pair. However, if the closing tag “</list>” is missing, Fade In runs its error reporting procedure, and in that same procedure it writes to heap memory that has already been freed.

The log excerpt below shows the relevant heap operations:

hooked_RtlAllocateHeap: Size: 0x00000368 Returned: 0x034AA230 - 0x034AA598 <-- allocated 
hooked_RtlFreeHeap: [00015915] addr: 0x034AA230 <-- freed 

The code responsible for the memory corruption is shown here (a 32-bit NULL value overwrite):

.text:005EB68D loc_5EB68D:                             ; CODE XREF: sub_5EB270+3E6↑j
.text:005EB68D                 cmp     [ebp+var_209], 0
.text:005EB694                 jnz     short loc_5EB6A1
.text:005EB696                 sub     esi, 1
.text:005EB699                 jns     loc_5EB600
.text:005EB69F                 jmp     short loc_5EB6C6
.text:005EB6A1 ; ---------------------------------------------------------------------------
.text:005EB6A1
.text:005EB6A1 loc_5EB6A1:                             ; CODE XREF: sub_5EB270+424↑j
.text:005EB6A1                 mov     eax, [edi]
.text:005EB6A3                 mov     ecx, edi
.text:005EB6A5                 push    esi
.text:005EB6A6                 call    dword ptr [eax+3CCh]
.text:005EB6AC                 mov     eax, [ebx+0E0h]
.text:005EB6B2                 mov     dword ptr [eax+1C4h], 0 ; heap corruption, modifying already freed region
.text:005EB6BC                 mov     dword ptr [ebx+0E0h], 0 

This leads to heap memory corruption:

HEAP[Fade In.exe]: HEAP: Free Heap block 074C5E08 modified at 074C5FD4 after it was freed
(455c.791c): Break instruction exception - code 80000003 (first chance)
eax=01135000 ebx=074c5e08 ecx=074c5e08 edx=012fc621 esi=00002ca0 edi=016a0000
eip=770f7ebf esp=012fc78c ebp=012fc92c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
ntdll!RtlpAllocateHeap+0xbff:
770f7ebf cc              int     3
0:000> !heap -s


************************************************************************************************************************
											  NT HEAP STATS BELOW
************************************************************************************************************************
NtGlobalFlag enables following debugging aids for new heaps:
	tail checking
	free checking
	validate parameters
LFH Key                   : 0x69d2a1fb
Termination on corruption : ENABLED
  Heap     Flags   Reserv  Commit  Virt   Free  List   UCR  Virt  Lock  Fast 
					(k)     (k)    (k)     (k) length      blocks cont. heap 
-----------------------------------------------------------------------------
016a0000 40000062    8176   4412   8176     70   787     4    0     6c      
032b0000 40001062      60     24     60      3     5     1    0      0      
01600000 40001062      60     40     60      7     8     1    0      0      
-----------------------------------------------------------------------------
0:000>  !ext.heap -p -a 0x074C5E08 
	address 074c5e08 found in
	_HEAP @ 16a0000
	  HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
		074c5e08 0596 0000  [00]   074c5e10    02ca8 - (free)

 
0:000> db 074C5FD4
074c5fd4  00 00 00 00 ee fe ee fe-ee fe ee fe ee fe ee fe  ................
074c5fe4  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
074c5ff4  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
074c6004  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
074c6014  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................

Although exploiting this particular corruption might be challenging due to modern heap mitigations, it still constitutes a use-after-free and heap metadata/data corruption scenario, which in the right conditions can lead to arbitrary code execution. Therefore, even if the practical exploitation path is complex, it still poses a legitimate security risk that must be addressed.

An additional requirement that decreases the likelihood of exploitation is that the user needs to open the .xml file through the Fade In software (the .xml extension is not associated with Fade In by default).
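To make the ordering problem concrete, here is an added C illustration of the bug class described above; it is written for this note and is not Fade In's code. The node for the current list is released in the error-reporting path but the common cleanup that follows still writes one field through the stale pointer, mirroring the two stores at loc_5EB6A1. A small arena with an `alive` flag stands in for the heap so the stale write is counted instead of corrupting memory, and the hypothetical `hardened` flag shows the fix of clearing the pointer where the node is freed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the bug class, not Fade In's code. A tiny
   arena with an 'alive' flag stands in for the heap so a write through a
   stale pointer is counted rather than corrupting real memory. */
#define MAX_NODES 4
typedef struct { int alive; int flags; } ListNode;   /* one <list> being built */
static ListNode pool[MAX_NODES];

static ListNode *node_alloc(void) {
    for (int i = 0; i < MAX_NODES; i++)
        if (!pool[i].alive) { pool[i].alive = 1; pool[i].flags = 1; return &pool[i]; }
    return NULL;
}
static void node_free(ListNode *n) { n->alive = 0; }

typedef struct { ListNode *cur; int stale_writes; } Parser;  /* cur ~ [ebx+0E0h] */

/* Error reporting releases the node under construction. The vulnerable
   variant leaves the pointer dangling; the hardened one clears it here. */
static void report_missing_close(Parser *p, int hardened) {
    node_free(p->cur);
    if (hardened) p->cur = NULL;
}

/* Common cleanup that runs after both paths: detach any node still
   attached, clearing its flags first (the stores at loc_5EB6A1). */
static void clear_node_flags(Parser *p) {
    if (p->cur == NULL) return;               /* correct paths land here */
    if (!p->cur->alive) p->stale_writes++;    /* what heap free checking flags */
    p->cur->flags = 0;                        /* mov dword ptr [eax+1C4h], 0 */
    p->cur = NULL;                            /* mov dword ptr [ebx+0E0h], 0 */
}

/* Parse the body of one <list> element (the opening tag is assumed seen).
   Returns the number of writes that hit a freed node: 0 means safe. */
int parse_list(const char *xml, int hardened) {
    Parser p = { node_alloc(), 0 };
    if (p.cur == NULL) return -1;
    if (strstr(xml, "</list>") != NULL) {
        node_free(p.cur); p.cur = NULL;       /* element complete: proper release */
    } else {
        report_missing_close(&p, hardened);   /* malformed input: release, maybe dangling */
    }
    clear_node_flags(&p);
    return p.stale_writes;
}

int main(void) {
    const char *truncated = "<list><item/>";  /* constructed sample with no </list> */
    printf("vulnerable: %d stale write(s)\n", parse_list(truncated, 0));
    printf("hardened:   %d stale write(s)\n", parse_list(truncated, 1));
    return 0;
}
```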

Crash Information

0:000> !analyze -v
Reloading current modules
....................................................
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Check Image - Checksum mismatch - Dump: 0x1a23f1, File: 0x1a7342 - C:\ProgramData\Dbg\sym\ntdll.dll\ADD4A73D1A4000\ntdll.dll

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 1468

    Key  : Analysis.Elapsed.mSec
    Value: 3100

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 1

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 843

    Key  : Analysis.Init.Elapsed.mSec
    Value: 5444

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 96

    Key  : Analysis.Version.DbgEng
    Value: 10.0.27871.1001

    Key  : Analysis.Version.Description
    Value: 10.2505.01.02 x86fre

    Key  : Analysis.Version.Ext
    Value: 1.2505.1.2

    Key  : Failure.Bucket
    Value: HEAP_CORRUPTION_80000003_Fade_In.exe!heap_corruption

    Key  : Failure.Exception.Code
    Value: 0x80000003

    Key  : Failure.Exception.IP.Address
    Value: 0x770f7ebf

    Key  : Failure.Exception.IP.Module
    Value: ntdll

    Key  : Failure.Exception.IP.Offset
    Value: 0x47ebf

    Key  : Failure.Hash
    Value: {a1af831c-9a58-0013-1ab0-4425020722d4}

    Key  : Failure.ProblemClass.Primary
    Value: HEAP_CORRUPTION

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 1204862

    Key  : Timeline.Process.Start.DeltaSec
    Value: 5

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1

    Key  : WER.Process.Version
    Value: 4.2.0.1039


NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 770f7ebf (ntdll!RtlpAllocateHeap+0x00000bff)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 00000000

FAULTING_THREAD:  20d0

PROCESS_NAME:  Fade In.exe

ERROR_CODE: (NTSTATUS) 0x80000003 - {WYJĄTEK}  Punkt przerwania  Osiągnięto punkt przerwania.

EXCEPTION_CODE_STR:  80000003

EXCEPTION_PARAMETER1:  00000000

ADDITIONAL_DEBUG_TEXT:  Enable Pageheap/AutoVerifer

STACK_TEXT:  
00000000 00000000 Fade In.exe!heap_corruption+0x0
00000000 00000000 unknown![~0s]+0x0
012fd61c 770f7ebf ntdll!RtlpAllocateHeap+0x0
012fd7c4 770f710c ntdll!RtlpAllocateHeapInternal+0x0
012fd860 770f60ae ntdll!RtlAllocateHeap+0x0
012fd878 7718f286 ntdll!RtlDebugAllocateHeap+0x0
012fd8e8 770f73b0 ntdll!RtlpAllocateHeap+0x0
012fda94 770f710c ntdll!RtlpAllocateHeapInternal+0x0
012fdb30 770f60ae ntdll!RtlAllocateHeap+0x0
012fdb48 6766f037 DUser!DUserRegisterGuts+0x0
012fdb6c 6766db15 DUser!FlowImpl<DuFlow,DUser::SGadget>::InitFlow+0x0
012fdb74 6766bf27 DUser!InitCtrl+0x0
012fdb78 67675a69 DUser!DllMain+0x0
012fdc2c 67674ecd DUser!__DllMainCRTStartup+0x0
012fdc8c 771231a6 ntdll!LdrxCallInitRoutine+0x0
012fdcac 770fe012 ntdll!LdrpCallInitRoutine+0x0
012fdcf8 77101d43 ntdll!LdrpInitializeNode+0x0
012fdd88 77101eb1 ntdll!LdrpInitializeGraphRecurse+0x0
012fddac 77102785 ntdll!LdrpPrepareModuleForExecution+0x0
012fddc8 770fe542 ntdll!LdrpLoadDllInternal+0x0
012fde10 770fedee ntdll!LdrpLoadForwardedDll+0x0
012fe0a8 770ffbf9 ntdll!LdrpGetDelayloadExportDll+0x0
012fe144 770ffce5 ntdll!LdrpHandleProtectedDelayload+0x0
012fe3f4 770fcecb ntdll!LdrResolveDelayLoadedAPI+0x0
012fe44c 720b046a COMCTL32!__delayLoadHelper2+0x0
012fe46c 720b66e2 COMCTL32!_tailMerge_duser_dll+0x0
012fe4b4 721090d2 COMCTL32!CTaskDialog::Show+0x0
012fe4d0 72109c66 COMCTL32!TaskDialogIndirect+0x0
012fe4e0 0077df1f Fade_In+0x0
012fe708 0026b22b Fade_In+0x0
012fe790 004d9cea Fade_In+0x0
012feb48 002fb8d5 Fade_In+0x0
012fedb0 002f83c1 Fade_In+0x0
012ff440 002fe181 Fade_In+0x0
012ff864 0025f4ca Fade_In+0x0
012ff9d4 008455cf Fade_In+0x0
012ff9e0 00844817 Fade_In+0x0
012ffa00 00842772 Fade_In+0x0
012ffa18 008437ed Fade_In+0x0
012ffa3c 008425ec Fade_In+0x0
012ffa70 008426b1 Fade_In+0x0
012ffaa4 0084325a Fade_In+0x0
012ffad0 006a2b97 Fade_In+0x0
012ffae8 006ed3a2 Fade_In+0x0
012ffb40 00904174 Fade_In+0x0
012ffb70 009041fa Fade_In+0x0
012ffba4 008456b3 Fade_In+0x0
012ffbd8 009062d2 Fade_In+0x0
012ffc0c 0088c862 Fade_In+0x0
012ffc44 006ecd58 Fade_In+0x0
012ffc54 001998c7 Fade_In+0x0
012ffc6c 009c972c Fade_In+0x0
012ffcb8 76c2fcc9 KERNEL32!BaseThreadInitThunk+0x0
012ffcc8 771182ae ntdll!__RtlUserThreadStart+0x0
012ffd24 7711827e ntdll!_RtlUserThreadStart+0x0


STACK_COMMAND: ** Pseudo Context ** Pseudo ** Value: ffffffff ** ; kb

SYMBOL_NAME:  Fade In.exe!heap_corruption+0

MODULE_NAME: Fade_In

IMAGE_NAME:  Fade In.exe

FAILURE_BUCKET_ID:  HEAP_CORRUPTION_80000003_Fade_In.exe!heap_corruption

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

IMAGE_VERSION:  4.2.0.1039

FAILURE_ID_HASH:  {a1af831c-9a58-0013-1ab0-4425020722d4}

Followup:     MachineOwner
---------
TIMELINE

2025-08-20 - Initial Vendor Contact
2025-08-26 - Vendor Disclosure
2025-10-27 - Vendor Patch Release
2025-10-28 - Public Release

Discovered by Piotr Bania of Cisco Talos.


Source: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2252