CVE-2020-13880
📋 TL;DR
CVE-2020-13880 is a critical heap-based out-of-bounds write vulnerability in IrfanView's B3D plugin that allows remote code execution. Attackers can exploit this by tricking users into opening a malicious B3D file, potentially taking full control of the affected system. This affects all IrfanView users with the vulnerable B3D plugin installed.
💻 Affected Systems
- IrfanView with B3D PlugIns
📦 What is this software?
B3D by IrfanView
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control, installing malware, stealing data, and using the system as a foothold for lateral movement.
Likely Case
Remote code execution leading to malware installation, data theft, or ransomware deployment on individual user systems.
If Mitigated
Limited impact if proper application whitelisting, least privilege, and network segmentation are in place, though user data may still be compromised.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious file). Public proof-of-concept code exists in the referenced GitHub gist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.56 or later
Vendor Advisory: https://www.irfanview.com/main_history.htm
Restart Required: No
Instructions:
1. Download IrfanView 4.56 or later from the official website.
2. Run the installer.
3. Select 'Update' option if upgrading.
4. Complete installation.
5. Verify version in Help > About.
🔧 Temporary Workarounds
Remove B3D Plugin
Windows: Delete or rename the vulnerable B3d.dll file to prevent exploitation
del "C:\Program Files\IrfanView\Plugins\B3d.dll"
ren "C:\Program Files\IrfanView\Plugins\B3d.dll" B3d.dll.bak
Disable B3D File Association
Windows: Remove IrfanView as default handler for .b3d files
assoc .b3d=
ftype B3DFile=
🧯 If You Can't Patch
- Implement application whitelisting to block execution of IrfanView
- Use least privilege accounts to limit impact if exploited
🔍 How to Verify
Check if Vulnerable:
Check the IrfanView version in Help > About. If the version is below 4.56 and B3d.dll exists in the Plugins folder, the system is vulnerable.
Check Version:
"C:\Program Files\IrfanView\i_view64.exe" /versioninfo
Verify Fix Applied:
Verify that the IrfanView version is 4.56 or higher in Help > About. Check that the B3d.dll file version has been updated.
📡 Detection & Monitoring
Log Indicators:
- IrfanView process spawning unexpected child processes
- Crash logs from IrfanView with B3D-related errors
- Windows Event Logs showing IrfanView accessing suspicious files
Network Indicators:
- IrfanView making unexpected outbound connections after opening B3D files
- DNS requests to suspicious domains from user workstations running IrfanView
SIEM Query:
process_name:"i_view*.exe" AND (child_process:* OR network_connection:*)
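The SIEM query above, written out as detection logic over endpoint events. This is an added example, not code from the original page or from the vendor. The event field names (type, parent_image, image, host, dest_ip, dest_port) are assumptions, and the sample events are constructed.

```python
import fnmatch
import ntpath

# Image-name pattern taken from the page's SIEM query.
IRFANVIEW_PATTERN = "i_view*.exe"


def is_irfanview(image_path):
    """True if the executable's file name matches i_view*.exe (case-insensitive)."""
    if not image_path:
        return False
    # ntpath parses Windows paths correctly even when this runs on Linux.
    name = ntpath.basename(image_path).lower()
    return fnmatch.fnmatchcase(name, IRFANVIEW_PATTERN)


def detect(events):
    """Return (reason, event) pairs for events matching either branch of the query."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        # Child-process branch keys on the PARENT image: IrfanView being
        # started by explorer.exe is normal, IrfanView starting something is not.
        if kind == "process_create" and is_irfanview(ev.get("parent_image")):
            hits.append(("child_process", ev))
        elif kind == "network_connect" and is_irfanview(ev.get("image")):
            hits.append(("network_connection", ev))
    return hits


# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS-01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\IrfanView\i_view64.exe"},
    {"type": "process_create", "host": "WS-01",
     "parent_image": r"C:\Program Files\IrfanView\i_view64.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "network_connect", "host": "WS-02",
     "image": r"C:\Program Files (x86)\IrfanView\I_VIEW32.EXE",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"type": "network_connect", "host": "WS-02",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "198.51.100.7", "dest_port": 443},
]

if __name__ == "__main__":
    for reason, ev in detect(SAMPLE_EVENTS):
        print(f"{ev['host']}: IrfanView {reason}: {ev.get('image')}")
```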