CVE-2024-11950
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on XnSoft XnView Classic installations by tricking users into opening malicious RWZ files. The integer underflow during RWZ file parsing enables memory corruption leading to remote code execution. Users of XnView Classic who open untrusted RWZ files are affected.
💻 Affected Systems
- XnSoft XnView Classic
📦 What is this software?
XnView Classic, an image viewer and converter by XnSoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the user's system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to user account compromise, data exfiltration, and installation of persistent malware.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting only in application crash.
🎯 Exploit Status
Exploitation requires user interaction but is technically straightforward once a malicious RWZ file is crafted. ZDI has confirmed the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.51.6
Vendor Advisory: https://www.xnview.com/en/xnview/#downloads
Restart Required: No
Instructions:
1. Download XnView Classic 2.51.6 or later from the official website.
2. Install the update over your existing installation.
3. Verify the version in Help > About.
🔧 Temporary Workarounds
Disable RWZ file association
Platform: Windows
Remove the file association for .rwz files so they are not opened automatically in XnView
Windows: Use 'Default Programs' or registry editor to remove .rwz association with XnView
Application sandboxing
Platform: all
Run XnView in a sandboxed environment to limit potential damage
Use Windows Sandbox, Firejail (Linux), or similar sandboxing tools
🧯 If You Can't Patch
- Block RWZ files at network perimeter and email gateways
- Implement application control policies to restrict XnView execution in high-risk environments
🔍 How to Verify
Check if Vulnerable:
Check XnView version in Help > About menu. If version is below 2.51.6, the system is vulnerable.
Check Version:
On Windows: xnview.exe --version or check Help > About in GUI
Verify Fix Applied:
Verify version is 2.51.6 or higher in Help > About. Test with known safe RWZ files to ensure proper parsing.
📡 Detection & Monitoring
Log Indicators:
- Application crashes when processing RWZ files
- Unexpected process creation from XnView
Network Indicators:
- Downloads of RWZ files from untrusted sources
- Outbound connections from XnView process to unknown IPs
SIEM Query:
Process Creation where Image contains 'xnview' AND CommandLine contains '.rwz'
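The two log indicators and the SIEM query above, turned into runnable detection logic as an added example (not part of this advisory). The events are constructed, simplified Sysmon-style process-creation records; the field names, the fixed-version comparison and the allowlist of expected child processes are assumptions to adapt to your own telemetry.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 shape, simplified).
# Not real telemetry: one benign open, one RWZ open, one suspicious child process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\XnView\xnview.exe",
     "CommandLine": r'"C:\Program Files (x86)\XnView\xnview.exe" C:\Users\alice\Downloads\invoice.rwz',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami",
     "ParentImage": r"C:\Program Files (x86)\XnView\xnview.exe"},
    {"Image": r"C:\Program Files (x86)\XnView\xnview.exe",
     "CommandLine": r'"C:\Program Files (x86)\XnView\xnview.exe" C:\Users\alice\Pictures\cat.jpg',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumed allowlist of children XnView normally spawns; baseline it in your environment.
EXPECTED_CHILDREN = {"xnview.exe"}

FIXED_VERSION = "2.51.6"  # from the advisory's Official Fix section


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_vulnerable_version(version, fixed=FIXED_VERSION):
    """True when a dotted version string is older than the fixed release."""
    as_tuple = lambda v: tuple(int(part) for part in v.split("."))
    return as_tuple(version) < as_tuple(fixed)


def classify(event):
    """Return the indicator names an event matches (empty list if benign)."""
    hits = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    # Mirrors the SIEM query: XnView launched with an .rwz argument.
    if "xnview" in image and re.search(r"\.rwz\b", event["CommandLine"], re.I):
        hits.append("xnview_opened_rwz")
    # "Unexpected process creation from XnView": a child that is not on the allowlist.
    if "xnview" in parent and image not in EXPECTED_CHILDREN:
        hits.append("unexpected_child_of_xnview")
    return hits


def scan(events):
    """Map each flagged event's command line to the indicators it matched."""
    return {e["CommandLine"]: classify(e) for e in events if classify(e)}
```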