CVE-2016-8730 - Out-of-bounds Write vulnerability in Corel Coreldraw Photo Paint X8 18.1.0.661

047910
CVSS v3 base score: 7.8 (HIGH)

| Metric | Value |
|---|---|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| Confidentiality impact | High |
| Integrity impact | High |
| Availability impact | High |

The Talos advisory reproduced below scores the same bug 8.8 with a network attack vector (AV:N); the 7.8 shown here uses AV:L, which is the only way to arrive at 7.8 from the metrics above with user interaction required (UI:R). Both agree that the victim has to open the crafted GIF, so the practical difference is how the file is assumed to reach them.

Tags: local, low complexity, corel
Weakness: CWE-787

Summary

An out-of-bounds write / memory corruption vulnerability exists in the GIF parsing functionality of Corel PHOTO-PAINT X8 18.1.0.661. A specially crafted GIF file can trigger memory corruption that may lead to code execution. An attacker can send the victim a specific GIF file to trigger this vulnerability; the victim must open the file in PHOTO-PAINT.

Vulnerable Configurations

| Part | Description | Count |
|---|---|---|
| Application | Corel | 1 |

Common Weakness Enumeration (CWE)

CWE-787: Out-of-bounds Write

Seebug

bulletinFamily: exploit
description:

### Summary

An out-of-bounds write / memory corruption vulnerability exists in the GIF parsing functionality of Corel PHOTO-PAINT X8 18.1.0.661. A specially crafted GIF file can trigger memory corruption that may lead to code execution. An attacker can send the victim a specific GIF file to trigger this vulnerability.

### Tested Versions

Corel PHOTO-PAINT X8 (Corel Import/Export Filter (64-Bit) - 18.1.0.661) - x64 version

### Product URLs

http://corel.com

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### Details

A memory corruption vulnerability exists in the GIF parsing functionality of Corel PHOTO-PAINT. A specially crafted GIF file can trigger memory corruption. The vulnerable code is located in the IEGIF.flt library:

```
.text:00000001800097E0 over_write:                          ; CODE XREF: bug_proc+1DBj
.text:00000001800097E0     mov     [rax], cl               ; write, source cl (increased every cycle)
.text:00000001800097E2     lea     rax, [rax+1]            ; rax++
.text:00000001800097E6     inc     ecx                     ; ecx = loop counter, and dest byte
.text:00000001800097E8     cmp     ecx, r8d                ; r8d = total number of loop executions
.text:00000001800097EB     jb      short over_write
```

The total number of loop executions (r8d value) is calculated below:

```
.text:0000000180009729     call    sub_18000A780
.text:000000018000972E     movzx   r9d, al                 ; al=function result=used for shl
.text:0000000180009732     xor     esi, esi
.text:0000000180009734     mov     eax, 8
.text:0000000180009739     mov     [rsp+0D8h+var_58], r9d
.text:0000000180009741     mov     ecx, r9d
.text:0000000180009744     mov     [rsp+0D8h+var_80], esi
.text:0000000180009748     xor     r15d, r15d
.text:000000018000974B     mov     [rsp+0D8h+var_88], esi
.text:000000018000974F     xor     ebp, ebp
.text:0000000180009751     mov     r8d, 1
.text:0000000180009757     shl     r8d, cl                 ; r8d = 1 << cl = 1 << output from sub_18000A780
```

An attacker can create a malicious GIF file which forces the total number of loop cycles to be extremely large (for example r8d = 0x20000000, as in the crash below, or 0x100000, ...). This causes the loop to write far past the end of the destination buffer. In order to trigger this vulnerability the GlobalColorTableFlag from the LOGICALSCREENDESCRIPTOR_PACKEDFIELDS needs to be 1 and the SizeOfGlobalColorTable needs to be set to 7. Additionally, the value returned by sub_18000A780 (later used, in CL, as the count of the shift-logical-left operation) is taken directly from the PoC file (offset 0x3f2).

Note that `shl r8d, cl` is a 32-bit shift, so the processor masks the count to its low five bits. The crash context below is consistent with this: r9 holds 0xdd, 0xdd & 0x1f = 29, and 1 << 29 = 0x20000000, which is exactly the value in r8 (and r14) when the write faults. The attacker therefore controls the loop count only through bits 0-4 of that byte, but that is enough to make it exceed any realistic table size.

### Crash Information

```
FAULTING_IP:
IEGIF!FilterEntry01+75c0
00007ffb`e81897e0 8808            mov     byte ptr [rax],cl

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffbe81897e0 (IEGIF!FilterEntry01+0x00000000000075c0)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 00000205dca6e000
Attempt to write to address 00000205dca6e000

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=00000205dca6e000 rbx=00000205dc8a1460 rcx=0000000000005000
rdx=0000000020000001 rsi=0000000000000000 rdi=00000205dc8a2c0f
rip=00007ffbe81897e0 rsp=000000e5dc79c690 rbp=0000000000000000
 r8=0000000020000000  r9=00000000000000dd r10=00007ffc064615c0
r11=00000205dca6a030 r12=00000205dc64ae0 r13=0000000000000000
r14=0000000020000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010287
IEGIF!FilterEntry01+0x75c0:
00007ffb`e81897e0 8808            mov     byte ptr [rax],cl ds:00000205`dca6e000=??

FAULTING_THREAD:  0000000000001f20
DEFAULT_BUCKET_ID:  WRONG_SYMBOLS
PROCESS_NAME:  CorelPP-APP.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced ... (message truncated)
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced ... (message truncated)
EXCEPTION_PARAMETER1:  0000000000000001
EXCEPTION_PARAMETER2:  00000205dca6e000
WRITE_ADDRESS:  00000205dca6e000
FOLLOWUP_IP:
IEGIF!FilterEntry01+75c0
00007ffb`e81897e0 8808            mov     byte ptr [rax],cl
NTGLOBALFLAG:  70
APPLICATION_VERIFIER_FLAGS:  0
APP:  corelpp-app.exe
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0x1f20 (0)
Current frame:
Child-SP         RetAddr          Caller, Callee
PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS
BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER:  from 00007ffbe818360b to 00007ffbe81897e0

STACK_TEXT:
000000e5`dc79c690 00007ffb`e818360b : 00000000`00000000 00007ffb`00000000 00000000`00000000 00007ffb`002b40d5 : IEGIF!FilterEntry01+0x75c0
000000e5`dc79c770 00007ffb`e818215a : 00000205`00000000 00000205`dc9e3ff0 00000205`dc9e3ff0 00000000`00000000 : IEGIF!FilterEntry01+0x13eb
000000e5`dc79c860 00007ffb`eca9097d : 000001fd`b0790280 00000000`00000118 ffffffff`fffffffe 00000000`00000001 : IEGIF!FilterEntry+0x9a
000000e5`dc79c890 00007ffb`eca7e7ff : 00000000`00000000 00000000`00000001 00000205`dc9e3ff0 00000000`00000000 : CDRFLT!FLTCLIPDATA::GetClrUsed+0x101d
000000e5`dc79c8d0 00007ffb`e52f2298 : 00000205`00000000 00000000`06040002 00000000`00000000 00000000`00000001 : CDRFLT!CPT_DROP_SHADOW::LoadFrom+0x4ff
000000e5`dc79ca00 00007ffb`e52eac66 : feeefeee`00000009 00000205`00000001 000000e5`dc79ce1c 00000205`dc48d8c0 : corelpp!CTool::GetAutoScroll+0x630a8
000000e5`dc79cb00 00007ffb`e52e7e91 : 000001fd`acc60000 00000000`00000038 00000000`00000001 00007ffc`06387ad7 : corelpp!CTool::GetAutoScroll+0x5ba76
000000e5`dc79cd40 00007ffb`e52e761c : 00000205`dc9e3160 00000205`dc9e3ff0 00000205`dca190f0 00000205`dc9e3160 : corelpp!CTool::GetAutoScroll+0x58ca1
000000e5`dc79d480 00007ffb`e51eea42 : 00000205`dc9e4960 00000205`dc9e3160 000001fd`b0ba9b10 00007ffb`e5238f56 : corelpp!CTool::GetAutoScroll+0x5842c
000000e5`dc79e1c0 00007ffb`e51efc79 : 00000205`dc9e3160 00007ffb`e57390d0 00000205`dc9e4960 00000205`dc9e4960 : corelpp!CPntCom::CPntCom+0x28b32
000000e5`dc79e2f0 00007ffb`e52384b7 : 00007ffb`e57390d0 000000e5`dc79e6f0 00000205`dc9e4960 000001fd`b12400a8 : corelpp!CPntCom::CPntCom+0x29d69
000000e5`dc79e460 00007ffb`e5239f6b : 00007ffb`e5a03ba0 000000e5`dc79e6f0 00000205`dc9e4960 00000000`0200fb70 : corelpp!CPntCom::CPntCom+0x725a7
000000e5`dc79e4a0 00007ffb`e52383aa : 000000e5`dc79e5f0 000000e5`dc79f298 000000e5`dc79e6f0 00000205`dc9e4960 : corelpp!CPntCom::CPntCom+0x7405b
000000e5`dc79e5a0 00007ffb`e560ab4e : 000000e5`dc79f298 000000e5`dc79e6f0 000001fd`b12400a8 000000e5`dc79e5f0 : corelpp!CPntCom::CPntCom+0x7249a
000000e5`dc79e5f0 00007ffb`e56094d9 : 000000e5`dc79f260 00000205`db2e9a90 00000000`00000000 00000205`dac6e3a8 : corelpp!GetComponentTool+0xa58de
000000e5`dc79f1e0 00007ffb`e5606d26 : 000001fd`acd5e480 000001fd`accb8d68 00000205`db2e9448 00007ffb`dec803d0 : corelpp!GetComponentTool+0xa4269
000000e5`dc79f310 00007ffb`e51a9c7e : 000000e5`dc79f368 000001fd`b14d88d0 00007ffb`e583bbe4 00000205`dc626028 : corelpp!GetComponentTool+0xa1ab6
000000e5`dc79f340 00007ffb`e51a4f29 : 00000205`db2e81b8 000001fd`b14d88d0 00000205`dc626028 00007ffb`e13d3d66 : corelpp!CTool::GetNumStrokes+0x231e
000000e5`dc79f390 00007ffb`e51dc3cc : 00000000`00000000 00000205`db2e81b8 000001fd`b0ba9b10 000001fd`b14a7d70 : corelpp!StartApp+0xc139
000000e5`dc79f460 00007ffb`e560d6f8 : 00000000`00000000 00000000`00000001 000001fd`b0ba9b10 00000000`00000000 : corelpp!CPntCom::CPntCom+0x164bc
000000e5`dc79f4b0 00007ffb`e5198c87 : 00000205`dc9a4238 00000205`00000000 000000e5`dc79f7b0 00000000`00000000 : corelpp!GetComponentTool+0xa8488
000000e5`dc79f500 00007ffb`de81fa1b : 000001fd`b0b876a0 000000e5`dc79f7b0 00000000`00000000 000001fd`acc812e8 : corelpp!CTool::GetToolMode+0x4ac7
000000e5`dc79f530 00007ffb`de81f6e9 : 000000e5`dc79f7b0 00000000`00000001 00000000`00000001 000001fd`b0b89910 : CrlFrmWk!WCmnUI_FrameWorkApp::OnIdle+0xdb
000000e5`dc79f570 00007ffb`de81f849 : 000001fd`b0b89910 000000e5`dc79f7b0 000000e5`dc79f740 4b18a26b`5f3d1849 : CrlFrmWk!WCmnUI_FrameWorkApp::RunMessageLoop+0x99
000000e5`dc79f600 00007ffb`de803e49 : 000001fd`accac588 000001fd`b104eaf0 000001fd`b104eaf0 000001fd`b0a963e8 : CrlFrmWk!WCmnUI_FrameWorkApp::Run+0x69
000000e5`dc79f640 00007ffb`e5199069 : 00007ffb`ea866a58 000001fd`accf7b30 00007ffb`ea866a58 00000000`00000000 : CrlFrmWk!IAppFramework::GetInstance+0x11a9
000000e5`dc79fa10 00007ff7`f4ad1d92 : 000000e5`dc79fb90 000000e5`dc79fb90 00000000`00000000 000001fd`acc62501 : corelpp!StartApp+0x279
000000e5`dc79faf0 00007ff7`f4ad15a6 : 000000e5`dc79fb90 00000000`0000000a 00000000`00000000 00000000`00000003 : CorelPP_APP+0x1d92
000000e5`dc79fb50 00007ff7`f4ad7466 : 00000000`00000000 00007ff7`f4adfd90 00000000`00000000 00000000`00000000 : CorelPP_APP+0x15a6
000000e5`dc79fc40 00007ffc`04158364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CorelPP_APP+0x7466
000000e5`dc79fc80 00007ffc`063b5e91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000e5`dc79fcb0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

STACK_COMMAND:  .cxr 0x0 ; kb
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  iegif!FilterEntry01+75c0
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: IEGIF
IMAGE_NAME:  IEGIF.FLT
DEBUG_FLR_IMAGE_TIMESTAMP:  576defce
FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000005_IEGIF.FLT!FilterEntry01
BUCKET_ID:  APPLICATION_FAULT_WRONG_SYMBOLS_iegif!FilterEntry01+75c0
ANALYSIS_SOURCE:  UM
FAILURE_ID_HASH_STRING:  um:wrong_symbols_c0000005_iegif.flt!filterentry01
FAILURE_ID_HASH:  {35a39316-5ab9-f773-eb46-0f3e7294b8ec}
Followup: MachineOwner
---------
```

### Timeline

* 2016-12-01 - Vendor Disclosure
* 2017-07-20 - Public Release

### CREDIT

* Discovered by Piotr Bania of Cisco Talos.
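The pattern the Details section describes, as an added C example that is not code from Corel or from the Talos advisory: a file-controlled byte becomes a shift count, `1 << count` becomes a loop bound, and nothing compares that bound against the destination buffer. The example also decodes the Logical Screen Descriptor packed field the advisory names (GlobalColorTableFlag, SizeOfGlobalColorTable = 7) and reproduces the 5-bit masking that turns the crash dump's r9 = 0xdd into r8 = 0x20000000. Assumptions, since the advisory does not state them: the byte at PoC offset 0x3f2 is modelled as an LZW-style code size used to initialise a fixed 4096-byte table with 0, 1, 2, ...; the 13-byte GIF header is constructed for the example.

```c
/* Added example, not Corel's or Talos' code. Assumed: the attacker-controlled
 * byte is a table "code size", the destination is a fixed 4096-byte table,
 * and the loop fills it with i (mirrors `mov [rax], cl; inc ecx`). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_LEN 4096u          /* assumed size of the destination buffer */

/* Constructed GIF89a header: signature, 1x1 logical screen, packed field 0xF7
 * = GlobalColorTableFlag 1, SizeOfGlobalColorTable 7 (the PoC's values). */
static const uint8_t kSampleHeader[13] = {
    'G','I','F','8','9','a', 0x01,0x00, 0x01,0x00, 0xF7, 0x00, 0x00 };

/* Logical Screen Descriptor packed field (GIF89a spec):
 * bit 7 = Global Color Table Flag, bits 0-2 = Size of Global Color Table. */
static int lsd_has_gct(uint8_t packed) { return (packed >> 7) & 1; }

/* Global color table length in bytes: 3 * 2^(size+1); size 7 gives 768. */
static unsigned lsd_gct_bytes(uint8_t packed) {
    return lsd_has_gct(packed) ? 3u * (1u << ((packed & 0x07) + 1)) : 0u;
}

/* Checks the signature and returns the GCT size; -1 on a malformed header. */
static int gif_parse_header(const uint8_t *buf, size_t len, unsigned *gct_bytes) {
    if (len < 13 || (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0))
        return -1;
    *gct_bytes = lsd_gct_bytes(buf[10]);
    return 0;
}

/* `shl r8d, cl` is a 32-bit shift: the CPU masks the count to its low 5 bits.
 * For the crash context (r9 = 0xdd) this yields 1 << 29 = 0x20000000 = r8. */
static uint32_t x86_shl32_count(uint8_t cl) { return 1u << (cl & 0x1f); }

/* The check the vulnerable loop lacks: does the count exceed the table? */
static int loop_count_overflows(uint8_t code_size, size_t table_len) {
    return x86_shl32_count(code_size) > table_len;
}

/* Hardened initialisation: validate before looping. Returns 0 on success,
 * -1 when the file-controlled count cannot fit. GIF LZW codes are at most
 * 12 bits wide, so anything above 12 is rejected outright. */
static int lzw_table_init_checked(uint8_t *table, size_t table_len, uint8_t code_size) {
    if (code_size > 12 || loop_count_overflows(code_size, table_len))
        return -1;
    uint32_t count = x86_shl32_count(code_size);
    for (uint32_t i = 0; i < count; i++)
        table[i] = (uint8_t)i;          /* the advisory's write, now bounded */
    return 0;
}

/* Wrappers so results can be checked without exposing the sample globals. */
static unsigned sample_gct_bytes(void) {
    unsigned n = 0;
    return gif_parse_header(kSampleHeader, sizeof kSampleHeader, &n) == 0 ? n : 0;
}
static int checked_init_result(uint8_t code_size) {
    static uint8_t table[TABLE_LEN];
    return lzw_table_init_checked(table, TABLE_LEN, code_size);
}

int main(void) {
    printf("GCT bytes for packed field 0xF7: %u\n", sample_gct_bytes());
    printf("loop count for cl=0xdd: 0x%x (overflows %u-byte table: %s)\n",
           x86_shl32_count(0xdd), TABLE_LEN,
           loop_count_overflows(0xdd, TABLE_LEN) ? "yes" : "no");
    printf("checked init: code size 8 -> %d, code size 0xdd -> %d\n",
           checked_init_result(8), checked_init_result(0xdd));
    return 0;
}
```

The masking matters when reading the dump: a decoder that rejects only values above some threshold on the raw byte (say, anything over 12) is fine, but a decoder that clamps with `& 0x1f` first, or that performs the shift in a 64-bit register, sees a different range of counts, so the check has to be made on whatever value actually feeds the shift.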
id: SSV:96462
last seen: 2017-11-19
modified: 2017-09-13
published: 2017-09-13
reporter: Root
title: Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability (CVE-2016-8730)

Talos

id: TALOS-2016-0244
last seen: 2019-05-29
published: 2017-07-20
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0244
title: Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability