CVE-2016-9043 - Out-of-bounds Write vulnerability in Corel CorelDRAW X8

CVSS 7.8 - HIGH

| Metric | Value |
| --- | --- |
| Attack vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | NONE |
| Confidentiality impact | HIGH |
| Integrity impact | HIGH |
| Availability impact | HIGH |

Tags: local, low complexity, corel, CWE-787

Summary

An out-of-bounds write vulnerability exists in the EMF parsing functionality of CorelDRAW X8 (CdrGfx - Corel Graphics Engine (64-Bit) - 18.1.0.661). A specially crafted EMF file can trigger the vulnerability, resulting in potential code execution. An attacker can send the victim a specific EMF file to trigger this vulnerability.

Vulnerable Configurations

| Part | Description | Count |
| --- | --- | --- |
| Application | Corel | 1 |

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

Seebug

bulletinFamily: exploit
description:

### Summary

An out-of-bounds write vulnerability exists in the EMF parsing functionality of CorelDRAW X8 (CdrGfx - Corel Graphics Engine (64-Bit) - 18.1.0.661). A specially crafted EMF file can trigger the vulnerability, resulting in potential code execution. An attacker can send the victim a specific EMF file to trigger this vulnerability.

### Tested Versions

Corel CorelDRAW X8 (CdrGfx - Corel Graphics Engine (64-Bit) - 18.1.0.661) - x64 version

### Product URLs

http://corel.com

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### Details

A remote memory corruption vulnerability exists in the EMF parsing functionality of CorelDRAW. A specially crafted EMF file can trigger the vulnerability, resulting in potential memory corruption. The vulnerable code is located in the CdrGfx.dll library:

```
.text:0000000000176B1B corruption_label:                       ; CODE XREF: corel_bug_proc+52j
.text:0000000000176B1B                                         ; corel_bug_proc+91j
.text:0000000000176B1B                 lea     eax, [r13-1]
.text:0000000000176B1F                 mov     [rsi+rax*8], ebp
.text:0000000000176B22                 mov     [rsi+rax*8+4], r15d
.text:0000000000176B27                 inc     dword ptr [rdi+8]
```

The presented code is executed when an EMR_CREATEBRUSHINDIRECT (39) record from the EMF file is parsed. Such a record is typically composed as follows [1]:

```
[RecordType] [RecordSize] [ihBrush] [LogBrush]
```

An attacker can control the RAX register value (see the instructions at 0x176B1F and 0x176B22) simply by changing the ihBrush value in the EMF file's EMR_CREATEBRUSHINDIRECT record. This leads to a memory corruption where the destination address is controlled by the attacker. Additionally, this vulnerability can be triggered using other EMF records. Below is a list of records that can be used to trigger this problem:

* 38 - EMR_CREATEPEN
* 39 - EMR_CREATEBRUSHINDIRECT
* 40 - EMR_DELETEOBJECT
* 82 - EMR_EXTCREATEFONTINDIRECTW
* 93 - EMR_CREATEMONOBRUSH
* 94 - EMR_CREATEDIBPATTERNBRUSHPT
* 95 - EMR_EXTCREATEPEN

[1] - https://msdn.microsoft.com/en-us/library/cc230604.aspx

### Crash Information

```
FAULTING_IP:
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+23ff
00007ffa`673f6b1f 892cc6          mov     dword ptr [rsi+rax*8],ebp

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffa673f6b1f (CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x00000000000023ff)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000023129b72850
Attempt to write to address 0000023129b72850

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=00000000dddddddc rbx=0000000000000000 rcx=0000022a3ac83930
rdx=0000000000000020 rsi=0000022a3ac83970 rdi=000000e8986fd720
rip=00007ffa673f6b1f rsp=000000e8986fd440 rbp=0000000000000020
 r8=0000000000000000  r9=000000e8986fd720 r10=00007ffa67290000
r11=000000e8986fd478 r12=0000022216b422e4 r13=00000000dddddddd
r14=0000022a3ac60080 r15=0000000000000000
iopl=0         nv up ei ng nz ac po cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010297
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x23ff:
00007ffa`673f6b1f 892cc6          mov     dword ptr [rsi+rax*8],ebp ds:00000231`29b72850=????????

FAULTING_THREAD:  0000000000001ce8

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

PROCESS_NAME:  CorelDRW-APP.exe

ADDITIONAL_DEBUG_TEXT:
You can run '.symfix; .reload' to try to fix the symbol path and load symbols.

MODULE_NAME: CdrGfx

FAULTING_MODULE: 00007ffa982c0000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  576deefd

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000023129b72850

WRITE_ADDRESS:  0000023129b72850

FOLLOWUP_IP:
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+23ff
00007ffa`673f6b1f 892cc6          mov     dword ptr [rsi+rax*8],ebp

APP:  coreldrw-app.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0x1ce8 (0)
Current frame:
Child-SP         RetAddr          Caller, Callee

PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS

BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER:  from 00007ffa673f7078 to 00007ffa673f6b1f

STACK_TEXT:
000000e8`986fd440 00007ffa`673f7078 : 00000000`00000000 0000022a`3ac60080 00000000`00000000 000000e8`986fd5f1 : CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x23ff
000000e8`986fd480 00007ffa`673f5a5a : 00000222`16b422e4 000000e8`986fd720 000000e8`986fd5f1 00000000`00000001 : CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x2958
000000e8`986fd4d0 00007ffa`673f4e3b : 0000022a`3ac5c700 00000222`16b40000 000000e8`986fd5f1 00000000`00000000 : CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x133a
000000e8`986fd500 00007ffa`9573fe02 : 0000022a`3ac5c700 00000222`16b40000 00000000`00000000 00000000`00000000 : CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x71b
000000e8`986fd530 00007ffa`973f15c1 : 00000222`16b40000 00007ffa`9573e4cf 00000000`ffffffff 000000e8`986fd7a0 : gdi32full!SetWinMetaFileBits+0xf62
000000e8`986fd650 00007ffa`673f4d60 : 00000000`00000000 000000e8`986fd7a0 00000000`4d461147 00000000`4d461147 : GDI32!EnumEnhMetaFileStub+0x51
000000e8`986fd6a0 00007ffa`673f46f0 : 00000000`00000001 0000022a`3acd7990 00000000`00000000 00000000`00000001 : CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x640
000000e8`986fe140 00007ffa`68370eb6 : 00000000`00000001 00007ffa`9573e6d7 0000022a`3ac5c3f0 00000000`00000001 : CdrGfx!EMF2UDI_PlayEMFFromFileName+0x90
000000e8`986fe210 00007ffa`5b6e3d64 : 0000022a`3ac78068 0000022a`3ac78068 ffffffff`cf461a8e 0000022a`3ac78068 : VGCore!StartApp+0xa056
000000e8`986fe260 00007ffa`5b6e251e : 00000000`00000001 00000000`00000001 00000000`00000001 00007ffa`761f2c0f : IEWMF!FilterEntry01+0x1914
000000e8`986fe2d0 00007ffa`75b6097d : 0000022a`3ab1e660 00000000`000000c0 ffffffff`fffffffe 00007ffa`6cf21bb0 : IEWMF!FilterEntry01+0xce
000000e8`986fe330 00007ffa`75b4e7ff : 00000000`00000000 00000000`00000001 0000022a`3ac78068 00000000`00000000 : CDRFLT!FLTCLIPDATA::GetClrUsed+0x101d
000000e8`986fe370 00007ffa`678feb6c : 0000022a`00000000 0000022a`3acd7cc8 000000e8`986fe4a8 0000022a`3ac78060 : CDRFLT!CPT_DROP_SHADOW::LoadFrom+0x4ff
000000e8`986fe4a0 00007ffa`67a26ac5 : 0000022a`3acee8c0 00000222`1883aa28 0000022a`00000001 000000e8`986fe5f0 : CdrCore!WDrawFilterManager::ImportClip+0x4c
000000e8`986fe4f0 00007ffa`6844ff6b : 00000000`00000000 000000e8`986fe910 00000222`00000000 0000022a`3ac78060 : CdrCore!WOpenImport::Import+0xd75
000000e8`986fe910 00007ffa`68439012 : 0000022a`3abdddb0 00000222`1454bbb8 000000e8`986fea50 000000e8`00000000 : VGCore!CDrawlibDoc::Clone+0xa937b
000000e8`986fea00 00007ffa`683adaec : 00000222`18b0c2e0 00007ffa`761f8ad9 000000e8`986febf8 000000e8`986feb80 : VGCore!CDrawlibDoc::Clone+0x92422
000000e8`986feb30 00007ffa`683ad604 : 00000000`00000000 000000e8`986fec31 00000000`00000000 00000000`00000000 : VGCore!CDrawlibDoc::Clone+0x6efc
000000e8`986feba0 00007ffa`683795f8 : 000000e8`986fed30 0000022a`3a1865a0 000000e8`986fed68 00000222`1454bbb8 : VGCore!CDrawlibDoc::Clone+0x6a14
000000e8`986fec80 00007ffa`6839543e : 000000e8`986fee48 0000022a`00000000 00007ffa`68b4e154 0000022a`3aab19f8 : VGCore!StartApp+0x12798
000000e8`986fee20 00007ffa`683958c9 : 0000022a`3aa2db18 0000022a`392b90a0 0000022a`3aa29608 0000022a`3aa2db18 : VGCore!StartApp+0x2e5de
000000e8`986fee70 00007ffa`6838022c : 00000000`00000000 0000022a`3a2bf8c0 0000022a`3aa2db18 00000222`187c7820 : VGCore!StartApp+0x2ea69
000000e8`986fef40 00007ffa`683783fb : 00000000`00000000 00000000`00000001 00000222`18b0c2e0 00000222`18b07480 : VGCore!StartApp+0x193cc
000000e8`986fef90 00007ffa`6837e4d0 : 00000000`00000000 00000000`00000001 00000000`00000001 00000222`145611e0 : VGCore!StartApp+0x1159b
000000e8`986ff000 00007ffa`67e7fa1b : 00000222`18b08570 000000e8`986ff2b0 00000000`00000000 00000222`14561238 : VGCore!StartApp+0x17670
000000e8`986ff030 00007ffa`67e7f6e9 : 000000e8`986ff2b0 00000000`00000001 00000000`00000001 00000222`18b07480 : CrlFrmWk!WCmnUI_FrameWorkApp::OnIdle+0xdb
000000e8`986ff070 00007ffa`67e7f849 : 00000222`18b07480 000000e8`986ff2b0 000000e8`986ff240 4b18a26b`5f3d1849 : CrlFrmWk!WCmnUI_FrameWorkApp::RunMessageLoop+0x99
000000e8`986ff100 00007ffa`67e63e49 : 0000022a`3a38e668 00000222`18d64350 00000222`18d64350 00000222`18c2ed58 : CrlFrmWk!WCmnUI_FrameWorkApp::Run+0x69
000000e8`986ff140 00007ffa`683670dd : 00000222`145e3630 00000222`145e3630 00000222`145e3630 00000000`00000000 : CrlFrmWk!IAppFramework::GetInstance+0x11a9
000000e8`986ff510 00007ff7`94ec22a2 : 00000222`145f6238 000000e8`986ff680 00000000`00000000 00000222`14542501 : VGCore!StartApp+0x27d
000000e8`986ff5e0 00007ff7`94ec16be : 000000e8`986ff680 00000000`0000000a 00000000`00000000 00000000`00000003 : CorelDRW_APP+0x22a2
000000e8`986ff640 00007ff7`94ec78d6 : 00000000`00000000 00007ff7`94ed0de0 00000000`00000000 00000000`0000000a : CorelDRW_APP+0x16be
000000e8`986ff730 00007ffa`95b38364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CorelDRW_APP+0x78d6
000000e8`986ff770 00007ffa`98325e91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000e8`986ff7a0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

STACK_COMMAND:  .cxr 0x0 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  cdrgfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+23ff

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  CdrGfx.dll

BUCKET_ID:  WRONG_SYMBOLS

FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000005_CdrGfx.dll!EMF2UDI_PlayEMFFromEnhMetaFileHandle

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:wrong_symbols_c0000005_cdrgfx.dll!emf2udi_playemffromenhmetafilehandle

FAILURE_ID_HASH:  {efbf1f89-ad00-39f3-3352-b0c702d36b36}

Followup: MachineOwner
---------
```

### Timeline

* 2016-12-23 - Vendor Disclosure
* 2017-07-20 - Public Release

### CREDIT

* Discovered by Piotr Bania of Cisco Talos.
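The missing check the Details section describes, as an added example that is not part of the Talos advisory or of Corel's code: a Python scanner that walks an EMF record stream and flags every object-table index (ihBrush and its equivalents in the other listed record types) that lies outside the table the header's nHandles field declares, which is exactly the bound the vulnerable player never applies before computing `[rsi+rax*8]`. The ENHMETAHEADER layout and the reserved-index-0 rule are taken from the MS-EMF specification; the sample file, including the crash-register index 0xDDDDDDDD, is constructed here.

```python
import struct
# EMF record types (MS-EMF numbering) whose first DWORD after the 8-byte record
# header is an object-table index; this is the list given in the advisory.
INDEXED_RECORDS = {
    38: "EMR_CREATEPEN", 39: "EMR_CREATEBRUSHINDIRECT", 40: "EMR_DELETEOBJECT",
    82: "EMR_EXTCREATEFONTINDIRECTW", 93: "EMR_CREATEMONOBRUSH",
    94: "EMR_CREATEDIBPATTERNBRUSHPT", 95: "EMR_EXTCREATEPEN",
}
EMR_HEADER, EMF_SIGNATURE, MIN_HEADER = 1, 0x464D4520, 88  # " EMF" magic, ENHMETAHEADER size

def find_bad_object_indices(emf: bytes):
    """Return (offset, record name, index) for each object-table index a bounds-checked
    player must reject: ENHMETAHEADER.nHandles is the table size and index 0 is reserved
    (MS-EMF), so only 1 <= index < nHandles is valid; the vulnerable player uses index-1 unchecked."""
    if len(emf) < MIN_HEADER:
        raise ValueError("too short for an ENHMETAHEADER")
    rtype, hdr_size = struct.unpack_from("<II", emf, 0)   # iType, nSize
    signature = struct.unpack_from("<I", emf, 40)[0]      # dSignature
    n_handles = struct.unpack_from("<H", emf, 56)[0]      # nHandles
    if rtype != EMR_HEADER or signature != EMF_SIGNATURE:
        raise ValueError("not an EMF file")
    findings, off = [], hdr_size
    while off + 8 <= len(emf):
        rtype, rsize = struct.unpack_from("<II", emf, off)
        if rsize < 8 or rsize % 4 or off + rsize > len(emf):
            findings.append((off, "MALFORMED_RECORD_SIZE", rsize))
            break  # the stream cannot be trusted past a bad size field
        if rtype in INDEXED_RECORDS and rsize >= 12:
            index = struct.unpack_from("<I", emf, off + 8)[0]
            if index == 0 or index >= n_handles:
                findings.append((off, INDEXED_RECORDS[rtype], index))
        off += rsize
    return findings

def build_sample_emf(n_handles: int, records: list) -> bytes:
    """Constructed test input: a minimal 88-byte ENHMETAHEADER followed by the records."""
    body = b"".join(records)
    hdr = bytearray(MIN_HEADER)
    struct.pack_into("<II", hdr, 0, EMR_HEADER, MIN_HEADER)
    struct.pack_into("<I", hdr, 40, EMF_SIGNATURE)
    struct.pack_into("<IIH", hdr, 48, MIN_HEADER + len(body), len(records) + 1, n_handles)
    return bytes(hdr) + body

def create_brush_indirect(ih_brush: int) -> bytes:
    # EMR_CREATEBRUSHINDIRECT (type 39, 24 bytes): header, ihBrush, 12-byte LogBrushEx
    return struct.pack("<IIIIII", 39, 24, ih_brush, 0, 0, 0)

# Constructed sample: nHandles=2, one valid brush and one carrying the index seen in r13 at the crash.
SAMPLE = build_sample_emf(2, [create_brush_indirect(1), create_brush_indirect(0xDDDDDDDD)])
```

Running `find_bad_object_indices(SAMPLE)` reports the second record (file offset 112) as an out-of-range EMR_CREATEBRUSHINDIRECT index; the same walk applied to an import pipeline rejects the file before any player touches the object table.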
id: SSV:96465
last seen: 2017-11-19
modified: 2017-09-13
published: 2017-09-13
reporter: Root
title: Corel CorelDRAW X8 EMF Parser Code Execution Vulnerability (CVE-2016-9043)

Talos

id: TALOS-2016-0261
last seen: 2019-05-29
published: 2017-07-20
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0261
title: Corel CorelDRAW X8 EMF Parser Code Execution Vulnerability