Vulnerabilities > CVE-2017-2803 - Out-of-bounds Write vulnerability in Corel Coreldraw Photo Paint X8 18.1.0.661

CVSS 7.8 - HIGH

Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: local, low complexity, corel, CWE-787

Summary

A remote out-of-bounds write vulnerability exists in the TIFF parsing functionality of Corel PHOTO-PAINT X8 version 18.1.0.661. A specially crafted TIFF file can cause a vulnerability resulting in potential memory corruption. An attacker can send the victim a specific TIFF file to trigger this vulnerability. This vulnerability only exists in the 64-bit version.

Vulnerable Configurations

| Part | Description | Count |
|---|---|---|
| Application | Corel | 1 |

Common Weakness Enumeration (CWE)

Seebug

bulletinFamily: exploit
description:

### Summary

A remote out-of-bounds write vulnerability exists in the TIFF parsing functionality of Corel PHOTO-PAINT X8 version 18.1.0.661. A specially crafted TIFF file can cause a vulnerability resulting in potential memory corruption. An attacker can send the victim a specific TIFF file to trigger this vulnerability. This vulnerability only exists in the 64-bit version.

### Tested Versions

Corel PHOTO-PAINT X8 (Corel TIFF Import/Export Filter (64-Bit) - 18.1.0.661) - x64 version

### Product URLs

http://corel.com

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### CWE

CWE-787 - Out-of-bounds Write

### Details

A remote memory corruption vulnerability exists in the TIFF parsing functionality of Corel PHOTO-PAINT. A specially crafted TIFF file can cause a vulnerability resulting in potential memory corruption.

Module used in this advisory:

```
0:000> lm vm IETIF
start             end                 module name
00000000`0fc10000 00000000`0fc39000   IETIF      (export symbols)       c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters64\IETIF.FLT
    Loaded symbol image file: c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters64\IETIF.FLT
    Image path: c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters64\IETIF.FLT
    Image name: IETIF.FLT
    Timestamp:        Fri Jun 24 20:44:10 2016 (576DEFFA)
    CheckSum:         0002F213
    ImageSize:        00029000
    File version:     18.1.0.661
    Product version:  18.1.0.661
```

While parsing the TIFF IFD entries, a crafted TIFF file can cause an underflow resulting in a large value being passed as the size to a memset.

```
.text:0000000040010AFA 088 movzx   eax, word ptr [rdx+r9+1B8A6h] ; Data coming from IETIF.flt binary itself [0]
.text:0000000040010B03 088 mov     edi, [rsp+88h+var_54]          ; [1]
.text:0000000040010B07 088 sub     edi, eax                       ; underflow causing large memset size
.text:0000000040010B09 088 jmp     short loc_40010B0F
...
.text:0000000040010B0F 088 test    ebx, ebx
.text:0000000040010B11 088 mov     eax, edi
.text:0000000040010B13 088 cmovs   ebx, r13d
.text:0000000040010B17 088 shr     eax, 3
.text:0000000040010B1A 088 mov     ebp, ebx
.text:0000000040010B1C 088 and     bx, 7
.text:0000000040010B20 088 shr     ebp, 3
.text:0000000040010B23 088 sub     eax, ebp
.text:0000000040010B25 088 jz      short loc_40010B4A
.text:0000000040010B27 088 mov     r8d, eax
.text:0000000040010B2A 088 lea     rcx, [rsi+1]
.text:0000000040010B2E 088 mov     eax, ebp
.text:0000000040010B30 088 add     rcx, rax
.text:0000000040010B33 088 test    r14w, r14w
.text:0000000040010B37 088 jz      short loc_40010B62
...
.text:0000000040010B62
.text:0000000040010B62 loc_40010B62:
.text:0000000040010B62 088 xor     edx, edx
.text:0000000040010B64 088 call    memset                         ; [3]
```

One value [0] comes from a table of numbers within the binary itself, whose offset is directly affected by file data. The other [1] comes from a calculation based on the file data itself. Because the attacker can force [1] to be less than [0], the underflow can be triggered, causing a large size to be passed to memset [3].

### Crash Information

```
(10b0.a1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\VCRUNTIME140.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters64\IETIF.FLT -
VCRUNTIME140!memset+0xa5:
00000000`03b4cd15 660f2941f0      movapd  xmmword ptr [rcx-10h],xmm0 ds:00000001`249dd000=????????????????????????????????
0:000> r
rax=0000000000000000 rbx=0000000000000000 rcx=00000001249dd010
rdx=0000000000000000 rsi=0000000121e3db0c rdi=00000000fffffffe
rip=0000000003b4cd15 rsp=000000000012c6c8 rbp=0000000000000000
 r8=000000001ffffffc  r9=00000000003a8c15 r10=0000000000000004
r11=0000000121e3db0d r12=000000000012c7a0 r13=0000000000000000
r14=0000000000000000 r15=000000000fc37110
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
VCRUNTIME140!memset+0xa5:
00000000`03b4cd15 660f2941f0      movapd  xmmword ptr [rcx-10h],xmm0 ds:00000001`249dd000=????????????????????????????????
0:000> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
00000000`0012c6c8 00000000`0fc20b69 : 00000000`ffffffff 00000001`2770a960 00000000`00000001 00000000`0000cccc : VCRUNTIME140!memset+0xa5
00000000`0012c6d0 00000000`0fc213a6 : 00000001`2770a960 00000001`21e3db0c 00000000`0012c7a8 00000000`0000cccc : IETIF!FilterEntry04+0xe729
00000000`0012c760 00000000`0fc17fa2 : 00000000`ab7ef920 00000000`b9f13fb0 00000000`b9350600 00000000`ab7ef920 : IETIF!FilterEntry04+0xef66
00000000`0012c800 00000000`0fc18485 : 00000000`00000001 00000000`02bd8af6 00000000`00000001 00000000`00000001 : IETIF!FilterEntry04+0x5b62
00000000`0012c890 00000000`0fc1a992 : 00000000`00000000 00000000`00000000 00000000`0000199a 000092c1`c87bca34 : IETIF!FilterEntry04+0x6045
00000000`0012c950 00000000`0fc1afa4 : 00000000`138fb200 00000000`00000000 00000000`00000001 00000000`0fc1af50 : IETIF!FilterEntry04+0x8552
00000000`0012ca30 00000000`0fc1d82d : 00000000`ab7ef920 00000000`b915fea0 00000001`249e0e30 00000000`0fc1af50 : IETIF!FilterEntry04+0x8b64
00000000`0012caa0 00000000`0fc11ff0 : 00000000`00000000 00000000`ab7ef920 00000000`ab7ef920 00000000`00000000 : IETIF!FilterEntry04+0xb3ed
00000000`0012cb40 00000000`1597097d : 00000000`2146b8f0 00000000`2146b8f0 00000000`00000180 00000000`00000001 : IETIF!FilterEntry+0x90
00000000`0012cb70 00000000`1595e7ff : 00000000`00000000 00000000`00000001 00000000`ab7ef920 00000000`00000000 : CDRFLT!FLTCLIPDATA::GetClrUsed+0x101d
00000000`0012cbb0 00000000`131f2298 : 00000000`00000000 00000000`78f170f7 00000000`00160000 00000000`00000001 : CDRFLT!CPT_DROP_SHADOW::LoadFrom+0x4ff
00000000`0012cce0 00000000`131eac66 : 00000000`1424fa1b 00000000`1424f6e9 00000000`0012d0fc 00000000`ba2bbfc0 : corelpp!CTool::GetAutoScroll+0x630a8
00000000`0012cde0 00000000`131e7e91 : 00000000`00130000 00200000`00109000 000007ff`00000001 00000000`78f199a5 : corelpp!CTool::GetAutoScroll+0x5ba76
00000000`0012d020 00000000`131e761c : 00000000`ba1d6fe0 00000000`ab7ef920 00000000`b928c8b0 00000000`ba1d6fe0 : corelpp!CTool::GetAutoScroll+0x58ca1
00000000`0012d760 00000000`130eea42 : 00000000`b91e2e50 00000000`ba1d6fe0 00000000`560a4580 00000000`0012e4d8 : corelpp!CTool::GetAutoScroll+0x5842c
00000000`0012e4a0 00000000`130efc79 : 00000000`ba1d6fe0 00000000`136390d0 00000000`b91e2e50 00000000`b91e2e50 : corelpp!CPntCom::CPntCom+0x28b32
00000000`0012e5d0 00000000`131384b7 : 00000000`136390d0 00000000`0012e9d0 00000000`b91e2e50 00000000`ab845de8 : corelpp!CPntCom::CPntCom+0x29d69
00000000`0012e740 00000000`13139f6b : 00000000`13903ba0 00000000`0012e9d0 00000000`b91e2e50 00000000`06927b70 : corelpp!CPntCom::CPntCom+0x725a7
00000000`0012e780 00000000`131383aa : 00000000`0012e8d0 00000000`0012f578 00000000`0012e9d0 00000000`b91e2e50 : corelpp!CPntCom::CPntCom+0x7405b
00000000`0012e880 00000000`1350ab4e : 00000000`0012f578 00000000`0012e9d0 00000000`ab845de8 00000000`0012e8d0 : corelpp!CPntCom::CPntCom+0x7249a
00000000`0012e8d0 00000000`135094d9 : 00000000`0012f540 00000000`b8f06ff0 00000000`00000000 00000000`b9141fe8 : corelpp!GetComponentTool+0xa58de
00000000`0012f4c0 00000000`13506d26 : 00000000`b89dcfc0 00000000`b8cacf48 00000000`b9143fd8 00000000`146b03d0 : corelpp!GetComponentTool+0xa4269
00000000`0012f5f0 00000000`130a9c7e : 00000000`0012f648 00000000`5b312fc0 00000000`1373bbe4 00000000`acc1aff8 : corelpp!GetComponentTool+0xa1ab6
00000000`0012f620 00000000`130a4f29 : 00000000`b8a90fe8 00000000`5b312fc0 00000000`acc1aff8 00000000`060a3d66 : corelpp!CTool::GetNumStrokes+0x231e
00000000`0012f670 00000000`130dc3cc : 00000000`00000000 00000000`b8a90fe8 00000000`560a4580 00000000`5b21afd0 : corelpp!StartApp+0xc139
00000000`0012f740 00000000`1350d6f8 : 00000000`00000000 00000000`00000001 00000000`560a4580 00000000`00000000 : corelpp!CPntCom::CPntCom+0x164bc
00000000`0012f790 00000000`13098c87 : 00000000`accb4ff8 00000000`00000000 00000000`0012fa90 00000000`00000000 : corelpp!GetComponentTool+0xa8488
00000000`0012f7e0 00000000`1424fa1b : 00000000`58dcffe0 00000000`0012fa90 00000000`00000000 00000000`021abe78 : corelpp!CTool::GetToolMode+0x4ac7
00000000`0012f810 00000000`1424f6e9 : 00000000`0012fa90 00000000`00000001 00000000`00000001 00000000`58dd5b98 : CrlFrmWk!WCmnUI_FrameWorkApp::OnIdle+0xdb
00000000`0012f850 00000000`1424f849 : 00000000`57c9aef0 00000000`0012fa90 00000000`0012fa20 4b18a26b`5f3d1849 : CrlFrmWk!WCmnUI_FrameWorkApp::RunMessageLoop+0x99
00000000`0012f8e0 00000000`14233e49 : 00000000`b182cfd8 00000000`58e6fe10 00000000`58e6fe10 00000000`59564fe8 : CrlFrmWk!WCmnUI_FrameWorkApp::Run+0x69
00000000`0012f920 00000000`13099069 : 00000000`06006a58 00000000`21245ff0 00000000`06006a58 00000000`00000000 : CrlFrmWk!IAppFramework::GetInstance+0x11a9
00000000`0012fcf0 00000001`40001d92 : 00000000`0012fe70 00000000`0012fe70 00000000`00000000 00000000`019cee01 : corelpp!StartApp+0x279
00000000`0012fdd0 00000001`400015a6 : 00000000`0012fe70 00000000`0000000a 00000000`00000000 00000000`0012fe70 : CorelPP_APP+0x1d92
00000000`0012fe30 00000001`40007466 : 00000000`00000000 00000001`4000fd90 00000000`00000000 01d29f39`66f6ad86 : CorelPP_APP+0x15a6
00000000`0012ff20 00000000`78d3652d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CorelPP_APP+0x7466
00000000`0012ff60 00000000`78e7c521 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0012ff90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
```

### Timeline

* 2017-03-28 - Vendor Disclosure
* 2017-07-20 - Public Release

### CREDIT

* Discovered by a member of Cisco Talos
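The following C is an added illustration of the arithmetic the Details section describes, not code from the Talos advisory or from Corel's IETIF.FLT: a 16-bit table value [0] is subtracted from a file-derived 32-bit count [1] in unsigned arithmetic, the difference is shifted right by 3, and the result becomes the memset length [3]. The function names, the row buffer and the constructed inputs are hypothetical; the hardened variant shows the ordering and bounds checks that prevent the wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Vulnerable form (models sub edi, eax / shr eax, 3): unsigned 32-bit
 * subtraction with no ordering check. With file_count < table_value the
 * difference wraps; the constructed pair (0, 2) yields 0xfffffffe, the
 * value seen in rdi in the register dump, and the shifted length is still
 * hundreds of megabytes. */
uint32_t fill_len_vulnerable(uint32_t file_count, uint16_t table_value)
{
    uint32_t diff = file_count - table_value;   /* may wrap */
    return diff >> 3;                           /* bits -> bytes */
}

/* Hardened form: reject the underflow and bound the length by the
 * destination buffer before anything is written. Returns the length,
 * or -1 when the file-derived values are inconsistent with the buffer. */
long long fill_len_checked(uint32_t file_count, uint16_t table_value,
                           size_t dst_size)
{
    if (file_count < table_value)               /* would underflow */
        return -1;
    uint32_t len = (file_count - table_value) >> 3;
    if (len > dst_size)                         /* would overrun dst */
        return -1;
    return (long long)len;
}

/* Clears a row buffer only after the length has been validated;
 * returns 1 on success, 0 when the input is rejected. */
int clear_row_tail(uint8_t *dst, size_t dst_size,
                   uint32_t file_count, uint16_t table_value)
{
    long long len = fill_len_checked(file_count, table_value, dst_size);
    if (len < 0)
        return 0;                               /* reject the file */
    memset(dst, 0, (size_t)len);
    return 1;
}

/* Constructed 64-byte row used as the destination for the checks. */
static uint8_t g_row[64];

int demo_clear(uint32_t file_count, uint16_t table_value)
{
    return clear_row_tail(g_row, sizeof g_row, file_count, table_value);
}
```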
id: SSV:96463
last seen: 2017-11-19
modified: 2017-09-13
published: 2017-09-13
reporter: Root
title: Corel PHOTO-PAINT X8 64-bit TIFF Filter Code Execution Vulnerability (CVE-2017-2803)

Talos

id: TALOS-2017-0297
last seen: 2019-05-29
published: 2017-07-20
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0297
title: Corel PHOTO-PAINT X8 64-bit TIFF Filter Code Execution Vulnerability