CVE-2017-2804 - Out-of-bounds Write vulnerability in Corel PHOTO-PAINT X8 (CorelDRAW Graphics Suite X8) 18.1.0.661

CVSS v2 base score: 6.8 - MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

(Talos rated the same issue CVSSv3 8.8 HIGH; the v3 vector is given in the advisory below.)

Summary

A remote out-of-bounds write vulnerability exists in the TIFF parsing functionality of Corel PHOTO-PAINT X8 18.1.0.661. A specially crafted TIFF file can trigger an out-of-bounds write, resulting in memory corruption and potentially code execution in the context of the user opening the file. An attacker can send the victim a specific TIFF file to trigger this vulnerability.

Vulnerable Configurations

Part         Description   Count
Application  Corel         1

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write
Seebug

bulletinFamily: exploit
description:

### Summary

A remote out-of-bounds write vulnerability exists in the TIFF parsing functionality of Corel PHOTO-PAINT X8 18.1.0.661. A specially crafted TIFF file can trigger an out-of-bounds write, resulting in memory corruption. An attacker can send the victim a specific TIFF file to trigger this vulnerability.

### Tested Versions

Corel PHOTO-PAINT X8 (Corel TIFF Import/Export Filter (64-Bit) - 18.1.0.661) - x64 & x86 version

### Product URLs

http://corel.com

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### CWE

CWE-787 - Out-of-bounds Write

### Details

A remote memory corruption vulnerability exists in the TIFF parsing functionality of Corel PHOTO-PAINT. A specially crafted TIFF file can trigger an out-of-bounds write, resulting in memory corruption. The module involved in this vulnerability is described below:

```
start    end        module name
31980000 319a2000   IETIF      (export symbols)       c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters\IETIF.FLT
    Loaded symbol image file: c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters\IETIF.FLT
    Image path: c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters\IETIF.FLT
    Image name: IETIF.FLT
    Timestamp:        Fri Jun 24 18:14:13 2016 (576DDAE5)
    CheckSum:         00022E36
    ImageSize:        00022000
    File version:     18.1.0.661
```

While parsing a TIFF file, an IFD entry with tag 0x111 (StripOffsets) can be supplied. The entry's count field dictates how much further data is read from the file.

```
<class tiff.Entry> '3'
[30] <instance tiff.DirectoryTag 'tag'> StripOffsets(0x111)
[32] <instance tiff.DirectoryType 'type'> BYTE(0x1)
[34] <instance pint.uint32_t 'count'> 0x00000001 (1)
[38] <instance tiff.BYTE 'value'> 0x00 (0)
[39] <instance dynamic.block(3) 'padding'> "\x00\x00\x00"
[3c] <instance ptype.undefined 'pointer'> ...
```

If there is no more data to read from the file, ReadFile succeeds but reports 0 for the number of bytes read:

```
CDRFLT!FLTCLIPDATA::GetClrUsed+0x28ad:
.text:1001FA1D 010 lea     eax, [esp+10h+NumberOfBytesRead]
.text:1001FA21 010 push    eax                              ; Bytes read written to this address
.text:1001FA22 014 push    [esp+14h+nNumberOfBytesToRead]
.text:1001FA26 018 push    [esp+18h+lpBuffer]
.text:1001FA2A 01C push    dword ptr [esi+40h]
.text:1001FA2D 020 call    ds:ReadFile                      ; NumberOfBytesRead is set to 0
.text:1001FA33 00C neg     eax
.text:1001FA35 00C lea     ecx, [esp+0Ch+var_8]
.text:1001FA39 00C sbb     esi, esi
.text:1001FA3B 00C and     esi, [esp+0Ch+NumberOfBytesRead]
.text:1001FA3F 00C call    ds:mfc140u_1052                  ; Doesn't modify esi
.text:1001FA45 00C mov     eax, esi                         ; esi (0) is returned
.text:1001FA47 00C pop     esi
.text:1001FA48 008 add     esp, 8
.text:1001FA4B 000 retn    0Ch
```

This value is saved at offset 0x10 for later use:

```
IETIF!FilterEntry04+0x8c4a:
.text:1000AF9A 030 FF D0      call    eax            ; ReadFile function from above
.text:1000AF9C 024 89 45 10   mov     [ebp+10h], eax ; 0 value written
```

The function presented below is typically executed 3 times (assuming our POC is being parsed):

```
1st pass: 8 bytes are read (TIFF initial/basic header)
2nd pass: number of bytes is calculated by this formula: image file directory num entries * 12 (size of entry)
3rd pass: in our case -1 bytes (large negative number)

IETIF!FilterEntry04+0xaa00:
.text:0001CD50 ; int __stdcall memcpy_proc(void *Dst, int)
.text:0001CD50 memcpy_proc     proc near               ; CODE XREF: sub_18110+F3p
.text:0001CD50                                         ; sub_184A0:loc_1869Dp ...
.text:0001CD50
.text:0001CD50 Dst             = dword ptr  4
.text:0001CD50 arg_4           = dword ptr  8
.text:0001CD50
.text:0001CD50                 push    ebx
.text:0001CD51                 mov     ebx, [esp+4+Dst]
.text:0001CD55                 push    esi
.text:0001CD56                 mov     esi, ecx
.text:0001CD58                 push    edi
.text:0001CD59                 mov     edi, [esp+0Ch+arg_4]
.text:0001CD5D                 mov     edx, [esi+4]
.text:0001CD60                 add     edi, [esi+8]
.text:0001CD63                 add     edx, [esi+8]
.text:0001CD66                 mov     eax, [esi+10h]          ; eax=how many bytes to read?
.text:0001CD69                 cmp     edi, eax                ; but eax can be forced to be 0
.text:0001CD6B                 jle     short loc_1CDCA         ; less than (good read)
.text:0001CD6D                 nop     dword ptr [eax]
.text:0001CD70
.text:0001CD70 loc_1CD70:                              ; CODE XREF: memcpy_proc+78j
.text:0001CD70                 sub     eax, [esi+8]            ; 0 bytes - 1 bytes = -1 (infinite)
.text:0001CD73                 push    eax                     ; Size
.text:0001CD74                 push    edx                     ; Src
.text:0001CD75                 push    ebx                     ; Dst
.text:0001CD76                 call    memcpy                  ; bug
.text:0001CD7B                 mov     eax, [esi+10h]
.text:0001CD7E                 add     esp, 0Ch
.text:0001CD81                 sub     eax, [esi+8]
.text:0001CD84                 sub     edi, [esi+10h]
.text:0001CD87                 add     ebx, eax
.text:0001CD89                 mov     eax, [esi]
.text:0001CD8B                 push    dword ptr [esi+0Ch]
.text:0001CD8E                 push    dword ptr [esi+4]
.text:0001CD91                 push    eax
.text:0001CD92                 mov     eax, [eax+1B8h]
.text:0001CD98                 call    eax
.text:0001CD9A                 mov     [esi+10h], eax
.text:0001CD9D                 cmp     eax, [esi+0Ch]
.text:0001CDA0                 jge     short loc_1CDB9
.text:0001CDA2                 cmp     eax, edi
.text:0001CDA4                 jge     short loc_1CDB9
.text:0001CDA6                 mov     eax, [esi]
.text:0001CDA8                 mov     dword ptr [eax+78h], 6773h
.text:0001CDAF                 mov     edi, [esi+10h]
.text:0001CDB2                 mov     dword ptr [esi+18h], 1
.text:0001CDB9
.text:0001CDB9 loc_1CDB9:                              ; CODE XREF: memcpy_proc+50j
.text:0001CDB9                                         ; memcpy_proc+54j
.text:0001CDB9                 mov     eax, [esi+10h]
.text:0001CDBC                 mov     edx, [esi+4]
.text:0001CDBF                 mov     dword ptr [esi+8], 0
.text:0001CDC6                 cmp     edi, eax
.text:0001CDC8                 jg      short loc_1CD70
.text:0001CDCA
.text:0001CDCA loc_1CDCA:                              ; CODE XREF: memcpy_proc+1Bj
.text:0001CDCA                 mov     eax, edi
.text:0001CDCC                 sub     eax, [esi+8]
.text:0001CDCF                 push    eax                     ; Size
.text:0001CDD0                 push    edx                     ; Src
.text:0001CDD1                 push    ebx                     ; Dst
.text:0001CDD2                 call    memcpy
.text:0001CDD7                 mov     ecx, [esi+10h]
.text:0001CDDA                 add     esp, 0Ch
.text:0001CDDD                 test    ecx, ecx
.text:0001CDDF                 jz      short loc_1CDE9
.text:0001CDE1
.text:0001CDE1 loc_1CDE1:                              ; CODE XREF: memcpy_proc+97j
.text:0001CDE1                 cmp     edi, ecx
.text:0001CDE3                 jle     short loc_1CDE9
.text:0001CDE5                 sub     edi, ecx
.text:0001CDE7                 jmp     short loc_1CDE1
.text:0001CDE9 ; ---------------------------------------------------------------------------
.text:0001CDE9
.text:0001CDE9 loc_1CDE9:                              ; CODE XREF: memcpy_proc+8Fj
.text:0001CDE9                                         ; memcpy_proc+93j
.text:0001CDE9                 xor     eax, eax
.text:0001CDEB                 test    ecx, ecx
.text:0001CDED                 cmovnz  eax, edi
.text:0001CDF0                 pop     edi
.text:0001CDF1                 mov     [esi+8], eax
.text:0001CDF4                 pop     esi
.text:0001CDF5                 pop     ebx
.text:0001CDF6                 retn    8
.text:0001CDF6 memcpy_proc     endp
```

Using the saved 0 value from ReadFile in the subtraction at 0x0001CD70 (0 - 1), a 0xffffffff value is generated and passed as the size to a memcpy operation. The loop never checks that the byte count returned by the last ReadFile is at least as large as the number of buffered bytes already consumed, so a truncated file turns a short read into a near-unbounded copy.

### Crash Information

```
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
VCRUNTIME140!memcpy+57 [f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 135]
00007ffe`2b9ec877 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffe2b9ec877 (VCRUNTIME140!memcpy+0x0000000000000057)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000016759f1b000
Attempt to write to address 0000016759f1b000

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=0000016759ed15a0 rbx=0000016759e49830 rcx=fffffffffffb659f
rdx=ffffffffffff5b61 rsi=0000016759f10b61 rdi=0000016759f1b000
rip=00007ffe2b9ec877 rsp=00000037e49cc218 rbp=0000016759ed15a0
 r8=0000000000000000  r9=0000000000000000 r10=0000016759ec7101
r11=0000000000000002 r12=0000016759ec5b60 r13=0000000000000000
r14=0000016759ed15a0 r15=0000016759ed15a0
iopl=0         nv up ei ng nz na pe cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
VCRUNTIME140!memcpy+0x57:
00007ffe`2b9ec877 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]

FAULTING_THREAD:  0000000000001684
DEFAULT_BUCKET_ID:  WRONG_SYMBOLS
PROCESS_NAME:  CorelPP-APP.exe
OVERLAPPED_MODULE: Address regions for 'icm32' and 'lcms2.dll' overlap
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_PARAMETER1:  0000000000000001
EXCEPTION_PARAMETER2:  0000016759f1b000
WRITE_ADDRESS:  0000016759f1b000
FOLLOWUP_IP:
VCRUNTIME140!memcpy+57 [f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 135]
00007ffe`2b9ec877 f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
NTGLOBALFLAG:  70
APPLICATION_VERIFIER_FLAGS:  0
APP:  corelpp-app.exe
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0x1684 (0)
Current frame:
Child-SP         RetAddr          Caller, Callee
PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS
BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER:  from 00007ffe0390ead0 to 00007ffe2b9ec877
STACK_TEXT:
00000037`e49cc218 00007ffe`0390ead0 : 00000000`00000000 00000000`00000000 00000037`002b40d5 00000037`00000001 : VCRUNTIME140!memcpy+0x57
00000037`e49cc220 00007ffe`0390d4f0 : 00000000`00000001 00000167`59eb8830 00007ffe`0390af50 00000000`00000000 : IETIF!FilterEntry04+0xc690
00000037`e49cc250 00007ffe`0390cb51 : 00000000`00000000 00000000`00000001 00000167`59eb8830 00007ffe`0390af50 : IETIF!FilterEntry04+0xb0b0
00000037`e49cc300 00007ffe`0390d70e : 00000167`00000001 00000167`00000001 00007ffe`0390af50 00000167`59ed2200 : IETIF!FilterEntry04+0xa711
00000037`e49cc380 00007ffe`03901ff0 : 00000000`00000000 00000167`59eb8830 00000167`59eb8830 00000000`00000000 : IETIF!FilterEntry04+0xb2ce
00000037`e49cc420 00007ffe`14bf097d : 00000000`00000001 0000015f`2e7607f0 00000000`00000180 00000000`00000001 : IETIF!FilterEntry+0x90
00000037`e49cc450 00007ffe`14bde7ff : 00000000`00000000 00000000`00000001 00000167`59eb8830 00000000`00000000 : CDRFLT!FLTCLIPDATA::GetClrUsed+0x101d
00000037`e49cc490 00007ffe`10702298 : 00000000`00000000 00000000`00000000 00000000`00000030 00000000`00000001 : CDRFLT!CPT_DROP_SHADOW::LoadFrom+0x4ff
00000037`e49cc5c0 00007ffe`106fac66 : 0000015f`00000007 00007ffe`3bcfacee 00000037`e49cc9dc 00000167`59ebb1d0 : corelpp!CTool::GetAutoScroll+0x630a8
00000037`e49cc6c0 00007ffe`106f7e91 : 0000015f`2ab20000 00000000`00000038 00000000`00000001 00007ffe`3bd08097 : corelpp!CTool::GetAutoScroll+0x5ba76
00000037`e49cc900 00007ffe`106f761c : 00000167`59d29270 00000167`59eb8830 0000015f`2ab87b90 00000167`59d29270 : corelpp!CTool::GetAutoScroll+0x58ca1
00000037`e49cd040 00007ffe`105fea42 : 00000167`599492b0 00000167`59d29270 0000015f`2eb072a0 00007ffe`10648f56 : corelpp!CTool::GetAutoScroll+0x5842c
00000037`e49cdd80 00007ffe`105ffc79 : 00000167`59d29270 00007ffe`10b490d0 00000167`599492b0 00000167`599492b0 : corelpp!CPntCom::CPntCom+0x28b32
00000037`e49cdeb0 00007ffe`106484b7 : 00007ffe`10b490d0 00000037`e49ce2b0 00000167`599492b0 00000167`59eb7398 : corelpp!CPntCom::CPntCom+0x29d69
00000037`e49ce020 00007ffe`10649f6b : 00007ffe`10e13ba0 00000037`e49ce2b0 00000167`599492b0 ffffffff`fcdcfb70 : corelpp!CPntCom::CPntCom+0x725a7
00000037`e49ce060 00007ffe`106483aa : 00000037`e49ce1b0 00000037`e49cee58 00000037`e49ce2b0 00000167`599492b0 : corelpp!CPntCom::CPntCom+0x7405b
00000037`e49ce160 00007ffe`10a1ab4e : 00000037`e49cee58 00000037`e49ce2b0 00000167`59eb7398 00000037`e49ce1b0 : corelpp!CPntCom::CPntCom+0x7249a
00000037`e49ce1b0 00007ffe`10a194d9 : 00000037`e49cee20 00000167`58491e20 00000000`00000000 00000167`59e5aa18 : corelpp!GetComponentTool+0xa58de
00000037`e49ceda0 00007ffe`10a16d26 : 0000015f`2ac1ea30 0000015f`00000028 00000167`58491ba8 00007ffe`11b003d0 : corelpp!GetComponentTool+0xa4269
00000037`e49ceed0 00007ffe`105b9c7e : 00000037`e49cef28 0000015f`2f05d990 00007ffe`10c4bbe4 00000167`59aa6ee8 : corelpp!GetComponentTool+0xa1ab6
00000037`e49cef00 00007ffe`105b4f29 : 0000015f`2e60b768 0000015f`2f05d990 00000167`59aa6ee8 00007ffe`16c63d66 : corelpp!CTool::GetNumStrokes+0x231e
00000037`e49cef50 00007ffe`105ec3cc : 00000000`00000000 0000015f`2e60b768 0000015f`2eb072a0 0000015f`2f05a590 : corelpp!StartApp+0xc139
00000037`e49cf020 00007ffe`10a1d6f8 : 00000000`00000000 00000000`00000001 0000015f`2eb072a0 00000000`00000000 : corelpp!CPntCom::CPntCom+0x164bc
00000037`e49cf070 00007ffe`105a8c87 : 00000167`59e3b898 00000167`00000000 00000037`e49cf370 00000000`00000000 : corelpp!GetComponentTool+0xa8488
00000037`e49cf0c0 00007ffe`1169fa1b : 0000015f`2eaffb40 00000037`e49cf370 00000000`00000000 0000015f`2ab41428 : corelpp!CTool::GetToolMode+0x4ac7
00000037`e49cf0f0 00007ffe`1169f6e9 : 00000037`e49cf370 00000000`00000001 00000000`00000001 0000015f`2eaff600 : CrlFrmWk!WCmnUI_FrameWorkApp::OnIdle+0xdb
00000037`e49cf130 00007ffe`1169f849 : 0000015f`2eb00120 00000037`e49cf370 00000037`e49cf300 4b18a26b`5f3d1849 : CrlFrmWk!WCmnUI_FrameWorkApp::RunMessageLoop+0x99
00000037`e49cf1c0 00007ffe`11683e49 : 00000167`58660188 0000015f`2ac1edb0 0000015f`2ac1edb0 0000015f`2ea4d098 : CrlFrmWk!WCmnUI_FrameWorkApp::Run+0x69
00000037`e49cf200 00007ffe`105a9069 : 00007ffe`17286a58 0000015f`2abb7450 00007ffe`17286a58 00000000`00000000 : CrlFrmWk!IAppFramework::GetInstance+0x11a9
00000037`e49cf5d0 00007ff6`656a1d92 : 00000037`e49cf750 00000037`e49cf750 00000000`00000000 0000015f`2ab22601 : corelpp!StartApp+0x279
00000037`e49cf6b0 00007ff6`656a15a6 : 00000037`e49cf750 00000000`0000000a 00000000`00000000 00000000`00000003 : CorelPP_APP+0x1d92
00000037`e49cf710 00007ff6`656a7466 : 00000000`00000000 00007ff6`656afd90 00000000`00000000 00000000`00000000 : CorelPP_APP+0x15a6
00000037`e49cf800 00007ffe`396c8364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CorelPP_APP+0x7466
00000037`e49cf840 00007ffe`3bd370d1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000037`e49cf870 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

STACK_COMMAND:  .cxr 0x0 ; kb
FAULTING_SOURCE_LINE:  f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm
FAULTING_SOURCE_FILE:  f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm
FAULTING_SOURCE_LINE_NUMBER:  135
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  vcruntime140!memcpy+57
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: VCRUNTIME140
IMAGE_NAME:  VCRUNTIME140.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  563c45c0
FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000005_VCRUNTIME140.dll!memcpy
BUCKET_ID:  APPLICATION_FAULT_WRONG_SYMBOLS_vcruntime140!memcpy+57
ANALYSIS_SOURCE:  UM
FAILURE_ID_HASH_STRING:  um:wrong_symbols_c0000005_vcruntime140.dll!memcpy
FAILURE_ID_HASH:  {af9e04a5-399b-60ad-9abe-5412f864504e}
Followup: MachineOwner
---------
```

### Timeline

* 2017-03-28 - Vendor Disclosure
* 2017-07-20 - Public Release

### CREDIT

* Discovered by a member of Cisco Talos
id: SSV:96464
last seen: 2017-11-19
modified: 2017-09-13
published: 2017-09-13
reporter: Root
title: Corel PHOTO-PAINT X8 TIFF Filter Code Execution Vulnerability (CVE-2017-2804)
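The refill loop that the advisory disassembles, and how a truncated file drives it into a 0xffffffff-byte memcpy, modelled in C as an added example. This is not the Talos PoC and not Corel's code: it constructs a minimal little-endian TIFF whose only IFD entry is StripOffsets (0x111) with count 1 and which ends right after the IFD, walks the IFD to show the tag/type/count layout from the ptype dump, then runs a buffered-copy loop with the same field roles the disassembly reads through esi (+0x08 bytes consumed, +0x0C refill size, +0x10 last ReadFile count). The reader state at the third pass (ReadFile returned 0, one buffered byte already consumed) is set directly; that, the struct and function names (`mem_read`, `bufreader`, `copy_bytes`, `third_pass`) and the 8-byte refill size are assumptions of this example. The vulnerable path computes the length it would pass to memcpy instead of performing the copy; the hardened path refuses a short read before the subtraction.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input (not the Talos PoC): a minimal little-endian TIFF whose only IFD
 * entry is StripOffsets (0x111), type BYTE, count 1, inline value 0, and which ends
 * right after the IFD, so any later read of strip data runs into EOF. */
static const uint8_t crafted_tiff[] = {
    'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00,    /* "II", magic 42, first IFD at 8 */
    0x01, 0x00,                                      /* IFD entry count: 1 */
    0x11, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,  /* tag 0x111, type BYTE(1), count 1 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00   /* value 0 + padding, next IFD: none */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Walks the first IFD; returns the count field of the StripOffsets entry (0 if the file
 * is malformed or the tag is absent) and stores the bytes remaining after the IFD. */
static uint32_t stripoffsets_count(const uint8_t *f, size_t len, size_t *trailing) {
    if (len < 8 || memcmp(f, "II", 2) != 0 || rd16(f + 2) != 42) return 0;
    uint32_t ifd = rd32(f + 4);
    if ((size_t)ifd + 2 > len) return 0;
    uint16_t n = rd16(f + ifd);
    size_t end = (size_t)ifd + 2 + (size_t)n * 12 + 4;
    if (end > len) return 0;
    *trailing = len - end;
    for (uint16_t i = 0; i < n; i++)
        if (rd16(f + ifd + 2 + i * 12) == 0x111) return rd32(f + ifd + 2 + i * 12 + 4);
    return 0;
}

/* Stand-in for ReadFile: copies up to want bytes, returns the count, 0 at EOF. */
typedef struct { const uint8_t *data; size_t len, pos; } mem_file;
static uint32_t mem_read(mem_file *mf, uint8_t *dst, uint32_t want) {
    size_t avail = mf->len - mf->pos, n = want < avail ? want : avail;
    memcpy(dst, mf->data + mf->pos, n);
    mf->pos += n;
    return (uint32_t)n;
}

/* Reader state with the field roles the disassembly reads through esi (names are mine):
 * +0x04 buffer, +0x08 bytes already handed out, +0x0C refill size, +0x10 last ReadFile count. */
typedef struct {
    mem_file *file;
    uint8_t   buf[8];
    uint32_t  consumed, bufsize, valid;
} bufreader;

enum { COPY_OK = 0, COPY_WOULD_OVERFLOW = -1, COPY_TRUNCATED = -2 };

/* Copies want bytes into dst (capacity dstlen), refilling as the loop at 0x1CD70 does.
 * hardened == 0 keeps the original arithmetic but reports an oversize length through
 * *bad_len instead of handing it to memcpy; hardened == 1 rejects a short read first. */
static int copy_bytes(bufreader *r, uint8_t *dst, size_t dstlen, uint32_t want,
                      int hardened, uint32_t *bad_len) {
    uint32_t end = want + r->consumed;           /* edi */
    const uint8_t *src = r->buf + r->consumed;   /* edx */
    size_t out = 0;
    *bad_len = 0;
    while (end > r->valid) {                     /* request exceeds what is buffered */
        if (hardened && r->valid < r->consumed)
            return COPY_TRUNCATED;               /* ReadFile came up short: fail the import */
        uint32_t chunk = r->valid - r->consumed; /* unsigned: 0 - 1 wraps to 0xffffffff */
        if (chunk > dstlen - out) { *bad_len = chunk; return COPY_WOULD_OVERFLOW; }
        memcpy(dst + out, src, chunk);
        out += chunk;
        end -= r->valid;
        r->valid = mem_read(r->file, r->buf, r->bufsize);   /* refill */
        if (r->valid < r->bufsize && r->valid < end) {
            if (hardened) return COPY_TRUNCATED;
            end = r->valid;                      /* original: set error flag, clamp, go on */
        }
        r->consumed = 0;
        src = r->buf;
    }
    uint32_t tail = end - r->consumed;
    if (tail > dstlen - out) { *bad_len = tail; return COPY_WOULD_OVERFLOW; }
    memcpy(dst + out, src, tail);
    r->consumed = end;
    return COPY_OK;
}

/* Third pass from the assumed state: file exhausted, the previous ReadFile stored 0 in
 * +0x10, one buffered byte already consumed (the advisory's "0 bytes - 1 bytes"). */
static int third_pass(int hardened, uint32_t *bad_len) {
    mem_file mf = { crafted_tiff, sizeof crafted_tiff, sizeof crafted_tiff };  /* at EOF */
    bufreader r = { &mf, {0}, 1, 8, 0 };         /* consumed = 1, bufsize = 8, valid = 0 */
    uint8_t dst[64];
    return copy_bytes(&r, dst, sizeof dst, 4, hardened, bad_len);
}

/* Length the original loop would hand to memcpy from that state. */
static uint32_t vulnerable_memcpy_len(void) { uint32_t bad = 0; third_pass(0, &bad); return bad; }

int main(void) {
    size_t trailing = 0;
    printf("StripOffsets count=%u, bytes after IFD=%zu\n",
           stripoffsets_count(crafted_tiff, sizeof crafted_tiff, &trailing), trailing);
    printf("vulnerable loop would memcpy 0x%08x bytes; hardened loop returns %d\n",
           vulnerable_memcpy_len(), third_pass(1, &(uint32_t){0}));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The check that matters is the one before the subtraction: a ReadFile that returns fewer bytes than the parser has already committed to means the file is truncated, and the right response is to fail the import, not to clamp and carry on as the original does after setting its `6773h` error flag. The same guard belongs in any buffered reader that computes "bytes still available" as an unsigned difference.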

Talos

id: TALOS-2017-0298
last seen: 2019-05-29
published: 2017-07-20
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0298
title: Corel PHOTO-PAINT X8 TIFF Filter Code Execution Vulnerability