Talos Vulnerability Report

TALOS-2016-0244

Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability

July 20, 2017
CVE Number

CVE-2016-8730

Summary

An out-of-bounds write / memory corruption vulnerability exists in the GIF parsing functionality of Corel PHOTO-PAINT X8 18.1.0.661. A specially crafted GIF file can trigger this vulnerability, resulting in potential memory corruption and code execution. An attacker can send the victim a specific GIF file to trigger this vulnerability.

Tested Versions

  • Corel PHOTO-PAINT X8 (Corel Import/Export Filter (64-Bit) - 18.1.0.661) - x64 version

Product URLs

http://corel.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

A memory corruption vulnerability exists in the GIF parsing functionality of Corel PHOTO-PAINT. A specially crafted GIF file can cause a vulnerability resulting in potential memory corruption.

The vulnerable code is located in the IEGIF.flt library:

.text:00000001800097E0 over_write:                               ; CODE XREF: bug_proc+1DBj
.text:00000001800097E0                 mov     [rax], cl         ; write, source cl (increased every cycle)
.text:00000001800097E2                 lea     rax, [rax+1]      ; rax++
.text:00000001800097E6                 inc     ecx               ; ecx = loop counter, and dest byte
.text:00000001800097E8                 cmp     ecx, r8d          ; r8d = total number of loop executions
.text:00000001800097EB                 jb      short over_write

The total number of loop executions (r8d value) is calculated below:

.text:0000000180009729                 call    sub_18000A780
.text:000000018000972E                 movzx   r9d, al         ; al=function result=used for shl
.text:0000000180009732                 xor     esi, esi
.text:0000000180009734                 mov     eax, 8
.text:0000000180009739                 mov     [rsp+0D8h+var_58], r9d
.text:0000000180009741                 mov     ecx, r9d
.text:0000000180009744                 mov     [rsp+0D8h+var_80], esi
.text:0000000180009748                 xor     r15d, r15d
.text:000000018000974B                 mov     [rsp+0D8h+var_88], esi
.text:000000018000974F                 xor     ebp, ebp
.text:0000000180009751                 mov     r8d, 1
.text:0000000180009757                 shl     r8d, cl         ; r8d = 1 << cl = 1 << output from sub_18000A780

An attacker can create a malicious GIF file which forces the total number of loop cycles to be extremely large (like r8d=0x8000000000, 0x100000, …). This causes the loop to overwrite arbitrary memory data.

In order to trigger this vulnerability the GlobalColorTableFlag from the LOGICALSCREENDESCRIPTOR_PACKEDFIELDS needs to be 1 and the SizeOfGlobalColorTable needs to be set to 7.

Additionally, the value returned by sub_18000A780 (later used as the count, in the CL register, of the shift-logical-left operation) is taken directly from the PoC file (offset 0x3f2).
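The following C is an added illustration, not code from the IEGIF.flt filter or from Corel: it parses the Logical Screen Descriptor packed byte the advisory refers to (GlobalColorTableFlag, SizeOfGlobalColorTable) and contrasts the unchecked `1 << shift` loop bound shown in the disassembly with a bounded version. The sample header is constructed, and the maximum shift of 12 is an assumed decoder limit, not a value from the advisory.

```c
#include <stdint.h>
#include <stddef.h>

/* GIF Logical Screen Descriptor: 7 bytes following the 6-byte "GIF89a" signature.
 * Packed byte (5th byte of the LSD): bit 7 = GlobalColorTableFlag,
 * bits 0-2 = SizeOfGlobalColorTable (N), table size = 3 * 2^(N+1) bytes. */
#define GIF_LSD_OFFSET 6
#define GIF_LSD_LEN    7

/* Constructed sample header: "GIF89a", 1x1 canvas, packed 0xF7 (GCT flag set, N = 7). */
static const uint8_t SAMPLE_HDR[13] = { 'G','I','F','8','9','a', 1,0, 1,0, 0xF7, 0, 0 };

/* Size in bytes of the Global Color Table, or 0 if absent or header too short. */
size_t gif_gct_bytes(const uint8_t *buf, size_t len)
{
    if (len < GIF_LSD_OFFSET + GIF_LSD_LEN) return 0;
    uint8_t packed = buf[GIF_LSD_OFFSET + 4];
    if (!(packed & 0x80)) return 0;          /* GlobalColorTableFlag == 0 */
    unsigned n = packed & 0x07;              /* SizeOfGlobalColorTable */
    return 3u * (1u << (n + 1));             /* n == 7 -> 768 bytes (256 RGB entries) */
}

/* Shape of the loop at over_write: the count is 1 << shift with shift taken from
 * the file, and nothing compares it against the destination size. Reconstructed
 * here for illustration only; shift values >= 32 are undefined behaviour in C. */
void fill_table_unchecked(uint8_t *dst, uint8_t shift)
{
    unsigned count = 1u << shift;
    for (unsigned i = 0; i < count; i++) dst[i] = (uint8_t)i;
}

/* Hardened form: reject shift counts above an assumed decoder maximum (12) and
 * refuse to write beyond dst_len. Returns bytes written or -1 on rejection. */
int fill_table_checked(uint8_t *dst, size_t dst_len, uint8_t shift)
{
    const unsigned MAX_SHIFT = 12;           /* assumed limit, not from the advisory */
    if (shift > MAX_SHIFT) return -1;
    size_t count = (size_t)1 << shift;
    if (count > dst_len) return -1;
    for (size_t i = 0; i < count; i++) dst[i] = (uint8_t)i;
    return (int)count;
}
```

Note that x86 `shl r8d, cl` masks the count to 5 bits, so the crash context's r9=0xdd gives 0xdd & 0x1f = 29 and r8=0x20000000 (1 << 29), which is why the unchecked loop runs 512 MiB of byte writes before faulting.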

Crash Information

FAULTING_IP: 
IEGIF!FilterEntry01+75c0
00007ffb`e81897e0 8808            mov     byte ptr [rax],cl

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffbe81897e0 (IEGIF!FilterEntry01+0x00000000000075c0)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 00000205dca6e000
Attempt to write to address 00000205dca6e000

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=00000205dca6e000 rbx=00000205dc8a1460 rcx=0000000000005000
rdx=0000000020000001 rsi=0000000000000000 rdi=00000205dc8a2c0f
rip=00007ffbe81897e0 rsp=000000e5dc79c690 rbp=0000000000000000
 r8=0000000020000000  r9=00000000000000dd r10=00007ffc064615c0
r11=00000205dca6a030 r12=00000205dca64ae0 r13=0000000000000000
r14=0000000020000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010287
IEGIF!FilterEntry01+0x75c0:
00007ffb`e81897e0 8808            mov     byte ptr [rax],cl ds:00000205`dca6e000=??

FAULTING_THREAD:  0000000000001f20

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

PROCESS_NAME:  CorelPP-APP.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  00000205dca6e000

WRITE_ADDRESS:  00000205dca6e000 

FOLLOWUP_IP: 
IEGIF!FilterEntry01+75c0
00007ffb`e81897e0 8808            mov     byte ptr [rax],cl

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

APP:  corelpp-app.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0x1f20 (0)
Current frame: 
Child-SP         RetAddr          Caller, Callee

PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS

BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER:  from 00007ffbe818360b to 00007ffbe81897e0

STACK_TEXT:
000000e5`dc79c690 00007ffb`e818360b : 00000000`00000000 00007ffb`00000000 00000000`00000000 00007ffb`002b40d5 : IEGIF!FilterEntry01+0x75c0
000000e5`dc79c770 00007ffb`e818215a : 00000205`00000000 00000205`dc9e3ff0 00000205`dc9e3ff0 00000000`00000000 : IEGIF!FilterEntry01+0x13eb
000000e5`dc79c860 00007ffb`eca9097d : 000001fd`b0790280 00000000`00000118 ffffffff`fffffffe 00000000`00000001 : IEGIF!FilterEntry+0x9a
000000e5`dc79c890 00007ffb`eca7e7ff : 00000000`00000000 00000000`00000001 00000205`dc9e3ff0 00000000`00000000 : CDRFLT!FLTCLIPDATA::GetClrUsed+0x101d
000000e5`dc79c8d0 00007ffb`e52f2298 : 00000205`00000000 00000000`06040002 00000000`00000000 00000000`00000001 : CDRFLT!CPT_DROP_SHADOW::LoadFrom+0x4ff
000000e5`dc79ca00 00007ffb`e52eac66 : feeefeee`00000009 00000205`00000001 000000e5`dc79ce1c 00000205`dc48d8c0 : corelpp!CTool::GetAutoScroll+0x630a8
000000e5`dc79cb00 00007ffb`e52e7e91 : 000001fd`acc60000 00000000`00000038 00000000`00000001 00007ffc`06387ad7 : corelpp!CTool::GetAutoScroll+0x5ba76
000000e5`dc79cd40 00007ffb`e52e761c : 00000205`dc9e3160 00000205`dc9e3ff0 00000205`dca190f0 00000205`dc9e3160 : corelpp!CTool::GetAutoScroll+0x58ca1
000000e5`dc79d480 00007ffb`e51eea42 : 00000205`dc9e4960 00000205`dc9e3160 000001fd`b0ba9b10 00007ffb`e5238f56 : corelpp!CTool::GetAutoScroll+0x5842c
000000e5`dc79e1c0 00007ffb`e51efc79 : 00000205`dc9e3160 00007ffb`e57390d0 00000205`dc9e4960 00000205`dc9e4960 : corelpp!CPntCom::CPntCom+0x28b32
000000e5`dc79e2f0 00007ffb`e52384b7 : 00007ffb`e57390d0 000000e5`dc79e6f0 00000205`dc9e4960 000001fd`b12400a8 : corelpp!CPntCom::CPntCom+0x29d69
000000e5`dc79e460 00007ffb`e5239f6b : 00007ffb`e5a03ba0 000000e5`dc79e6f0 00000205`dc9e4960 00000000`0200fb70 : corelpp!CPntCom::CPntCom+0x725a7
000000e5`dc79e4a0 00007ffb`e52383aa : 000000e5`dc79e5f0 000000e5`dc79f298 000000e5`dc79e6f0 00000205`dc9e4960 : corelpp!CPntCom::CPntCom+0x7405b
000000e5`dc79e5a0 00007ffb`e560ab4e : 000000e5`dc79f298 000000e5`dc79e6f0 000001fd`b12400a8 000000e5`dc79e5f0 : corelpp!CPntCom::CPntCom+0x7249a
000000e5`dc79e5f0 00007ffb`e56094d9 : 000000e5`dc79f260 00000205`db2e9a90 00000000`00000000 00000205`dac6e3a8 : corelpp!GetComponentTool+0xa58de
000000e5`dc79f1e0 00007ffb`e5606d26 : 000001fd`acd5e480 000001fd`accb8d68 00000205`db2e9448 00007ffb`dec803d0 : corelpp!GetComponentTool+0xa4269
000000e5`dc79f310 00007ffb`e51a9c7e : 000000e5`dc79f368 000001fd`b14d88d0 00007ffb`e583bbe4 00000205`dc626028 : corelpp!GetComponentTool+0xa1ab6
000000e5`dc79f340 00007ffb`e51a4f29 : 00000205`db2e81b8 000001fd`b14d88d0 00000205`dc626028 00007ffb`e13d3d66 : corelpp!CTool::GetNumStrokes+0x231e
000000e5`dc79f390 00007ffb`e51dc3cc : 00000000`00000000 00000205`db2e81b8 000001fd`b0ba9b10 000001fd`b14a7d70 : corelpp!StartApp+0xc139
000000e5`dc79f460 00007ffb`e560d6f8 : 00000000`00000000 00000000`00000001 000001fd`b0ba9b10 00000000`00000000 : corelpp!CPntCom::CPntCom+0x164bc
000000e5`dc79f4b0 00007ffb`e5198c87 : 00000205`dc9a4238 00000205`00000000 000000e5`dc79f7b0 00000000`00000000 : corelpp!GetComponentTool+0xa8488
000000e5`dc79f500 00007ffb`de81fa1b : 000001fd`b0b876a0 000000e5`dc79f7b0 00000000`00000000 000001fd`acc812e8 : corelpp!CTool::GetToolMode+0x4ac7
000000e5`dc79f530 00007ffb`de81f6e9 : 000000e5`dc79f7b0 00000000`00000001 00000000`00000001 000001fd`b0b89910 : CrlFrmWk!WCmnUI_FrameWorkApp::OnIdle+0xdb
000000e5`dc79f570 00007ffb`de81f849 : 000001fd`b0b89910 000000e5`dc79f7b0 000000e5`dc79f740 4b18a26b`5f3d1849 : CrlFrmWk!WCmnUI_FrameWorkApp::RunMessageLoop+0x99
000000e5`dc79f600 00007ffb`de803e49 : 000001fd`accac588 000001fd`b104eaf0 000001fd`b104eaf0 000001fd`b0a963e8 : CrlFrmWk!WCmnUI_FrameWorkApp::Run+0x69
000000e5`dc79f640 00007ffb`e5199069 : 00007ffb`ea866a58 000001fd`accf7b30 00007ffb`ea866a58 00000000`00000000 : CrlFrmWk!IAppFramework::GetInstance+0x11a9
000000e5`dc79fa10 00007ff7`f4ad1d92 : 000000e5`dc79fb90 000000e5`dc79fb90 00000000`00000000 000001fd`acc62501 : corelpp!StartApp+0x279
000000e5`dc79faf0 00007ff7`f4ad15a6 : 000000e5`dc79fb90 00000000`0000000a 00000000`00000000 00000000`00000003 : CorelPP_APP+0x1d92
000000e5`dc79fb50 00007ff7`f4ad7466 : 00000000`00000000 00007ff7`f4adfd90 00000000`00000000 00000000`00000000 : CorelPP_APP+0x15a6
000000e5`dc79fc40 00007ffc`04158364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CorelPP_APP+0x7466
000000e5`dc79fc80 00007ffc`063b5e91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000e5`dc79fcb0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


STACK_COMMAND:  .cxr 0x0 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  iegif!FilterEntry01+75c0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: IEGIF

IMAGE_NAME:  IEGIF.FLT

DEBUG_FLR_IMAGE_TIMESTAMP:  576defce

FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000005_IEGIF.FLT!FilterEntry01

BUCKET_ID:  APPLICATION_FAULT_WRONG_SYMBOLS_iegif!FilterEntry01+75c0

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:wrong_symbols_c0000005_iegif.flt!filterentry01

FAILURE_ID_HASH:  {35a39316-5ab9-f773-eb46-0f3e7294b8ec}

Followup: MachineOwner
---------

Timeline

2016-12-01 - Vendor Disclosure
2017-07-20 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.