Talos Vulnerability Report

TALOS-2016-0261

Corel CorelDRAW X8 EMF Parser Code Execution Vulnerability

July 20, 2017
CVE Number

CVE-2016-9043

Summary

An out-of-bounds write vulnerability exists in the EMF parsing functionality of CorelDRAW X8 (CdrGfx - Corel Graphics Engine (64-Bit) - 18.1.0.661). A specially crafted EMF file can trigger an out-of-bounds write, resulting in potential code execution. An attacker can send the victim a specific EMF file to trigger this vulnerability.

Tested Versions

Corel CorelDRAW X8 (CdrGfx - Corel Graphics Engine (64-Bit) - 18.1.0.661) - x64 version

Product URLs

http://corel.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

A remote memory corruption vulnerability exists in the EMF parsing functionality of CorelDRAW. A specially crafted EMF file can trigger an out-of-bounds write, resulting in potential memory corruption.

Vulnerable code is located in the CdrGfx.dll library:

.text:0000000000176B1B corruption_label:                       ; CODE XREF: corel_bug_proc+52j
.text:0000000000176B1B                                         ; corel_bug_proc+91j
.text:0000000000176B1B                 lea     eax, [r13-1]
.text:0000000000176B1F                 mov     [rsi+rax*8], ebp 
.text:0000000000176B22                 mov     [rsi+rax*8+4], r15d
.text:0000000000176B27                 inc     dword ptr [rdi+8] 

The code shown above is executed when an EMR_CREATEBRUSHINDIRECT (39) record from the EMF file is parsed. Such a record is composed as follows [1]:

[RecordType] [RecordSize] [ihBrush] [LogBrush]

An attacker can control the RAX register value used by the writes at 0x176B1F and 0x176B22 simply by changing the ihBrush value of the EMR_CREATEBRUSHINDIRECT record in the EMF file. RAX is used as an unchecked 8-byte-stride index into a table at RSI, so the result is a memory write whose destination address is controlled by the attacker.

Additionally, this vulnerability can be triggered using other EMF records that carry an object handle index. Below is a list of records that can be used to trigger this problem:

38 - EMR_CREATEPEN
39 - EMR_CREATEBRUSHINDIRECT
40 - EMR_DELETEOBJECT
82 - EMR_EXTCREATEFONTINDIRECTW
93 - EMR_CREATEMONOBRUSH
94 - EMR_CREATEDIBPATTERNBRUSHPT
95 - EMR_EXTCREATEPEN

[1] - https://msdn.microsoft.com/en-us/library/cc230604.aspx
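As an added, defender-side example (not part of the Talos advisory or of Corel's code), the following Python checker walks an EMF record stream and flags any of the object records listed above whose handle index (the third DWORD of the record) lies outside the object table size declared by the header's Handles field; the header offsets and the rule that index 0 is reserved follow MS-EMF, and the sample file is constructed inline with the same ihBrush value (0xDDDDDDDD) that appears in R13 at the crash.

```python
import struct

# Record types from the advisory whose third DWORD is an object-table index.
HANDLE_RECORDS = {38: "EMR_CREATEPEN", 39: "EMR_CREATEBRUSHINDIRECT",
                  40: "EMR_DELETEOBJECT", 82: "EMR_EXTCREATEFONTINDIRECTW",
                  93: "EMR_CREATEMONOBRUSH", 94: "EMR_CREATEDIBPATTERNBRUSHPT",
                  95: "EMR_EXTCREATEPEN"}
EMR_HEADER, EMR_EOF = 1, 14
EMF_SIGNATURE = 0x464D4520  # ' EMF', at offset 40 of EMR_HEADER (MS-EMF)


def check_emf_handles(data):
    """Return [(offset, record name, index, handles)] for every object record
    whose index is outside the declared object table. Valid indices are
    1 .. Handles-1 because index 0 of the EMF object table is reserved."""
    if len(data) < 88 or struct.unpack_from("<I", data, 0)[0] != EMR_HEADER:
        raise ValueError("not an EMF file (missing EMR_HEADER)")
    if struct.unpack_from("<I", data, 40)[0] != EMF_SIGNATURE:
        raise ValueError("bad EMF signature")
    handles = struct.unpack_from("<H", data, 56)[0]  # Handles: object table size
    findings, off = [], 0
    while off + 8 <= len(data):
        rtype, rsize = struct.unpack_from("<II", data, off)
        # Record sizes are DWORD-aligned and must fit in the file.
        if rsize < 8 or rsize % 4 or off + rsize > len(data):
            findings.append((off, "MALFORMED_RECORD", rsize, handles))
            break
        if rtype in HANDLE_RECORDS and rsize >= 12:
            ih = struct.unpack_from("<I", data, off + 8)[0]
            if not 1 <= ih < handles:
                findings.append((off, HANDLE_RECORDS[rtype], ih, handles))
        if rtype == EMR_EOF:
            break
        off += rsize
    return findings


def build_sample(ih_brush):
    """Constructed minimal EMF: EMR_HEADER (Handles=2), one
    EMR_CREATEBRUSHINDIRECT with the given ihBrush, then EMR_EOF."""
    header = bytearray(88)
    struct.pack_into("<II", header, 0, EMR_HEADER, 88)          # Type, Size
    struct.pack_into("<I", header, 40, EMF_SIGNATURE)           # Signature
    struct.pack_into("<IIH", header, 48, 132, 3, 2)             # Bytes, Records, Handles
    # Type, Size, ihBrush, LogBrushEx (BrushStyle, Color, BrushHatch)
    brush = struct.pack("<IIIIII", 39, 24, ih_brush, 0, 0x00FF0000, 0)
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)          # Type, Size, nPalEntries, offPalInfo, SizeLast
    return bytes(header + brush + eof)
```

Running check_emf_handles(build_sample(0xDDDDDDDD)) reports the brush record at offset 88 with index 0xDDDDDDDD against a 2-entry table, while an in-range index such as 1 produces no findings.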

Crash Information

FAULTING_IP: 
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+23ff
00007ffa`673f6b1f 892cc6          mov     dword ptr [rsi+rax*8],ebp

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffa673f6b1f (CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x00000000000023ff)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000023129b72850
Attempt to write to address 0000023129b72850

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=00000000dddddddc rbx=0000000000000000 rcx=0000022a3ac83930
rdx=0000000000000020 rsi=0000022a3ac83970 rdi=000000e8986fd720
rip=00007ffa673f6b1f rsp=000000e8986fd440 rbp=0000000000000020
 r8=0000000000000000  r9=000000e8986fd720 r10=00007ffa67290000
r11=000000e8986fd478 r12=0000022216b422e4 r13=00000000dddddddd
r14=0000022a3ac60080 r15=0000000000000000
iopl=0         nv up ei ng nz ac po cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010297
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x23ff:
00007ffa`673f6b1f 892cc6          mov     dword ptr [rsi+rax*8],ebp ds:00000231`29b72850=????????

FAULTING_THREAD:  0000000000001ce8

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

PROCESS_NAME:  CorelDRW-APP.exe

ADDITIONAL_DEBUG_TEXT:  
You can run '.symfix; .reload' to try to fix the symbol path and load symbols.

MODULE_NAME: CdrGfx

FAULTING_MODULE: 00007ffa982c0000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  576deefd

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000023129b72850

WRITE_ADDRESS:  0000023129b72850 

FOLLOWUP_IP: 
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+23ff
00007ffa`673f6b1f 892cc6          mov     dword ptr [rsi+rax*8],ebp

APP:  coreldrw-app.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0x1ce8 (0)
Current frame: 
Child-SP         RetAddr          Caller, Callee

PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS

BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER:  from 00007ffa673f7078 to 00007ffa673f6b1f

STACK_TEXT:  
000000e8`986fd440 00007ffa`673f7078 : 00000000`00000000 0000022a`3ac60080 00000000`00000000 000000e8`986fd5f1 : 
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x23ff
000000e8`986fd480 00007ffa`673f5a5a : 00000222`16b422e4 000000e8`986fd720 000000e8`986fd5f1 00000000`00000001 : 
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x2958
000000e8`986fd4d0 00007ffa`673f4e3b : 0000022a`3ac5c700 00000222`16b40000 000000e8`986fd5f1 00000000`00000000 : 
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x133a
000000e8`986fd500 00007ffa`9573fe02 : 0000022a`3ac5c700 00000222`16b40000 00000000`00000000 00000000`00000000 : 
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x71b
000000e8`986fd530 00007ffa`973f15c1 : 00000222`16b40000 00007ffa`9573e4cf 00000000`ffffffff 000000e8`986fd7a0 : 
gdi32full!SetWinMetaFileBits+0xf62
000000e8`986fd650 00007ffa`673f4d60 : 00000000`00000000 000000e8`986fd7a0 00000000`4d461147 00000000`4d461147 : 
GDI32!EnumEnhMetaFileStub+0x51
000000e8`986fd6a0 00007ffa`673f46f0 : 00000000`00000001 0000022a`3acd7990 00000000`00000000 00000000`00000001 : 
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x640
000000e8`986fe140 00007ffa`68370eb6 : 00000000`00000001 00007ffa`9573e6d7 0000022a`3ac5c3f0 00000000`00000001 : 
CdrGfx!EMF2UDI_PlayEMFFromFileName+0x90
000000e8`986fe210 00007ffa`5b6e3d64 : 0000022a`3ac78068 0000022a`3ac78068 ffffffff`cf461a8e 0000022a`3ac78068 : 
VGCore!StartApp+0xa056
000000e8`986fe260 00007ffa`5b6e251e : 00000000`00000001 00000000`00000001 00000000`00000001 00007ffa`761f2c0f : 
IEWMF!FilterEntry01+0x1914
000000e8`986fe2d0 00007ffa`75b6097d : 0000022a`3ab1e660 00000000`000000c0 ffffffff`fffffffe 00007ffa`6cf21bb0 : 
IEWMF!FilterEntry01+0xce
000000e8`986fe330 00007ffa`75b4e7ff : 00000000`00000000 00000000`00000001 0000022a`3ac78068 00000000`00000000 : 
CDRFLT!FLTCLIPDATA::GetClrUsed+0x101d
000000e8`986fe370 00007ffa`678feb6c : 0000022a`00000000 0000022a`3acd7cc8 000000e8`986fe4a8 0000022a`3ac78060 : 
CDRFLT!CPT_DROP_SHADOW::LoadFrom+0x4ff
000000e8`986fe4a0 00007ffa`67a26ac5 : 0000022a`3acee8c0 00000222`1883aa28 0000022a`00000001 000000e8`986fe5f0 :    
CdrCore!WDrawFilterManager::ImportClip+0x4c
000000e8`986fe4f0 00007ffa`6844ff6b : 00000000`00000000 000000e8`986fe910 00000222`00000000 0000022a`3ac78060 : 
CdrCore!WOpenImport::Import+0xd75
000000e8`986fe910 00007ffa`68439012 : 0000022a`3abdddb0 00000222`1454bbb8 000000e8`986fea50 000000e8`00000000 : 
VGCore!CDrawlibDoc::Clone+0xa937b
000000e8`986fea00 00007ffa`683adaec : 00000222`18b0c2e0 00007ffa`761f8ad9 000000e8`986febf8 000000e8`986feb80 : 
VGCore!CDrawlibDoc::Clone+0x92422
000000e8`986feb30 00007ffa`683ad604 : 00000000`00000000 000000e8`986fec31 00000000`00000000 00000000`00000000 : 
VGCore!CDrawlibDoc::Clone+0x6efc
000000e8`986feba0 00007ffa`683795f8 : 000000e8`986fed30 0000022a`3a1865a0 000000e8`986fed68 00000222`1454bbb8 : 
VGCore!CDrawlibDoc::Clone+0x6a14
000000e8`986fec80 00007ffa`6839543e : 000000e8`986fee48 0000022a`00000000 00007ffa`68b4e154 0000022a`3aab19f8 : 
VGCore!StartApp+0x12798
000000e8`986fee20 00007ffa`683958c9 : 0000022a`3aa2db18 0000022a`392b90a0 0000022a`3aa29608 0000022a`3aa2db18 : 
VGCore!StartApp+0x2e5de
000000e8`986fee70 00007ffa`6838022c : 00000000`00000000 0000022a`3a2bf8c0 0000022a`3aa2db18 00000222`187c7820 : 
VGCore!StartApp+0x2ea69
000000e8`986fef40 00007ffa`683783fb : 00000000`00000000 00000000`00000001 00000222`18b0c2e0 00000222`18b07480 : 
VGCore!StartApp+0x193cc
000000e8`986fef90 00007ffa`6837e4d0 : 00000000`00000000 00000000`00000001 00000000`00000001 00000222`145611e0 : 
VGCore!StartApp+0x1159b
000000e8`986ff000 00007ffa`67e7fa1b : 00000222`18b08570 000000e8`986ff2b0 00000000`00000000 00000222`14561238 : 
VGCore!StartApp+0x17670
000000e8`986ff030 00007ffa`67e7f6e9 : 000000e8`986ff2b0 00000000`00000001 00000000`00000001 00000222`18b07480 : 
CrlFrmWk!WCmnUI_FrameWorkApp::OnIdle+0xdb
000000e8`986ff070 00007ffa`67e7f849 : 00000222`18b07480 000000e8`986ff2b0 000000e8`986ff240 4b18a26b`5f3d1849 : 
CrlFrmWk!WCmnUI_FrameWorkApp::RunMessageLoop+0x99
000000e8`986ff100 00007ffa`67e63e49 : 0000022a`3a38e668 00000222`18d64350 00000222`18d64350 00000222`18c2ed58 : 
CrlFrmWk!WCmnUI_FrameWorkApp::Run+0x69
000000e8`986ff140 00007ffa`683670dd : 00000222`145e3630 00000222`145e3630 00000222`145e3630 00000000`00000000 : 
CrlFrmWk!IAppFramework::GetInstance+0x11a9
000000e8`986ff510 00007ff7`94ec22a2 : 00000222`145f6238 000000e8`986ff680 00000000`00000000 00000222`14542501 : 
VGCore!StartApp+0x27d
000000e8`986ff5e0 00007ff7`94ec16be : 000000e8`986ff680 00000000`0000000a 00000000`00000000 00000000`00000003 : 
CorelDRW_APP+0x22a2
000000e8`986ff640 00007ff7`94ec78d6 : 00000000`00000000 00007ff7`94ed0de0 00000000`00000000 00000000`0000000a : 
CorelDRW_APP+0x16be
000000e8`986ff730 00007ffa`95b38364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 
CorelDRW_APP+0x78d6
000000e8`986ff770 00007ffa`98325e91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 
KERNEL32!BaseThreadInitThunk+0x14
000000e8`986ff7a0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 
ntdll!RtlUserThreadStart+0x21


STACK_COMMAND:  .cxr 0x0 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  cdrgfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+23ff

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  CdrGfx.dll

BUCKET_ID:  WRONG_SYMBOLS

FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000005_CdrGfx.dll!EMF2UDI_PlayEMFFromEnhMetaFileHandle

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:wrong_symbols_c0000005_cdrgfx.dll!emf2udi_playemffromenhmetafilehandle

FAILURE_ID_HASH:  {efbf1f89-ad00-39f3-3352-b0c702d36b36}

Followup: MachineOwner
---------

Timeline

2016-12-23 - Vendor Disclosure
2017-07-20 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.