Talos Vulnerability Report

TALOS-2017-0297

Corel PHOTO-PAINT X8 64-bit TIFF Filter Code Execution Vulnerability

July 20, 2017
CVE Number

CVE-2017-2803

Summary

A remote out-of-bounds write vulnerability exists in the TIFF parsing functionality of Corel PHOTO-PAINT X8 version 18.1.0.661. A specially crafted TIFF file can trigger this vulnerability, resulting in potential memory corruption. An attacker can send the victim a specific TIFF file to trigger this vulnerability. This vulnerability only exists in the 64-bit version.

Tested Versions

  • Corel PHOTO-PAINT X8 (Corel TIFF Import/Export Filter (64-Bit) - 18.1.0.661) - x64 version

Product URLs

http://corel.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Details

A remote memory corruption vulnerability exists in the TIFF parsing functionality of Corel PHOTO-PAINT. A specially crafted TIFF file can trigger this vulnerability, resulting in potential memory corruption.

Module used in this advisory:

0:000> lm vm IETIF
start             end                 module name
00000000`0fc10000 00000000`0fc39000   IETIF      (export symbols)       c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters64\IETIF.FLT
	Loaded symbol image file: c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters64\IETIF.FLT
	Image path: c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters64\IETIF.FLT
	Image name: IETIF.FLT
	Timestamp:        Fri Jun 24 20:44:10 2016 (576DEFFA)
	CheckSum:         0002F213
	ImageSize:        00029000
	File version:     18.1.0.661
	Product version:  18.1.0.661

While parsing the TIFF IFD entries, a crafted TIFF file can cause an integer underflow, resulting in a large value being passed as the size argument to a memset.

.text:0000000040010AFA 088                 movzx   eax, word ptr [rdx+r9+1B8A6h] ; Data coming from IETIF.flt binary itself [0]
.text:0000000040010B03 088                 mov     edi, [rsp+88h+var_54]         ; [1]
.text:0000000040010B07 088                 sub     edi, eax        ; underflow causing large memset size
.text:0000000040010B09 088                 jmp     short loc_40010B0F
...
.text:0000000040010B0F 088                 test    ebx, ebx
.text:0000000040010B11 088                 mov     eax, edi     
.text:0000000040010B13 088                 cmovs   ebx, r13d
.text:0000000040010B17 088                 shr     eax, 3
.text:0000000040010B1A 088                 mov     ebp, ebx
.text:0000000040010B1C 088                 and     bx, 7
.text:0000000040010B20 088                 shr     ebp, 3
.text:0000000040010B23 088                 sub     eax, ebp
.text:0000000040010B25 088                 jz      short loc_40010B4A
.text:0000000040010B27 088                 mov     r8d, eax        
.text:0000000040010B2A 088                 lea     rcx, [rsi+1]
.text:0000000040010B2E 088                 mov     eax, ebp
.text:0000000040010B30 088                 add     rcx, rax        
.text:0000000040010B33 088                 test    r14w, r14w
.text:0000000040010B37 088                 jz      short loc_40010B62
...
.text:0000000040010B62
.text:0000000040010B62     loc_40010B62:                           
.text:0000000040010B62 088                 xor     edx, edx        
.text:0000000040010B64 088                 call    memset          ; [3]

One value [0] comes from a table of numbers within the binary itself, whose offset is directly controlled by file data. The other [1] comes from a calculation based on the file data. Because the attacker can force [1] to be less than [0], the unsigned subtraction underflows, and the resulting large size is passed to memset [3].

Crash Information

(10b0.a1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\VCRUNTIME140.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters64\IETIF.FLT -
VCRUNTIME140!memset+0xa5:
00000000`03b4cd15 660f2941f0      movapd  xmmword ptr [rcx-10h],xmm0 ds:00000001`249dd000=????????????????????????????????
0:000> r
rax=0000000000000000 rbx=0000000000000000 rcx=00000001249dd010
rdx=0000000000000000 rsi=0000000121e3db0c rdi=00000000fffffffe
rip=0000000003b4cd15 rsp=000000000012c6c8 rbp=0000000000000000
r8=000000001ffffffc  r9=00000000003a8c15 r10=0000000000000004
r11=0000000121e3db0d r12=000000000012c7a0 r13=0000000000000000
r14=0000000000000000 r15=000000000fc37110
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
VCRUNTIME140!memset+0xa5:
00000000`03b4cd15 660f2941f0      movapd  xmmword ptr [rcx-10h],xmm0 ds:00000001`249dd000=????????????????????????????????
0:000> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
00000000`0012c6c8 00000000`0fc20b69 : 00000000`ffffffff 00000001`2770a960 00000000`00000001 00000000`0000cccc : VCRUNTIME140!memset+0xa5
00000000`0012c6d0 00000000`0fc213a6 : 00000001`2770a960 00000001`21e3db0c 00000000`0012c7a8 00000000`0000cccc : IETIF!FilterEntry04+0xe729
00000000`0012c760 00000000`0fc17fa2 : 00000000`ab7ef920 00000000`b9f13fb0 00000000`b9350600 00000000`ab7ef920 : IETIF!FilterEntry04+0xef66
00000000`0012c800 00000000`0fc18485 : 00000000`00000001 00000000`02bd8af6 00000000`00000001 00000000`00000001 : IETIF!FilterEntry04+0x5b62
00000000`0012c890 00000000`0fc1a992 : 00000000`00000000 00000000`00000000 00000000`0000199a 000092c1`c87bca34 : IETIF!FilterEntry04+0x6045
00000000`0012c950 00000000`0fc1afa4 : 00000000`138fb200 00000000`00000000 00000000`00000001 00000000`0fc1af50 : IETIF!FilterEntry04+0x8552
00000000`0012ca30 00000000`0fc1d82d : 00000000`ab7ef920 00000000`b915fea0 00000001`249e0e30 00000000`0fc1af50 : IETIF!FilterEntry04+0x8b64
00000000`0012caa0 00000000`0fc11ff0 : 00000000`00000000 00000000`ab7ef920 00000000`ab7ef920 00000000`00000000 : IETIF!FilterEntry04+0xb3ed
00000000`0012cb40 00000000`1597097d : 00000000`2146b8f0 00000000`2146b8f0 00000000`00000180 00000000`00000001 : IETIF!FilterEntry+0x90
00000000`0012cb70 00000000`1595e7ff : 00000000`00000000 00000000`00000001 00000000`ab7ef920 00000000`00000000 : CDRFLT!FLTCLIPDATA::GetClrUsed+0x101d
00000000`0012cbb0 00000000`131f2298 : 00000000`00000000 00000000`78f170f7 00000000`00160000 00000000`00000001 : CDRFLT!CPT_DROP_SHADOW::LoadFrom+0x4ff
00000000`0012cce0 00000000`131eac66 : 00000000`1424fa1b 00000000`1424f6e9 00000000`0012d0fc 00000000`ba2bbfc0 : corelpp!CTool::GetAutoScroll+0x630a8
00000000`0012cde0 00000000`131e7e91 : 00000000`00130000 00200000`00109000 000007ff`00000001 00000000`78f199a5 : corelpp!CTool::GetAutoScroll+0x5ba76
00000000`0012d020 00000000`131e761c : 00000000`ba1d6fe0 00000000`ab7ef920 00000000`b928c8b0 00000000`ba1d6fe0 : corelpp!CTool::GetAutoScroll+0x58ca1
00000000`0012d760 00000000`130eea42 : 00000000`b91e2e50 00000000`ba1d6fe0 00000000`560a4580 00000000`0012e4d8 : corelpp!CTool::GetAutoScroll+0x5842c
00000000`0012e4a0 00000000`130efc79 : 00000000`ba1d6fe0 00000000`136390d0 00000000`b91e2e50 00000000`b91e2e50 : corelpp!CPntCom::CPntCom+0x28b32
00000000`0012e5d0 00000000`131384b7 : 00000000`136390d0 00000000`0012e9d0 00000000`b91e2e50 00000000`ab845de8 : corelpp!CPntCom::CPntCom+0x29d69
00000000`0012e740 00000000`13139f6b : 00000000`13903ba0 00000000`0012e9d0 00000000`b91e2e50 00000000`06927b70 : corelpp!CPntCom::CPntCom+0x725a7
00000000`0012e780 00000000`131383aa : 00000000`0012e8d0 00000000`0012f578 00000000`0012e9d0 00000000`b91e2e50 : corelpp!CPntCom::CPntCom+0x7405b
00000000`0012e880 00000000`1350ab4e : 00000000`0012f578 00000000`0012e9d0 00000000`ab845de8 00000000`0012e8d0 : corelpp!CPntCom::CPntCom+0x7249a
00000000`0012e8d0 00000000`135094d9 : 00000000`0012f540 00000000`b8f06ff0 00000000`00000000 00000000`b9141fe8 : corelpp!GetComponentTool+0xa58de
00000000`0012f4c0 00000000`13506d26 : 00000000`b89dcfc0 00000000`b8cacf48 00000000`b9143fd8 00000000`146b03d0 : corelpp!GetComponentTool+0xa4269
00000000`0012f5f0 00000000`130a9c7e : 00000000`0012f648 00000000`5b312fc0 00000000`1373bbe4 00000000`acc1aff8 : corelpp!GetComponentTool+0xa1ab6
00000000`0012f620 00000000`130a4f29 : 00000000`b8a90fe8 00000000`5b312fc0 00000000`acc1aff8 00000000`060a3d66 : corelpp!CTool::GetNumStrokes+0x231e
00000000`0012f670 00000000`130dc3cc : 00000000`00000000 00000000`b8a90fe8 00000000`560a4580 00000000`5b21afd0 : corelpp!StartApp+0xc139
00000000`0012f740 00000000`1350d6f8 : 00000000`00000000 00000000`00000001 00000000`560a4580 00000000`00000000 : corelpp!CPntCom::CPntCom+0x164bc
00000000`0012f790 00000000`13098c87 : 00000000`accb4ff8 00000000`00000000 00000000`0012fa90 00000000`00000000 : corelpp!GetComponentTool+0xa8488
00000000`0012f7e0 00000000`1424fa1b : 00000000`58dcffe0 00000000`0012fa90 00000000`00000000 00000000`021abe78 : corelpp!CTool::GetToolMode+0x4ac7
00000000`0012f810 00000000`1424f6e9 : 00000000`0012fa90 00000000`00000001 00000000`00000001 00000000`58dd5b98 : CrlFrmWk!WCmnUI_FrameWorkApp::OnIdle+0xdb
00000000`0012f850 00000000`1424f849 : 00000000`57c9aef0 00000000`0012fa90 00000000`0012fa20 4b18a26b`5f3d1849 : CrlFrmWk!WCmnUI_FrameWorkApp::RunMessageLoop+0x99
00000000`0012f8e0 00000000`14233e49 : 00000000`b182cfd8 00000000`58e6fe10 00000000`58e6fe10 00000000`59564fe8 : CrlFrmWk!WCmnUI_FrameWorkApp::Run+0x69
00000000`0012f920 00000000`13099069 : 00000000`06006a58 00000000`21245ff0 00000000`06006a58 00000000`00000000 : CrlFrmWk!IAppFramework::GetInstance+0x11a9
00000000`0012fcf0 00000001`40001d92 : 00000000`0012fe70 00000000`0012fe70 00000000`00000000 00000000`019cee01 : corelpp!StartApp+0x279
00000000`0012fdd0 00000001`400015a6 : 00000000`0012fe70 00000000`0000000a 00000000`00000000 00000000`0012fe70 : CorelPP_APP+0x1d92
00000000`0012fe30 00000001`40007466 : 00000000`00000000 00000001`4000fd90 00000000`00000000 01d29f39`66f6ad86 : CorelPP_APP+0x15a6
00000000`0012ff20 00000000`78d3652d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CorelPP_APP+0x7466
00000000`0012ff60 00000000`78e7c521 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0012ff90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

Timeline

2017-03-28 - Vendor Disclosure
2017-07-20 - Public Release

Credit

Discovered by a member of Cisco Talos