CVE-2017-2803
A remote out-of-bounds write vulnerability exists in the TIFF parsing functionality of Corel PHOTO-PAINT X8 version 18.1.0.661. A specially crafted TIFF file can cause a vulnerability resulting in potential memory corruption. An attacker can send the victim a specific TIFF file to trigger this vulnerability. This vulnerability only exists in the 64-bit version.
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787 - Out-of-bounds Write
A remote memory corruption vulnerability exists in the TIFF parsing functionality of Corel PHOTO-PAINT. A specially crafted TIFF file can cause a vulnerability resulting in potential memory corruption.
Module used in this advisory:
0:000> lm vm IETIF
start end module name
00000000`0fc10000 00000000`0fc39000 IETIF (export symbols) c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters64\IETIF.FLT
Loaded symbol image file: c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters64\IETIF.FLT
Image path: c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters64\IETIF.FLT
Image name: IETIF.FLT
Timestamp: Fri Jun 24 20:44:10 2016 (576DEFFA)
CheckSum: 0002F213
ImageSize: 00029000
File version: 18.1.0.661
Product version: 18.1.0.661
While parsing the TIFF IFD entries, a crafted TIFF file can cause an underflow resulting in a large value being passed as the size to a memset.
.text:0000000040010AFA 088 movzx eax, word ptr [rdx+r9+1B8A6h] ; Data coming from IETIF.flt binary itself [0]
.text:0000000040010B03 088 mov edi, [rsp+88h+var_54] ; [1]
.text:0000000040010B07 088 sub edi, eax ; underflow causing large memset size
.text:0000000040010B09 088 jmp short loc_40010B0F
...
.text:0000000040010B0F 088 test ebx, ebx
.text:0000000040010B11 088 mov eax, edi
.text:0000000040010B13 088 cmovs ebx, r13d
.text:0000000040010B17 088 shr eax, 3
.text:0000000040010B1A 088 mov ebp, ebx
.text:0000000040010B1C 088 and bx, 7
.text:0000000040010B20 088 shr ebp, 3
.text:0000000040010B23 088 sub eax, ebp
.text:0000000040010B25 088 jz short loc_40010B4A
.text:0000000040010B27 088 mov r8d, eax
.text:0000000040010B2A 088 lea rcx, [rsi+1]
.text:0000000040010B2E 088 mov eax, ebp
.text:0000000040010B30 088 add rcx, rax
.text:0000000040010B33 088 test r14w, r14w
.text:0000000040010B37 088 jz short loc_40010B62
...
.text:0000000040010B62
.text:0000000040010B62 loc_40010B62:
.text:0000000040010B62 088 xor edx, edx
.text:0000000040010B64 088 call memset ; [3]
One value [0] comes from a table of numbers from within the binary itself, whose offset is directly affected by file data. The other [1] comes from a calculation based on the file data itself. Because the attacker can force [1] to be less than [0], the underflow can be triggered, causing a large size to be passed to memset [3].
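The size arithmetic from the listing above, modelled as an added C example (not Corel's code): the unchecked form reproduces the wrap that the crash dump shows in rdi (0xfffffffe, i.e. [1] - [0] == -2), and a checked form rejects it. The parameter names and the buffer-length argument are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the size arithmetic in the IETIF.FLT listing
 * (added example, not Corel's code). Names are assumptions:
 *   total_bits : value [1], computed from the TIFF IFD entries in the file
 *   table_bits : value [0], read from a table inside the binary at an
 *                offset chosen by file data
 *   start_bits : the value in ebx, clamped to 0 when negative (cmovs)
 * The listing computes
 *   size = ((total_bits - table_bits) >> 3) - (start_bits >> 3)
 * and passes size in r8d to memset, where it is zero-extended to size_t. */

/* Vulnerable form: mirrors the disassembly with no range check. */
uint32_t unchecked_memset_size(uint32_t total_bits, uint32_t table_bits, int32_t start_bits)
{
    uint32_t start = start_bits < 0 ? 0 : (uint32_t)start_bits; /* cmovs ebx, r13d */
    uint32_t diff = total_bits - table_bits;                     /* sub edi, eax: wraps */
    return (diff >> 3) - (start >> 3);                           /* shr / sub -> r8d */
}

/* Hardened form: reject both possible underflows and bound the result by
 * the destination buffer (memset writes at buf + 1 + skip). Returns -1 on
 * rejection, otherwise the size that may be passed to memset. */
int64_t checked_memset_size(uint32_t total_bits, uint32_t table_bits, int32_t start_bits, size_t buf_len)
{
    uint32_t start = start_bits < 0 ? 0 : (uint32_t)start_bits;
    if (total_bits < table_bits) return -1;            /* would wrap in sub edi, eax */
    uint32_t bytes = (total_bits - table_bits) >> 3;
    uint32_t skip = start >> 3;
    if (bytes < skip) return -1;                        /* would wrap in sub eax, ebp */
    uint32_t size = bytes - skip;
    if (buf_len < 1 + (size_t)skip) return -1;          /* dest offset outside buffer */
    if (size > buf_len - 1 - skip) return -1;           /* write would run past end */
    return (int64_t)size;
}

int main(void)
{
    /* The crash dump shows rdi = 0xfffffffe, i.e. [1] - [0] == -2. */
    printf("unchecked: 0x%08x\n", unchecked_memset_size(0, 2, 0));                 /* 0x1fffffff */
    printf("checked:   %lld\n", (long long)checked_memset_size(0, 2, 0, 4096));    /* -1 */
    printf("checked:   %lld\n", (long long)checked_memset_size(64, 16, 8, 4096));  /* 5 */
    return 0;
}
```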
(10b0.a1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\VCRUNTIME140.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for c:\Program Files\Corel\CorelDRAW Graphics Suite X8\Filters64\IETIF.FLT -
VCRUNTIME140!memset+0xa5:
00000000`03b4cd15 660f2941f0 movapd xmmword ptr [rcx-10h],xmm0 ds:00000001`249dd000=????????????????????????????????
0:000> r
rax=0000000000000000 rbx=0000000000000000 rcx=00000001249dd010
rdx=0000000000000000 rsi=0000000121e3db0c rdi=00000000fffffffe
rip=0000000003b4cd15 rsp=000000000012c6c8 rbp=0000000000000000
r8=000000001ffffffc r9=00000000003a8c15 r10=0000000000000004
r11=0000000121e3db0d r12=000000000012c7a0 r13=0000000000000000
r14=0000000000000000 r15=000000000fc37110
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
VCRUNTIME140!memset+0xa5:
00000000`03b4cd15 660f2941f0 movapd xmmword ptr [rcx-10h],xmm0 ds:00000001`249dd000=????????????????????????????????
0:000> kv
Child-SP RetAddr : Args to Child : Call Site
00000000`0012c6c8 00000000`0fc20b69 : 00000000`ffffffff 00000001`2770a960 00000000`00000001 00000000`0000cccc : VCRUNTIME140!memset+0xa5
00000000`0012c6d0 00000000`0fc213a6 : 00000001`2770a960 00000001`21e3db0c 00000000`0012c7a8 00000000`0000cccc : IETIF!FilterEntry04+0xe729
00000000`0012c760 00000000`0fc17fa2 : 00000000`ab7ef920 00000000`b9f13fb0 00000000`b9350600 00000000`ab7ef920 : IETIF!FilterEntry04+0xef66
00000000`0012c800 00000000`0fc18485 : 00000000`00000001 00000000`02bd8af6 00000000`00000001 00000000`00000001 : IETIF!FilterEntry04+0x5b62
00000000`0012c890 00000000`0fc1a992 : 00000000`00000000 00000000`00000000 00000000`0000199a 000092c1`c87bca34 : IETIF!FilterEntry04+0x6045
00000000`0012c950 00000000`0fc1afa4 : 00000000`138fb200 00000000`00000000 00000000`00000001 00000000`0fc1af50 : IETIF!FilterEntry04+0x8552
00000000`0012ca30 00000000`0fc1d82d : 00000000`ab7ef920 00000000`b915fea0 00000001`249e0e30 00000000`0fc1af50 : IETIF!FilterEntry04+0x8b64
00000000`0012caa0 00000000`0fc11ff0 : 00000000`00000000 00000000`ab7ef920 00000000`ab7ef920 00000000`00000000 : IETIF!FilterEntry04+0xb3ed
00000000`0012cb40 00000000`1597097d : 00000000`2146b8f0 00000000`2146b8f0 00000000`00000180 00000000`00000001 : IETIF!FilterEntry+0x90
00000000`0012cb70 00000000`1595e7ff : 00000000`00000000 00000000`00000001 00000000`ab7ef920 00000000`00000000 : CDRFLT!FLTCLIPDATA::GetClrUsed+0x101d
00000000`0012cbb0 00000000`131f2298 : 00000000`00000000 00000000`78f170f7 00000000`00160000 00000000`00000001 : CDRFLT!CPT_DROP_SHADOW::LoadFrom+0x4ff
00000000`0012cce0 00000000`131eac66 : 00000000`1424fa1b 00000000`1424f6e9 00000000`0012d0fc 00000000`ba2bbfc0 : corelpp!CTool::GetAutoScroll+0x630a8
00000000`0012cde0 00000000`131e7e91 : 00000000`00130000 00200000`00109000 000007ff`00000001 00000000`78f199a5 : corelpp!CTool::GetAutoScroll+0x5ba76
00000000`0012d020 00000000`131e761c : 00000000`ba1d6fe0 00000000`ab7ef920 00000000`b928c8b0 00000000`ba1d6fe0 : corelpp!CTool::GetAutoScroll+0x58ca1
00000000`0012d760 00000000`130eea42 : 00000000`b91e2e50 00000000`ba1d6fe0 00000000`560a4580 00000000`0012e4d8 : corelpp!CTool::GetAutoScroll+0x5842c
00000000`0012e4a0 00000000`130efc79 : 00000000`ba1d6fe0 00000000`136390d0 00000000`b91e2e50 00000000`b91e2e50 : corelpp!CPntCom::CPntCom+0x28b32
00000000`0012e5d0 00000000`131384b7 : 00000000`136390d0 00000000`0012e9d0 00000000`b91e2e50 00000000`ab845de8 : corelpp!CPntCom::CPntCom+0x29d69
00000000`0012e740 00000000`13139f6b : 00000000`13903ba0 00000000`0012e9d0 00000000`b91e2e50 00000000`06927b70 : corelpp!CPntCom::CPntCom+0x725a7
00000000`0012e780 00000000`131383aa : 00000000`0012e8d0 00000000`0012f578 00000000`0012e9d0 00000000`b91e2e50 : corelpp!CPntCom::CPntCom+0x7405b
00000000`0012e880 00000000`1350ab4e : 00000000`0012f578 00000000`0012e9d0 00000000`ab845de8 00000000`0012e8d0 : corelpp!CPntCom::CPntCom+0x7249a
00000000`0012e8d0 00000000`135094d9 : 00000000`0012f540 00000000`b8f06ff0 00000000`00000000 00000000`b9141fe8 : corelpp!GetComponentTool+0xa58de
00000000`0012f4c0 00000000`13506d26 : 00000000`b89dcfc0 00000000`b8cacf48 00000000`b9143fd8 00000000`146b03d0 : corelpp!GetComponentTool+0xa4269
00000000`0012f5f0 00000000`130a9c7e : 00000000`0012f648 00000000`5b312fc0 00000000`1373bbe4 00000000`acc1aff8 : corelpp!GetComponentTool+0xa1ab6
00000000`0012f620 00000000`130a4f29 : 00000000`b8a90fe8 00000000`5b312fc0 00000000`acc1aff8 00000000`060a3d66 : corelpp!CTool::GetNumStrokes+0x231e
00000000`0012f670 00000000`130dc3cc : 00000000`00000000 00000000`b8a90fe8 00000000`560a4580 00000000`5b21afd0 : corelpp!StartApp+0xc139
00000000`0012f740 00000000`1350d6f8 : 00000000`00000000 00000000`00000001 00000000`560a4580 00000000`00000000 : corelpp!CPntCom::CPntCom+0x164bc
00000000`0012f790 00000000`13098c87 : 00000000`accb4ff8 00000000`00000000 00000000`0012fa90 00000000`00000000 : corelpp!GetComponentTool+0xa8488
00000000`0012f7e0 00000000`1424fa1b : 00000000`58dcffe0 00000000`0012fa90 00000000`00000000 00000000`021abe78 : corelpp!CTool::GetToolMode+0x4ac7
00000000`0012f810 00000000`1424f6e9 : 00000000`0012fa90 00000000`00000001 00000000`00000001 00000000`58dd5b98 : CrlFrmWk!WCmnUI_FrameWorkApp::OnIdle+0xdb
00000000`0012f850 00000000`1424f849 : 00000000`57c9aef0 00000000`0012fa90 00000000`0012fa20 4b18a26b`5f3d1849 : CrlFrmWk!WCmnUI_FrameWorkApp::RunMessageLoop+0x99
00000000`0012f8e0 00000000`14233e49 : 00000000`b182cfd8 00000000`58e6fe10 00000000`58e6fe10 00000000`59564fe8 : CrlFrmWk!WCmnUI_FrameWorkApp::Run+0x69
00000000`0012f920 00000000`13099069 : 00000000`06006a58 00000000`21245ff0 00000000`06006a58 00000000`00000000 : CrlFrmWk!IAppFramework::GetInstance+0x11a9
00000000`0012fcf0 00000001`40001d92 : 00000000`0012fe70 00000000`0012fe70 00000000`00000000 00000000`019cee01 : corelpp!StartApp+0x279
00000000`0012fdd0 00000001`400015a6 : 00000000`0012fe70 00000000`0000000a 00000000`00000000 00000000`0012fe70 : CorelPP_APP+0x1d92
00000000`0012fe30 00000001`40007466 : 00000000`00000000 00000001`4000fd90 00000000`00000000 01d29f39`66f6ad86 : CorelPP_APP+0x15a6
00000000`0012ff20 00000000`78d3652d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CorelPP_APP+0x7466
00000000`0012ff60 00000000`78e7c521 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0012ff90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
2017-03-28 - Vendor Disclosure
2017-07-20 - Public Release
Discovered by a member of Cisco Talos