Paintshop Pro X7 GIF Conversion Heap Memory Corruption Vulnerabilities (LZWMinimumCodeSize)

vendor:

PaintShop Pro

by:

Francis Provencher

7.5

CVSS

HIGH

Heap Memory Corruption

119

CWE

Product Name: PaintShop Pro

Affected Version From: Paintshop Prox X7

Affected Version To: Paintshop Prox X7

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2015

Paintshop Pro X7 GIF Conversion Heap Memory Corruption Vulnerabilities (LZWMinimumCodeSize)

The vulnerability is caused due to a boundary error within the processing of GIF images and can be exploited to cause a heap-based memory corruption. Successful exploitation may allow execution of arbitrary code.

Mitigation:

Update to the latest version of Paintshop Pro X7

Source

Exploit-DB raw data:

#####################################################################################

Application:   Paintshop Pro X7 GIF Conversion  Heap Memory Corruption Vulnerabilities (LZWMinimumCodeSize)

Platforms:   Windows

Versions:   The vulnerability is confirmed in version Paintshop Prox X7, Other versions may also be affected.

Secunia:

{PRL}:   2015-06

Author:   Francis Provencher (Protek Research Lab’s)

Website:   http://www.protekresearchlab.com/

Twitter:   @ProtekResearch

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

 

PaintShop Pro (PSP) is a raster and vector graphics editor for Microsoft Windows. It was originally published by Jasc Software. In October 2004, Corel purchased Jasc Software and the distribution rights to Paint Shop Pro. PSP functionality can be extended by Photoshop-compatible plugins.

Although often written as Paint Shop Pro, Corel’s website shows the name for the product as PaintShop Pro. The X-numbered editions have been sold in two versions: PaintShop Pro, which is the basic editing program, and PaintShop Pro Ultimate, which bundles in other standalone programs. The particular bundled programs have varied with each numbered version and have not been sold by Corel as separate products.

(https://en.wikipedia.org/wiki/PaintShop_Pro)

#####################################################################################

============================
2) Report Timeline
============================

2015-04-23: Francis Provencher from Protek Research Lab’s found the issue;
2015-02-24: Francis Provencher From Protek Research Lab’s ask for a security contact at Corel Software;
2015-02-25: Francis Provencher From Protek Research Lab’s ask for a security contact at Corel Software;
2015-05-10: Corel push a silent fix, without credit.

2015-05-16: Publication of this advisory.

 

#####################################################################################

============================
3) Technical details
============================

An error when handling LZWMinimumCodeSize can be exploited to cause an heap memory corruption via a specially crafted GIF file.

#####################################################################################

===========

4) POC

===========

http://protekresearchlab.com/exploits/PRL-2015-06.gif
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37346.gif

###############################################################################