vendor: CorelDRAW Graphics Suite X7
by: Gjoko 'LiquidWorm' Krstic
CVSS: 7,5 HIGH
Off-By-One Memory Corruption Vulnerability
CWE: 119
Product Name: CorelDRAW Graphics Suite X7
Affected Version From: 17.1.0.572 (X7) - 32bit/64bit (EN)
Affected Version To: 15.0.0.486 (X5) - 32bit (EN)
Patch Exists: Yes
Related CWE: N/A
CPE: a:corel:coreldraw_graphics_suite_x7
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Microsoft Windows 7 Professional SP1 (EN)
2014

CorelDRAW X7 CDR File (CdrTxt.dll) Off-By-One Stack Corruption Vulnerability

CorelDRAW is prone to an off-by-one memory corruption vulnerability. An attacker can exploit this issue by tricking a victim into opening a malicious CDR file to execute arbitrary code and/or to cause denial-of-service conditions.

Mitigation:

Update to the latest version of CorelDRAW X7.

Exploit-DB raw data:

CorelDRAW X7 CDR File (CdrTxt.dll) Off-By-One Stack Corruption Vulnerability


Vendor: Corel Corporation
Product web page: http://www.corel.com
Affected version: 17.1.0.572 (X7) - 32bit/64bit (EN)
                  15.0.0.486 (X5) - 32bit (EN)

Summary: CorelDRAW is one of the image-creating programs in a
suite of graphic arts software used by professional artists,
educators, students, businesses and the general public. The
CorelDRAW Graphics Suite X7, which includes CorelDRAW, is sold
as stand-alone software and as a cloud-based subscription.
CorelDRAW is the core of the graphics suite and is primarily
used for vector illustrations and page layouts.

Desc: CorelDRAW is prone to an off-by-one memory corruption
vulnerability. An attacker can exploit this issue by tricking
a victim into opening a malicious CDR file to execute arbitrary
code and/or to cause denial-of-service conditions.

---

eax=13921178 ebx=00000003 ecx=00000000 edx=138fa270 esi=13c41e78 edi=00000002
eip=5fea43e4 esp=001eca8c ebp=131f67b8 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210297
CdrTxt!WStyleList::EndLoad+0x74:
5fea43e4 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????

---

Tested on: Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5204
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5204.php


27.10.2014

---


PoC:

 - http://www.zeroscience.mk/codes/zsl_5204.rar
 - https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35217.rar