Corel Software DLL Hijacking

`Core Security - Corelabs Advisory  
http://corelabs.coresecurity.com/  
  
Corel Software DLL Hijacking  
  
  
  
1. *Advisory Information*  
  
Title: Corel Software DLL Hijacking  
Advisory ID: CORE-2015-0001  
Advisory URL:  
http://www.coresecurity.com/advisories/corel-software-dll-hijacking  
Date published: 2015-01-12  
Date of last update: 2015-01-06  
Vendors contacted: Corel  
Release mode: User release  
  
  
  
2. *Vulnerability Information*  
  
Class: Uncontrolled Search Path Element [CWE-427]  
Impact: Code execution  
Remotely Exploitable: No  
Locally Exploitable: Yes  
CVE Name: CVE-2014-8393, CVE-2014-8394, CVE-2014-8395, CVE-2014-8396,  
CVE-2014-8397, CVE-2014-8398  
  
  
  
3. *Vulnerability Description*  
  
  
Corel [1] has developed a wide range of products that includes graphics, painting,   
photo, video and office software.(CorelDRAW,Corel Photo-Paint, Corel PaintShop Pro, Corel CAD,  
Corel Painter, Corel PDF Fusion, Corel VideoStudio and Corel FastFlick among others)  
  
  
  
When a file associated with the Corel software is opened, the directory of that document  
is first used to locate DLLs, which could allow an attacker to execute arbitrary commands  
by inserting malicious DLLs into the same directory as the document.  
  
  
  
4. *Vulnerable packages*  
  
. Corel DRAW X7 [2]  
. Corel Photo-Paint X7 [3]  
. Corel PaintShop Pro X7 [7]  
. Corel CAD 2014 [4]  
. Corel Painter 2015 [5]  
. Corel PDF Fusion [6]  
. Corel VideoStudio PRO X7 [8]  
. Corel FastFlick [9]  
  
Other versions could be affected too, but they were not checked.  
  
  
5. *Vendor Information, Solutions and Workarounds*  
  
  
Given that this is a client-side vulnerability, affected users should avoid opening untrusted  
files whose extensions are associated with Corel software and contain any of the DLL files detailed below.  
  
  
  
6. *Credits*  
  
  
This vulnerability was discovered and researched by Marcos Accossatto from Core Security  
Exploit Writers Team. The publication of this advisory was coordinated by Joaquin Rodriguez  
Varela from Core Advisories Team.  
  
  
  
7. *Technical Description / Proof of Concept Code*  
  
[CVE-2014-8393] This vulnerability is caused by a DLL Hijacking when a file  
associated with any of the following Corel applications is executed (CorelDRAW X7, Corel  
Photo-Paint X7, Corel PaintShop Pro X7, Corel Painter 2015 or Corel PDF Fusion). The   
affected application should not be running for the vulnerability to work. The Corel   
software looks for a DLL file called "wintab32.dll" and does not control its path, therefore  
allowing to copy a malicious DLL file with the same name inside the folder where the   
associated file is. The DLL is executed within the context of the application.  
  
  
[CVE-2014-8394] This vulnerability is caused by a DLL Hijacking when a file  
associated with Corel CAD 2014 is executed. Corel CAD 2014 should not be running before  
the associated file is executed for the vulnerability to work.  
Corel CAD looks for a DLL file called "FxManagedCommands_3.08_9.tx" or "TD_Mgd_3.08_9.dll"  
and does not control their path, therefore allowing to copy a malicious DLL file with the  
same name of either DLL inside the folder where the associated file is. The DLL is  
executed within the context of the application.  
  
  
[CVE-2014-8395] This vulnerability is caused by a DLL Hijacking when a file associated with  
Corel Painter 2015 is executed. Corel Painter 2015 should not be running before the associated  
file is executed for the vulnerability to work. Corel Painter looks for a DLL file called   
"wacommt.dll" and does not control its path, therefore allowing to copy a malicious DLL file   
with the same name inside the folder where the associated file is. The DLL is executed within  
the context of the application.  
  
  
[CVE-2014-8396] This vulnerability is caused by a DLL Hijacking when a file associated with   
Corel PDF Fusion is executed. Corel PDF Fusion should not be running before the associated   
file is executed for the vulnerability to work. Corel PDF Fusion looks for a DLL file called  
"quserex.dll" and does not control its path, therefore allowing to copy a malicious DLL file   
with the same name inside the folder where the associated file is. The DLL is executed within  
the context of the application.  
  
  
[CVE-2014-8397] This vulnerability is caused by a DLL Hijacking when a file associated with   
Corel VideoStudio PRO X7 or Corel FastFlix is executed. Corel Video Studio or Corel FastFlix  
should not be running before the associated file is executed for the vulnerability to work.   
Corel PDF Fusion looks for a DLL file called "u32ZLib.dll" and does not control its path,   
therefore allowing to copy a malicious DLL file with the same name inside the folder where the  
associated file is. The DLL is executed within the context of the application.  
  
  
[CVE-2014-8398] This vulnerability is caused by a DLL Hijacking when a file associated with   
Corel FastFlick is executed. Corel FastFlick should not be running before the associated file  
is executed for the vulnerability to work. Corel FastFlick looks for DLL files called "igfxcmrt32.dll",  
"ipl.dll", "MSPStyleLib.dll", "uFioUtil.dll", "uhDSPlay.dll", "uipl.dll", "uvipl.dll", "VC1DecDll.dll" or  
"VC1DecDll_SSE3.dll" and does not control their path, therefore allowing to copy a malicious DLL file with  
the same name of any of those DLLs inside the folder where the associated file is. The DLL is executed   
within the context of the application.  
  
  
  
8. *Report Timeline*  
  
. 2014-12-09:  
Core Security notifies Corel of the vulnerabilities. Publication date is  
set for January 5th, 2015.  
  
  
. 2014-12-17:  
Core Security requests an acknowledgement of the mail previously sent.  
Informs that if no answer  
is registered the advisory will be pubilshed as "user release".  
  
  
. 2015-01-02:  
Core Security tries to contact the vendor through their twitter account  
without any luck.  
  
  
. 2015-01-12:  
Advisory CORE-2015-0001 published as user release.  
  
  
  
9. *References*  
  
[1] http://www.corel.com/.  
[2] http://www.coreldraw.com/la/product/diseno-grafico-creativo/?hptrack=la2bb1.  
[3] http://www.coreldraw.com/la/pages/photo-paint/.  
[4] http://www.coreldraw.com/us/product/cad-software/.  
[5] http://www.painterartist.com/us/product/paint-program/.  
[6] http://www.wordperfect.com/us/product/pdf-creator/.  
[7] http://learn.corel.com/photo/courses/course/PaintShop-Pro-X7-Tutorials.  
[8] http://learn.corel.com/video/tutorials/view/232/What-s-New-in-Corel-VideoStudio-Pro-X7.  
[9] http://learn.corel.com/video/tutorials/view/236/How-to-Use-FastFlick.  
  
  
10. *About CoreLabs*  
  
CoreLabs, the research center of Core Security, is charged with  
anticipating the future needs and requirements for information security  
technologies. We conduct our research in several important areas of computer  
security including system vulnerabilities, cyber attack planning and  
simulation, source code auditing, and cryptography. Our results include problem  
formalization, identification of vulnerabilities, novel solutions and  
prototypes for new technologies. CoreLabs regularly publishes security  
advisories, technical papers, project information and shared software  
tools for public use at: http://corelabs.coresecurity.com.  
  
  
  
11. *About Core Security*  
  
  
Core Security enables organizations to get ahead of threats  
with security test and measurement solutions that continuously  
identify and demonstrate real-world exposures to their most critical  
assets. Our customers can gain real visibility into their security standing, real  
validation of their security controls, and real metrics to more  
effectively secure their organizations.  
  
  
  
Core Security's software solutions build on over a decade of trusted  
research and leading-edge threat expertise from the company's Security  
Consulting Services, CoreLabs and Engineering groups. Core Security  
can be reached at +1 (617) 399-6980 or on the Web at:  
http://www.coresecurity.com.  
  
  
  
12. *Disclaimer*  
  
  
The contents of this advisory are copyright  
(c) 2014 Core Security and (c) 2014 CoreLabs,  
and are licensed under a Creative Commons  
Attribution Non-Commercial Share-Alike 3.0 (United States) License:  
http://creativecommons.org/licenses/by-nc-sa/3.0/us/  
  
  
13. *PGP/GPG Keys*  
  
  
This advisory has been signed with the GPG key of Core Security  
advisories team, which is available for download at:  
  
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.  
  
  
`