Corel CorelDRAW X8 EMF Parser Code Execution Vulnerability (CVE-2016-9043)

2017-09-13T00:00:00
ID SSV:96465
Type seebug
Reporter Root
Modified 2017-09-13T00:00:00

Description

Summary

An out-of-bounds write vulnerability exists in the EMF parsing functionality of CorelDRAW X8 (CdrGfx - Corel Graphics Engine (64-Bit) - 18.1.0.661). A specially crafted EMF file can trigger the out-of-bounds write, potentially resulting in code execution. An attacker can send the victim a specific EMF file to trigger this vulnerability.

Tested Versions

Corel CorelDRAW X8 (CdrGfx - Corel Graphics Engine (64-Bit) - 18.1.0.661) - x64 version

Product URLs

http://corel.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

A remote memory corruption vulnerability exists in the EMF parsing functionality of CorelDRAW. A specially crafted EMF file can trigger an out-of-bounds write, resulting in potential memory corruption. The vulnerable code is located in the CdrGfx.dll library:

```
.text:0000000000176B1B corruption_label:                       ; CODE XREF: corel_bug_proc+52j
.text:0000000000176B1B                                         ; corel_bug_proc+91j
.text:0000000000176B1B                 lea     eax, [r13-1]
.text:0000000000176B1F                 mov     [rsi+rax*8], ebp
.text:0000000000176B22                 mov     [rsi+rax*8+4], r15d
.text:0000000000176B27                 inc     dword ptr [rdi+8]
```

The presented code is executed when an EMR_CREATEBRUSHINDIRECT (39) record from the EMF file is parsed. Such a record is composed as follows [1]:

```
[RecordType] [RecordSize] [ihBrush] [LogBrush]
```

The attacker controls the RAX register value (see the instructions at 0x176B1F and 0x176B22) simply by changing the ihBrush value in the EMR_CREATEBRUSHINDIRECT record: r13 holds ihBrush, rax becomes ihBrush-1, and two DWORDs are stored at rsi+rax*8 without any check against the size of the object table that rsi points to. Because the index is computed in a 32-bit register and then scaled by 8, a single record can place the write anywhere up to roughly 32 GiB past the table (ihBrush = 0 wraps to index 0xFFFFFFFF). In the crash below, r13 = 0xdddddddd, rax = 0xdddddddc, and the faulting address 0x23129b72850 is exactly rsi + rax*8, i.e. rsi + 0x6eeeeeee0. This results in memory corruption at an attacker-controlled destination.

This vulnerability can additionally be triggered using other EMF records, each of which carries an object-handle index in the same position directly after the record header. Below is the list of record types that can be used to trigger this problem:

  • 38 - EMR_CREATEPEN
  • 39 - EMR_CREATEBRUSHINDIRECT
  • 40 - EMR_DELETEOBJECT
  • 82 - EMR_EXTCREATEFONTINDIRECTW
  • 93 - EMR_CREATEMONOBRUSH
  • 94 - EMR_CREATEDIBPATTERNBRUSHPT
  • 95 - EMR_EXTCREATEPEN

[1] - https://msdn.microsoft.com/en-us/library/cc230604.aspx
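
The following C program is an added example and is not code from the Talos advisory or from Corel. It walks an EMF record stream and applies the bounds check the parser above lacks: for each of the seven record types listed, the object index stored right after the 8-byte record header is compared against nHandles from the EMF header (per MS-EMF, the handle table has nHandles slots and slot 0 is reserved, so usable indexes are 1..nHandles-1; for EMR_DELETEOBJECT an index with the 0x80000000 stock-object bit set is accepted). The EMF files it scans are constructed inline; write_offset() reproduces the arithmetic of the faulting instructions, (ihBrush-1) truncated to 32 bits and scaled by 8, which for ihBrush = 0xdddddddd yields 0x6eeeeeee0, the distance between rsi and the faulting address in the crash context below. The function names and the sample file layout are this example's own.

```c
/* emf_ihscan.c: added illustration, not code from the Talos advisory or from Corel.
 * Walks an EMF record stream and applies the bounds check the CdrGfx parser lacks:
 * the object index (ihBrush, ihPen, ...) in each of the seven record types listed
 * above must fall inside the handle table sized by the EMF header's nHandles field.
 * The EMF samples are constructed inline. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { EMR_HEADER = 1, EMR_EOF = 14, EMR_CREATEPEN = 38, EMR_CREATEBRUSHINDIRECT = 39,
       EMR_DELETEOBJECT = 40, EMR_EXTCREATEFONTINDIRECTW = 82, EMR_CREATEMONOBRUSH = 93,
       EMR_CREATEDIBPATTERNBRUSHPT = 94, EMR_EXTCREATEPEN = 95 };
#define EMF_SIGNATURE    0x464D4520u /* " EMF" at header offset 40 */
#define EMF_STOCK_OBJECT 0x80000000u /* MS-EMF: high bit selects a stock object */

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* In all seven affected record types the object index is the first DWORD after the
 * 8-byte (Type, Size) record header. */
static int carries_object_index(uint32_t type) {
    switch (type) {
    case EMR_CREATEPEN: case EMR_CREATEBRUSHINDIRECT: case EMR_DELETEOBJECT:
    case EMR_EXTCREATEFONTINDIRECTW: case EMR_CREATEMONOBRUSH:
    case EMR_CREATEDIBPATTERNBRUSHPT: case EMR_EXTCREATEPEN: return 1;
    default: return 0;
    }
}

/* The missing check: slot 0 of the handle table is reserved, so 1 <= ih < nHandles. */
int object_index_ok(uint32_t ih, uint32_t n_handles) { return ih >= 1 && ih < n_handles; }

/* Byte distance from the table base written by the faulting code: lea eax,[r13-1]
 * truncates ihBrush-1 to 32 bits, then [rsi+rax*8] scales it by 8. */
uint64_t write_offset(uint32_t ih) { return (uint64_t)(uint32_t)(ih - 1u) * 8u; }

/* Returns the number of records whose object index is out of range, or -1 when the
 * stream is structurally malformed. *first_bad (optional) receives the first bad index. */
int scan_emf(const uint8_t *buf, size_t len, uint32_t *first_bad) {
    if (len < 88 || rd32(buf) != EMR_HEADER || rd32(buf + 40) != EMF_SIGNATURE) return -1;
    uint32_t n_handles = (uint32_t)buf[56] | (uint32_t)buf[57] << 8; /* nHandles is a uint16 */
    int bad = 0;
    for (size_t off = 0; off + 8 <= len; ) {
        uint32_t type = rd32(buf + off), size = rd32(buf + off + 4);
        if (size < 8 || (size & 3) || size > len - off) return -1; /* DWORD-sized, in bounds */
        if (carries_object_index(type) && size >= 12) {
            uint32_t ih = rd32(buf + off + 8);
            /* EMR_DELETEOBJECT may legitimately name a stock object; creation records may not */
            int stock = (type == EMR_DELETEOBJECT) && (ih & EMF_STOCK_OBJECT);
            if (!stock && !object_index_ok(ih, n_handles)) {
                if (bad == 0 && first_bad) *first_bad = ih;
                bad++;
            }
        }
        if (type == EMR_EOF) return bad;
        off += size;
    }
    return -1; /* no EMR_EOF */
}

/* Constructed sample (132 bytes): EMR_HEADER with nHandles = 2 (only index 1 is valid),
 * one EMR_CREATEBRUSHINDIRECT carrying the given ihBrush, then EMR_EOF. */
size_t build_sample_emf(uint8_t out[132], uint32_t ih_brush) {
    memset(out, 0, 132);
    wr32(out + 0, EMR_HEADER); wr32(out + 4, 88); wr32(out + 40, EMF_SIGNATURE);
    wr32(out + 44, 0x00010000u);  /* Version */
    wr32(out + 48, 132);          /* Bytes */
    wr32(out + 52, 3);            /* Records, header included */
    out[56] = 2; out[57] = 0;     /* Handles */
    wr32(out + 88, EMR_CREATEBRUSHINDIRECT); wr32(out + 92, 24);
    wr32(out + 96, ih_brush);     /* ihBrush: the attacker-controlled index */
    wr32(out + 100, 0);           /* LogBrush.BrushStyle = BS_SOLID */
    wr32(out + 104, 0x00FF0000u); /* LogBrush.ColorRef */
    wr32(out + 108, 0);           /* LogBrush.BrushHatch */
    wr32(out + 112, EMR_EOF); wr32(out + 116, 20); wr32(out + 128, 20); /* SizeLast */
    return 132;
}

/* Build-and-scan helpers so each sample's verdict is available as a return value. */
int scan_sample(uint32_t ih_brush) {
    uint8_t buf[132]; return scan_emf(buf, build_sample_emf(buf, ih_brush), NULL);
}
uint32_t sample_first_bad(uint32_t ih_brush) {
    uint8_t buf[132]; uint32_t ih = 0; scan_emf(buf, build_sample_emf(buf, ih_brush), &ih); return ih;
}

int main(void) {
    printf("ihBrush=1: %d bad record(s)\n", scan_sample(1));
    printf("ihBrush=0xdddddddd: %d bad record(s), first bad index 0x%08x, write offset 0x%llx\n",
           scan_sample(0xddddddddu), sample_first_bad(0xddddddddu), (unsigned long long)write_offset(0xddddddddu));
    return 0;
}
```

Compile with `cc -std=c99 emf_ihscan.c`. The same scan_emf() can be pointed at the bytes of a real file to triage EMF samples before they are opened in an affected CorelDRAW build; note that it treats a missing EMR_EOF or a non-DWORD-sized record as malformed rather than clean, and that nHandles itself comes from the untrusted header, so a file can also declare a large table and still be flagged only by whatever the consuming parser actually allocates.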

Crash Information

```
FAULTING_IP: 
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+23ff
00007ffa673f6b1f 892cc6          mov     dword ptr [rsi+rax*8],ebp

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffa673f6b1f (CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x00000000000023ff)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000023129b72850
Attempt to write to address 0000023129b72850

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=00000000dddddddc rbx=0000000000000000 rcx=0000022a3ac83930
rdx=0000000000000020 rsi=0000022a3ac83970 rdi=000000e8986fd720
rip=00007ffa673f6b1f rsp=000000e8986fd440 rbp=0000000000000020
 r8=0000000000000000  r9=000000e8986fd720 r10=00007ffa67290000
r11=000000e8986fd478 r12=0000022216b422e4 r13=00000000dddddddd
r14=0000022a3ac60080 r15=0000000000000000
iopl=0         nv up ei ng nz ac po cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010297
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x23ff:
00007ffa673f6b1f 892cc6          mov     dword ptr [rsi+rax*8],ebp ds:0000023129b72850=????????

FAULTING_THREAD: 0000000000001ce8

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

PROCESS_NAME: CorelDRW-APP.exe

ADDITIONAL_DEBUG_TEXT:
You can run '.symfix; .reload' to try to fix the symbol path and load symbols.

MODULE_NAME: CdrGfx

FAULTING_MODULE: 00007ffa982c0000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP: 576deefd

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_PARAMETER1: 0000000000000001

EXCEPTION_PARAMETER2: 0000023129b72850

WRITE_ADDRESS: 0000023129b72850

FOLLOWUP_IP: CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+23ff 00007ffa`673f6b1f 892cc6 mov dword ptr [rsi+rax*8],ebp

APP: coreldrw-app.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0x1ce8 (0)
Current frame: 
Child-SP         RetAddr          Caller, Callee

PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS

BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER: from 00007ffa673f7078 to 00007ffa673f6b1f

STACK_TEXT:
000000e8986fd440 00007ffa673f7078 : 0000000000000000 0000022a3ac60080 0000000000000000 000000e8986fd5f1 : CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x23ff
000000e8986fd480 00007ffa673f5a5a : 0000022216b422e4 000000e8986fd720 000000e8986fd5f1 0000000000000001 : CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x2958
000000e8986fd4d0 00007ffa673f4e3b : 0000022a3ac5c700 0000022216b40000 000000e8986fd5f1 0000000000000000 : CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x133a
000000e8986fd500 00007ffa9573fe02 : 0000022a3ac5c700 0000022216b40000 0000000000000000 0000000000000000 : CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x71b
000000e8986fd530 00007ffa973f15c1 : 0000022216b40000 00007ffa9573e4cf 00000000ffffffff 000000e8986fd7a0 : gdi32full!SetWinMetaFileBits+0xf62
000000e8986fd650 00007ffa673f4d60 : 0000000000000000 000000e8986fd7a0 000000004d461147 000000004d461147 : GDI32!EnumEnhMetaFileStub+0x51
000000e8986fd6a0 00007ffa673f46f0 : 0000000000000001 0000022a3acd7990 0000000000000000 0000000000000001 : CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x640
000000e8986fe140 00007ffa68370eb6 : 0000000000000001 00007ffa9573e6d7 0000022a3ac5c3f0 0000000000000001 : CdrGfx!EMF2UDI_PlayEMFFromFileName+0x90
000000e8986fe210 00007ffa5b6e3d64 : 0000022a3ac78068 0000022a3ac78068 ffffffffcf461a8e 0000022a3ac78068 : VGCore!StartApp+0xa056
000000e8986fe260 00007ffa5b6e251e : 0000000000000001 0000000000000001 0000000000000001 00007ffa761f2c0f : IEWMF!FilterEntry01+0x1914
000000e8986fe2d0 00007ffa75b6097d : 0000022a3ab1e660 00000000000000c0 fffffffffffffffe 00007ffa6cf21bb0 : IEWMF!FilterEntry01+0xce
000000e8986fe330 00007ffa75b4e7ff : 0000000000000000 0000000000000001 0000022a3ac78068 0000000000000000 : CDRFLT!FLTCLIPDATA::GetClrUsed+0x101d
000000e8986fe370 00007ffa678feb6c : 0000022a00000000 0000022a3acd7cc8 000000e8986fe4a8 0000022a3ac78060 : CDRFLT!CPT_DROP_SHADOW::LoadFrom+0x4ff
000000e8986fe4a0 00007ffa67a26ac5 : 0000022a3acee8c0 000002221883aa28 0000022a00000001 000000e8986fe5f0 : CdrCore!WDrawFilterManager::ImportClip+0x4c
000000e8986fe4f0 00007ffa6844ff6b : 0000000000000000 000000e8986fe910 0000022200000000 0000022a3ac78060 : CdrCore!WOpenImport::Import+0xd75
000000e8986fe910 00007ffa68439012 : 0000022a3abdddb0 000002221454bbb8 000000e8986fea50 000000e800000000 : VGCore!CDrawlibDoc::Clone+0xa937b
000000e8986fea00 00007ffa683adaec : 0000022218b0c2e0 00007ffa761f8ad9 000000e8986febf8 000000e8986feb80 : VGCore!CDrawlibDoc::Clone+0x92422
000000e8986feb30 00007ffa683ad604 : 0000000000000000 000000e8986fec31 0000000000000000 0000000000000000 : VGCore!CDrawlibDoc::Clone+0x6efc
000000e8986feba0 00007ffa683795f8 : 000000e8986fed30 0000022a3a1865a0 000000e8986fed68 000002221454bbb8 : VGCore!CDrawlibDoc::Clone+0x6a14
000000e8986fec80 00007ffa6839543e : 000000e8986fee48 0000022a00000000 00007ffa68b4e154 0000022a3aab19f8 : VGCore!StartApp+0x12798
000000e8986fee20 00007ffa683958c9 : 0000022a3aa2db18 0000022a392b90a0 0000022a3aa29608 0000022a3aa2db18 : VGCore!StartApp+0x2e5de
000000e8986fee70 00007ffa6838022c : 0000000000000000 0000022a3a2bf8c0 0000022a3aa2db18 00000222187c7820 : VGCore!StartApp+0x2ea69
000000e8986fef40 00007ffa683783fb : 0000000000000000 0000000000000001 0000022218b0c2e0 0000022218b07480 : VGCore!StartApp+0x193cc
000000e8986fef90 00007ffa6837e4d0 : 0000000000000000 0000000000000001 0000000000000001 00000222145611e0 : VGCore!StartApp+0x1159b
000000e8986ff000 00007ffa67e7fa1b : 0000022218b08570 000000e8986ff2b0 0000000000000000 0000022214561238 : VGCore!StartApp+0x17670
000000e8986ff030 00007ffa67e7f6e9 : 000000e8986ff2b0 0000000000000001 0000000000000001 0000022218b07480 : CrlFrmWk!WCmnUI_FrameWorkApp::OnIdle+0xdb
000000e8986ff070 00007ffa67e7f849 : 0000022218b07480 000000e8986ff2b0 000000e8986ff240 4b18a26b5f3d1849 : CrlFrmWk!WCmnUI_FrameWorkApp::RunMessageLoop+0x99
000000e8986ff100 00007ffa67e63e49 : 0000022a3a38e668 0000022218d64350 0000022218d64350 0000022218c2ed58 : CrlFrmWk!WCmnUI_FrameWorkApp::Run+0x69
000000e8986ff140 00007ffa683670dd : 00000222145e3630 00000222145e3630 00000222145e3630 0000000000000000 : CrlFrmWk!IAppFramework::GetInstance+0x11a9
000000e8986ff510 00007ff794ec22a2 : 00000222145f6238 000000e8986ff680 0000000000000000 0000022214542501 : VGCore!StartApp+0x27d
000000e8986ff5e0 00007ff794ec16be : 000000e8986ff680 000000000000000a 0000000000000000 0000000000000003 : CorelDRW_APP+0x22a2
000000e8986ff640 00007ff794ec78d6 : 0000000000000000 00007ff794ed0de0 0000000000000000 000000000000000a : CorelDRW_APP+0x16be
000000e8986ff730 00007ffa95b38364 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : CorelDRW_APP+0x78d6
000000e8986ff770 00007ffa98325e91 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x14
000000e8986ff7a0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21

STACK_COMMAND: .cxr 0x0 ; kb

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: cdrgfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+23ff

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: CdrGfx.dll

BUCKET_ID: WRONG_SYMBOLS

FAILURE_BUCKET_ID: WRONG_SYMBOLS_c0000005_CdrGfx.dll!EMF2UDI_PlayEMFFromEnhMetaFileHandle

ANALYSIS_SOURCE: UM

FAILURE_ID_HASH_STRING: um:wrong_symbols_c0000005_cdrgfx.dll!emf2udi_playemffromenhmetafilehandle

FAILURE_ID_HASH: {efbf1f89-ad00-39f3-3352-b0c702d36b36}

Followup: MachineOwner

```

Timeline

  • 2016-12-23 - Vendor Disclosure
  • 2017-07-20 - Public Release

CREDIT

  • Discovered by Piotr Bania of Cisco Talos.