CorelDRAW X7 CDR File (CdrTxt.dll) Off-By-One Stack Corruption Vulnerability


Vendor: Corel Corporation
Product web page: http://www.corel.com
Affected version: 17.1.0.572 (X7) - 32bit/64bit (EN)
                  15.0.0.486 (X5) - 32bit (EN)

Summary: CorelDRAW is one of the image-creating programs in a
suite of graphic arts software used by professional artists,
educators, students, businesses and the general public. The
CorelDRAW Graphics Suite X7, which includes CorelDRAW, is sold
as stand-alone software and as a cloud-based subscription.
CorelDRAW is the core of the graphics suite and is primarily
used for vector illustrations and page layouts.

Desc: CorelDRAW is prone to an off-by-one memory corruption
vulnerability. An attacker can exploit this issue by tricking
a victim into opening a malicious CDR file to execute arbitrary
code and/or to cause denial-of-service conditions.

---

eax=13921178 ebx=00000003 ecx=00000000 edx=138fa270 esi=13c41e78 edi=00000002
eip=5fea43e4 esp=001eca8c ebp=131f67b8 iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210297
CdrTxt!WStyleList::EndLoad+0x74:
5fea43e4 8b01 mov eax,dword ptr [ecx] ds:002b:00000000=????????

---

Tested on: Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5204
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5204.php


27.10.2014

---


PoC:

- http://www.zeroscience.mk/codes/zsl_5204.rar
- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35217.rar