CorelDRAW X7 CDR File – ‘CdrTxt.dll’ Off-by-One Stack Corruption

  • Author: LiquidWorm
    Date: 2014-11-12
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/35217/
  • CorelDRAW X7 CDR File (CdrTxt.dll) Off-By-One Stack Corruption Vulnerability
    
    
    Vendor: Corel Corporation
    Product web page: http://www.corel.com
    Affected version: 17.1.0.572 (X7) - 32bit/64bit (EN)
                      15.0.0.486 (X5) - 32bit (EN)
    
    Summary: CorelDRAW is one of the image-creating programs in a
    suite of graphic arts software used by professional artists,
    educators, students, businesses and the general public. The
    CorelDRAW Graphics Suite X7, which includes CorelDRAW, is sold
    as stand-alone software and as a cloud-based subscription.
    CorelDRAW is the core of the graphics suite and is primarily
    used for vector illustrations and page layouts.
    
    Desc: CorelDRAW is prone to an off-by-one memory corruption
    vulnerability. An attacker can exploit this issue by tricking
    a victim into opening a malicious CDR file to execute arbitrary
    code and/or to cause denial-of-service conditions.
    
    ---
    
    eax=13921178 ebx=00000003 ecx=00000000 edx=138fa270 esi=13c41e78 edi=00000002
    eip=5fea43e4 esp=001eca8c ebp=131f67b8 iopl=0         nv up ei ng nz ac pe cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210297
    CdrTxt!WStyleList::EndLoad+0x74:
    5fea43e4 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????
    
    ---
    
    Tested on: Microsoft Windows 7 Professional SP1 (EN)
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    @zeroscience
    
    
    Advisory ID: ZSL-2014-5204
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5204.php
    
    
    27.10.2014
    
    ---
    
    
    PoC:
    
     - http://www.zeroscience.mk/codes/zsl_5204.rar
     - https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35217.rar