CVE-2016-8730
An out-of-bounds write / memory corruption vulnerability exists in the GIF parsing functionality of Corel PHOTO-PAINT X8 18.1.0.661. A specially crafted GIF file can trigger memory corruption that potentially results in code execution. An attacker can send the victim a specially crafted GIF file to trigger this vulnerability.
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
A memory corruption vulnerability exists in the GIF parsing functionality of Corel PHOTO-PAINT. A specially crafted GIF file can trigger the vulnerability and cause memory corruption.
The vulnerable code is located in the IEGIF.flt library:
.text:00000001800097E0 over_write: ; CODE XREF: bug_proc+1DBj
.text:00000001800097E0 mov [rax], cl ; write, source cl (increased every cycle)
.text:00000001800097E2 lea rax, [rax+1] ; rax++
.text:00000001800097E6 inc ecx ; ecx = loop counter, and dest byte
.text:00000001800097E8 cmp ecx, r8d ; r8d = total number of loop executions
.text:00000001800097EB jb short over_write
The total number of loop executions (r8d value) is calculated below:
.text:0000000180009729 call sub_18000A780
.text:000000018000972E movzx r9d, al ; al=function result=used for shl
.text:0000000180009732 xor esi, esi
.text:0000000180009734 mov eax, 8
.text:0000000180009739 mov [rsp+0D8h+var_58], r9d
.text:0000000180009741 mov ecx, r9d
.text:0000000180009744 mov [rsp+0D8h+var_80], esi
.text:0000000180009748 xor r15d, r15d
.text:000000018000974B mov [rsp+0D8h+var_88], esi
.text:000000018000974F xor ebp, ebp
.text:0000000180009751 mov r8d, 1
.text:0000000180009757 shl r8d, cl ; r8d = 1 << cl = 1 << output from sub_18000A780
An attacker can create a malicious GIF file which forces the total number of loop cycles to be extremely large (like r8d=0x8000000000, 0x100000, …). This causes the loop to overwrite memory far past the intended destination buffer.
In order to trigger this vulnerability, the GlobalColorTableFlag in the LOGICALSCREENDESCRIPTOR_PACKEDFIELDS needs to be 1 and the SizeOfGlobalColorTable needs to be set to 7.
Additionally, the value returned by sub_18000A780 (later used as the count, in the CL register, of the shift-logical-left operation) is taken directly from the PoC file (offset 0x3f2).
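The following C program is an added example written for this advisory; it is not code from Talos, Corel or the IEGIF.flt filter. It shows the two checks the vulnerable code lacks: a Logical Screen Descriptor parser that recovers GlobalColorTableFlag and SizeOfGlobalColorTable from the packed byte and verifies that the declared Global Color Table actually fits inside the file, and a hardened fill routine (fill_checked, a hypothetical name) modelled on the `mov [rax], cl / inc ecx / cmp ecx, r8d / jb` loop above, which caps the attacker-controlled shift count before computing `1 << cl` and compares the resulting trip count with the destination capacity. The 13-byte GIF header is a constructed sample, not the PoC. Note that x86 masks a 32-bit SHL count to 5 bits, so the r9 = 0xdd seen in the crash context below becomes a shift of 29, matching r8 = 0x20000000; the hardened version rejects that request outright.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed 13-byte GIF header (hypothetical sample, not the advisory's PoC):
 * "GIF89a", width = 1, height = 1, packed = 0xF7, background = 0, aspect = 0.
 * Packed 0xF7 = 1111 0111b: GlobalColorTableFlag = 1, ColorResolution = 7,
 * SortFlag = 0, SizeOfGlobalColorTable = 7, i.e. the trigger conditions above. */
static const uint8_t SAMPLE_GIF_HEADER[13] = {
    'G', 'I', 'F', '8', '9', 'a', 0x01, 0x00, 0x01, 0x00, 0xF7, 0x00, 0x00
};

#define GIF_HEADER_LEN 13u   /* 6-byte signature + 7-byte Logical Screen Descriptor */

/* Logical Screen Descriptor packed fields, decoded from byte 10 of the header. */
struct gif_lsd {
    unsigned global_color_table_flag;    /* bit 7 */
    unsigned color_resolution;           /* bits 6..4 */
    unsigned sort_flag;                  /* bit 3 */
    unsigned size_of_global_color_table; /* bits 2..0 */
};

/* Decodes the packed byte. Returns 0 on success, -1 if the buffer is too short
 * or does not carry a GIF signature. */
int parse_gif_lsd(const uint8_t *buf, size_t len, struct gif_lsd *out)
{
    if (buf == NULL || out == NULL || len < GIF_HEADER_LEN)
        return -1;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return -1;
    uint8_t packed = buf[10];
    out->global_color_table_flag    = (packed >> 7) & 1u;
    out->color_resolution           = (packed >> 4) & 7u;
    out->sort_flag                  = (packed >> 3) & 1u;
    out->size_of_global_color_table =  packed       & 7u;
    return 0;
}

/* Size in bytes of the Global Color Table per the GIF89a spec: 3 * 2^(N+1),
 * so at most 3 * 256 = 768 bytes; a three-bit field cannot ask for more. */
size_t gif_gct_bytes(const struct gif_lsd *lsd)
{
    if (!lsd->global_color_table_flag)
        return 0;
    return 3u * (1u << (lsd->size_of_global_color_table + 1u));
}

/* Structural check a loader should do before touching the palette: the
 * declared Global Color Table must lie entirely inside the file. Returns 1 when
 * the header is consistent, 0 otherwise. */
int gif_header_consistent(const uint8_t *buf, size_t len)
{
    struct gif_lsd lsd;
    if (parse_gif_lsd(buf, len, &lsd) != 0)
        return 0;
    return GIF_HEADER_LEN + gif_gct_bytes(&lsd) <= len;
}

/* Hardened counterpart of the advisory's loop (hypothetical helper). In the
 * vulnerable code the trip count is r8d = 1 << cl with cl read straight from
 * the file, and the loop writes that many bytes with no check against the
 * destination. Here the shift is capped before it is used and the resulting
 * count is compared with the buffer capacity.
 * Returns the number of bytes written, or -1 when the request is rejected. */
long fill_checked(uint8_t *dst, size_t cap, unsigned shift)
{
    if (dst == NULL || shift > 8u)      /* a GIF palette never exceeds 2^8 entries */
        return -1;
    uint32_t count = 1u << shift;       /* cannot overflow once shift <= 8 */
    if (count > cap)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        dst[i] = (uint8_t)i;            /* same byte pattern as the original loop */
    return (long)count;
}

int main(void)
{
    struct gif_lsd lsd;
    uint8_t palette[256];

    if (parse_gif_lsd(SAMPLE_GIF_HEADER, sizeof SAMPLE_GIF_HEADER, &lsd) == 0)
        printf("GCT flag=%u size field=%u -> %zu palette bytes\n",
               lsd.global_color_table_flag, lsd.size_of_global_color_table,
               gif_gct_bytes(&lsd));
    printf("header-only sample consistent: %d\n",
           gif_header_consistent(SAMPLE_GIF_HEADER, sizeof SAMPLE_GIF_HEADER));
    printf("shift 8  -> %ld\n", fill_checked(palette, sizeof palette, 8));
    /* shift 29 is what the crash context's r8 = 0x20000000 corresponds to */
    printf("shift 29 -> %ld\n", fill_checked(palette, sizeof palette, 29));
    return 0;
}
```

The header-only sample is deliberately truncated: it declares a 768-byte palette but carries none, so gif_header_consistent reports 0; appending 768 palette bytes makes it consistent. A parser that performs both checks never reaches a write loop whose trip count exceeds what the destination can hold.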
FAULTING_IP:
IEGIF!FilterEntry01+75c0
00007ffb`e81897e0 8808 mov byte ptr [rax],cl
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffbe81897e0 (IEGIF!FilterEntry01+0x00000000000075c0)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 00000205dca6e000
Attempt to write to address 00000205dca6e000
CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
rax=00000205dca6e000 rbx=00000205dc8a1460 rcx=0000000000005000
rdx=0000000020000001 rsi=0000000000000000 rdi=00000205dc8a2c0f
rip=00007ffbe81897e0 rsp=000000e5dc79c690 rbp=0000000000000000
r8=0000000020000000 r9=00000000000000dd r10=00007ffc064615c0
r11=00000205dca6a030 r12=00000205dca64ae0 r13=0000000000000000
r14=0000000020000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010287
IEGIF!FilterEntry01+0x75c0:
00007ffb`e81897e0 8808 mov byte ptr [rax],cl ds:00000205`dca6e000=??
FAULTING_THREAD: 0000000000001f20
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
PROCESS_NAME: CorelPP-APP.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 00000205dca6e000
WRITE_ADDRESS: 00000205dca6e000
FOLLOWUP_IP:
IEGIF!FilterEntry01+75c0
00007ffb`e81897e0 8808 mov byte ptr [rax],cl
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
APP: corelpp-app.exe
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0x1f20 (0)
Current frame:
Child-SP RetAddr Caller, Callee
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 00007ffbe818360b to 00007ffbe81897e0
STACK_TEXT:
000000e5`dc79c690 00007ffb`e818360b : 00000000`00000000 00007ffb`00000000 00000000`00000000 00007ffb`002b40d5 : IEGIF!FilterEntry01+0x75c0
000000e5`dc79c770 00007ffb`e818215a : 00000205`00000000 00000205`dc9e3ff0 00000205`dc9e3ff0 00000000`00000000 : IEGIF!FilterEntry01+0x13eb
000000e5`dc79c860 00007ffb`eca9097d : 000001fd`b0790280 00000000`00000118 ffffffff`fffffffe 00000000`00000001 : IEGIF!FilterEntry+0x9a
000000e5`dc79c890 00007ffb`eca7e7ff : 00000000`00000000 00000000`00000001 00000205`dc9e3ff0 00000000`00000000 : CDRFLT!FLTCLIPDATA::GetClrUsed+0x101d
000000e5`dc79c8d0 00007ffb`e52f2298 : 00000205`00000000 00000000`06040002 00000000`00000000 00000000`00000001 : CDRFLT!CPT_DROP_SHADOW::LoadFrom+0x4ff
000000e5`dc79ca00 00007ffb`e52eac66 : feeefeee`00000009 00000205`00000001 000000e5`dc79ce1c 00000205`dc48d8c0 : corelpp!CTool::GetAutoScroll+0x630a8
000000e5`dc79cb00 00007ffb`e52e7e91 : 000001fd`acc60000 00000000`00000038 00000000`00000001 00007ffc`06387ad7 : corelpp!CTool::GetAutoScroll+0x5ba76
000000e5`dc79cd40 00007ffb`e52e761c : 00000205`dc9e3160 00000205`dc9e3ff0 00000205`dca190f0 00000205`dc9e3160 : corelpp!CTool::GetAutoScroll+0x58ca1
000000e5`dc79d480 00007ffb`e51eea42 : 00000205`dc9e4960 00000205`dc9e3160 000001fd`b0ba9b10 00007ffb`e5238f56 : corelpp!CTool::GetAutoScroll+0x5842c
000000e5`dc79e1c0 00007ffb`e51efc79 : 00000205`dc9e3160 00007ffb`e57390d0 00000205`dc9e4960 00000205`dc9e4960 : corelpp!CPntCom::CPntCom+0x28b32
000000e5`dc79e2f0 00007ffb`e52384b7 : 00007ffb`e57390d0 000000e5`dc79e6f0 00000205`dc9e4960 000001fd`b12400a8 : corelpp!CPntCom::CPntCom+0x29d69
000000e5`dc79e460 00007ffb`e5239f6b : 00007ffb`e5a03ba0 000000e5`dc79e6f0 00000205`dc9e4960 00000000`0200fb70 : corelpp!CPntCom::CPntCom+0x725a7
000000e5`dc79e4a0 00007ffb`e52383aa : 000000e5`dc79e5f0 000000e5`dc79f298 000000e5`dc79e6f0 00000205`dc9e4960 : corelpp!CPntCom::CPntCom+0x7405b
000000e5`dc79e5a0 00007ffb`e560ab4e : 000000e5`dc79f298 000000e5`dc79e6f0 000001fd`b12400a8 000000e5`dc79e5f0 : corelpp!CPntCom::CPntCom+0x7249a
000000e5`dc79e5f0 00007ffb`e56094d9 : 000000e5`dc79f260 00000205`db2e9a90 00000000`00000000 00000205`dac6e3a8 : corelpp!GetComponentTool+0xa58de
000000e5`dc79f1e0 00007ffb`e5606d26 : 000001fd`acd5e480 000001fd`accb8d68 00000205`db2e9448 00007ffb`dec803d0 : corelpp!GetComponentTool+0xa4269
000000e5`dc79f310 00007ffb`e51a9c7e : 000000e5`dc79f368 000001fd`b14d88d0 00007ffb`e583bbe4 00000205`dc626028 : corelpp!GetComponentTool+0xa1ab6
000000e5`dc79f340 00007ffb`e51a4f29 : 00000205`db2e81b8 000001fd`b14d88d0 00000205`dc626028 00007ffb`e13d3d66 : corelpp!CTool::GetNumStrokes+0x231e
000000e5`dc79f390 00007ffb`e51dc3cc : 00000000`00000000 00000205`db2e81b8 000001fd`b0ba9b10 000001fd`b14a7d70 : corelpp!StartApp+0xc139
000000e5`dc79f460 00007ffb`e560d6f8 : 00000000`00000000 00000000`00000001 000001fd`b0ba9b10 00000000`00000000 : corelpp!CPntCom::CPntCom+0x164bc
000000e5`dc79f4b0 00007ffb`e5198c87 : 00000205`dc9a4238 00000205`00000000 000000e5`dc79f7b0 00000000`00000000 : corelpp!GetComponentTool+0xa8488
000000e5`dc79f500 00007ffb`de81fa1b : 000001fd`b0b876a0 000000e5`dc79f7b0 00000000`00000000 000001fd`acc812e8 : corelpp!CTool::GetToolMode+0x4ac7
000000e5`dc79f530 00007ffb`de81f6e9 : 000000e5`dc79f7b0 00000000`00000001 00000000`00000001 000001fd`b0b89910 : CrlFrmWk!WCmnUI_FrameWorkApp::OnIdle+0xdb
000000e5`dc79f570 00007ffb`de81f849 : 000001fd`b0b89910 000000e5`dc79f7b0 000000e5`dc79f740 4b18a26b`5f3d1849 : CrlFrmWk!WCmnUI_FrameWorkApp::RunMessageLoop+0x99
000000e5`dc79f600 00007ffb`de803e49 : 000001fd`accac588 000001fd`b104eaf0 000001fd`b104eaf0 000001fd`b0a963e8 : CrlFrmWk!WCmnUI_FrameWorkApp::Run+0x69
000000e5`dc79f640 00007ffb`e5199069 : 00007ffb`ea866a58 000001fd`accf7b30 00007ffb`ea866a58 00000000`00000000 : CrlFrmWk!IAppFramework::GetInstance+0x11a9
000000e5`dc79fa10 00007ff7`f4ad1d92 : 000000e5`dc79fb90 000000e5`dc79fb90 00000000`00000000 000001fd`acc62501 : corelpp!StartApp+0x279
000000e5`dc79faf0 00007ff7`f4ad15a6 : 000000e5`dc79fb90 00000000`0000000a 00000000`00000000 00000000`00000003 : CorelPP_APP+0x1d92
000000e5`dc79fb50 00007ff7`f4ad7466 : 00000000`00000000 00007ff7`f4adfd90 00000000`00000000 00000000`00000000 : CorelPP_APP+0x15a6
000000e5`dc79fc40 00007ffc`04158364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CorelPP_APP+0x7466
000000e5`dc79fc80 00007ffc`063b5e91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000e5`dc79fcb0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
STACK_COMMAND: .cxr 0x0 ; kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: iegif!FilterEntry01+75c0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: IEGIF
IMAGE_NAME: IEGIF.FLT
DEBUG_FLR_IMAGE_TIMESTAMP: 576defce
FAILURE_BUCKET_ID: WRONG_SYMBOLS_c0000005_IEGIF.FLT!FilterEntry01
BUCKET_ID: APPLICATION_FAULT_WRONG_SYMBOLS_iegif!FilterEntry01+75c0
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:wrong_symbols_c0000005_iegif.flt!filterentry01
FAILURE_ID_HASH: {35a39316-5ab9-f773-eb46-0f3e7294b8ec}
Followup: MachineOwner
---------
2016-12-01 - Vendor Disclosure
2017-07-20 - Public Release
Discovered by Piotr Bania of Cisco Talos.