CVE-2016-9043: TALOS-2016-0261 || Cisco Talos Intelligence Group
Summary
An out of bound write vulnerability exists in the EMF parsing functionality of CorelDRAW X8 (CdrGfx - Corel Graphics Engine (64-Bit) - 18.1.0.661). A specially crafted EMF file can cause a vulnerability resulting in potential code execution. An attacker can send the victim a specific EMF file to trigger this vulnerability.
Tested Versions
Corel CorelDRAW X8 (CdrGfx - Corel Graphics Engine (64-Bit) - 18.1.0.661) - x64 version
Product URLs
http://corel.com
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
A remote memory corruption vulnerability exists in the EMF parsing functionality of CorelDRAW. A specially crafted EMF file can cause a vulnerability resulting in potential memory corruption.
Vulnerable code is located in the CdrGfx.dll library:
.text:0000000000176B1B corruption_label: ; CODE XREF: corel_bug_proc+52j
.text:0000000000176B1B ; corel_bug_proc+91j
.text:0000000000176B1B lea eax, [r13-1]
.text:0000000000176B1F mov [rsi+rax*8], ebp
.text:0000000000176B22 mov [rsi+rax*8+4], r15d
.text:0000000000176B27 inc dword ptr [rdi+8]
The code shown above is executed when an EMR_CREATEBRUSHINDIRECT (39) record from the EMF file is parsed. Such a record is composed as follows [1]:
[RecordType] [RecordSize] [ihBrush] [LogBrush]
An attacker can control the value of the RAX register (see the instructions at 0x176B1F and 0x176B22) simply by changing the ihBrush value in the EMR_CREATEBRUSHINDIRECT record of the EMF file. This leads to memory corruption in which the destination address of the write is controlled by the attacker.
Additionally, this vulnerability can be triggered using other EMF records. Below is a list of the records that can be used to trigger this problem:
38 - EMR_CREATEPEN
39 - EMR_CREATEBRUSHINDIRECT
40 - EMR_DELETEOBJECT
82 - EMR_EXTCREATEFONTINDIRECTW
93 - EMR_CREATEMONOBRUSH
94 - EMR_CREATEDIBPATTERNBRUSHPT
95 - EMR_EXTCREATEPEN
[1] - https://msdn.microsoft.com/en-us/library/cc230604.aspx
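The check a parser is missing here is a bounds test of the object index against the handle count the EMF header declares (ENHMETAHEADER.nHandles). The following added example, which is not code from the advisory or from Corel, walks the records of an EMF file and flags every record from the list above whose index is 0 or not below nHandles; the sample file it builds is constructed inline and uses the index value seen in the crash (r13 = 0xdddddddd). The stock-object exemption for EMR_DELETEOBJECT and the helper names are assumptions of this example.

```python
import struct

# EMF record types that carry an object-table index in the DWORD right after
# the 8-byte record header (the list given in the advisory).
INDEXED_RECORDS = {
    38: "EMR_CREATEPEN", 39: "EMR_CREATEBRUSHINDIRECT", 40: "EMR_DELETEOBJECT",
    82: "EMR_EXTCREATEFONTINDIRECTW", 93: "EMR_CREATEMONOBRUSH",
    94: "EMR_CREATEDIBPATTERNBRUSHPT", 95: "EMR_EXTCREATEPEN",
}
STOCK_OBJECT_FLAG = 0x80000000  # high bit marks a stock-object reference
EMR_HEADER, EMR_EOF, EMR_DELETEOBJECT = 1, 14, 40

def find_bad_indexes(emf: bytes):
    """Return (record_offset, type_name, index) for every object-table index
    that is 0 or not below nHandles declared in the EMF header."""
    itype, nsize = struct.unpack_from("<II", emf, 0)
    if itype != EMR_HEADER or nsize < 60:
        raise ValueError("not an EMF file")
    n_handles = struct.unpack_from("<H", emf, 56)[0]  # ENHMETAHEADER.nHandles
    hits, off = [], 0
    while off + 8 <= len(emf):
        rtype, rsize = struct.unpack_from("<II", emf, off)
        if rsize < 8 or rsize % 4 or off + rsize > len(emf):
            raise ValueError(f"malformed record at offset {off}")
        if rtype in INDEXED_RECORDS and rsize >= 12:
            ih = struct.unpack_from("<I", emf, off + 8)[0]
            # Assumption: a stock-object reference is only legitimate in EMR_DELETEOBJECT.
            stock = rtype == EMR_DELETEOBJECT and bool(ih & STOCK_OBJECT_FLAG)
            if not stock and (ih == 0 or ih >= n_handles):
                hits.append((off, INDEXED_RECORDS[rtype], ih))
        if rtype == EMR_EOF:
            break
        off += rsize
    return hits

def build_sample_emf(ih_brush: int, n_handles: int = 4) -> bytes:
    """Constructed minimal EMF: header, one EMR_CREATEBRUSHINDIRECT, EMR_EOF."""
    # EMR_CREATEBRUSHINDIRECT (39): size 24, ihBrush, LogBrush{style, color, hatch}
    brush = struct.pack("<IIIIII", 39, 24, ih_brush, 0, 0x00FF0000, 0)
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)  # nPalEntries, offPalEntries, SizeLast
    header = bytearray(88)
    struct.pack_into("<II", header, 0, EMR_HEADER, 88)
    struct.pack_into("<I", header, 40, 0x464D4520)                    # ' EMF' signature
    struct.pack_into("<I", header, 44, 0x00010000)                    # nVersion
    struct.pack_into("<I", header, 48, 88 + len(brush) + len(eof))    # nBytes
    struct.pack_into("<I", header, 52, 3)                             # nRecords
    struct.pack_into("<H", header, 56, n_handles)                     # nHandles
    return bytes(header) + brush + eof

if __name__ == "__main__":
    print(find_bad_indexes(build_sample_emf(0xDDDDDDDD)))  # index from the crash (r13)
    print(find_bad_indexes(build_sample_emf(1)))           # in range: []
```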
Crash Information
FAULTING_IP:
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+23ff
00007ffa`673f6b1f 892cc6 mov dword ptr [rsi+rax*8],ebp
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffa673f6b1f (CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x00000000000023ff)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000023129b72850
Attempt to write to address 0000023129b72850
CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
rax=00000000dddddddc rbx=0000000000000000 rcx=0000022a3ac83930
rdx=0000000000000020 rsi=0000022a3ac83970 rdi=000000e8986fd720
rip=00007ffa673f6b1f rsp=000000e8986fd440 rbp=0000000000000020
r8=0000000000000000 r9=000000e8986fd720 r10=00007ffa67290000
r11=000000e8986fd478 r12=0000022216b422e4 r13=00000000dddddddd
r14=0000022a3ac60080 r15=0000000000000000
iopl=0 nv up ei ng nz ac po cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x23ff:
00007ffa`673f6b1f 892cc6 mov dword ptr [rsi+rax*8],ebp ds:00000231`29b72850=????????
FAULTING_THREAD: 0000000000001ce8
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
PROCESS_NAME: CorelDRW-APP.exe
ADDITIONAL_DEBUG_TEXT:
You can run '.symfix; .reload' to try to fix the symbol path and load symbols.
MODULE_NAME: CdrGfx
FAULTING_MODULE: 00007ffa982c0000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 576deefd
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 0000023129b72850
WRITE_ADDRESS: 0000023129b72850
FOLLOWUP_IP:
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+23ff
00007ffa`673f6b1f 892cc6 mov dword ptr [rsi+rax*8],ebp
APP: coreldrw-app.exe
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0x1ce8 (0)
Current frame:
Child-SP RetAddr Caller, Callee
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 00007ffa673f7078 to 00007ffa673f6b1f
STACK_TEXT:
000000e8`986fd440 00007ffa`673f7078 : 00000000`00000000 0000022a`3ac60080 00000000`00000000 000000e8`986fd5f1 :
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x23ff
000000e8`986fd480 00007ffa`673f5a5a : 00000222`16b422e4 000000e8`986fd720 000000e8`986fd5f1 00000000`00000001 :
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x2958
000000e8`986fd4d0 00007ffa`673f4e3b : 0000022a`3ac5c700 00000222`16b40000 000000e8`986fd5f1 00000000`00000000 :
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x133a
000000e8`986fd500 00007ffa`9573fe02 : 0000022a`3ac5c700 00000222`16b40000 00000000`00000000 00000000`00000000 :
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x71b
000000e8`986fd530 00007ffa`973f15c1 : 00000222`16b40000 00007ffa`9573e4cf 00000000`ffffffff 000000e8`986fd7a0 :
gdi32full!SetWinMetaFileBits+0xf62
000000e8`986fd650 00007ffa`673f4d60 : 00000000`00000000 000000e8`986fd7a0 00000000`4d461147 00000000`4d461147 :
GDI32!EnumEnhMetaFileStub+0x51
000000e8`986fd6a0 00007ffa`673f46f0 : 00000000`00000001 0000022a`3acd7990 00000000`00000000 00000000`00000001 :
CdrGfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+0x640
000000e8`986fe140 00007ffa`68370eb6 : 00000000`00000001 00007ffa`9573e6d7 0000022a`3ac5c3f0 00000000`00000001 :
CdrGfx!EMF2UDI_PlayEMFFromFileName+0x90
000000e8`986fe210 00007ffa`5b6e3d64 : 0000022a`3ac78068 0000022a`3ac78068 ffffffff`cf461a8e 0000022a`3ac78068 :
VGCore!StartApp+0xa056
000000e8`986fe260 00007ffa`5b6e251e : 00000000`00000001 00000000`00000001 00000000`00000001 00007ffa`761f2c0f :
IEWMF!FilterEntry01+0x1914
000000e8`986fe2d0 00007ffa`75b6097d : 0000022a`3ab1e660 00000000`000000c0 ffffffff`fffffffe 00007ffa`6cf21bb0 :
IEWMF!FilterEntry01+0xce
000000e8`986fe330 00007ffa`75b4e7ff : 00000000`00000000 00000000`00000001 0000022a`3ac78068 00000000`00000000 :
CDRFLT!FLTCLIPDATA::GetClrUsed+0x101d
000000e8`986fe370 00007ffa`678feb6c : 0000022a`00000000 0000022a`3acd7cc8 000000e8`986fe4a8 0000022a`3ac78060 :
CDRFLT!CPT_DROP_SHADOW::LoadFrom+0x4ff
000000e8`986fe4a0 00007ffa`67a26ac5 : 0000022a`3acee8c0 00000222`1883aa28 0000022a`00000001 000000e8`986fe5f0 :
CdrCore!WDrawFilterManager::ImportClip+0x4c
000000e8`986fe4f0 00007ffa`6844ff6b : 00000000`00000000 000000e8`986fe910 00000222`00000000 0000022a`3ac78060 :
CdrCore!WOpenImport::Import+0xd75
000000e8`986fe910 00007ffa`68439012 : 0000022a`3abdddb0 00000222`1454bbb8 000000e8`986fea50 000000e8`00000000 :
VGCore!CDrawlibDoc::Clone+0xa937b
000000e8`986fea00 00007ffa`683adaec : 00000222`18b0c2e0 00007ffa`761f8ad9 000000e8`986febf8 000000e8`986feb80 :
VGCore!CDrawlibDoc::Clone+0x92422
000000e8`986feb30 00007ffa`683ad604 : 00000000`00000000 000000e8`986fec31 00000000`00000000 00000000`00000000 :
VGCore!CDrawlibDoc::Clone+0x6efc
000000e8`986feba0 00007ffa`683795f8 : 000000e8`986fed30 0000022a`3a1865a0 000000e8`986fed68 00000222`1454bbb8 :
VGCore!CDrawlibDoc::Clone+0x6a14
000000e8`986fec80 00007ffa`6839543e : 000000e8`986fee48 0000022a`00000000 00007ffa`68b4e154 0000022a`3aab19f8 :
VGCore!StartApp+0x12798
000000e8`986fee20 00007ffa`683958c9 : 0000022a`3aa2db18 0000022a`392b90a0 0000022a`3aa29608 0000022a`3aa2db18 :
VGCore!StartApp+0x2e5de
000000e8`986fee70 00007ffa`6838022c : 00000000`00000000 0000022a`3a2bf8c0 0000022a`3aa2db18 00000222`187c7820 :
VGCore!StartApp+0x2ea69
000000e8`986fef40 00007ffa`683783fb : 00000000`00000000 00000000`00000001 00000222`18b0c2e0 00000222`18b07480 :
VGCore!StartApp+0x193cc
000000e8`986fef90 00007ffa`6837e4d0 : 00000000`00000000 00000000`00000001 00000000`00000001 00000222`145611e0 :
VGCore!StartApp+0x1159b
000000e8`986ff000 00007ffa`67e7fa1b : 00000222`18b08570 000000e8`986ff2b0 00000000`00000000 00000222`14561238 :
VGCore!StartApp+0x17670
000000e8`986ff030 00007ffa`67e7f6e9 : 000000e8`986ff2b0 00000000`00000001 00000000`00000001 00000222`18b07480 :
CrlFrmWk!WCmnUI_FrameWorkApp::OnIdle+0xdb
000000e8`986ff070 00007ffa`67e7f849 : 00000222`18b07480 000000e8`986ff2b0 000000e8`986ff240 4b18a26b`5f3d1849 :
CrlFrmWk!WCmnUI_FrameWorkApp::RunMessageLoop+0x99
000000e8`986ff100 00007ffa`67e63e49 : 0000022a`3a38e668 00000222`18d64350 00000222`18d64350 00000222`18c2ed58 :
CrlFrmWk!WCmnUI_FrameWorkApp::Run+0x69
000000e8`986ff140 00007ffa`683670dd : 00000222`145e3630 00000222`145e3630 00000222`145e3630 00000000`00000000 :
CrlFrmWk!IAppFramework::GetInstance+0x11a9
000000e8`986ff510 00007ff7`94ec22a2 : 00000222`145f6238 000000e8`986ff680 00000000`00000000 00000222`14542501 :
VGCore!StartApp+0x27d
000000e8`986ff5e0 00007ff7`94ec16be : 000000e8`986ff680 00000000`0000000a 00000000`00000000 00000000`00000003 :
CorelDRW_APP+0x22a2
000000e8`986ff640 00007ff7`94ec78d6 : 00000000`00000000 00007ff7`94ed0de0 00000000`00000000 00000000`0000000a :
CorelDRW_APP+0x16be
000000e8`986ff730 00007ffa`95b38364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 :
CorelDRW_APP+0x78d6
000000e8`986ff770 00007ffa`98325e91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 :
KERNEL32!BaseThreadInitThunk+0x14
000000e8`986ff7a0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 :
ntdll!RtlUserThreadStart+0x21
STACK_COMMAND: .cxr 0x0 ; kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: cdrgfx!EMF2UDI_PlayEMFFromEnhMetaFileHandle+23ff
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: CdrGfx.dll
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: WRONG_SYMBOLS_c0000005_CdrGfx.dll!EMF2UDI_PlayEMFFromEnhMetaFileHandle
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:wrong_symbols_c0000005_cdrgfx.dll!emf2udi_playemffromenhmetafilehandle
FAILURE_ID_HASH: {efbf1f89-ad00-39f3-3352-b0c702d36b36}
Followup: MachineOwner
---------
Timeline
2016-12-23 - Vendor Disclosure
2017-07-20 - Public Release
Discovered by Piotr Bania of Cisco Talos.