Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Corel Software DLL Hijacking



1. *Advisory Information*

Title: Corel Software DLL Hijacking
Advisory ID: CORE-2015-0001
Advisory URL:
http://www.coresecurity.com/advisories/corel-software-dll-hijacking
Date published: 2015-01-12
Date of last update: 2015-01-06
Vendors contacted: Corel
Release mode: User release



2. *Vulnerability Information*

Class: Uncontrolled Search Path Element [CWE-427]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8393, CVE-2014-8394, CVE-2014-8395, CVE-2014-8396,
CVE-2014-8397, CVE-2014-8398



3. *Vulnerability Description*


      Corel [1] has developed a wide range of products that
      includes graphics, painting, photo, video and office software.
(CorelDRAW,Corel
      Photo-Paint, Corel PaintShop Pro, Corel CAD, Corel Painter, Corel PDF
      Fusion, Corel VideoStudio and Corel FastFlick among others)
    


      When a file associated with the Corel software is opened, the
directory of that
      document is first used to locate DLLs, which could allow an
attacker to execute
      arbitrary commands by inserting malicious DLLs into the same
directory as the
      document.
    


4. *Vulnerable packages*

   . Corel DRAW X7 [2]
   . Corel Photo-Paint X7 [3]
   . Corel PaintShop Pro X7 [7]
   . Corel CAD 2014 [4]
   . Corel Painter 2015 [5]
   . Corel PDF Fusion [6]
   . Corel VideoStudio PRO X7 [8]
   . Corel FastFlick [9]

Other versions could be affected too, but they were not checked.


5. *Vendor Information, Solutions and Workarounds*


        Given that this is a client-side vulnerability, affected users
should avoid
        opening untrusted files whose extensions are associated with
Corel software
        and contain any of the DLL files detailed below.
      


6. *Credits*


      This vulnerability was discovered and researched by Marcos
Accossatto from Core Security
      Exploit Writers Team. The publication of this advisory was
coordinated by
      Joaquin Rodriguez Varela from Core Advisories Team.
    


7. *Technical Description / Proof of Concept Code*

[CVE-2014-8393] This vulnerability is caused by a DLL Hijacking when a file
      associated with any of the following Corel applications is
executed (CorelDRAW X7, Corel
      Photo-Paint X7, Corel PaintShop Pro X7, Corel Painter 2015 or
Corel PDF Fusion). The
      affected application should not be running for the vulnerability
to work. The Corel
      software looks for a DLL file called "wintab32.dll" and does not
control its path,
      therefore allowing to copy a malicious DLL file with the same name
inside the folder
      where the associated file is. The DLL is executed within the
context of the application.
    

[CVE-2014-8394] This vulnerability is caused by a DLL Hijacking when a file
      associated with Corel CAD 2014 is executed. Corel CAD 2014 should
not be running before
      the associated file is executed for the vulnerability to work.
Corel CAD looks for a DLL
      file called "FxManagedCommands_3.08_9.tx" or "TD_Mgd_3.08_9.dll"
and does not control their
      path, therefore allowing to copy a malicious DLL file with the
same name of either DLL
      inside the folder where the associated file is. The DLL is
executed within the context of
      the application.
    

[CVE-2014-8395] This vulnerability is caused by a DLL Hijacking when a file
      associated with Corel Painter 2015 is executed. Corel Painter 2015
should not be running
      before the associated file is executed for the vulnerability to
work. Corel Painter looks
      for a DLL file called "wacommt.dll" and does not control its path,
therefore allowing to
      copy a malicious DLL file with the same name inside the folder
where the associated file
      is. The DLL is executed within the context of the application.
    

[CVE-2014-8396] This vulnerability is caused by a DLL Hijacking when a file
      associated with Corel PDF Fusion is executed. Corel PDF Fusion
should not be running
      before the associated file is executed for the vulnerability to
work. Corel PDF Fusion
      looks for a DLL file called "quserex.dll" and does not control its
path, therefore
      allowing to copy a malicious DLL file with the same name inside
the folder where the
      associated file is. The DLL is executed within the context of the
application.
    

[CVE-2014-8397] This vulnerability is caused by a DLL Hijacking when a file
      associated with Corel VideoStudio PRO X7 or Corel FastFlix is
executed. Corel Video
      Studio or Corel FastFlix should not be running before the
associated file is executed
      for the vulnerability to work. Corel PDF Fusion looks for a DLL
file called "u32ZLib.dll"
      and does not control its path, therefore allowing to copy a
malicious DLL file with the
      same name inside the folder where the associated file is. The DLL
is executed within the
      context of the application.
    

[CVE-2014-8398] This vulnerability is caused by a DLL Hijacking when a file
      associated with Corel FastFlick is executed. Corel FastFlick
should not be running before
      the associated file is executed for the vulnerability to work.
Corel FastFlick looks for
      DLL files called "igfxcmrt32.dll", "ipl.dll", "MSPStyleLib.dll",
"uFioUtil.dll",
      "uhDSPlay.dll", "uipl.dll", "uvipl.dll", "VC1DecDll.dll" or
"VC1DecDll_SSE3.dll" and
      does not control their path, therefore allowing to copy a
malicious DLL file with the same
      name of any of those DLLs inside the folder where the associated
file is. The DLL is
      executed within the context of the application.
    


8. *Report Timeline*
. 2014-12-09:
Core Security notifies Corel of the vulnerabilities. Publication date is
set for January 5th, 2015.
      

. 2014-12-17:
Core Security requests an acknowledgement of the mail previously sent.
Informs that if no answer
is registered the advisory will be pubilshed as "user release".
      

. 2015-01-02:
Core Security tries to contact the vendor through their twitter account
without any luck.
      

. 2015-01-12:
Advisory CORE-2015-0001 published as user release.
      


9. *References*

[1] http://www.corel.com/.
[2]
http://www.coreldraw.com/la/product/diseno-grafico-creativo/?hptrack=la2bb1.
[3] http://www.coreldraw.com/la/pages/photo-paint/.
[4] http://www.coreldraw.com/us/product/cad-software/.
[5] http://www.painterartist.com/us/product/paint-program/.
[6] http://www.wordperfect.com/us/product/pdf-creator/.
[7] http://learn.corel.com/photo/courses/course/PaintShop-Pro-X7-Tutorials.
[8]
http://learn.corel.com/video/tutorials/view/232/What-s-New-in-Corel-VideoStudio-Pro-X7.
[9] http://learn.corel.com/video/tutorials/view/236/How-to-Use-FastFlick.


10. *About CoreLabs*

      CoreLabs, the research center of Core Security, is charged with
anticipating
      the future needs and requirements for information security
technologies.
      We conduct our research in several important areas of computer
security
      including system vulnerabilities, cyber attack planning and
simulation,
      source code auditing, and cryptography. Our results include problem
      formalization, identification of vulnerabilities, novel solutions and
      prototypes for new technologies. CoreLabs regularly publishes security
      advisories, technical papers, project information and shared software
      tools for public use at:
      http://corelabs.coresecurity.com.
    


11. *About Core Security*


      Core Security enables organizations to get ahead of threats
      with security test and measurement solutions that continuously
identify
      and demonstrate real-world exposures to their most critical
assets. Our
      customers can gain real visibility into their security standing, real
      validation of their security controls, and real metrics to more
      effectively secure their organizations.
    


      Core Security's software solutions build on over a decade of trusted
      research and leading-edge threat expertise from the company's Security
      Consulting Services, CoreLabs and Engineering groups. Core Security
      can be reached at +1 (617) 399-6980 or on the Web at:
      http://www.coresecurity.com.
    


12. *Disclaimer*


      The contents of this advisory are copyright
      (c) 2014 Core Security and (c) 2014 CoreLabs,
      and are licensed under a Creative Commons
      Attribution Non-Commercial Share-Alike 3.0 (United States) License:
      http://creativecommons.org/licenses/by-nc-sa/3.0/us/


13. *PGP/GPG Keys*


      This advisory has been signed with the GPG key of Core Security
advisories
      team, which is available for download at
     
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
   


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Reply via email to