[FD] Corel Software DLL Hijacking

2015-01-12 Thread CORE Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Corel Software DLL Hijacking



1. *Advisory Information*

Title: Corel Software DLL Hijacking
Advisory ID: CORE-2015-0001
Advisory URL: http://www.coresecurity.com/advisories/corel-software-dll-hijacking
Date published: 2015-01-12
Date of last update: 2015-01-06
Vendors contacted: Corel
Release mode: User release



2. *Vulnerability Information*

Class: Uncontrolled Search Path Element [CWE-427]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8393, CVE-2014-8394, CVE-2014-8395, CVE-2014-8396,
CVE-2014-8397, CVE-2014-8398



3. *Vulnerability Description*


Corel [1] has developed a wide range of products that includes graphics,
painting, photo, video and office software (CorelDRAW, Corel Photo-Paint,
Corel PaintShop Pro, Corel CAD, Corel Painter, Corel PDF Fusion,
Corel VideoStudio and Corel FastFlick, among others).



When a file associated with the Corel software is opened, the directory of
that document is first used to locate DLLs, which could allow an attacker to
execute arbitrary commands by inserting malicious DLLs into the same
directory as the document.



4. *Vulnerable packages*

   . Corel DRAW X7 [2]
   . Corel Photo-Paint X7 [3]
   . Corel PaintShop Pro X7 [7]
   . Corel CAD 2014 [4]
   . Corel Painter 2015 [5]
   . Corel PDF Fusion [6]
   . Corel VideoStudio PRO X7 [8]
   . Corel FastFlick [9]

Other versions could be affected too, but they were not checked.


5. *Vendor Information, Solutions and Workarounds*


Given that this is a client-side vulnerability, affected users should avoid
opening untrusted files whose extensions are associated with Corel software
and contain any of the DLL files detailed below.
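
One way to apply this workaround before opening received files, as an added
example that is not part of the original advisory: a scanner that walks a
folder tree and reports any file carrying one of the DLL names from section 7,
together with the documents sitting beside it. The function names and the
sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# DLL names from section 7 of the advisory, lower-cased because Windows
# file names are case-insensitive. The page's text for CVE-2014-8398 is
# cut off before the DLL name, so that entry is not included.
ADVISORY_DLLS = {
    "wintab32.dll": "CVE-2014-8393",
    "fxmanagedcommands_3.08_9.tx": "CVE-2014-8394",
    "td_mgd_3.08_9.dll": "CVE-2014-8394",
    "wacommt.dll": "CVE-2014-8395",
    "quserex.dll": "CVE-2014-8396",
    "u32zlib.dll": "CVE-2014-8397",
}


def find_planted_dlls(root):
    """Return one finding per advisory DLL name found under `root`.

    Each finding is (directory, dll_file, cve, neighbours); neighbours are
    the other files in that directory, i.e. the documents that would
    trigger the load if opened from there.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            cve = ADVISORY_DLLS.get(name.lower())
            if cve is None:
                continue
            neighbours = sorted(f for f in files
                                if f.lower() not in ADVISORY_DLLS)
            findings.append((dirpath, name, cve, neighbours))
    return sorted(findings)


def demo():
    """Scan a constructed tree: one clean folder, one with a planted name."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("clean/logo.cdr", "share/drawing.cdr",
                    "share/WINTAB32.DLL"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()  # empty placeholder files
        return [(os.path.relpath(d, root), f, cve, n)
                for d, f, cve, n in find_planted_dlls(root)]
```

Point it at download, removable-media or shared folders rather than at system
or driver directories, where a file such as wintab32.dll can be legitimately
installed.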
  


6. *Credits*


This vulnerability was discovered and researched by Marcos Accossatto from
Core Security Exploit Writers Team. The publication of this advisory was
coordinated by Joaquin Rodriguez Varela from Core Advisories Team.



7. *Technical Description / Proof of Concept Code*

[CVE-2014-8393] This vulnerability is caused by DLL hijacking when a file
associated with any of the following Corel applications is executed
(CorelDRAW X7, Corel Photo-Paint X7, Corel PaintShop Pro X7, Corel Painter
2015 or Corel PDF Fusion). The affected application should not be running for
the vulnerability to work. The Corel software looks for a DLL file called
wintab32.dll and does not control its path, which allows a malicious DLL file
with the same name to be copied into the folder where the associated file is.
The DLL is executed within the context of the application.


[CVE-2014-8394] This vulnerability is caused by DLL hijacking when a file
associated with Corel CAD 2014 is executed. Corel CAD 2014 should not be
running before the associated file is executed for the vulnerability to work.
Corel CAD looks for a DLL file called FxManagedCommands_3.08_9.tx or
TD_Mgd_3.08_9.dll and does not control their path, which allows a malicious
DLL file with the same name as either DLL to be copied into the folder where
the associated file is. The DLL is executed within the context of the
application.


[CVE-2014-8395] This vulnerability is caused by DLL hijacking when a file
associated with Corel Painter 2015 is executed. Corel Painter 2015 should not
be running before the associated file is executed for the vulnerability to
work. Corel Painter looks for a DLL file called wacommt.dll and does not
control its path, which allows a malicious DLL file with the same name to be
copied into the folder where the associated file is. The DLL is executed
within the context of the application.


[CVE-2014-8396] This vulnerability is caused by DLL hijacking when a file
associated with Corel PDF Fusion is executed. Corel PDF Fusion should not be
running before the associated file is executed for the vulnerability to work.
Corel PDF Fusion looks for a DLL file called quserex.dll and does not control
its path, which allows a malicious DLL file with the same name to be copied
into the folder where the associated file is. The DLL is executed within the
context of the application.


[CVE-2014-8397] This vulnerability is caused by DLL hijacking when a file
associated with Corel VideoStudio PRO X7 or Corel FastFlick is executed.
Corel VideoStudio or Corel FastFlick should not be running before the
associated file is executed for the vulnerability to work. Corel PDF Fusion
looks for a DLL file called u32ZLib.dll and does not control its path, which
allows a malicious DLL file with the same name to be copied into the folder
where the associated file is. The DLL is executed within the context of the
application.


[CVE-2014-8398] This vulnerability is caused by DLL hijacking when a file
associated with Corel FastFlick is executed. Corel FastFlick should not be
running before the associated file is executed for the vulnerability to work.
Corel FastFlick looks for

