[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CORE-2009-1126] Corel Paint Shop Pro Photo X2 FPX Heap Overflow

Hash: SHA1

      Core Security Technologies - CoreLabs Advisory

     Corel Paint Shop Pro Photo X2 FPX Heap Overflow

1. *Advisory Information*

Title: Corel Paint Shop Pro Photo X2 FPX Heap Overflow
Advisory Id: CORE-2009-1126
Advisory URL:
Date published: 2010-02-01
Date of last update: 2010-02-01
Vendors contacted: Corel
Release mode: User release

2. *Vulnerability Information*

Class: Heap-based Buffer Overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 37980
CVE Name: N/A

3. *Vulnerability Description*

Corel Paint Shop Pro Photo X2 [2] is a professional image editing
software, that allows users to edit photos, create graphics, draw and
paint. Corel Paint Shop Pro Photo X2 is prone to a heap-based buffer
overflow when processing malformed FPX files, because it trusts
user-controlled data located inside a FPX file and uses it as a loop
counter when copying data from a FPX file into a fixed-size buffer
located in the heap. This vulnerability can be exploited to overwrite
adjacent heap chunks metadata, and possibly to gain arbitrary code

4. *Vulnerable packages*

   . Corel Paint Shop Pro Photo X2 Ultimate 12.50
   . Older versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

The vendor did not provide fixes or workaround information.

To prevent an accidental trigger of the vulnerability, you can disable
the 'Preview' feature that exists in the 'File/Open' dialog.
Furthermore, avoid opening FPX files coming from untrusted sources.

6. *Credits*

This vulnerability was discovered and researched by Francisco Falcon
from Core Security Technologies during Bugweek 2009 [1].

The publication of this advisory was coordinated by Carlos Sarraute from
Core Security Advisories team.

7. *Technical Description / Proof of Concept Code*

Corel Paint Shop Pro Photo X2 is prone to a heap-based buffer overflow
when processing malformed FPX files, because it trusts user-controlled
data located inside a FPX file and uses it as a loop counter when
copying data from a FPX file into a fixed-size buffer located in the
heap. This vulnerability can be exploited to overwrite adjacent heap
chunks metadata, and possibly to gain arbitrary code execution (though
it does not seem easy).

When processing certain structures from a FPX file, Corel Paint Shop Pro
Photo X2 allocates fixed-size (0xC08 bytes) buffers, and copies data
from the FPX file to that buffer. But the application trusts certain
bytes from the FPX file and uses them as loop counters for the copy
operation, without properly verifying that these bytes have legal
values. If those user-controlled bytes used as counters have large
values, the buffer overflow will be triggered.

First of all, the application allocates a 0xC08-bytes long buffer, by
calling 'malloc()' with a constant value:

[Module: JPEGACC.dll]

095F4D97  |.  68 080C0000   PUSH 0C08
;size of the buffer to be allocated
095F4D9C  |.  E8 9F4D0000   CALL JPEGACC.095F9B40
;call to malloc()
095F4DA1  |.  83C4 04       ADD ESP,4
095F4DA4  |.  894424 10     MOV DWORD PTR SS:[ESP+10],EAX
;saves the pointer returned by malloc()

- -----/

After that, it starts copying data from the FPX file to the recently
allocated buffer. As we can see in the following disassembled code
excerpt, the byte located at the offset 0x1406 in the FPX file provided
as a proof-of-concept with this advisory is interpreted as the loop
counter for the inner loop, thus determining how many times the copy
operation will be called. The copy operation is performed inside the
call to address 09264C50. The data that is copied into the buffer is
partially fetched from the FPX file too, starting from offset 0x1416.

[Module: JPEGACC.dll]

09264DD2  |>  8B6C24 24     /MOV EBP,DWORD PTR SS:[ESP+24]
09264DD6  |.  33D2          |XOR EDX,EDX
09264DD8  |.  8A55 00       |MOV DL,BYTE PTR SS:[EBP]                ;
byte at offset 0x1406 in the FPX file (user controlled)
09264DDB  |.  45            |INC EBP
09264DDC  |.  8BFA          |MOV EDI,EDX                             ;
EDI=inner loop counter, byte at offset 0x1406 (user controlled)
09264DDE  |.  896C24 24     |MOV DWORD PTR SS:[ESP+24],EBP
09264DE2  |.  85FF          |TEST EDI,EDI
09264DE4  |.  74 28         |JE SHORT JPEGACC.09264E0E
09264DE6  |.  7E 26         |JLE SHORT JPEGACC.09264E0E
09264DE8  |.  8D68 08       |LEA EBP,DWORD PTR DS:[EAX+8]
09264DEB  |>  8B5424 28     |/MOV EDX,DWORD PTR SS:[ESP+28]          ;
EDX starts pointing to offset 0x1416 of the FPX file
09264DEF  |.  33C0          ||XOR EAX,EAX
09264DF1  |.  8BCE          ||MOV ECX,ESI
09264DF3  |.  55            ||PUSH EBP
09264DF4  |.  8A02          ||MOV AL,BYTE PTR DS:[EDX]               ;
reads bytes starting from offset 0x1416 (user controlled)
09264DF6  |.  46            ||INC ESI
09264DF7  |.  53            ||PUSH EBX
09264DF8  |.  42            ||INC EDX
09264DF9  |.  50            ||PUSH EAX
09264DFA  |.  51            ||PUSH ECX
09264DFB  |.  895424 38     ||MOV DWORD PTR SS:[ESP+38],EDX
09264DFF  |.  E8 4CFEFFFF   ||CALL JPEGACC.09264C50                  ;
copies user-controlled data to the buffer
09264E04  |.  83C4 10       ||ADD ESP,10
09264E07  |.  4F            ||DEC EDI                                ;
is the loop counter == 0?
09264E08  |.^ 75 E1         |\JNZ SHORT JPEGACC.09264DEB             ;
if not, repeat the copy operation
09264E0A  |.  8B4424 10     |MOV EAX,DWORD PTR SS:[ESP+10]
09264E0E  |>  D1E6          |SHL ESI,1
09264E10  |.  43            |INC EBX
09264E11  |.  83FB 08       |CMP EBX,8
09264E14  |.^ 7E BC         \JLE SHORT JPEGACC.09264DD2

- -----/

Each iteration of the inner loop will copy 0x80 objects to the buffer,
each one with a size of 8 bytes. That means that the buffer, with a size
of 0xC08 bytes, will be able to handle a maximum of three iterations;
so, an attacker can trigger the buffer overflow by enticing an
unsuspecting user to open a specially crafted FPX file with a value
greater than 3 in the byte at offset 0x1406. When the bug is triggered,
the attacker will be able to write controlled bytes at certain positions
after the end of the buffer. After exiting the outer loop, the
application enters another loop, where it will write several dwords with
a value of 0 into the buffer. The application iterates here as many
times as objects were copied to the buffer; that is, a multiple of 0x80.

[Module: JPEGACC.dll]

09264E26  |.  8BD6          MOV EDX,ESI                              ;
EDX = number of objects copied to the buffer
09264E28  |>  C701 00000000 /MOV DWORD PTR DS:[ECX],0
09264E2E  |.  83C1 08       |ADD ECX,8
09264E31  |.  4A            |DEC EDX
09264E32  |.^ 75 F4         \JNZ SHORT JPEGACC.09264E28

- -----/

If the FPX file being processed has triggered the buffer overflow as
described in the previous step, this loop will be writing beyond the
limits of the buffer too, thus corrupting memory contents beyond the end
of it, including adjacent chunks metadata. That will ultimately cause a
memory access violation when the application tries to free the allocated
buffer by calling 'ntdll.RtlFreeHeap':

[Module: ntdll.dll]

7C9108D3    8902            MOV DWORD PTR DS:[EDX],EAX

Access violation when writing to [00000000]

- -----/

8. *Report Timeline*

. 2009-12-02:
Being unable to find a security contact on Corel website, Core Security
Technologies requests CERT/CC for assistance in contacting Corel to
report a security vulnerability.

. 2009-12-02:
CERT/CC informs Core that it will attempt to contact Corel.

. 2009-12-22:
Core sends a message to Corel Customer Services (through their website
[3]) requesting a security contact, and announcing its intention to
publish advisory CORE-2009-1126 on February 1st, 2010.

. 2009-12-23:
Corel Customer Support Services sends a generic reply without providing
a security contact.

. 2010-01-12:
Core Security Technologies requests again a security contact to Corel
Customer Services (through their website), and reminds Corel its
intention to publish the advisory CORE-2009-1126 on February 1st, 2010.

. 2010-01-15:
Corel Customer Support team acknowledges notification, and requests the
technical information about the security vulnerability, that will be
forwarded to the PaintShop Pro team.

. 2010-01-16:
Core Security Technologies sends the advisory draft, containing a
technical description of the vulnerability (no reply received).

. 2010-01-27:
Core Security Technologies reminds Corel that its advisory is scheduled
for publication on February 1st, 2010, and that the advisory will be
published as "user release" if Corel doesn't reply with a plan for
fixing the vulnerability.

. 2010-02-01:
Given the lack of response from Corel, the advisory CORE-2009-1126 is
published as "user release".

9. *References*

[1] The author participated in Core Security's Bugweek 2009 as member of
the team "Estupido y Sensual Flanders".
[2] Corel Paint Shop Pro Photo X2
[3] Corel Customer Services

10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:

11. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at

12. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/