Title: Corel Paint Shop Pro Photo X2 FPX Heap Overflow
Advisory Id: CORE-2009-1126
Advisory URL: http://www.coresecurity.com/content/corel-paintshop-heap-overflow
Date published: 2010-02-01
Date of last update: 2010-02-01
Vendors contacted: Corel
Release mode: User release
Corel Paint Shop Pro Photo X2  is a professional image editing software, that allows users to edit photos, create graphics, draw and paint. Corel Paint Shop Pro Photo X2 is prone to a heap-based buffer overflow when processing malformed FPX files, because it trusts user-controlled data located inside a FPX file and uses it as a loop counter when copying data from a FPX file into a fixed-size buffer located in the heap. This vulnerability can be exploited to overwrite adjacent heap chunks metadata, and possibly to gain arbitrary code execution.
- Corel Paint Shop Pro Photo X2 Ultimate 12.50
- Older versions are probably affected too, but they were not checked.
Vendor Information, Solutions and Workarounds
The vendor did not provide fixes or workaround information.
To prevent an accidental trigger of the vulnerability, you can disable the
Preview feature that exists in the
File/Open dialog. Furthermore, avoid opening FPX files coming from untrusted sources.
This vulnerability was discovered and researched by Francisco Falcon from Core Security Technologies during Bugweek 2009 .
The publication of this advisory was coordinated by Carlos Sarraute from Core Security Advisories team.
Technical Description / Proof of Concept Code
Corel Paint Shop Pro Photo X2 is prone to a heap-based buffer overflow when processing malformed FPX files, because it trusts user-controlled data located inside a FPX file and uses it as a loop counter when copying data from a FPX file into a fixed-size buffer located in the heap. This vulnerability can be exploited to overwrite adjacent heap chunks metadata, and possibly to gain arbitrary code execution (though it does not seem easy).
When processing certain structures from a FPX file, Corel Paint Shop Pro Photo X2 allocates fixed-size (0xC08 bytes) buffers, and copies data from the FPX file to that buffer. But the application trusts certain bytes from the FPX file and uses them as loop counters for the copy operation, without properly verifying that these bytes have legal values. If those user-controlled bytes used as counters have large values, the buffer overflow will be triggered.
First of all, the application allocates a 0xC08-bytes long buffer, by calling
malloc() with a constant value:
[Module: JPEGACC.dll] 095F4D97 |. 68 080C0000 PUSH 0C08 ;size of the buffer to be allocated 095F4D9C |. E8 9F4D0000 CALL JPEGACC.095F9B40 ;call to malloc() 095F4DA1 |. 83C4 04 ADD ESP,4 095F4DA4 |. 894424 10 MOV DWORD PTR SS:[ESP+10],EAX ;saves the pointer returned by malloc()
After that, it starts copying data from the FPX file to the recently allocated buffer. As we can see in the following disassembled code excerpt, the byte located at the offset 0x1406 in the FPX file provided as a proof-of-concept with this advisory is interpreted as the loop counter for the inner loop, thus determining how many times the copy operation will be called. The copy operation is performed inside the call to address 09264C50. The data that is copied into the buffer is partially fetched from the FPX file too, starting from offset 0x1416.
[Module: JPEGACC.dll] 09264DD2 |> 8B6C24 24 /MOV EBP,DWORD PTR SS:[ESP+24] 09264DD6 |. 33D2 |XOR EDX,EDX 09264DD8 |. 8A55 00 |MOV DL,BYTE PTR SS:[EBP] ; byte at offset 0x1406 in the FPX file (user controlled) 09264DDB |. 45 |INC EBP 09264DDC |. 8BFA |MOV EDI,EDX ; EDI=inner loop counter, byte at offset 0x1406 (user controlled) 09264DDE |. 896C24 24 |MOV DWORD PTR SS:[ESP+24],EBP 09264DE2 |. 85FF |TEST EDI,EDI 09264DE4 |. 74 28 |JE SHORT JPEGACC.09264E0E 09264DE6 |. 7E 26 |JLE SHORT JPEGACC.09264E0E 09264DE8 |. 8D68 08 |LEA EBP,DWORD PTR DS:[EAX+8] 09264DEB |> 8B5424 28 |/MOV EDX,DWORD PTR SS:[ESP+28] ; EDX starts pointing to offset 0x1416 of the FPX file 09264DEF |. 33C0 ||XOR EAX,EAX 09264DF1 |. 8BCE ||MOV ECX,ESI 09264DF3 |. 55 ||PUSH EBP 09264DF4 |. 8A02 ||MOV AL,BYTE PTR DS:[EDX] ; reads bytes starting from offset 0x1416 (user controlled) 09264DF6 |. 46 ||INC ESI 09264DF7 |. 53 ||PUSH EBX 09264DF8 |. 42 ||INC EDX 09264DF9 |. 50 ||PUSH EAX 09264DFA |. 51 ||PUSH ECX 09264DFB |. 895424 38 ||MOV DWORD PTR SS:[ESP+38],EDX 09264DFF |. E8 4CFEFFFF ||CALL JPEGACC.09264C50 ; copies user-controlled data to the buffer 09264E04 |. 83C4 10 ||ADD ESP,10 09264E07 |. 4F ||DEC EDI ; is the loop counter == 0? 09264E08 |.^ 75 E1 |\JNZ SHORT JPEGACC.09264DEB ; if not, repeat the copy operation 09264E0A |. 8B4424 10 |MOV EAX,DWORD PTR SS:[ESP+10] 09264E0E |> D1E6 |SHL ESI,1 09264E10 |. 43 |INC EBX 09264E11 |. 83FB 08 |CMP EBX,8 09264E14 |.^ 7E BC \JLE SHORT JPEGACC.09264DD2
Each iteration of the inner loop will copy 0x80 objects to the buffer, each one with a size of 8 bytes. That means that the buffer, with a size of 0xC08 bytes, will be able to handle a maximum of three iterations; so, an attacker can trigger the buffer overflow by enticing an unsuspecting user to open a specially crafted FPX file with a value greater than 3 in the byte at offset 0x1406. When the bug is triggered, the attacker will be able to write controlled bytes at certain positions after the end of the buffer. After exiting the outer loop, the application enters another loop, where it will write several dwords with a value of 0 into the buffer. The application iterates here as many times as objects were copied to the buffer; that is, a multiple of 0x80.
[Module: JPEGACC.dll] 09264E26 |. 8BD6 MOV EDX,ESI ; EDX = number of objects copied to the buffer 09264E28 |> C701 00000000 /MOV DWORD PTR DS:[ECX],0 09264E2E |. 83C1 08 |ADD ECX,8 09264E31 |. 4A |DEC EDX 09264E32 |.^ 75 F4 \JNZ SHORT JPEGACC.09264E28
If the FPX file being processed has triggered the buffer overflow as described in the previous step, this loop will be writing beyond the limits of the buffer too, thus corrupting memory contents beyond the end of it, including adjacent chunks metadata. That will ultimately cause a memory access violation when the application tries to free the allocated buffer by calling
[Module: ntdll.dll] 7C9108D3 8902 MOV DWORD PTR DS:[EDX],EAX Access violation when writing to 
Being unable to find a security contact on Corel website, Core Security Technologies requests CERT/CC for assistance in contacting Corel to report a security vulnerability.
CERT/CC informs Core that it will attempt to contact Corel.
Core sends a message to Corel Customer Services (through their website ) requesting a security contact, and announcing its intention to publish advisory CORE-2009-1126 on February 1st, 2010.
Corel Customer Support Services sends a generic reply without providing a security contact.
Core Security Technologies requests again a security contact to Corel Customer Services (through their website), and reminds Corel its intention to publish the advisory CORE-2009-1126 on February 1st, 2010.
Corel Customer Support team acknowledges notification, and requests the technical information about the security vulnerability, that will be forwarded to the PaintShop Pro team.
Core Security Technologies sends the advisory draft, containing a technical description of the vulnerability (no reply received).
Core Security Technologies reminds Corel that its advisory is scheduled for publication on February 1st, 2010, and that the advisory will be published as "user release" if Corel doesn't reply with a plan for fixing the vulnerability.
Given the lack of response from Corel, the advisory CORE-2009-1126 is published as "user release".
 The author participated in Core Security's Bugweek 2009 as member of the team "Estúpido y Sensual Flanders".
 Corel Paint Shop Pro Photo X2
 Corel Customer Services
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.
About Core Security Technologies
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.