Corel PDF Fusion Stack Buffer Overflow in XPS Parsing (July 19, 2013)
Corel PDF Fusion is a Microsoft Windows based PDF creator software which lets users view more than 100 different file types along with assembling, editing and generating PDFs. It provides an easy to use drag and drop functionality to combine multiple file types to one PDF package. It also enables file conversion to PDF, DOC and XPS file types.
An XPS file is a Zip archive and is made up of files that constitute the XPS document. As per ZIP format specification, every file that is a part of the archive has a corresponding Local File Header followed by File Data. Local File Header structure stores file-specific information like File Size, File Name Length, File Name, etc. A stack overflow vulnerability exists in Corel PDF Fusion due to insufficient bounds check which can be triggered when it tries to parse the File Name Length and File Name fields. Successful exploitation could enable arbitrary code execution in the security context of the logged-in user. The vulnerability has been assigned a CVE-2013-3248. Dell SonicWALL has researched the vulnerability and released a GAV signature to detect and block specific exploitation attempts targeting this vulnerability. Following are signature details:- 20816 Malformed.xps.TL.1
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
