Corel PDF Fusion Stack Buffer Overflow in XPS Parsing

July 19, 2013

Corel PDF Fusion is a Microsoft Windows-based PDF creation application that lets users view more than 100 different file types and assemble, edit and generate PDFs. It provides easy-to-use drag-and-drop functionality to combine multiple file types into one PDF package. It also enables file conversion to the PDF, DOC and XPS file types.

An XPS file is a ZIP archive made up of the files that constitute the XPS document. As per the ZIP format specification, every file that is part of the archive has a corresponding Local File Header followed by the File Data. The Local File Header structure stores file-specific information such as File Size, File Name Length, File Name, etc.

A stack buffer overflow vulnerability exists in Corel PDF Fusion due to an insufficient bounds check, and it can be triggered when the application parses the File Name Length and File Name fields. Successful exploitation could enable arbitrary code execution in the security context of the logged-in user.
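The bounds check this class of bug lacks, shown as an added example (not Corel's code): the 16-bit File Name Length at offset 26 of the Local File Header is validated against both the remaining input and the destination buffer before the name is copied. The 64-byte buffer size, the function names and the sample headers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LFH_SIG   0x04034b50u /* "PK\3\4" read as little-endian */
#define LFH_FIXED 30          /* fixed-size part of a Local File Header */
#define NAME_BUF  64          /* assumed destination size for this example */

enum lfh_status { LFH_OK, LFH_TRUNCATED, LFH_BAD_SIG, LFH_NAME_TOO_LONG };

static uint32_t rd_le(const uint8_t *p, int n)
{
    uint32_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}

/* Copy the entry name into out only if it fits the input and the buffer. */
enum lfh_status lfh_read_name(const uint8_t *buf, size_t len,
                              char *out, size_t out_size)
{
    if (len < LFH_FIXED) return LFH_TRUNCATED;
    if (rd_le(buf, 4) != LFH_SIG) return LFH_BAD_SIG;
    size_t name_len = rd_le(buf + 26, 2);   /* untrusted, 0..65535 */
    if (name_len > len - LFH_FIXED) return LFH_TRUNCATED;
    if (name_len >= out_size) return LFH_NAME_TOO_LONG; /* keep room for NUL */
    memcpy(out, buf + LFH_FIXED, name_len);
    out[name_len] = '\0';
    return LFH_OK;
}

/* Constructed input: header declares `declared` name bytes, `present` supplied. */
int demo(uint16_t declared, size_t present)
{
    uint8_t in[LFH_FIXED + 512] = { 0x50, 0x4b, 0x03, 0x04 };
    char name[NAME_BUF];
    if (present > 512) present = 512;
    memset(in + LFH_FIXED, 'A', present);
    in[26] = (uint8_t)(declared & 0xff);
    in[27] = (uint8_t)(declared >> 8);
    return (int)lfh_read_name(in, LFH_FIXED + present, name, sizeof name);
}

int main(void)
{
    printf("%d %d %d\n", demo(9, 9), demo(400, 400), demo(400, 10));
    return 0;
}
```

A parser that trusts the declared length and copies into a fixed stack buffer without the two comparisons above is the pattern the advisory describes.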

The vulnerability has been assigned CVE-2013-3248.

Dell SonicWALL has researched the vulnerability and released a GAV signature to detect and block specific exploitation attempts targeting this vulnerability. The signature details are as follows:

  • 20816 Malformed.xps.TL.1