Oracle Outside In CorelDRAW Integer Overflow

November 8, 2011

Oracle Outside In Technology provides software developers with a comprehensive solution to access, transform, and control the contents of unstructured file formats. The file formats include from the office suites, such as Microsoft Office 2007, to specialty formats and legacy files. The tool from Outside In is embedded by multiple client and server products that need parsing of various file formats.

CorelDRAW is a vector graphics editor developed and marketed by Corel Corporation. CorelDRAW uses CDR file format, which is a proprietary file format developed by Corel Corporation and primarily used for vector graphic drawings. Outside In supports Corel Corporation's CDR file format. This file format is encoded in the hierarchical Resource Interchange File Format (RIFF) format. RIFF is based on the Interchange File Format (IFF) and all multi-byte integers are in little-endian format. The basic storage structure of RIFF is called a chunk. The format of a chunk is illustrated as below:

 Offset Type    Description ------ ------- ----------------------------------------------------------------- 0x0000 Byte[4] four ASCII character identifier, padded with space if less than 4 0x0004 DWORD   *Size* of Data 0x0008 Byte[]  Size bytes of data, plus one padding byte if Size is odd 

The structure of a CorelDRAW file is not publicly known. The following structure represents the reverse engineering of the format:

 RIFF ('CDR8' or 'CDR7' 	'vrsn' (version number?) 	'DISP' 	LIST ('INFO' 		'IKEY' 		... 		) 	LIST ('CMPR' ...) 		LIST ('doc ' 			'mcfg' 			'ptrt' 			LIST('stlt' 				 				) 		) 	) 

An integer overflow vulnerability exists in Oracle Outside In. The vulnerability is due to improper bounds checking of the user-supplied chunk data. The data will be used to calculate the size of allocation memory and the memory is filled with user supplied chunk data. Remote attackers could exploit the vulnerability to inject and execute arbitrary code in the context of the vulnerable service or user application.

SonicWALL UTM team has researched this vulnerability and created the following IPS signature to detect the attack attempts.

  • 2483 Oracle Outside In CorelDRAW File Parser Integer Overflow

This vulnerability has been referred by CVE as CVE-2011-3541.