CVE-2013-0742
Published 2013-10-03
Priority: P260, critical, CVSS 2.0 score 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 34.71% (98.2th percentile)
Stack-based buffer overflow in Corel PDF Fusion 1.11 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a long ZIP directory entry name in an XPS file.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| corel | pdf_fusion | — | — |
Detection & IOCs (extracted from sources)
- Malicious XPS file contains an abnormally long ZIP directory entry name under the 'Resources/' path prefix, exceeding 4640 bytes, triggering a stack-based buffer overflow in Corel PDF Fusion 1.11.
- The exploit appends ~1500 bytes of padding after the SEH record within the ZIP entry name to trigger the exception; monitor for XPS/ZIP files with entry names of unusual length (thousands of bytes).
- The return address used in the exploit is 0x00280b0b (from unicode.nls, 'call dword ptr ss:[ebp+0x30]') on Windows XP SP3 with Corel PDF Fusion 1.11 (CorelFusion.exe 2.6.2.0); presence of this address in a crash/exception context is a strong indicator of exploitation.
- The crafted XPS file is a ZIP archive containing a fixed set of internal paths including '[Content_Types].xml', '_rels/.rels', 'FixedDocSeq.fdseq', and 'Documents/1/Pages/1.fpage'; presence of all these alongside an oversized Resources/ entry is suspicious.
- Target process to monitor for exploitation is CorelFusion.exe version 2.6.2.0; anomalous crashes or shellcode execution originating from this process should be investigated.
- The ROP/return address (0x00280b0b) and offset (4640) are specific to Corel PDF Fusion 1.11 build 2012/04/25 on Windows XP SP3 with all updates; exploitation against other OS versions or patch levels will require different values.
- Exploitation requires user interaction: the target must manually open the crafted XPS file with Corel PDF Fusion; this is not a remote network-exploitable vector without social engineering.
- The NVD entry references CVE-2013-0742, but the Metasploit module references CVE-2013-3248; analysts should track both CVE identifiers when searching for related detections or patches.
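A triage check for the file-level indicators above, as an added example that is not part of the original page or of any vendor tooling. The 260-byte default threshold (Windows MAX_PATH) and the names `scan_xps` and `build_sample` are assumptions; the sample input is constructed and uses a 300-byte name only to exercise the check.

```python
import io
import zipfile

# Internal paths the page lists for the crafted XPS container.
XPS_PARTS = {"[Content_Types].xml", "_rels/.rels",
             "FixedDocSeq.fdseq", "Documents/1/Pages/1.fpage"}
MAX_NAME_BYTES = 260  # assumed triage threshold (Windows MAX_PATH), not from the page


def scan_xps(data, max_name_bytes=MAX_NAME_BYTES):
    """Return a list of findings for one XPS/ZIP blob; an empty list means clean."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A container the parser rejects still deserves a manual look.
        return ["unparseable ZIP container"]
    with zf:
        names = [zi.orig_filename for zi in zf.infolist()]
    findings = []
    for name in names:
        # UTF-8 re-encoding is exact for UTF-8 names and can only
        # overestimate legacy cp437 names, which is the safe direction.
        size = len(name.encode("utf-8"))
        if size > max_name_bytes:
            where = "under" if name.startswith("Resources/") else "outside"
            findings.append(f"entry name of {size} bytes {where} Resources/")
    if findings and XPS_PARTS.issubset(names):
        findings.append("all four XPS skeleton parts present alongside oversized name")
    return findings


def build_sample(name_len):
    """Constructed test input: XPS-shaped ZIP with one empty Resources/ entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part in sorted(XPS_PARTS):
            zf.writestr(part, "")
        zf.writestr("Resources/" + "A" * name_len, "")
    return buf.getvalue()


if __name__ == "__main__":
    for label, n in (("benign", 12), ("oversized", 300)):
        print(label, scan_xps(build_sample(n)))
```

Run it over mail attachments or download directories before files reach a host with Corel PDF Fusion installed; tune `max_name_bytes` to what legitimate XPS producers in your environment emit.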