CVE-2013-0742
published 2013-10-03

CVE-2013-0742: Stack-based buffer overflow in Corel PDF Fusion 1.11 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a…

Priority: P2 60, critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 34.71% (98.2th percentile)
Stack-based buffer overflow in Corel PDF Fusion 1.11 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a long ZIP directory entry name in an XPS file.

Affected

1 range
Vendor | Product | Version range | Fixed in
corel | pdf_fusion | |

Detection & IOCs (extracted from sources)

other: 0x00280b0b
  • Malicious XPS file contains an abnormally long ZIP directory entry name under the 'Resources/' path prefix, exceeding 4640 bytes, triggering a stack-based buffer overflow in Corel PDF Fusion 1.11.
  • The exploit appends ~1500 bytes of padding after the SEH record within the ZIP entry name to trigger the exception; monitor for XPS/ZIP files with entry names of unusual length (thousands of bytes).
  • The return address used in the exploit is 0x00280b0b (from unicode.nls, 'call dword ptr ss:[ebp+0x30]') on Windows XP SP3 with Corel PDF Fusion 1.11 (CorelFusion.exe 2.6.2.0); presence of this address in a crash/exception context is a strong indicator of exploitation.
  • The crafted XPS file is a ZIP archive containing a fixed set of internal paths including '[Content_Types].xml', '_rels/.rels', 'FixedDocSeq.fdseq', and 'Documents/1/Pages/1.fpage'; presence of all these alongside an oversized Resources/ entry is suspicious.
  • Target process to monitor for exploitation is CorelFusion.exe version 2.6.2.0; anomalous crashes or shellcode execution originating from this process should be investigated.
  • The ROP/return address (0x00280b0b) and offset (4640) are specific to Corel PDF Fusion 1.11 build 2012/04/25 on Windows XP SP3 with all updates; exploitation against other OS versions or patch levels will require different values.
  • Exploitation requires user interaction: the target must manually open the crafted XPS file with Corel PDF Fusion; this is not a remote network-exploitable vector without social engineering.
  • The NVD entry references CVE-2013-0742, but the Metasploit module references CVE-2013-3248; analysts should track both CVE identifiers when searching for related detections or patches.
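
One way to implement the entry-name length check from the list above, as an added example that is not taken from the sources quoted on this page. The 1024-byte threshold, the function names and the in-memory sample are assumptions made for illustration.

```python
import io
import sys
import zipfile

# Assumption: 1024 bytes is a conservative cut-off. The page only states that
# the overflow needs a name longer than 4640 bytes ("thousands of bytes").
NAME_LIMIT = 1024

def long_entry_names(source, limit=NAME_LIMIT):
    """Return [(byte_length, name_prefix, under_resources)] for oversized names.

    source is a path or a binary file object. Only the ZIP central directory
    is read; no member is decompressed. Returns None for an unreadable ZIP.
    """
    findings = []
    try:
        with zipfile.ZipFile(source) as archive:
            for info in archive.infolist():
                # Bit 11 of the general-purpose flags marks a UTF-8 name;
                # otherwise zipfile decoded the name as CP437.
                codec = "utf-8" if info.flag_bits & 0x800 else "cp437"
                size = len(info.filename.encode(codec, "replace"))
                if size > limit:
                    findings.append((size, info.filename[:40],
                                     info.filename.startswith("Resources/")))
    except zipfile.BadZipFile:
        return None  # not a readable ZIP/XPS container; triage separately
    return findings

def constructed_sample(name_len):
    """Build an in-memory ZIP (constructed test data, not a real XPS file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("Resources/" + "A" * name_len, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Usage: python scan_xps.py file1.xps file2.xps ...
    for path in sys.argv[1:]:
        hits = long_entry_names(path)
        if hits is None:
            print(f"{path}: unreadable ZIP container")
        for size, prefix, in_resources in hits or []:
            print(f"{path}: {size}-byte entry name {prefix!r}... "
                  f"under Resources/: {in_resources}")
```

A hit under `Resources/` matches the pattern described above; a hit elsewhere is still worth triage because no legitimate XPS part name needs to be that long.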