CVE-2013-3248
published 2013-10-03


Priority: P356
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 18.56% (96.9th percentile)

Untrusted search path vulnerability in Corel PDF Fusion 1.11 allows local users to gain privileges via a Trojan horse wintab32.dll file in the current working directory, as demonstrated by a directory that contains a .pdf or .xps file.

Affected

1 range
Vendor | Product | Version range | Fixed in
corel | pdf_fusion | |

Detection & IOCs (extracted from sources)

filename: wintab32.dll
other: RET=0x00280b0b, Offset=4640 (Corel PDF Fusion 1.11 / Windows XP SP3)
  • Monitor for DLL search-order hijacking: watch for wintab32.dll being loaded from the current working directory (e.g., a directory containing a .pdf or .xps file) rather than from a trusted system path.
  • Detect malicious XPS files exploiting CVE-2013-3248 by inspecting ZIP-structured .xps archives for an entry under 'Resources/' whose name is padded to approximately 4640+ characters (used to overflow the stack buffer).
  • The exploit constructs a ZIP/XPS archive containing a crafted 'Resources/' entry name of excessive length (resources_length + SEH overwrite + ~1500 bytes of padding) to trigger the stack buffer overflow in CorelFusion.exe.
  • The Metasploit module targets CorelFusion.exe version 2.6.2.0 (build 2012/04/25:21:00:00) on Windows XP SP3; use the return address 0x00280b0b (from unicode.nls via 'call dword ptr ss:[ebp+0x30]') as a detection pivot for memory forensics.
  • The DLL hijacking vector (wintab32.dll) requires the attacker to place the malicious DLL in the same directory as a .pdf or .xps file that the victim opens; exploitation is local and requires write access to that directory.
  • The stack buffer overflow exploit (Metasploit module) requires user interaction: the victim must manually open the crafted XPS file with Corel PDF Fusion 1.11.
  • The provided return address (0x00280b0b) and offset (4640) are specific to Corel PDF Fusion 1.11 build 2012/04/25 on Windows XP SP3; the exploit may not work reliably on other OS versions or patch levels.
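The XPS inspection described in the detection notes above can be scripted. The following is an added example, not code from this page or its sources: the function name `suspicious_xps_entries` is hypothetical, the default threshold is the 4640 offset quoted above, and both sample archives are constructed in memory.

```python
import io
import zipfile

# Offset quoted on this page for Corel PDF Fusion 1.11; lower it to be stricter.
NAME_LEN_THRESHOLD = 4640


def suspicious_xps_entries(data, threshold=NAME_LEN_THRESHOLD):
    """Scan raw .xps bytes for overlong 'Resources/' entry names.

    Returns a list of (name_prefix, name_length) tuples, or None when the
    input is not a ZIP container at all.
    """
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Tolerate a leading slash and mixed case in part names.
                name = info.filename.lstrip("/")
                if name.lower().startswith("resources/") and len(name) >= threshold:
                    # Keep only a short prefix so reports stay readable.
                    hits.append((name[:40], len(name)))
    except zipfile.BadZipFile:
        return None
    return hits


def _build_sample(entry_name):
    """Build a minimal constructed XPS-like ZIP holding one extra entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(entry_name, b"")
    return buf.getvalue()


# Constructed samples: an ordinary resource name and a padded one.
BENIGN = _build_sample("Resources/Fonts/font1.odttf")
OVERLONG = _build_sample("Resources/" + "A" * 5000)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("overlong", OVERLONG)):
        print(label, suspicious_xps_entries(blob))
```

Only the archive's entry names are read, so the check can run on mail or file-share content without opening the document in a viewer.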