CVE-2013-3248
Published 2013-10-03
Priority: P356
Severity: critical, CVSS 2.0 base score 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 18.56% (96.9th percentile)
Untrusted search path vulnerability in Corel PDF Fusion 1.11 allows local users to gain privileges via a Trojan horse wintab32.dll file in the current working directory, as demonstrated by a directory that contains a .pdf or .xps file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| corel | pdf_fusion | — | — |
Detection & IOCs (extracted from sources)
- Monitor for DLL search-order hijacking: watch for wintab32.dll being loaded from the current working directory (e.g., a directory containing a .pdf or .xps file) rather than from a trusted system path.
- Detect malicious XPS files exploiting CVE-2013-3248 by inspecting ZIP-structured .xps archives for an entry under 'Resources/' whose name is padded to approximately 4640+ characters (used to overflow the stack buffer).
- The exploit constructs a ZIP/XPS archive containing a crafted 'Resources/' entry name of excessive length (resources_length + SEH overwrite + ~1500 bytes of padding) to trigger the stack buffer overflow in CorelFusion.exe.
- The Metasploit module targets CorelFusion.exe version 2.6.2.0 (build 2012/04/25:21:00:00) on Windows XP SP3; use the return address 0x00280b0b (from unicode.nls via 'call dword ptr ss:[ebp+0x30]') as a detection pivot for memory forensics.
- The DLL hijacking vector (wintab32.dll) requires the attacker to place the malicious DLL in the same directory as a .pdf or .xps file that the victim opens; exploitation is local and requires write access to that directory.
- The stack buffer overflow exploit (Metasploit module) requires user interaction: the victim must manually open the crafted XPS file with Corel PDF Fusion 1.11.
- The provided return address (0x00280b0b) and offset (4640) are specific to Corel PDF Fusion 1.11 build 2012/04/25 on Windows XP SP3; the exploit may not work reliably on other OS versions or patch levels.
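The archive-structure check described in the detection notes above, as an added example that is not taken from this page's sources: it reads an .xps (ZIP) container in memory and flags any entry under Resources/ whose name is at or beyond a threshold, assumed here to be the 4640-character offset quoted above. The sample archives are constructed inside the block and carry only name padding, no payload.

```python
import io
import zipfile

# Assumed detection threshold: the 4640-character offset quoted on this page.
# Tune it per build; it is not a value published by Corel.
SUSPICIOUS_NAME_LEN = 4640


def find_long_resource_entries(xps_bytes, threshold=SUSPICIOUS_NAME_LEN):
    """Scan an XPS container (a ZIP archive) for oversized Resources/ entry names.

    Returns a list of (name_length, truncated_name) tuples, one per entry under
    'Resources/' whose name is at least `threshold` characters long. Input that
    is not a ZIP archive cannot be an XPS file and yields an empty list.
    """
    if not zipfile.is_zipfile(io.BytesIO(xps_bytes)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(xps_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("Resources/") and len(name) >= threshold:
                # Keep only a prefix of the name so logs are not flooded with padding.
                hits.append((len(name), name[:40] + "..."))
    return hits


def build_sample(entry_len):
    """Constructed test archive (not a real exploit file): one benign XPS-like part
    plus a single Resources/ entry whose name is padded with 'A' to `entry_len`
    characters. The entry body is empty."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FixedDocumentSequence.fdseq", "<FixedDocumentSequence/>")
        padded = "Resources/" + "A" * (entry_len - len("Resources/"))
        zf.writestr(padded, "")
    return buf.getvalue()


if __name__ == "__main__":
    print("padded 5000:", find_long_resource_entries(build_sample(5000)))
    print("padded 200 :", find_long_resource_entries(build_sample(200)))
    print("not a zip  :", find_long_resource_entries(b"not a zip"))
```

Run over a directory of .xps files, a non-empty result for a file is the trigger for quarantining it and capturing the loading process for memory forensics, as the notes above suggest.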
No detection rules found.
Exploit-DB
Corel PDF Fusion - Local Stack Buffer Overflow (Metasploit) (exploitdb, 2013-07-13, CVE-2013-3248)
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex/zip'

# The class header and the start of initialize() were lost in extraction
# (everything between "Metasploit3" and "'Name' =>" was swallowed as an HTML
# tag); the four lines below are restored from the standard Metasploit 4.x
# file-format module template and are an assumption, not the original text.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Corel PDF Fusion Stack Buffer Overflow',
      'Description' => %q{
        This module exploits a stack-based buffer overflow vulnerability in version 1.11 of
        Corel PDF Fusion. The vulnerability exists while handling a XPS file with long entry
        names. In order for the payload to be executed, an attacker must convince the target
        user to open a specially crafted XPS file with Corel PDF Fusion. By doing so, the
        attacker can execute arbitrary code as the target user.
      }
      # remainder of the module is not reproduced on this page
    ))
  end
end
```
Metasploit
Corel PDF Fusion Stack Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in version 1.11 of Corel PDF Fusion. The vulnerability exists while handling a XPS file with long entry names. In order for the payload to be executed, an attacker must convince the target user to open a specially crafted XPS file with Corel PDF Fusion. By doing so, the attacker can execute arbitrary code as the target user.
No writeups or analysis indexed.