[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Multiple NULL Pointer Dereference Vulnerabilities in Corel Quattro Pro X6
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Multiple NULL Pointer Dereference Vulnerabilities in Corel Quattro Pro X6
- From: advisory@xxxxxxxxxxxx
- Date: Thu, 7 Mar 2013 19:40:07 +0100 (CET)
Advisory ID: HTB23112
Product: Corel Quattro Pro X6 Standard Edition
Vendor: Corel Corporation
Vulnerable Version(s): 16.0.0.388, other versions may be also affected
Tested Version: 16.0.0.388 on Windows 7 SP1 32 bits
Vendor Notification: August 27, 2012
Public Disclosure: March 7, 2013
Vulnerability Type: NULL Pointer Dereference [CWE-476]
CVE Reference: CVE-2012-4728
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Discovered and Provided: High-Tech Bridge Security Research Lab (
https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered two null pointer dereference
vulnerabilities in Corel Quattro Pro. Opening of a malicious QPW (Quattro Pro
Spreadsheet) document causes immediate application crash, resulting in a loss
of all unsaved current application data of the user.
1) Multiple Null Pointer Dereference vulnerabilities in Corel Quattro Pro X6:
CVE-2012-4728
1.1 The first crash occurs in the QPW160.dll module at the
QProGetNotebookWindowHandle function when the application tries to move a value
to a corrupted pointer. Due to the malformed QPW file the EDX register will
contain a null value. This destination pointer used to store the value of the
AX register will be therefore invalid, which causes the application to crash
instantly.
Crash details:
eax=04b11e00 ebx=00007020 ecx=000000f5 edx=00000000 esi=00000000 edi=04b10048
eip=202e5925 esp=0012d9b0 ebp=0012e8e8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
QPW160!QProGetNotebookWindowHandle+0x23cb85:
202e5925 6689048a mov word ptr [edx+ecx*4],ax ds:0023:000003d4=????
1.2 The second crash occurs in the QPW160.dll module at the Ordinal132 function
when the application tries to copy a buffer from ESI to EDI. Due to the
abnormal QPW file the EDI register is not properly initialized, which causes
the dereference of the EDI pointer to a null value. After this, the code is not
able to catch the issue due to a lack of exception handling, forcing the
application to crash immediately.
Crash details:
eax=00000000 ebx=00000000 ecx=00000002 edx=00000000 esi=04ca6c40 edi=00000000
eip=20005a7d esp=0012d97c ebp=0012d988 iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213
QPW160!Ordinal132+0x5a7d: 20005a7d f3a5 rep movs dword ptr
es:[edi],dword ptr [esi]
In order to exploit these vulnerabilities remotely, the attacker has to send a
malicious file to the victim by email. In a web-based scenario, the attacker
can host a malicious file on a website or WebDav share and trick the victim to
download and open the file.
As a PoC (Proof of Concept) two files "1.qpw" and "2.qpw" are <a
href="https://www.htbridge.com/advisory/HTB23112-PoC.rar">provided</a>, which
cause immediate application crash. Password for archive: ph77=!3=L
-----------------------------------------------------------------------------------------------
Solution:
Currently we are not aware of any solutions from the Vendor.
Disclosure Timeline:
2012-08-27: Vendor Notified.
2012-09-10: Request for security fix date.
2012-09-27: Vendor says that the "vulnerabilities will be fixed with the next
Service Pack".
2012-10-16: Vendor re-requested to provide a date of security fix.
2012-11-20: WordPerfect Office X6 Service Pack 2 release, vulnerability is not
fixed.
2012-11-26: Vendor re-requested to provide a date of security fix.
2013-02-04: WordPerfect Office X6 Hot Patch 1 release, vulnerability is not
fixed.
2013-02-26: Vendor re-requested to provide a date of security fix.
2013-03-07: Public Disclosure [<a
href="https://www.htbridge.com/advisory/disclosure_policy.html">Disclosure
Policy</a>].
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23112 -
https://www.htbridge.com/advisory/HTB23112 - Multiple NULL Pointer Dereference
Vulnerabilities in Corel Quattro Pro X6.
[2] Corel Corporation - http://www.corel.com - Quattro Pro is a spreadsheet
processing application of Corel's WordPerfect Office suite.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ -
international in scope and free for public use, CVE® is a dictionary of
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to
developers and security practitioners, CWE is a formal list of software
weakness types.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and
without any warranty of any kind. Details of this Advisory may be updated in
order to provide as accurate information as possible. The latest version of the
Advisory is available on web page [1] in the References.