[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Multiple NULL Pointer Dereference Vulnerabilities in Corel Quattro Pro X6



Advisory ID: HTB23112
Product: Corel Quattro Pro X6 Standard Edition
Vendor: Corel Corporation
Vulnerable Version(s): 16.0.0.388, other versions may be also affected
Tested Version: 16.0.0.388 on Windows 7 SP1 32 bits
Vendor Notification: August 27, 2012 
Public Disclosure: March 7, 2013 
Vulnerability Type: NULL Pointer Dereference [CWE-476]
CVE Reference: CVE-2012-4728
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered two null pointer dereference 
vulnerabilities in Corel Quattro Pro. Opening of a malicious QPW (Quattro Pro 
Spreadsheet) document causes immediate application crash, resulting in a loss 
of all unsaved current application data of the user.


1) Multiple Null Pointer Dereference vulnerabilities in Corel Quattro Pro X6: 
CVE-2012-4728

1.1 The first crash occurs in the QPW160.dll module at the 
QProGetNotebookWindowHandle function when the application tries to move a value 
to a corrupted pointer. Due to the malformed QPW file the EDX register will 
contain a null value. This destination pointer used to store the value of the 
AX register will be therefore invalid, which causes the application to crash 
instantly.

Crash details:

eax=04b11e00 ebx=00007020 ecx=000000f5 edx=00000000 esi=00000000 edi=04b10048
eip=202e5925 esp=0012d9b0 ebp=0012e8e8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246

QPW160!QProGetNotebookWindowHandle+0x23cb85:
202e5925 6689048a        mov     word ptr [edx+ecx*4],ax  ds:0023:000003d4=????



1.2 The second crash occurs in the QPW160.dll module at the Ordinal132 function 
when the application tries to copy a buffer from ESI to EDI. Due to the 
abnormal QPW file the EDI register is not properly initialized, which causes 
the dereference of the EDI pointer to a null value. After this, the code is not 
able to catch the issue due to a lack of exception handling, forcing the 
application to crash immediately.

Crash details:

eax=00000000 ebx=00000000 ecx=00000002 edx=00000000 esi=04ca6c40 edi=00000000
eip=20005a7d esp=0012d97c ebp=0012d988 iopl=0         nv up ei pl nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010213

QPW160!Ordinal132+0x5a7d: 20005a7d f3a5            rep movs dword ptr 
es:[edi],dword ptr [esi]



In order to exploit these vulnerabilities remotely, the attacker has to send a 
malicious file to the victim by email. In a web-based scenario, the attacker 
can host a malicious file on a website or WebDav share and trick the victim to 
download and open the file. 

As a PoC (Proof of Concept) two files "1.qpw" and "2.qpw" are <a 
href="https://www.htbridge.com/advisory/HTB23112-PoC.rar";>provided</a>, which 
cause immediate application crash. Password for archive: ph77=!3=L

-----------------------------------------------------------------------------------------------

Solution:

Currently we are not aware of any solutions from the Vendor.

Disclosure Timeline:
2012-08-27: Vendor Notified.
2012-09-10: Request for security fix date.
2012-09-27: Vendor says that the "vulnerabilities will be fixed with the next 
Service Pack".
2012-10-16: Vendor re-requested to provide a date of security fix.
2012-11-20: WordPerfect Office X6 Service Pack 2 release, vulnerability is not 
fixed.
2012-11-26: Vendor re-requested to provide a date of security fix.
2013-02-04: WordPerfect Office X6 Hot Patch 1 release, vulnerability is not 
fixed.
2013-02-26: Vendor re-requested to provide a date of security fix.
2013-03-07: Public Disclosure [<a 
href="https://www.htbridge.com/advisory/disclosure_policy.html";>Disclosure 
Policy</a>].



-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23112 - 
https://www.htbridge.com/advisory/HTB23112 - Multiple NULL Pointer Dereference 
Vulnerabilities in Corel Quattro Pro X6.
[2] Corel Corporation - http://www.corel.com - Quattro Pro is a spreadsheet 
processing application of Corel's WordPerfect Office suite.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types. 

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.