Home page logo
/

bugtraq logo Bugtraq mailing list archives

Untrusted Pointer Dereference Vulnerability in Corel WordPerfect X6
From: advisory () htbridge com
Date: Thu, 7 Mar 2013 19:39:55 +0100 (CET)

Advisory ID: HTB23114
Product: Corel WordPerfect X6 Standard Edition
Vendor: Corel Corporation
Vulnerable Version(s): 16.0.0.388, other versions may be also affected
Tested Version: 16.0.0.388 on Windows 7 SP1 32 bits
Vendor Notification: September 12, 2012 
Public Disclosure: March 7, 2013 
Vulnerability Type: Untrusted Pointer Dereference [CWE-822]
CVE Reference: CVE-2012-4900
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered an untrusted pointer dereference vulnerability in Corel WordPerfect. 
Opening of a malicious WPD (WordPerfect Document) causes immediate application crash, resulting in a loss of all 
unsaved current application data of the user.


1) Untrusted Pointer Dereference Vulnerability in Corel WordPerfect X6: CVE-2012-4900

The very beginning of the crash occurs within the WPWIN16.DLL module in the STARTAPP function when the application 
attempts to call the STRNICMP procedure in the MSVCR80 module. Due to a specially crafted WPD file and as a result of 
the stack modification, it is possible to partially control the destination pointer [EDI] inherited by the STRNICMP 
function.

Crash details:
eax=0225a848 ebx=0224ce48 ecx=00000008 edx=00000008 esi=0224ce48 edi=0225a848

eip=69fe74bc esp=0012ee80 ebp=0012ee9c iopl=0         nv up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010203



MSVCR80!strnicmp+0x261:
69fe74bc f3a4            rep movs byte ptr es:[edi],byte ptr [esi]

Exception Faulting Address: 0x225a848
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)

Exception Sub-Type: Write Access Violation


Stack Trace:

MSVCR80!strnicmp+0x261
wpwin16!StartApp+0xbdc8e
wpwin16!StartApp+0xc5ef1
wpwin16!StartApp+0xc67f3
wpwin16!StartApp+0xc0758
ntdll!RtlAllocateHeap+0x211
ntdll!RtlAllocateHeap+0xac
ntdll!RtlTryEnterCriticalSection+0x9ba
ntdll!RtlTryEnterCriticalSection+0x98f
WStr16!WPwmemcpy+0x1e
PFIT160!wread+0xe1
MSVCR80!strnicmp+0x135
wpwin16!StartApp+0xdfe00



In order to exploit the vulnerability remotely the attacker has to send a malicious file to the victim by email. In a 
web-based scenario, the attacker can host a malicious file on a website or WebDav share and trick the victim to 
download and open the file. 

As a PoC (Proof of Concept) a file "PoC.wpd" is <a 
href="https://www.htbridge.com/advisory/HTB23114-PoC.rar";>provided</a>, which causes immediate application crash. 
Password for archive: k2-0xj)Dhfjhlfs


-----------------------------------------------------------------------------------------------

Solution:

Currently we are not aware of any solutions from the Vendor.

Disclosure Timeline:
2012-09-12: Vendor Notified.
2012-09-19: Request for security fix date.
2012-09-27: Vendor says that the "vulnerabilities will be fixed with the next Service Pack".
2012-10-16: Vendor re-requested to provide a date of security fix.
2012-11-20: WordPerfect Office X6 Service Pack 2 release, vulnerability is not fixed.
2012-11-26: Vendor re-requested to provide a date of security fix.
2013-02-04: WordPerfect Office X6 Hot Patch 1 release, vulnerability is not fixed.
2013-02-26: Vendor re-requested to provide a date of security fix.
2013-03-07: Public Disclosure [<a href="https://www.htbridge.com/advisory/disclosure_policy.html";>Disclosure 
Policy</a>].


-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23114 - https://www.htbridge.com/advisory/HTB23114 - Untrusted Pointer Dereference 
Vulnerability in Corel WordPerfect X6.
[2] Corel Corporation - http://www.corel.com - WordPerfect is a word processing application of Corel's WordPerfect 
Office suite.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public 
use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE 
is a formal list of software weakness types. 

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details 
of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.


  By Date           By Thread  

Current thread:
  • Untrusted Pointer Dereference Vulnerability in Corel WordPerfect X6 advisory (Mar 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]