Advisory ID: HTB23112
Product: Corel Quattro Pro X6 Standard Edition
Vendor: Corel Corporation
Vulnerable Versions: 16.0.0.388, other versions may be also affected
Tested Version: 16.0.0.388 on Windows 7 SP1 32 bits
Vendor Notification: August 27, 2012
Public Disclosure: March 7, 2013
Vulnerability Type: NULL Pointer Dereference [CWE-476]
CVE Reference: CVE-2012-4728
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Discovered and Provided: High-Tech Bridge Security Research Lab

Advisory Details:
High-Tech Bridge Security Research Lab discovered two null pointer dereference vulnerabilities in Corel Quattro Pro. Opening of a malicious QPW (Quattro Pro Spreadsheet) document causes immediate application crash, resulting in a loss of all unsaved current application data of the user.

1) Multiple Null Pointer Dereference vulnerabilities in Corel Quattro Pro X6: CVE-2012-4728
1.1 The first crash occurs in the QPW160.dll module at the QProGetNotebookWindowHandle function when the application tries to move a value to a corrupted pointer. Due to the malformed QPW file the EDX register will contain a null value. This destination pointer used to store the value of the AX register will be therefore invalid, which causes the application to crash instantly.
Crash details:

1.2 The second crash occurs in the QPW160.dll module at the Ordinal132 function when the application tries to copy a buffer from ESI to EDI. Due to the abnormal QPW file the EDI register is not properly initialized, which causes the dereference of the EDI pointer to a null value. After this, the code is not able to catch the issue due to a lack of exception handling, forcing the application to crash immediately.
Crash details:

In order to exploit these vulnerabilities remotely, the attacker has to send a malicious file to the victim by email. In a web-based scenario, the attacker can host a malicious file on a website or WebDav share and trick the victim to download and open the file.
As a PoC (Proof of Concept) two files "1.qpw" and "2.qpw" are provided, which cause immediate application crash. Password for archive: ph77=!3=L

Solution:
Currently we are not aware of any solutions from the Vendor.

Disclosure Timeline:
2012-08-27: Vendor Notified.
2012-09-10: Request for security fix date.
2012-09-27: Vendor says that the "vulnerabilities will be fixed with the next Service Pack".
2012-10-16: Vendor re-requested to provide a date of security fix.
2012-11-20: WordPerfect Office X6 Service Pack 2 release, vulnerability is not fixed.
2012-11-26: Vendor re-requested to provide a date of security fix.
2013-02-04: WordPerfect Office X6 Hot Patch 1 release, vulnerability is not fixed.
2013-02-26: Vendor re-requested to provide a date of security fix.
2013-03-07: Public Disclosure.


References:
[1] High-Tech Bridge Advisory HTB23112 - https://www.htbridge.com/advisory/HTB23112 - Multiple NULL Pointer Dereference Vulnerabilities in Corel Quattro Pro X6.
[2] Corel Corporation - http://www.corel.com - Quattro Pro is a spreadsheet processing application of Corel's WordPerfect Office suite.
[3] Common Vulnerabilities and Exposures (CVE) - cve.mitre.org - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.