Post Wed Mar 13, 2013 6:29 am

HTB23112: Multiple NULL Pointer Dereference Vulnerabilities in Corel Quattro Pro

Advisory ID: HTB23112
Product: Corel Quattro Pro X6 Standard Edition
Vendor: Corel Corporation
Vulnerable Versions: 16.0.0.388, other versions may be also affected
Tested Version: 16.0.0.388 on Windows 7 SP1 32 bits
Vendor Notification: August 27, 2012
Public Disclosure: March 7, 2013
Vulnerability Type: NULL Pointer Dereference [CWE-476]
CVE Reference: CVE-2012-4728
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Discovered and Provided: High-Tech Bridge Security Research Lab

Advisory Details:
High-Tech Bridge Security Research Lab discovered two null pointer dereference vulnerabilities in Corel Quattro Pro. Opening of a malicious QPW (Quattro Pro Spreadsheet) document causes immediate application crash, resulting in a loss of all unsaved current application data of the user.

1) Multiple Null Pointer Dereference vulnerabilities in Corel Quattro Pro X6: CVE-2012-4728
1.1 The first crash occurs in the QPW160.dll module at the QProGetNotebookWindowHandle function when the application tries to move a value to a corrupted pointer. Due to the malformed QPW file the EDX register will contain a null value. This destination pointer used to store the value of the AX register will be therefore invalid, which causes the application to crash instantly.
Crash details:
  Code:
eax=04b11e00 ebx=00007020 ecx=000000f5 edx=00000000 esi=00000000 edi=04b10048
eip=202e5925 esp=0012d9b0 ebp=0012e8e8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
QPW160!QProGetNotebookWindowHandle+0x23cb85:
202e5925 6689048a mov word ptr [edx+ecx*4],ax ds:0023:000003d4=????


1.2 The second crash occurs in the QPW160.dll module at the Ordinal132 function when the application tries to copy a buffer from ESI to EDI. Due to the abnormal QPW file the EDI register is not properly initialized, which causes the dereference of the EDI pointer to a null value. After this, the code is not able to catch the issue due to a lack of exception handling, forcing the application to crash immediately.
Crash details:
  Code:
eax=00000000 ebx=00000000 ecx=00000002 edx=00000000 esi=04ca6c40 edi=00000000
eip=20005a7d esp=0012d97c ebp=0012d988 iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213
QPW160!Ordinal132+0x5a7d: 20005a7d f3a5 rep movs dword ptr es:[edi],dword ptr [esi]


In order to exploit these vulnerabilities remotely, the attacker has to send a malicious file to the victim by email. In a web-based scenario, the attacker can host a malicious file on a website or WebDav share and trick the victim to download and open the file.
As a PoC (Proof of Concept) two files "1.qpw" and "2.qpw" are provided, which cause immediate application crash. Password for archive: ph77=!3=L

Solution:
Currently we are not aware of any solutions from the Vendor.

Disclosure Timeline:
2012-08-27: Vendor Notified.
2012-09-10: Request for security fix date.
2012-09-27: Vendor says that the "vulnerabilities will be fixed with the next Service Pack".
2012-10-16: Vendor re-requested to provide a date of security fix.
2012-11-20: WordPerfect Office X6 Service Pack 2 release, vulnerability is not fixed.
2012-11-26: Vendor re-requested to provide a date of security fix.
2013-02-04: WordPerfect Office X6 Hot Patch 1 release, vulnerability is not fixed.
2013-02-26: Vendor re-requested to provide a date of security fix.
2013-03-07: Public Disclosure.


References:
[1] High-Tech Bridge Advisory HTB23112 - https://www.htbridge.com/advisory/HTB23112 - Multiple NULL Pointer Dereference Vulnerabilities in Corel Quattro Pro X6.
[2] Corel Corporation - http://www.corel.com - Quattro Pro is a spreadsheet processing application of Corel's WordPerfect Office suite.
[3] Common Vulnerabilities and Exposures (CVE) - cve.mitre.org - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.