Total Tests:

Multiple NULL Pointer Dereference Vulnerabilities in Corel Quattro Pro X6

Advisory ID:HTB23112
Product:Corel Quattro Pro X6 Standard Edition
Vendor:Corel Corporation
Vulnerable Versions:16.0.0.388, other versions may be also affected
Tested Version:16.0.0.388 on Windows 7 SP1 32 bits
Advisory Publication:August 27, 2012 [without technical details]
Vendor Notification:August 27, 2012
Public Disclosure:March 7, 2013
Latest Update:March 7, 2013
Vulnerability Type:NULL Pointer Dereference [CWE-476]
CVE Reference:CVE-2012-4728
Risk Level:Low
CVSSv2 Base Score:2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Discovered and Provided:High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge Security Research Lab discovered two null pointer dereference vulnerabilities in Corel Quattro Pro. Opening of a malicious QPW (Quattro Pro Spreadsheet) document causes immediate application crash, resulting in a loss of all unsaved current application data of the user.

1) Multiple Null Pointer Dereference vulnerabilities in Corel Quattro Pro X6: CVE-2012-4728
1.1 The first crash occurs in the QPW160.dll module at the QProGetNotebookWindowHandle function when the application tries to move a value to a corrupted pointer. Due to the malformed QPW file the EDX register will contain a null value. This destination pointer used to store the value of the AX register will be therefore invalid, which causes the application to crash instantly.
Crash details:
eax=04b11e00 ebx=00007020 ecx=000000f5 edx=00000000 esi=00000000 edi=04b10048
eip=202e5925 esp=0012d9b0 ebp=0012e8e8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
QPW160!QProGetNotebookWindowHandle+0x23cb85:
202e5925 6689048a mov word ptr [edx+ecx*4],ax ds:0023:000003d4=????


1.2 The second crash occurs in the QPW160.dll module at the Ordinal132 function when the application tries to copy a buffer from ESI to EDI. Due to the abnormal QPW file the EDI register is not properly initialized, which causes the dereference of the EDI pointer to a null value. After this, the code is not able to catch the issue due to a lack of exception handling, forcing the application to crash immediately.
Crash details:
eax=00000000 ebx=00000000 ecx=00000002 edx=00000000 esi=04ca6c40 edi=00000000
eip=20005a7d esp=0012d97c ebp=0012d988 iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213
QPW160!Ordinal132+0x5a7d: 20005a7d f3a5 rep movs dword ptr es:[edi],dword ptr [esi]


In order to exploit these vulnerabilities remotely, the attacker has to send a malicious file to the victim by email. In a web-based scenario, the attacker can host a malicious file on a website or WebDav share and trick the victim to download and open the file.
As a PoC (Proof of Concept) two files "1.qpw" and "2.qpw" are provided, which cause immediate application crash. Password for archive: ph77=!3=L

How to Detect NULL Pointer Dereference Vulnerabilities
Website Security Test
  • GDPR & PCI DSS Test
  • Website CMS Security Test
  • CSP & HTTP Headers Check
  • WordPress & Drupal Scanning
Try For Free

Solution:
Currently we are not aware of any solutions from the Vendor.

Disclosure Timeline:
2012-08-27: Vendor Notified.
2012-09-10: Request for security fix date.
2012-09-27: Vendor says that the "vulnerabilities will be fixed with the next Service Pack".
2012-10-16: Vendor re-requested to provide a date of security fix.
2012-11-20: WordPerfect Office X6 Service Pack 2 release, vulnerability is not fixed.
2012-11-26: Vendor re-requested to provide a date of security fix.
2013-02-04: WordPerfect Office X6 Hot Patch 1 release, vulnerability is not fixed.
2013-02-26: Vendor re-requested to provide a date of security fix.
2013-03-07: Public Disclosure [Disclosure Policy].



References:
[1] High-Tech Bridge Advisory HTB23112 - https://www.immuniweb.com/advisory/HTB23112 - Multiple NULL Pointer Dereference Vulnerabilities in Corel Quattro Pro X6.
[2] Corel Corporation - http://www.corel.com - Quattro Pro is a spreadsheet processing application of Corel's WordPerfect Office suite.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.
Book a Call Ask a Question
Close
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a Technical Question?

Our security experts will answer within
one business day. No obligations.

Have a Sales Question?
Email:
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
*
*
*
*
Your data will stay private and confidential