SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Corel WordPerfect Vendors:   Corel
Corel WordPerfect Pointer Dereference May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1028257
SecurityTracker URL:  http://securitytracker.com/id/1028257
CVE Reference:   CVE-2012-4900   (Links to External Site)
Date:  Mar 7 2013
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): X6, 16.0.0.388
Description:   A vulnerability was reported in Corel WordPerfect. A remote user may be able to cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted file that, when loaded by the target user, will potentially execute arbitrary code on the target system. The code will run with the privileges of the target user.

The vendor was notified on September 12, 2012.

High-Tech Bridge Security Research Lab reported this vulnerability.

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.corel.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 07 Mar 2013 19:39:55 +0100 (CET)
Subject:  Untrusted Pointer Dereference Vulnerability in Corel WordPerfect X6

Advisory ID: HTB23114
Product: Corel WordPerfect X6 Standard Edition
Vendor: Corel Corporation
Vulnerable Version(s): 16.0.0.388, other versions may be also affected
Tested Version: 16.0.0.388 on Windows 7 SP1 32 bits
Vendor Notification: September 12, 2012=20
Public Disclosure: March 7, 2013=20
Vulnerability Type: Untrusted Pointer Dereference [CWE-822]
CVE Reference: CVE-2012-4900
Risk Level: Low=20
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://w=
ww.htbridge.com/advisory/ )=20

---------------------------------------------------------------------------=
--------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered an untrusted pointer dere=
ference vulnerability in Corel WordPerfect. Opening of a malicious WPD (Wor=
dPerfect Document) causes immediate application crash, resulting in a loss =
of all unsaved current application data of the user.


1) Untrusted Pointer Dereference Vulnerability in Corel WordPerfect X6: CVE=
-2012-4900

The very beginning of the crash occurs within the WPWIN16.DLL module in the=
 STARTAPP function when the application attempts to call the STRNICMP proce=
dure in the MSVCR80 module. Due to a specially crafted WPD file and as a re=
sult of the stack modification, it is possible to partially control the des=
tination pointer [EDI] inherited by the STRNICMP function.

Crash details:
eax=3D0225a848 ebx=3D0224ce48 ecx=3D00000008 edx=3D00000008 esi=3D0224ce48 =
edi=3D0225a848

eip=3D69fe74bc esp=3D0012ee80 ebp=3D0012ee9c iopl=3D0         nv up ei pl n=
z na po cy
cs=3D001b  ss=3D0023  ds=3D0023  es=3D0023  fs=3D003b  gs=3D0000           =
  efl=3D00010203



MSVCR80!strnicmp+0x261:
69fe74bc f3a4            rep movs byte ptr es:[edi],byte ptr [esi]

Exception Faulting Address: 0x225a848
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)

Exception Sub-Type: Write Access Violation


Stack Trace:

MSVCR80!strnicmp+0x261
wpwin16!StartApp+0xbdc8e
wpwin16!StartApp+0xc5ef1
wpwin16!StartApp+0xc67f3
wpwin16!StartApp+0xc0758
ntdll!RtlAllocateHeap+0x211
ntdll!RtlAllocateHeap+0xac
ntdll!RtlTryEnterCriticalSection+0x9ba
ntdll!RtlTryEnterCriticalSection+0x98f
WStr16!WPwmemcpy+0x1e
PFIT160!wread+0xe1
MSVCR80!strnicmp+0x135
wpwin16!StartApp+0xdfe00



In order to exploit the vulnerability remotely the attacker has to send a m=
alicious file to the victim by email. In a web-based scenario, the attacker=
 can host a malicious file on a website or WebDav share and trick the victi=
m to download and open the file.=20

As a PoC (Proof of Concept) a file "PoC.wpd" is <a href=3D"https://www.htbr=
idge.com/advisory/HTB23114-PoC.rar">provided</a>, which causes immediate ap=
plication crash. Password for archive: k2-0xj)Dhfjhlfs


---------------------------------------------------------------------------=
--------------------

Solution:

Currently we are not aware of any solutions from the Vendor.

Disclosure Timeline:
2012-09-12: Vendor Notified.
2012-09-19: Request for security fix date.
2012-09-27: Vendor says that the "vulnerabilities will be fixed with the ne=
xt Service Pack".
2012-10-16: Vendor re-requested to provide a date of security fix.
2012-11-20: WordPerfect Office X6 Service Pack 2 release, vulnerability is =
not fixed.
2012-11-26: Vendor re-requested to provide a date of security fix.
2013-02-04: WordPerfect Office X6 Hot Patch 1 release, vulnerability is not=
 fixed.
2013-02-26: Vendor re-requested to provide a date of security fix.
2013-03-07: Public Disclosure [<a href=3D"https://www.htbridge.com/advisory=
/disclosure_policy.html">Disclosure Policy</a>].


---------------------------------------------------------------------------=
--------------------

References:

[1] High-Tech Bridge Advisory HTB23114 - https://www.htbridge.com/advisory/=
HTB23114 - Untrusted Pointer Dereference Vulnerability in Corel WordPerfect=
 X6.
[2] Corel Corporation - http://www.corel.com - WordPerfect is a word proces=
sing application of Corel's WordPerfect Office suite.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - in=
ternational in scope and free for public use, CVE=C2=AE is a dictionary of =
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to =
developers and security practitioners, CWE is a formal list of software wea=
kness types.=20

---------------------------------------------------------------------------=
--------------------

Disclaimer: The information provided in this Advisory is provided "as is" a=
nd without any warranty of any kind. Details of this Advisory may be update=
d in order to provide as accurate information as possible. The latest versi=
on of the Advisory is available on web page [1] in the References.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC