Advisory ID: HTB23112
Product: Corel Quattro Pro X6 Standard Edition
Vendor: Corel Corporation
Vulnerable Version(s): 16.0.0.388, other versions may be also affected
Tested Version: 16.0.0.388 on Windows 7 SP1 32 bits
Vendor Notification: August 27, 2012 
Public Disclosure: March 7, 2013 
Vulnerability Type: NULL Pointer Dereference [CWE-476]
CVE Reference: CVE-2012-4728
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered two null pointer dereference vulnerabilities in Corel Quattro Pro. Opening of a malicious QPW (Quattro Pro Spreadsheet) document causes immediate application crash, resulting in a loss of all unsaved current application data of the user.


1) Multiple Null Pointer Dereference vulnerabilities in Corel Quattro Pro X6: CVE-2012-4728

1.1 The first crash occurs in the QPW160.dll module at the QProGetNotebookWindowHandle function when the application tries to move a value to a corrupted pointer. Due to the malformed QPW file the EDX register will contain a null value. This destination pointer used to store the value of the AX register will be therefore invalid, which causes the application to crash instantly.

Crash details:

eax=04b11e00 ebx=00007020 ecx=000000f5 edx=00000000 esi=00000000 edi=04b10048
eip=202e5925 esp=0012d9b0 ebp=0012e8e8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246

QPW160!QProGetNotebookWindowHandle+0x23cb85:
202e5925 6689048a        mov     word ptr [edx+ecx*4],ax  ds:0023:000003d4=????



1.2 The second crash occurs in the QPW160.dll module at the Ordinal132 function when the application tries to copy a buffer from ESI to EDI. Due to the abnormal QPW file the EDI register is not properly initialized, which causes the dereference of the EDI pointer to a null value. After this, the code is not able to catch the issue due to a lack of exception handling, forcing the application to crash immediately.

Crash details:

eax=00000000 ebx=00000000 ecx=00000002 edx=00000000 esi=04ca6c40 edi=00000000
eip=20005a7d esp=0012d97c ebp=0012d988 iopl=0         nv up ei pl nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010213

QPW160!Ordinal132+0x5a7d: 20005a7d f3a5            rep movs dword ptr es:[edi],dword ptr [esi]



In order to exploit these vulnerabilities remotely, the attacker has to send a malicious file to the victim by email. In a web-based scenario, the attacker can host a malicious file on a website or WebDav share and trick the victim to download and open the file. 

As a PoC (Proof of Concept) two files "1.qpw" and "2.qpw" are <a href="https://www.htbridge.com/advisory/HTB23112-PoC.rar">provided</a>, which cause immediate application crash. Password for archive: ph77=!3=L

-----------------------------------------------------------------------------------------------

Solution:

Currently we are not aware of any solutions from the Vendor.

Disclosure Timeline:
2012-08-27: Vendor Notified.
2012-09-10: Request for security fix date.
2012-09-27: Vendor says that the "vulnerabilities will be fixed with the next Service Pack".
2012-10-16: Vendor re-requested to provide a date of security fix.
2012-11-20: WordPerfect Office X6 Service Pack 2 release, vulnerability is not fixed.
2012-11-26: Vendor re-requested to provide a date of security fix.
2013-02-04: WordPerfect Office X6 Hot Patch 1 release, vulnerability is not fixed.
2013-02-26: Vendor re-requested to provide a date of security fix.
2013-03-07: Public Disclosure [<a href="https://www.htbridge.com/advisory/disclosure_policy.html">Disclosure Policy</a>].



-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23112 - https://www.htbridge.com/advisory/HTB23112 - Multiple NULL Pointer Dereference Vulnerabilities in Corel Quattro Pro X6.
[2] Corel Corporation - http://www.corel.com - Quattro Pro is a spreadsheet processing application of Corel's WordPerfect Office suite.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. 

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.