Community Edition
Total Tests:
This Week:
Today:
Recent Blog Posts
LockBit Boss Identified, Charged And Sanctioned By The US And Partners
May 9, 2024
REvil Ransomware Operator Behind The Kaseya Supply Chain Hack Sentenced To 13 Years In Prison
May 2, 2024
Four Iranian Hackers Charged With Cyberattacks On American Firms
April 25, 2024
An Ex-Amazon Security Engineer Gets 3 Years In Jail For Hacking And Crypto Theft
April 18, 2024
Hacker Fakes His Own Death To Avoid Child Support Payments
April 11, 2024
Stay in Touch

Get exclusive updates and invitations to our events and webinars:


Your data will stay confidential Private and Confidential

ImmuniWebSecurity Advisories ArchiveHTB23114

Untrusted Pointer Dereference Vulnerability in Corel WordPerfect X6

Advisory ID:HTB23114
Product:Corel WordPerfect X6 Standard Edition
Vendor:Corel Corporation
Vulnerable Versions:16.0.0.388, other versions may be also affected
Tested Version:16.0.0.388 on Windows 7 SP1 32 bits
Advisory Publication:September 12, 2012 [without technical details]
Vendor Notification:September 12, 2012
Public Disclosure:March 7, 2013
Latest Update:March 7, 2013
Vulnerability Type:Untrusted Pointer Dereference [CWE-822]
CVE Reference:CVE-2012-4900
Risk Level:Low
CVSSv2 Base Score:2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Discovered and Provided:High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge Security Research Lab discovered an untrusted pointer dereference vulnerability in Corel WordPerfect. Opening of a malicious WPD (WordPerfect Document) causes immediate application crash, resulting in a loss of all unsaved current application data of the user.

1) Untrusted Pointer Dereference Vulnerability in Corel WordPerfect X6: CVE-2012-4900
The very beginning of the crash occurs within the WPWIN16.DLL module in the STARTAPP function when the application attempts to call the STRNICMP procedure in the MSVCR80 module. Due to a specially crafted WPD file and as a result of the stack modification, it is possible to partially control the destination pointer [EDI] inherited by the STRNICMP function.
Crash details:
eax=0225a848 ebx=0224ce48 ecx=00000008 edx=00000008 esi=0224ce48 edi=0225a848
eip=69fe74bc esp=0012ee80 ebp=0012ee9c iopl=0 nv up ei pl nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010203

MSVCR80!strnicmp+0x261:
69fe74bc f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
Exception Faulting Address: 0x225a848
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Stack Trace:
MSVCR80!strnicmp+0x261
wpwin16!StartApp+0xbdc8e
wpwin16!StartApp+0xc5ef1
wpwin16!StartApp+0xc67f3
wpwin16!StartApp+0xc0758
ntdll!RtlAllocateHeap+0x 211
ntdll!RtlAllocateHeap+0xac
ntdll!RtlTryEnterCriticalSection+0x9ba
ntd ll!RtlTryEnterCriticalSection+0x98f
WStr16!WPwmemcpy+0x1e
PFIT160!wread+0x e1
MSVCR80!strnicmp+0x135
wpwin16!StartApp+0xdfe00

In order to exploit the vulnerability remotely the attacker has to send a malicious file to the victim by email. In a web-based scenario, the attacker can host a malicious file on a website or WebDav share and trick the victim to download and open the file.
As a PoC (Proof of Concept) a file "PoC.wpd" is provided, which causes immediate application crash. Password for archive: k2-0xj)Dhfjhlfs

How to Detect Untrusted Pointer Dereference Vulnerabilities
Website Security Test
  • GDPR & PCI DSS Test
  • Website CMS Security Test
  • CSP & HTTP Headers Check
  • WordPress & Drupal Scanning
Try For Free

Solution:
Currently we are not aware of any solutions from the Vendor.

Disclosure Timeline:
2012-09-12: Vendor Notified.
2012-09-19: Request for security fix date.
2012-09-27: Vendor says that the "vulnerabilities will be fixed with the next Service Pack".
2012-10-16: Vendor re-requested to provide a date of security fix.
2012-11-20: WordPerfect Office X6 Service Pack 2 release, vulnerability is not fixed.
2012-11-26: Vendor re-requested to provide a date of security fix.
2013-02-04: WordPerfect Office X6 Hot Patch 1 release, vulnerability is not fixed.
2013-02-26: Vendor re-requested to provide a date of security fix.
2013-03-07: Public Disclosure [Disclosure Policy].


References:
[1] High-Tech Bridge Advisory HTB23114 - https://www.immuniweb.com/advisory/HTB23114 - Untrusted Pointer Dereference Vulnerability in Corel WordPerfect X6.
[2] Corel Corporation - http://www.corel.com - WordPerfect is a word processing application of Corel's WordPerfect Office suite.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Related Security Advisories: HTB23112: Multiple NULL Pointer Dereference Vulnerabilities in Corel Quattro Pro X6

Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.

This website uses cookies to provide you with a better surfing experience. To learn more, please visit our Privacy Policy. By continuing to use this website you consent to our use of cookies.

Book a Call Ask a Question
Close
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a technical question?

Our security experts will answer within
one business day. No obligations.

Have a sales question?
Email:
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
*
*
*
Your data will stay private and confidential