High-Tech Bridge advisory HTB23114
History: Sep 12, 2012 - 12:00 a.m.

Untrusted Pointer Dereference Vulnerability in Corel WordPerfect X6

Published: 2012-09-12 00:00:00
Source: High-Tech Bridge, www.htbridge.com

CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS: 0.042 Low
Percentile: 91.3%

High-Tech Bridge Security Research Lab discovered an untrusted pointer dereference vulnerability in Corel WordPerfect. Opening a malicious WPD (WordPerfect Document) file causes an immediate application crash, resulting in the loss of all unsaved application data of the user.

  1. Untrusted Pointer Dereference Vulnerability in Corel WordPerfect X6: CVE-2012-4900
    The crash originates in the WPWIN16.DLL module, in the STARTAPP function, when the application calls the STRNICMP procedure in the MSVCR80 module. Because of the specially crafted WPD file and the resulting stack modification, it is possible to partially control the destination pointer [EDI] inherited by the STRNICMP function.
    Crash details:

eax=0225a848 ebx=0224ce48 ecx=00000008 edx=00000008 esi=0224ce48 edi=0225a848
eip=69fe74bc esp=0012ee80 ebp=0012ee9c iopl=0 nv up ei pl nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010203

MSVCR80!strnicmp+0x261:
69fe74bc f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
Exception Faulting Address: 0x225a848
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Stack Trace:
MSVCR80!strnicmp+0x261
wpwin16!StartApp+0xbdc8e
wpwin16!StartApp+0xc5ef1
wpwin16!StartApp+0xc67f3
wpwin16!StartApp+0xc0758
ntdll!RtlAllocateHeap+0x211
ntdll!RtlAllocateHeap+0xac
ntdll!RtlTryEnterCriticalSection+0x9ba
ntdll!RtlTryEnterCriticalSection+0x98f
WStr16!WPwmemcpy+0x1e
PFIT160!wread+0xe1
MSVCR80!strnicmp+0x135
wpwin16!StartApp+0xdfe00
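The register dump and faulting instruction above are what an analyst reads to decide how seriously to take a crash from a fuzzer or a user report: which access failed, which register supplied the bad pointer, and whether the instruction is a length-driven block copy. The script below is an added example, not part of the advisory or of any Corel or High-Tech Bridge tooling. It parses a WinDbg-style first-chance exception dump, works out which memory operand faulted, lists every register that holds the faulting value (a hint at how the pointer flowed), and sorts the crash into a coarse bucket for prioritisation. The first sample string is constructed from the lines quoted in this advisory; the second, a near-null read, is constructed purely for contrast. The regular expressions, bucket names and the Intel-syntax operand convention are my own assumptions; the buckets are a triage signal, not a statement of exploitability, and the advisory itself rates the impact as availability only.

```python
import re

# Constructed sample: the register dump, disassembly line and exception details
# quoted in the advisory, joined into one string so the parser can run offline.
SAMPLE_DUMP = """\
eax=0225a848 ebx=0224ce48 ecx=00000008 edx=00000008 esi=0224ce48 edi=0225a848
eip=69fe74bc esp=0012ee80 ebp=0012ee9c iopl=0 nv up ei pl nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010203
MSVCR80!strnicmp+0x261:
69fe74bc f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
Exception Faulting Address: 0x225a848
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
"""

# Second constructed sample (not from the advisory): a plain null-pointer read,
# included to show the classifier telling the two crash shapes apart.
NULL_READ_DUMP = """\
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=00401000 esp=0012ff00 ebp=0012ff10 iopl=0 nv up ei pl zr na pe nc
00401000 8b00            mov eax,dword ptr [eax]
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
"""

# x86 general-purpose registers as WinDbg prints them: name=8 hex digits.
REG_RE = re.compile(r"\b(e(?:[abcd]x|[sd]i|[sb]p|ip))=([0-9a-fA-F]{8})\b")
FAULT_RE = re.compile(r"Exception Faulting Address:\s*0x([0-9a-fA-F]+)")
SUBTYPE_RE = re.compile(r"Exception Sub-Type:\s*(Read|Write)\s+Access Violation", re.I)
# Disassembly line: address, opcode bytes, then mnemonic and operands.
INSN_RE = re.compile(r"^([0-9a-fA-F]{8})\s+[0-9a-fA-F]+\s+(\S.*)$", re.M)
# Registers used inside memory operands, in operand order.
MEM_OPERAND_RE = re.compile(r"\[(e[a-z]{2})\]")
# String-copy forms whose length comes from ECX.
BLOCK_COPY_OPS = ("rep movs", "rep stos")


def parse_dump(text: str) -> dict:
    """Extract registers, faulting instruction and exception details from a dump."""
    regs = {name.lower(): int(val, 16) for name, val in REG_RE.findall(text)}
    fault = FAULT_RE.search(text)
    subtype = SUBTYPE_RE.search(text)
    insn = INSN_RE.search(text)
    return {
        "regs": regs,
        "fault_addr": int(fault.group(1), 16) if fault else None,
        "access": subtype.group(1).lower() if subtype else None,
        "insn": insn.group(2).strip() if insn else None,
    }


def triage(parsed: dict) -> dict:
    """Classify a parsed crash into a coarse bucket and explain which pointer failed."""
    regs, fault, access, insn = (parsed["regs"], parsed["fault_addr"],
                                 parsed["access"], parsed["insn"])
    mem_regs = MEM_OPERAND_RE.findall(insn) if insn else []
    # Intel syntax: a write lands in the first memory operand, a read comes from the last.
    ptr_reg = None
    if mem_regs and access == "write":
        ptr_reg = mem_regs[0]
    elif mem_regs and access == "read":
        ptr_reg = mem_regs[-1]
    # Every register holding the faulting value hints at the pointer's provenance
    # (in the advisory's dump EAX == EDI, i.e. the destination came from a returned value).
    aliases = sorted(r for r, v in regs.items() if fault is not None and v == fault)
    ptr_matches = ptr_reg is not None and regs.get(ptr_reg) == fault
    block_copy = insn is not None and insn.startswith(BLOCK_COPY_OPS)
    if fault is not None and fault < 0x10000:
        bucket = "NULL_OR_NEAR_NULL_DEREF"      # usually a plain crash, lowest priority
    elif access == "write" and block_copy and ptr_matches:
        bucket = "WRITE_AV_BLOCK_COPY_DEST"     # length-driven copy to a bad destination
    elif access == "write":
        bucket = "WRITE_AV"
    elif access == "read":
        bucket = "READ_AV"
    else:
        bucket = "UNKNOWN"
    return {
        "bucket": bucket,
        "fault_addr": fault,
        "access": access,
        "insn": insn,
        "pointer_reg": ptr_reg,
        "pointer_reg_matches_fault": ptr_matches,
        "regs_equal_to_fault": aliases,
        "copy_length": regs.get("ecx") if block_copy else None,
    }


if __name__ == "__main__":
    for name, dump in (("advisory sample", SAMPLE_DUMP), ("null read", NULL_READ_DUMP)):
        print(name, triage(parse_dump(dump)))
```

Run on the advisory's dump the script reports a write access violation during `rep movs` whose destination register EDI equals the faulting address, with ECX (the copy length) at 8; the near-null sample lands in the low-priority bucket. In a fuzzing pipeline the bucket plus the faulting symbol (`MSVCR80!strnicmp+0x261` here) is a reasonable deduplication key before a human looks at the stack.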

In order to exploit the vulnerability remotely, the attacker has to send a malicious file to the victim by email. In a web-based scenario, the attacker can host the malicious file on a website or WebDAV share and trick the victim into downloading and opening it.
As a PoC (Proof of Concept), a file “PoC.wpd” is provided, which causes an immediate application crash. Password for archive: k2-0xj)Dhfjhlfs
