Corel WordPerfect Office X5 15.0.0.357 (wpd) Remote Buffer Preoccupation PoC

2010-07-12T00:00:00
ID ZSL-2010-4945
Type zeroscience
Reporter Gjoko Krstic
Modified 2010-07-12T00:00:00

Description

Title: Corel WordPerfect Office X5 15.0.0.357 (wpd) Remote Buffer Preoccupation PoC
Advisory ID: ZSL-2010-4945
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 12.07.2010

Summary

Corel® WordPerfect® Office X5 – Standard Edition is the essential office suite for word processing, spreadsheets, presentations and email. Chosen over Microsoft® Office by millions of longtime users, it integrates the latest productivity software with the best of the Web. Work faster and collaborate more efficiently with all-new Web services, new Microsoft® Office SharePoint® support, more PDF tools and even better compatibility with Microsoft Office. It's everything you expect in an office suite—for less.

Description

Corel WordPerfect is prone to a remote buffer overflow vulnerability because the application fails to perform adequate boundary checks on user supplied input with .WPD (WordPerfect Document) file. Attackers may exploit this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

Vendor

Corel Corporation - <http://www.corel.com>

Affected Version

15.0.0.357 (Standard Edition)

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

[09.07.2010] Vulnerability discovered.
[09.07.2010] Initial contact with the vendor.
[12.07.2010] No reply from vendor.
[12.07.2010] Public advisory released.

PoC

corel_word.c

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.exploit-db.com/exploits/14344/>
[2] <http://securityreason.com/exploitalert/8397>
[3] <http://packetstormsecurity.org/filedesc/corelwpoxs-overflow.txt.html>
[4] <http://xforce.iss.net/xforce/xfdb/60280>
[5] <http://www.net-security.org/vuln.php?id=13577>
[6] <http://www.securityfocus.com/bid/41553>

Changelog

[12.07.2010] - Initial release
[13.07.2010] - Added reference [2] and [3]
[15.07.2010] - Added reference [4]
[12.08.2010] - Added reference [5] and [6]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;