Thursday, March 14, 2013

HTB23112: Corel Quattro Pro X6 NULL pointer dereference vulnerabilities

WordPerfect Office X6 – Standard Edition, Corel.com

High-Tech Bridge Security Research Lab discovered two NULL pointer dereference vulnerabilities in Corel Quattro Pro. Opening a malicious QPW (Quattro Pro Spreadsheet) document causes an immediate application crash, resulting in the loss of all the user's unsaved data in the application.

The first crash occurs in the QPW160.dll module at the QProGetNotebookWindowHandle function when the application tries to move a value to a corrupted pointer.

The second crash occurs in the QPW160.dll module at the Ordinal132 function when the application tries to copy a buffer from ESI to EDI.

To exploit these vulnerabilities remotely, the attacker has to send a malicious file to the victim by email. In a web-based scenario, the attacker can host a malicious file on a website or WebDAV share and trick the victim into downloading and opening the file.

The researcher provided two files as Proof of Concept (PoC) examples.
