vuln.sg Vulnerability Research Advisory

QuarkXPress Word File Import Filter Buffer Overflow Vulnerability by Tan Chew Keong Release Date: 2007-07-11    [en] [jp] Summary A vulnerability has been found in QuarkXPress. When exploited, the vulnerability allows execution of arbitrary code when the user imports text from a MSWord 6 document (DOC) file. Tested Versions QuarkXPress 7.2 for Windows (Evaluation version) with "Word 6-2000 Filter.xnt" version 7.20.0.0 Build 4139 Details A stack-based buffer overflow vulnerability exists within the MSWord text-import extension ("Word 6-2000 Filter.xnt") that is distributed with QuarkXpress 7.2. The purpose of this extension is to allow the user to import text into the layout from a MSWord DOC file using the "Rectangle Text Box" tool. The boundary error occurs when the "Word 6-2000 Filter.xnt" DLL is handling the font-names that were read from a MSWord 6 document (DOC). The vulnerable function uses the "lstrcpy()" function to perform unsafe copying of each font-name that is read from the DOC file into a 256-byte stack buffer. The unsafe "lstrcpy()" occurs at ImageBase + 0x0000F608 in "Word 6-2000 Filter.xnt". This can be exploited to trigger a stack-based buffer overflow via a specially crafted DOC file that contains an overly long font-name. In order to exploit this vulnerability successfully, the user must be convinced to import text from a malicious MSWord DOC file. Execution of arbitrary code using this vulnerability has been confirmed on English WinXP SP2. The following screen capture shows that it is possible to overwrite the saved EIP when importing text from a MSWord 6 DOC file that contains an overly long font-name. POC / Test Code The following POC DOC files will exploit the vulnerability to run calc.exe or crash QuarkXPress 7.2. The code execution POC has been successfully tested on English WinXP SP2. quarkxpress72-EXP.doc (exploits the stack-based buffer overflow to run calc.exe on English WinXP SP2) quarkxpress72-CRASH.doc (crashes QuarkXPress by using the stack-based buffer overflow to overwrite the saved EIP) Instructions to reproduce the vulnerability: Download the POC files and save them to the hard-disk. Run QuarkXPress. Create a new project in QuarkXPress by selecting "File->New->Project..." from the main menu. Select the "Rectangle Text Box Tool" from the toolbar and draw a textbox on the layout. Select the "Content tool" from the toolbar. Move the mouse cursor over the textbox that was just drawn and right-click on it. The context menu will popup. Select "Import Text..." from the context menu. A file-open dialog box will appear. Select the POC file using the file-open dialog box and click "Open". Successful exploit will run calc.exe or crash QuarkXPress.   Patch / Workaround Do not import text from non-trusted MSWord document (DOC) files. Disclosure Timeline 2007-06-23 - Vulnerability discovered. 2007-06-24 - Initial vendor notification. 2007-06-25 - Initial vendor reply. 2007-06-25 - Vulnerability description and POC files sent to vendor. 2007-06-30 - Vendor reminder sent. (no reply) 2007-07-08 - Vendor reminder sent. (no reply) 2007-07-11 - Public disclosure.

Contact

For further enquries, comments, suggestions or bug reports, simply email them to