by Tan Chew Keong
Release Date: 2007-07-11
A vulnerability has been found in QuarkXPress. When exploited, the vulnerability allows execution of arbitrary code when the user imports text from a MSWord 6 document (DOC) file.
- QuarkXPress 7.2 for Windows (Evaluation version) with "Word 6-2000 Filter.xnt" version 188.8.131.52 Build 4139
A stack-based buffer overflow vulnerability exists within the MSWord text-import extension ("Word 6-2000 Filter.xnt") that is distributed with QuarkXPress 7.2. The purpose of this extension is to allow the user to import text into the layout from a MSWord DOC file using the "Rectangle Text Box" tool. The boundary error occurs when the "Word 6-2000 Filter.xnt" DLL handles the font-names that were read from a MSWord 6 document (DOC).
The vulnerable function uses the "lstrcpy()" function to perform unsafe copying of each font-name that is read from the DOC file into a 256-byte stack buffer. The unsafe "lstrcpy()" occurs at ImageBase + 0x0000F608 in "Word 6-2000 Filter.xnt". This can be exploited to trigger a stack-based buffer overflow via a specially crafted DOC file that contains an overly long font-name.
In order to exploit this vulnerability successfully, the user must be convinced to import text from a malicious MSWord DOC file. Execution of arbitrary code using this vulnerability has been confirmed on English WinXP SP2.
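To make the boundary error concrete, the following added example (not code from the advisory or from Quark's extension) contrasts the unbounded-copy pattern described above with a bounded replacement, and runs the bounded check over a constructed font table. The table layout (a 16-bit little-endian length followed by the name bytes) and all function names are assumptions made for illustration; they are not the real DOC encoding or the extension's own functions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the destination stack buffer named in the advisory. */
#define FONT_NAME_BUF 256

/* Hypothetical unsafe pattern (an illustration of the advisory's finding, not
 * the extension's own code): an unbounded copy of a file-controlled,
 * NUL-terminated font-name into a fixed 256-byte stack buffer. A name of 256
 * bytes or more writes past buf into the saved frame, which is the condition
 * the advisory describes. Only call this with trusted short input. */
size_t copy_font_name_unsafe(const char *name)
{
    char buf[FONT_NAME_BUF];
    strcpy(buf, name);      /* no length check: stack overflow on a long name */
    return strlen(buf);
}

/* Hardened replacement: bound the copy to the destination size and reject,
 * rather than silently truncate, names that would not fit. Returns 1 on
 * success, 0 if the name is too long or an argument is invalid. */
int copy_font_name_safe(const char *name, size_t name_len, char *dst, size_t dst_size)
{
    if (name == NULL || dst == NULL || dst_size == 0)
        return 0;
    if (name_len >= dst_size)   /* leave room for the terminating NUL */
        return 0;
    memcpy(dst, name, name_len);
    dst[name_len] = '\0';
    return 1;
}

/* Walks a font table in the hypothetical layout used only for this example:
 * each entry is a 16-bit little-endian length followed by that many name
 * bytes. Returns how many entries would not fit a FONT_NAME_BUF-byte buffer,
 * or -1 if an entry runs past the end of the table (truncated or lying length). */
int count_oversized_font_names(const uint8_t *table, size_t table_len)
{
    size_t pos = 0;
    int oversized = 0;
    while (pos < table_len) {
        if (table_len - pos < 2)            /* not enough bytes for a length field */
            return -1;
        size_t len = (size_t)table[pos] | ((size_t)table[pos + 1] << 8);
        pos += 2;
        if (len > table_len - pos)          /* entry claims more bytes than remain */
            return -1;
        char dst[FONT_NAME_BUF];
        if (!copy_font_name_safe((const char *)(table + pos), len, dst, sizeof dst))
            oversized++;
        pos += len;
    }
    return oversized;
}

/* Builds a constructed sample table: one ordinary name ("Arial") followed by
 * one 300-byte name, which exceeds the 256-byte buffer. Returns the number of
 * bytes written to out, or 0 if cap is too small. */
size_t build_sample_table(uint8_t *out, size_t cap)
{
    const char *ok = "Arial";
    const size_t long_len = 300;
    size_t pos = 0;
    if (cap < 2 + strlen(ok) + 2 + long_len)
        return 0;
    out[pos++] = (uint8_t)strlen(ok); out[pos++] = 0;
    memcpy(out + pos, ok, strlen(ok)); pos += strlen(ok);
    out[pos++] = (uint8_t)(long_len & 0xff); out[pos++] = (uint8_t)(long_len >> 8);
    memset(out + pos, 'A', long_len); pos += long_len;
    return pos;
}

/* Wrappers that run the bounded check over the constructed sample (intact, and
 * with its last byte cut off to simulate a truncated file). */
int sample_table_oversized(void)
{
    uint8_t table[512];
    size_t n = build_sample_table(table, sizeof table);
    return count_oversized_font_names(table, n);
}

int sample_table_truncated(void)
{
    uint8_t table[512];
    size_t n = build_sample_table(table, sizeof table);
    return count_oversized_font_names(table, n - 1);
}

int main(void)
{
    printf("unsafe path on a short name copied %zu bytes\n", copy_font_name_unsafe("Arial"));
    printf("oversized font-names in sample table: %d\n", sample_table_oversized());
    printf("truncated sample table result: %d\n", sample_table_truncated());
    return 0;
}
```

The point of the bounded version is that the length is checked against the destination before any byte is written, and an entry that would not fit is rejected rather than truncated, so a file with an overly long font-name fails the import instead of corrupting the stack. Checking that each entry's length stays within the remaining table bytes is the other half of the same discipline.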
The following screen capture shows that it is possible to overwrite the saved EIP when importing text from a MSWord 6 DOC file that contains an overly long font-name.
POC / Test Code
The following POC DOC files will exploit the vulnerability to run calc.exe or crash QuarkXPress 7.2. The code execution POC has been successfully tested on English WinXP SP2.
Instructions to reproduce the vulnerability:
- Download the POC files and save them to the hard-disk.
- Run QuarkXPress.
- Create a new project in QuarkXPress by selecting "File->New->Project..." from the main menu.
- Select the "Rectangle Text Box Tool" from the toolbar and draw a textbox on the layout.
- Select the "Content tool" from the toolbar.
- Move the mouse cursor over the textbox that was just drawn and right-click on it. The context menu will pop up.
- Select "Import Text..." from the context menu. A file-open dialog box will appear.
- Select the POC file using the file-open dialog box and click "Open".
- A successful exploit will run calc.exe or crash QuarkXPress.
Patch / Workaround
Do not import text from untrusted MSWord document (DOC) files.
2007-06-23 - Vulnerability discovered.
2007-06-24 - Initial vendor notification.
2007-06-25 - Initial vendor reply.
2007-06-25 - Vulnerability description and POC files sent to vendor.
2007-06-30 - Vendor reminder sent. (no reply)
2007-07-08 - Vendor reminder sent. (no reply)
2007-07-11 - Public disclosure.