Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Atlantis Word Processor

TalosIntelligence



A member of Cisco Talos discovered these vulnerabilities.

Executive summary

Today, Cisco Talos is disclosing three remote code execution vulnerabilities in the Atlantis Word Processor. Atlantis Word Processor is a traditional word processor that provides a number of basic features for users, in line with what is in other similar types of software. This application is written in Delphi and keeps the majority of its capabilities in a single, relocatable binary. An attacker could exploit these vulnerabilities to corrupt the memory of the application, which can result in remote code execution under the context of the application.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Atlantis to ensure that these issues are resolved and that an update is available for affected customers.


Vulnerability details

Atlantis Word Processor open document format NewAnsiString length remote code execution vulnerability (TALOS-2018-0711/CVE-2018-4038)

The word processor contains an exploitable arbitrary write vulnerability in the open document format parser while trying to null-terminate a string. A specially crafted document could allow an attacker to pass an untrusted value as a length to a constructor, which miscalculates a length and then uses it to calculate the position to write a null byte. This particular bug lies in the `NewAnsiString` function.

For more information on this vulnerability, read the full advisory here.
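
The summary above does not say how the length is miscalculated. As an added illustration (not Atlantis or Talos code), this C sketch assumes 32-bit wraparound in the size arithmetic of a hypothetical length-prefixed string type, `lp_string`, and shows the checks that keep the null-terminator write inside the allocation; every name and the sample input are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical length-prefixed string: header, then data, then a NUL. */
typedef struct { uint32_t refcnt; uint32_t length; char data[]; } lp_string;

/* Unchecked 32-bit size arithmetic, shown only to expose the wrap:
 * for len near UINT32_MAX the size is tiny, yet data[len] is far away. */
static uint32_t naive_alloc_size(uint32_t len)
{
    return len + (uint32_t)sizeof(lp_string) + 1u;
}

/* Hardened constructor: the length must fit in the bytes the file still
 * holds, and the size sum must not wrap, before anything is allocated. */
static lp_string *new_string_checked(uint32_t len, size_t remaining)
{
    if (len > remaining) return NULL;
    if (len > UINT32_MAX - sizeof(lp_string) - 1u) return NULL;
    lp_string *s = malloc(sizeof(lp_string) + (size_t)len + 1u);
    if (s == NULL) return NULL;
    s->refcnt = 1;
    s->length = len;
    s->data[len] = '\0';   /* terminator index is inside the block */
    return s;
}

/* Reads a little-endian u32 length followed by that many data bytes. */
static lp_string *read_field(const uint8_t *buf, size_t buflen)
{
    if (buflen < 4) return NULL;
    uint32_t len = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                   (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    lp_string *s = new_string_checked(len, buflen - 4);
    if (s != NULL)
        memcpy(s->data, buf + 4, len);
    return s;
}

int main(void)
{
    /* Constructed input: declared length 0xFFFFFFFF, one data byte. */
    static const uint8_t crafted[] = {0xFF, 0xFF, 0xFF, 0xFF, 'A'};
    lp_string *s = read_field(crafted, sizeof crafted);
    int ok = (s == NULL) && naive_alloc_size(UINT32_MAX) == sizeof(lp_string);
    free(s);
    return ok ? 0 : 1;
}
```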

Atlantis Word Processor Huffman table code length remote code execution vulnerability (TALOS-2018-0712/CVE-2018-4039)

Atlantis Word Processor contains an out-of-bounds write vulnerability in its PNG implementation. When opening a specially crafted document, which would need to be supplied by an attacker, the application fingerprints it in order to determine the correct file format parser. Eventually, an attacker could corrupt memory, which would allow them to execute arbitrary code in the context of the application. A user only needs to open the document to trigger this vulnerability.

For more information on this vulnerability, read the full advisory here.

Atlantis Word Processor rich text format uninitialized TAutoList remote code execution vulnerability (TALOS-2018-0713/CVE-2018-4040)

An exploitable uninitialized pointer vulnerability exists in the rich text format parser of Atlantis Word Processor. A specially crafted document can cause certain RTF tokens to dereference an uninitialized pointer and then write to it. When opening up an RTF document, the application will first fingerprint it in order to determine the correct file format parser. Eventually, this would corrupt the memory of the application, allowing an attacker to execute code in the context of the application.

For more information on this vulnerability, read the full advisory here.

Versions tested

Talos tested and confirmed that Atlantis Word Processor, version 3.2.7.2 is affected by these vulnerabilities.

Conclusion

All three of these vulnerabilities are triggered by the user opening a malicious, specially crafted document. The easiest way to avoid these issues is for the user to ensure that they don’t open any documents from untrusted sources. The latest update from Atlantis will also cover these vulnerabilities, as will the Snort rules listed below.


Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48385, 48386, 48389 - 48392
