According to a recent report, researchers from Cisco Talos discovered multiple security vulnerabilities in the Atlantis Word Processor. A number of versions of this portable word processor allegedly had various code execution bugs. Fortunately, a patch is available for users to mitigate these bugs.
Multiple Vulnerabilities in Atlantis Word Processor
The researchers from Cisco Talos, Cory Duplantis and Ali Rizvi-Santiago, discovered several code vulnerabilities in the Atlantis word processor, some of which allowed for code execution.
Researchers discovered eight different vulnerabilities existing in different versions of the software. Some of these flaws even affected multiple versions. Here we give a quick overview of these vulnerabilities and affected versions.
Uninitialized TDocOleObject Code Execution Vulnerability (CVE-2018-3975)
This exploitable vulnerability existed in the RTF-parsing functionality. Receiving a CVSS score of 7.5, the vulnerability affected the AWP version 3.2.6. As described by the researchers regarding the flaw,
“A specially crafted RTF file can leverage an uninitialized stack address, resulting in an out-of-bounds write, which in turn could lead to code execution.”
Word Document Complex Piece Descriptor Table Fc.Compressed Code Execution Vulnerability (CVE-2018-3978)
It was an out-of-bounds write flaw affecting the AWP versions 3.0.2.3, 3.0.2.5. To exploit this vulnerability, an attacker must have social engineer a user to open a malicious file. Researchers stated:
“A specially crafted document can cause Atlantis to write a value outside the bounds of a heap allocation, resulting in a buffer overflow.”
Empty TTableRow TList Code Execution Vulnerability (CVE-2018-3981)
Regarding this uninitialized pointer vulnerability, Cisco stated,
“A specially crafted document can cause an array fetch to return an uninitialized pointer and then performs some arithmetic before writing a value to the result.”
This uninitialized pointer could then corrupt heap memory leading to code execution. Nonetheless, to exploit this flaw and execute an attack, the attacker must lure the victim to open the malicious file.
Document Endnote Reference Code Execution Vulnerability (CVE-2018-3982)
This exploitable arbitrary write vulnerability affected Atlantis Word Processor versions 3.0.2.3 and 3.0.2.5. An attacker could exploit this vulnerability by convincing a user to open a malicious document that will, in turn, corrupt the memory and execute code “under the context of the application”. The vulnerability received a high CVSS score of 8.8.
Uninitialized Length Vulnerability (CVE-2018-3984)
This vulnerability existed in the Word document parser and has achieved a CVSS score of 8.8. To exploit this vulnerability, the user must open the attacker’s specially crafted document that would cause errors in the software functionality. As explained by the researchers,
“A specially crafted document can cause Atlantis to skip initializing a value representing the number of columns of a table. Later, the application will use this as a length within a loop that will write to a pointer on the heap.”
Ultimately, it would cause buffer overflow leading to code execution. The vulnerability allegedly affected the versions 3.0.2.3 and 3.0.2.5.
Windows Enhanced Metafile Code Execution Vulnerability (CVE-2018-3998)
This critical vulnerability (CVSS 8.8) only affected AWP version 3.2.5.0 and existed in the Windows enhanced metafile parser of the software. The vulnerability could trigger an attack when a potential attacker sends a malicious file to the victim that contained a malicious image causing an undersized allocation.
JPEG Length Underflow Code Execution Vulnerability (CVE-2018-3999)
Describing this vulnerability, the researchers stated,
“A specially crafted image embedded within a document can cause a length to be miscalculated and underflow. This length is then treated as unsigned and then used in a copying operation. Due to the length underflow, the application will then write outside the bounds of a stack buffer, resulting in a buffer overflow.”
This stack-based buffer overflow flaw allegedly affected the version 3.2.5.0 only. Nonetheless, this too was a critical vulnerability with 8.8 CVSS score.
Office Open XML TTableRow Double Free Vulnerability (CVE-2018-4000)
The last vulnerability discovered in this phase by Cisco Talos researchers involves exploiting the Office XML parser. The double-free vulnerability achieved a CVSS score of 8.8, and affected version 3.2.5.0 only. As explained in the Cisco Talos report,
“A specially crafted document can cause a TTableRow instance to be referenced twice, resulting in a double-free vulnerability when both the references go out of scope.”
Like all others, this flaw too required the victim to open the malicious file.
Patch Available
The researchers discovered all these vulnerabilities in the previous month, after which, they disclosed it to the vendors on September 10, 2018. The AWP makers, in turn, patched all the flaws and released the updated version for the public on September 26, 2018. Users of Atlantis Word Processor can simply upgrade to the patched version 3.2.7.2 available on the vendor’s website.
Cisco Talos has made proactive contributions with respect to the discovery of the vulnerabilities. Last month, a researcher from this firm identified privilege escalation bug that affected two popular VPN brands – NordVPN and ProtonVPN.
