{"uuid": "42057664-53f2-4d45-898b-24bb6871bab3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2020-13579", "type": "seen", "source": "https://t.me/spatland/82", "content": "Talos Vulnerability Report\n\nTALOS-2020-1190\n\nSoftMaker Office PlanMaker Document Records 0x8011 and 0x820a integer overflow vulnerability\n\nFEBRUARY 3, 2021\n\nCVE NUMBER\n\nCVE-2020-13579\n\nSummary\n\nAn exploitable integer overflow vulnerability exists in the PlanMaker document parsing functionality of SoftMaker Office 2021\u2019s PlanMaker application. A specially crafted document can cause the document parser to perform arithmetic that may overflow, which can result in an undersized heap allocation. Later, when copying data from the file into this allocation, a heap-based buffer overflow will occur which can corrupt memory. These types of memory corruptions can allow for code execution under the context of the application. 
An attacker can entice the victim to open a document to trigger this vulnerability.\n\nTested Versions\n\nSoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014)\n\nProduct URLs\n\nhttps://www.softmaker.com/en/softmaker-office\n\nCVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\nCWE\n\nCWE-190 - Integer Overflow or Wraparound\n\nDetails\n\nSoftMaker Software GmbH is a German software company that develops and releases office software. Their flagship product, SoftMaker Office, is supported on a variety of platforms and contains a handful of components which can allow the user to perform a multitude of tasks such as word processing, spreadsheets, presentation design, and even allows for scripting. Thus the SoftMaker Office suite supports a variety of common office file formats, as well as a number of internal formats that the user may choose to use when performing their necessary work.\n\nThe PlanMaker component of SoftMaker\u2019s suite is designed as an all-around spreadsheet tool, and supports a number of features that allow it to remain competitive with similar office suites that are developed by its competitors. Although the application includes a number of parsers that enable the user to interact with these common document types or templates, a native document format is also included. This undocumented format is labeled as a PlanMaker Document, and will typically have the extension \u201c.pmd\u201d when saved as a file. The PlanMaker Document file format is based on Microsoft\u2019s Compound Document file format and contains two streams, one of which is the \u201cPMW\u201d stream and then the \u201cPMW Objects\u201d stream.\n\nOnce the application unpacks the \u201cPMW\u201d stream, it will check the first few records of the stream in order to fingerprint the document and verify the stream is of the correct format. 
After this confirmation, the application will then execute the following function to read all of the records in the stream. At [1], the function will take an object containing the state and the stream to parse records from in order to store them on the stack. Later, the function will enter a loop at [2] which is responsible for continuously iterating through all of the records in the stream and then parsing them. The function call at [3] is responsible for parsing a general record. This function will return a pointer to the record\u2019s contents at [4].\n\n0x682f8d: push %rbp\n0x682f8e: mov %rsp,%rbp\n0x682f91: sub $0x300,%rsp\n0x682f98: mov %rdi,-0x2e8(%rbp) ; [1] record object\n0x682f9f: mov %rsi,-0x2f0(%rbp) ; [1] stream object\n0x682fa6: mov %edx,-0x2f4(%rbp)\n0x682fac: mov %fs:0x28,%rax\n0x682fb5: mov %rax,-0x8(%rbp)\n0x682fb9: xor %eax,%eax\n...", "creation_timestamp": "2021-02-18T16:18:53.000000Z"}