Discovered by a Cisco Talos researcher. Blog by Jon Munshaw.
SoftMaker's Office PlanMaker contains multiple vulnerabilities that could allow an adversary to cause a variety of malicious conditions in the software. SoftMaker's flagship product, SoftMaker Office, is supported on a variety of platforms and contains a handful of components that allows the user to write text documents, create spreadsheets, design presentations and more. The SoftMaker Office suite supports a variety of common office file formats, as well as other internal formats that the user may choose to use when performing their necessary work. These vulnerabilities all exist in the PlanMaker component of the suite, which allows users to create and edit spreadsheets.In accordance with our coordinated disclosure policy, Cisco Talos worked with SoftMaker to ensure that these issues are resolved and that an update is available for affected customers.
Vulnerability details
SoftMaker Office PlanMaker Document Records 0x8011 and 0x820a integer overflow vulnerability (TALOS-2020-1190/CVE-2020-13579)
An exploitable integer overflow vulnerability exists in the PlanMaker document-parsing functionality of SoftMaker Office 2021's PlanMaker application. A specially crafted document can cause the document parser to perform arithmetic that may overflow, which can result in an undersized heap allocation. Later, when copying data from the file into this allocation, a heap-based buffer overflow will occur, which can corrupt memory. These types of memory corruptions can allow for code execution under the context of the application. A user could trigger this vulnerability by opening a specially crafted document.
Read the complete vulnerability advisory here for additional information.
SoftMaker Office PlanMaker document record 0x8010 out-of-bounds write vulnerability (TALOS-2020-1191/CVE-2020-13580)
An exploitable heap-based buffer overflow vulnerability exists in the PlanMaker document-parsing functionality of SoftMaker Office 2021's PlanMaker application. A specially crafted document can cause the document parser to explicitly trust a length from a particular record type and use it to write a 16-bit null relative to a buffer allocated on the stack. Due to a lack of bounds-checking on this value, this can allow an attacker to write to memory outside of the buffer and controllably corrupt memory. This can allow an attacker to earn code execution under the context of the application. A user could trigger this vulnerability by opening a specially crafted document.
Read the complete vulnerability advisory here for additional information.
SoftMaker Office PlanMaker document record 0x800d memory corruption vulnerability (TALOS-2020-1192/CVE-2020-13581)
An exploitable heap-based buffer overflow vulnerability exists in the PlanMaker document-parsing functionality of SoftMaker Office 2021's PlanMaker application. A specially crafted document can cause the document parser to copy data from a particular record type into a buffer that is smaller than the size used for the copy, which will cause a heap-based buffer overflow. A user could trigger this vulnerability by opening a specially crafted file.
Read the complete vulnerability advisory here for additional information.
SoftMaker Office PlanMaker Excel document record 0x00fc memory corruption vulnerability (TALOS-2020-1197/CVE-2020-13586)
A memory corruption vulnerability exists in the Excel Document SST Record 0x00fc functionality of SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014). A specially crafted malformed file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Read the complete vulnerability advisory here for additional information.
SoftMaker Office PlanMaker Excel document CEscherObject::ReadNativeProperties multiple heap buffer overflow vulnerabilities(TALOS-2020-1210/CVE-2020-13586)
An exploitable heap-based buffer overflow vulnerability exists in the Office Art record-parsing functionality of SoftMaker Office 2021's PlanMaker application. A specially crafted document can cause the document parser to copy data from a particular record type into a static-sized buffer within an object that is smaller than the size used for the copy, which will cause a heap-based buffer overflow. An attacker can entice the victim to open a document to trigger this vulnerability.
Read the complete vulnerability advisory here for additional information.
Versions tested
Talos tested and confirmed that this vulnerability affects SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014).
Coverage
The following SNORTⓇ rules from an earlier rule release will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 56209, 55210, 56212, 56213, 56226 - 56229