Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25557
HistoryJan 27, 2011 - 12:00 a.m.

OpenOffice.org Multiple Memory Corruption Vulnerabilities

2011-01-2700:00:00
vulners.com
25

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                     VSR Security Advisory
                   http://www.vsecurity.com/
  • -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: OpenOffice.org Multiple Memory Corruption Vulnerabilities
Release Date: 2011-01-26
Application: Oracle OpenOffice.org
Versions: 3.2 and earlier
Severity: High
Author: Dan Rosenberg <drosenberg (at) vsecurity.com>
Vendor Status: Patch Released
CVE Candidates: CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454
Reference: http://www.vsecurity.com/resources/advisory/20110126-1/

  • -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description


  • From [1]:

"OpenOffice.org 3 is the leading open-source office software suite for word
processing, spreadsheets, presentations, graphics, databases and more. It is
available in many languages and works on all common computers. It stores all
your data in an international open standard format and can also read and write
files from other common office software packages. It can be downloaded and
used completely free of charge for any purpose."

Vulnerability Overview


On August 20th, VSR identified multiple memory corruption vulnerabilities in
OpenOffice.org. By convincing a victim to open a maliciously crafted RTF or
Word document, arbitrary code may be executed on the victim's machine.

Vulnerability Details


CVE-2010-3451:

OpenOffice.org uses its own internal memory management system for parsing
tables in RTF documents. Information about each table row is inserted, element
by element, into an SwTableBoxes object. These objects contain a fixed amount
of data, and when they have reached capacity, a resize() method is called to
double the space previously allocated for cell contents. When this method is
called, the new space will be allocated on top of recently freed memory
containing file data without clearing this memory. Because of a bug in the RTF
parser, corrupt table data may cause the insertion of elements into an
SwTableBoxes object to skip an index rather than remaining strictly sequential.
When this occurs, the nA field, representing the number of data elements used
in the object, will be out-of-sync with the index of the most recently inserted
element, allowing exploitation of a use-after-free vulnerability.

To exploit this issue, corrupt RTF table data first causes the nA field to
become out-of-sync with the index of the most recently inserted element in an
SwTableBoxes object. Next, the resize() method is called when the object
reaches capacity, resulting in its data being reallocated on top of
attacker-controlled memory. Finally, during the parsing of an RTF_ROW token,
the nA field is used to index into the SwTableBoxes cell data in an attempt to
retrieve the most recently added object. Because this index is out-of-sync and
the data was recently moved on top of previously used memory, this will result
in retrieving an attacker-controlled object from the heap. Subsequent usage of
this object may allow an attacker to control program flow and execute arbitrary
code.

CVE-2010-3452:

Due to a signedness error in parsing the \pnseclvl RTF tag, which is used for
multi-level lists, it is possible to trigger a use-after-free vulnerability.
When this tag is followed by an unexpected character, its token value may be
negative. The parser attempts to restrict this value to less than the MAXLEVEL
constant, but since a signed comparison is used, a negative value will pass
this check. This value is then used as an index to retrieve an SwNumFmt object
from an array on the heap. By manipulating the heap, it is possible to cause
the retrieval of an attacker-controlled object. Subsequent usage of this
object may allow an attacker to control program flow and execute arbitrary
code.

CVE-2010-3453:

When processing "override level numbers" in parsing list data for Word
documents, a user-controlled value is used to index into a vector for an
assignment without checking that this index is less than the size of the
vector. As a result, an attacker-controlled object may be written to a
location on the heap past the bounds of the vector, potentially allowing
arbitrary code execution.

CVE-2010-3454:

When parsing Word documents, two signed short values are read directly from the
document file to determine where to place NULL terminators after copying
additional data in. Because these indexes are not checked in any way, an
attacker may use this to write NULL bytes to two arbitrary locations in memory,
potentially allowing arbitrary code execution.

Versions Affected


Versions prior to OpenOffice.org 3.3 are affected.

Vendor Response


The following timeline details OpenOffice.org's response to the reported issues:

2010-08-20 Initial report for CVE-2010-3452
2010-08-23 Response from OpenOffice.org security team
2010-08-30 Initial report for CVE-2010-3453 and CVE-2010-3454
2010-09-01 Response from OpenOffice.org security team
2010-09-10 Initial report for CVE-2010-3451
2010-10-03 Status update requested
2010-10-03 Response from OpenOffice.org
2011-01-26 Coordinated disclosure

Recommendation


Users should install updates provided by downstream distributions or upgrade to
version 3.3.

Common Vulnerabilities and Exposures (CVE) Information


The Common Vulnerabilities and Exposures (CVE) project has assigned the numbers
CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, and CVE-2010-3454 to these
issues. These are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

Acknowledgements


Thanks to the OpenOffice.org security team for their prompt response and fix.

  • -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

  1. "Why OpenOffice.org"
    http://why.openoffice.org
  • -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Virtual Security Research, LLC nor the author
accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible disclosure
practices:
http://www.vsecurity.com/company/disclosure

  • -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Copyright 2010 Virtual Security Research, LLC. All rights reserved.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk1AdVQACgkQQ1RSUNR+T+jKewCeIm76eTipOhEPPFbEg1nEmtgB
TcwAmwYcM43cMVgZ0KTzt0e/u67IX+dm
=aRBX
-----END PGP SIGNATURE-----

Related for SECURITYVULNS:DOC:25557