Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: OpenOffice.org Multiple Memory Corruption Vulnerabilities Release Date: 2011-01-26 Application: Oracle OpenOffice.org Versions: 3.2 and earlier Severity: High Author: Dan Rosenberg
Vendor Status: Patch Released CVE Candidates: CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454 Reference: http://www.vsecurity.com/resources/advisory/20110126-1/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product Description ------------------- From : "OpenOffice.org 3 is the leading open-source office software suite for word processing, spreadsheets, presentations, graphics, databases and more. It is available in many languages and works on all common computers. It stores all your data in an international open standard format and can also read and write files from other common office software packages. It can be downloaded and used completely free of charge for any purpose." Vulnerability Overview ---------------------- On August 20th, VSR identified multiple memory corruption vulnerabilities in OpenOffice.org. By convincing a victim to open a maliciously crafted RTF or Word document, arbitrary code may be executed on the victim's machine. Vulnerability Details --------------------- CVE-2010-3451: OpenOffice.org uses its own internal memory management system for parsing tables in RTF documents. Information about each table row is inserted, element by element, into an SwTableBoxes object. These objects contain a fixed amount of data, and when they have reached capacity, a resize() method is called to double the space previously allocated for cell contents. When this method is called, the new space will be allocated on top of recently freed memory containing file data without clearing this memory. Because of a bug in the RTF parser, corrupt table data may cause the insertion of elements into an SwTableBoxes object to skip an index rather than remaining strictly sequential. When this occurs, the nA field, representing the number of data elements used in the object, will be out-of-sync with the index of the most recently inserted element, allowing exploitation of a use-after-free vulnerability. To exploit this issue, corrupt RTF table data first causes the nA field to become out-of-sync with the index of the most recently inserted element in an SwTableBoxes object. Next, the resize() method is called when the object reaches capacity, resulting in its data being reallocated on top of attacker-controlled memory. Finally, during the parsing of an RTF_ROW token, the nA field is used to index into the SwTableBoxes cell data in an attempt to retrieve the most recently added object. Because this index is out-of-sync and the data was recently moved on top of previously used memory, this will result in retrieving an attacker-controlled object from the heap. Subsequent usage of this object may allow an attacker to control program flow and execute arbitrary code. CVE-2010-3452: Due to a signedness error in parsing the \pnseclvl RTF tag, which is used for multi-level lists, it is possible to trigger a use-after-free vulnerability. When this tag is followed by an unexpected character, its token value may be negative. The parser attempts to restrict this value to less than the MAXLEVEL constant, but since a signed comparison is used, a negative value will pass this check. This value is then used as an index to retrieve an SwNumFmt object from an array on the heap. By manipulating the heap, it is possible to cause the retrieval of an attacker-controlled object. Subsequent usage of this object may allow an attacker to control program flow and execute arbitrary code. CVE-2010-3453: When processing "override level numbers" in parsing list data for Word documents, a user-controlled value is used to index into a vector for an assignment without checking that this index is less than the size of the vector. As a result, an attacker-controlled object may be written to a location on the heap past the bounds of the vector, potentially allowing arbitrary code execution. CVE-2010-3454: When parsing Word documents, two signed short values are read directly from the document file to determine where to place NULL terminators after copying additional data in. Because these indexes are not checked in any way, an attacker may use this to write NULL bytes to two arbitrary locations in memory, potentially allowing arbitrary code execution. Versions Affected ----------------- Versions prior to OpenOffice.org 3.3 are affected. Vendor Response --------------- The following timeline details OpenOffice.org's response to the reported issues: 2010-08-20 Initial report for CVE-2010-3452 2010-08-23 Response from OpenOffice.org security team 2010-08-30 Initial report for CVE-2010-3453 and CVE-2010-3454 2010-09-01 Response from OpenOffice.org security team 2010-09-10 Initial report for CVE-2010-3451 2010-10-03 Status update requested 2010-10-03 Response from OpenOffice.org 2011-01-26 Coordinated disclosure Recommendation -------------- Users should install updates provided by downstream distributions or upgrade to version 3.3. Common Vulnerabilities and Exposures (CVE) Information ------------------------------------------------------ The Common Vulnerabilities and Exposures (CVE) project has assigned the numbers CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, and CVE-2010-3454 to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Acknowledgements ---------------- Thanks to the OpenOffice.org security team for their prompt response and fix. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- References: 1. "Why OpenOffice.org" http://why.openoffice.org -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. See the VSR disclosure policy for more information on our responsible disclosure practices: http://www.vsecurity.com/company/disclosure -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Copyright 2010 Virtual Security Research, LLC. All rights reserved.
Editor’s note: This work was originally published by VSR on their website at https://www.vsecurity.com/resources/advisories.html. VSR is now a part of NCC Group, so we have migrated this content to research.nccgroup.com. The advisory text as above has been copy-pasted to this blog for historical reference.