OpenOffice.org Multiple Memory
Corruption Vulnerabilities

Release Date 2011-01-26
Application Oracle OpenOffice.org
Versions 3.2 and earlier
Severity High
Discovered by Dan Rosenberg <drosenberg {at} vsecurity.com>
Vendor Status Patch Released
CVE Candidates CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454
Reference Original Advisory

Product Description

From [1]:

"OpenOffice.org 3 is the leading open-source office software suite for word processing, spreadsheets, presentations, graphics, databases and more. It is available in many languages and works on all common computers. It stores all your data in an international open standard format and can also read and write files from other common office software packages. It can be downloaded and used completely free of charge for any purpose."

Vulnerability Overview

On August 20th, VSR identified multiple memory corruption vulnerabilities in OpenOffice.org. By convincing a victim to open a maliciously crafted RTF or Word document, arbitrary code may be executed on the victim's machine.

Vulnerability Details

CVE-2010-3451

OpenOffice.org uses its own internal memory management system for parsing tables in RTF documents. Information about each table row is inserted, element by element, into an SwTableBoxes object. These objects contain a fixed amount of data, and when they have reached capacity, a resize() method is called to double the space previously allocated for cell contents. When this method is called, the new space will be allocated on top of recently freed memory containing file data without clearing this memory. Because of a bug in the RTF parser, corrupt table data may cause the insertion of elements into an SwTableBoxes object to skip an index rather than remaining strictly sequential. When this occurs, the nA field, representing the number of data elements used in the object, will be out-of-sync with the index of the most recently inserted element, allowing exploitation of a use-after-free vulnerability.

To exploit this issue, corrupt RTF table data first causes the nA field to become out-of-sync with the index of the most recently inserted element in an SwTableBoxes object. Next, the resize() method is called when the object reaches capacity, resulting in its data being reallocated on top of attacker-controlled memory. Finally, during the parsing of an RTF_ROW token, the nA field is used to index into the SwTableBoxes cell data in an attempt to retrieve the most recently added object. Because this index is out-of-sync and the data was recently moved on top of previously used memory, this will result in retrieving an attacker-controlled object from the heap. Subsequent usage of this object may allow an attacker to control program flow and execute arbitrary code.

CVE-2010-3452

Due to a signedness error in parsing the \pnseclvl RTF tag, which is used for multi-level lists, it is possible to trigger a use-after-free vulnerability. When this tag is followed by an unexpected character, its token value may be negative. The parser attempts to restrict this value to less than the MAXLEVEL constant, but since a signed comparison is used, a negative value will pass this check. This value is then used as an index to retrieve an SwNumFmt object from an array on the heap. By manipulating the heap, it is possible to cause the retrieval of an attacker-controlled object. Subsequent usage of this object may allow an attacker to control program flow and execute arbitrary code.

CVE-2010-3453

When processing "override level numbers" in parsing list data for Word documents, a user-controlled value is used to index into a vector for an assignment without checking that this index is less than the size of the vector. As a result, an attacker-controlled object may be written to a location on the heap past the bounds of the vector, potentially allowing arbitrary code execution.

CVE-2010-3454

When parsing Word documents, two signed short values are read directly from the document file to determine where to place NULL terminators after copying additional data in. Because these indexes are not checked in any way, an attacker may use this to write NULL bytes to two arbitrary locations in memory, potentially allowing arbitrary code execution.

Versions Affected

Versions prior to OpenOffice.org 3.3 are affected.

Vendor Response

The following timeline details OpenOffice.org's response to the reported issues:

2010-08-20 Initial report for CVE-2010-3452
2010-08-23 Response from OpenOffice.org security team
2010-08-30 Initial report for CVE-2010-3453 and CVE-2010-3454
2010-09-01 Response from OpenOffice.org security team
2010-09-10 Initial report for CVE-2010-3451
2010-10-03 Status update requested
2010-10-03 Response from OpenOffice.org security team
2011-01-26 Coordinated disclosure

Recommendation

Users should install updates provided by downstream distributions or upgrade to version 3.3.

Common Vulnerabilities and Exposures (CVE) Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the numbers CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, and CVE-2010-3454 to this issue. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Acknowledgements

Thanks to the OpenOffice.org security team for their prompt response and fix.


References

1. "Why OpenOffice.org?"
http://why.openoffice.org

This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible disclosure practices.


Copyright 2010 Virtual Security Research, LLC. All rights reserved.

2014-09-17
Apple iOS / OSX: Foundation NSXMLParser XXE Vulnerability

2014-05-20
XML Schema, DTD, and Entity Attacks

2013-06-19
IBM WebSphere Commerce: Encrypted URL Parameter Vulnerable to POA

2012-10-23
Timothy D. Morgan presents No Crack Required: Cryptanalysis in Real-World Applications at OWASP AppSecUSA 2012.

more...

Contact us by phone,
fax or e-mail:

Phone: 617.933.8919
Fax: 617.933.8920
Email: inquiry@vsecurity.com