what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

OpenOffice.org Multiple Memory Corruption Vulnerabilities

OpenOffice.org Multiple Memory Corruption Vulnerabilities
Posted Jan 26, 2011
Authored by Dan Rosenberg | Site vsecurity.com

VSR identified multiple memory corruption vulnerabilities in OpenOffice.org. By convincing a victim to open a maliciously crafted RTF or Word document, arbitrary code may be executed on the victim's machine. Versions prior to 3.3 are affected.

tags | advisory, arbitrary, vulnerability
advisories | CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454
SHA-256 | 76148fa5fbd6a847442ba5146f5992a028c81ea3ce77f8550dd19a9ce932f325

OpenOffice.org Multiple Memory Corruption Vulnerabilities

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


VSR Security Advisory
http://www.vsecurity.com/

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: OpenOffice.org Multiple Memory Corruption Vulnerabilities
Release Date: 2011-01-26
Application: Oracle OpenOffice.org
Versions: 3.2 and earlier
Severity: High
Author: Dan Rosenberg <drosenberg (at) vsecurity.com>
Vendor Status: Patch Released
CVE Candidates: CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454
Reference: http://www.vsecurity.com/resources/advisory/20110126-1/

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
- -------------------
- From [1]:

"OpenOffice.org 3 is the leading open-source office software suite for word
processing, spreadsheets, presentations, graphics, databases and more. It is
available in many languages and works on all common computers. It stores all
your data in an international open standard format and can also read and write
files from other common office software packages. It can be downloaded and
used completely free of charge for any purpose."

Vulnerability Overview
- ----------------------
On August 20th, VSR identified multiple memory corruption vulnerabilities in
OpenOffice.org. By convincing a victim to open a maliciously crafted RTF or
Word document, arbitrary code may be executed on the victim's machine.

Vulnerability Details
- ---------------------

CVE-2010-3451:

OpenOffice.org uses its own internal memory management system for parsing
tables in RTF documents. Information about each table row is inserted, element
by element, into an SwTableBoxes object. These objects contain a fixed amount
of data, and when they have reached capacity, a resize() method is called to
double the space previously allocated for cell contents. When this method is
called, the new space will be allocated on top of recently freed memory
containing file data without clearing this memory. Because of a bug in the RTF
parser, corrupt table data may cause the insertion of elements into an
SwTableBoxes object to skip an index rather than remaining strictly sequential.
When this occurs, the nA field, representing the number of data elements used
in the object, will be out-of-sync with the index of the most recently inserted
element, allowing exploitation of a use-after-free vulnerability.

To exploit this issue, corrupt RTF table data first causes the nA field to
become out-of-sync with the index of the most recently inserted element in an
SwTableBoxes object. Next, the resize() method is called when the object
reaches capacity, resulting in its data being reallocated on top of
attacker-controlled memory. Finally, during the parsing of an RTF_ROW token,
the nA field is used to index into the SwTableBoxes cell data in an attempt to
retrieve the most recently added object. Because this index is out-of-sync and
the data was recently moved on top of previously used memory, this will result
in retrieving an attacker-controlled object from the heap. Subsequent usage of
this object may allow an attacker to control program flow and execute arbitrary
code.

CVE-2010-3452:

Due to a signedness error in parsing the \pnseclvl RTF tag, which is used for
multi-level lists, it is possible to trigger a use-after-free vulnerability.
When this tag is followed by an unexpected character, its token value may be
negative. The parser attempts to restrict this value to less than the MAXLEVEL
constant, but since a signed comparison is used, a negative value will pass
this check. This value is then used as an index to retrieve an SwNumFmt object
from an array on the heap. By manipulating the heap, it is possible to cause
the retrieval of an attacker-controlled object. Subsequent usage of this
object may allow an attacker to control program flow and execute arbitrary
code.

CVE-2010-3453:

When processing "override level numbers" in parsing list data for Word
documents, a user-controlled value is used to index into a vector for an
assignment without checking that this index is less than the size of the
vector. As a result, an attacker-controlled object may be written to a
location on the heap past the bounds of the vector, potentially allowing
arbitrary code execution.

CVE-2010-3454:

When parsing Word documents, two signed short values are read directly from the
document file to determine where to place NULL terminators after copying
additional data in. Because these indexes are not checked in any way, an
attacker may use this to write NULL bytes to two arbitrary locations in memory,
potentially allowing arbitrary code execution.

Versions Affected
- -----------------
Versions prior to OpenOffice.org 3.3 are affected.

Vendor Response
- ---------------
The following timeline details OpenOffice.org's response to the reported issues:

2010-08-20 Initial report for CVE-2010-3452
2010-08-23 Response from OpenOffice.org security team
2010-08-30 Initial report for CVE-2010-3453 and CVE-2010-3454
2010-09-01 Response from OpenOffice.org security team
2010-09-10 Initial report for CVE-2010-3451
2010-10-03 Status update requested
2010-10-03 Response from OpenOffice.org
2011-01-26 Coordinated disclosure

Recommendation
- --------------
Users should install updates provided by downstream distributions or upgrade to
version 3.3.

Common Vulnerabilities and Exposures (CVE) Information
- ------------------------------------------------------

The Common Vulnerabilities and Exposures (CVE) project has assigned the numbers
CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, and CVE-2010-3454 to these
issues. These are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

Acknowledgements
- ----------------
Thanks to the OpenOffice.org security team for their prompt response and fix.

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. "Why OpenOffice.org"
http://why.openoffice.org

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Virtual Security Research, LLC nor the author
accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible disclosure
practices:
http://www.vsecurity.com/company/disclosure

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2010 Virtual Security Research, LLC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk1AdVQACgkQQ1RSUNR+T+jKewCeIm76eTipOhEPPFbEg1nEmtgB
TcwAmwYcM43cMVgZ0KTzt0e/u67IX+dm
=aRBX
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close