Credit:
The information has been provided by iDefense Labs.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=691, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=692, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=693 and http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=694
Vulnerable Systems:
* OpenOffice version 2.3
* OpenOffice version 2.3.1
Immune Systems:
* OpenOffice version 2.4
Multiple Vendor OpenOffice QPRO File Parsing Integer Underflow Vulnerability
One of the file formats that OpenOffice supports is Quattro Pro (QPRO). This format is used by Corel's QuattroPro spreadsheet application.
Remote exploitation of an integer underflow vulnerability in OpenOffice, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the logged in user.
The vulnerability exists within the code responsible for converting the QPRO file into an internal representation used by OpenOffice. A 16-bit integer is read in from the file, and later used as a loop counter that controls how many values are stored into local stack buffers. When verifying the value of this counter, the code decrements the counter without checking to see if this operation will underflow. This results in the loop running for many iterations, which leads to a stack based buffer overflow. This allows for the execution of arbitrary code.
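The counter handling described above, shown as an added C illustration that is not OpenOffice's code: the two-byte record layout, the SLOTS capacity of the local buffers and all function names are assumptions. The first routine shows the arithmetic of the unchecked decrement (a stored count of 0 wraps to 0xFFFF), the second a parser that validates the raw count against the buffer capacity and the record length before any arithmetic touches it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SLOTS 64   /* hypothetical capacity of the local (stack) buffers */

/* QPRO fields are little-endian 16-bit values. */
static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* The unchecked pattern: the count read from the file is decremented (turning
 * a 1-based count into the index of the last element) before it is validated,
 * so a count of 0 wraps to 0xFFFF and a loop of the form
 * "for (i = 0; i <= last; i++)" runs 65536 times, far past SLOTS entries.
 * This returns the iteration count instead of performing the stores, so the
 * demonstration itself cannot smash the stack. */
size_t iterations_unchecked(uint16_t count_from_file)
{
    uint16_t last = (uint16_t)(count_from_file - 1u);   /* underflows for 0 */
    return (size_t)last + 1u;
}

/* Hardened parser for the constructed layout [u16 count][count x u16 value].
 * The raw count is range-checked before any arithmetic, and the payload is
 * checked against the record length so a short record cannot be over-read.
 * Returns the number of values stored in out, or -1 if the record is bad. */
int parse_values_checked(const uint8_t *rec, size_t len, uint16_t out[SLOTS])
{
    if (len < 2)
        return -1;
    uint16_t count = rd16le(rec);
    if (count == 0 || count > SLOTS)        /* reject 0 before it can wrap */
        return -1;
    if ((size_t)count * 2u > len - 2u)      /* whole payload must be present */
        return -1;
    for (uint16_t i = 0; i < count; i++)
        out[i] = rd16le(rec + 2 + 2u * i);
    return (int)count;
}

/* Constructed sample records; none of these come from a real QPRO file. */
const uint8_t rec_zero_count[] = { 0x00, 0x00 };
const uint8_t rec_three[]      = { 0x03, 0x00, 0x11, 0x00, 0x22, 0x00, 0x34, 0x12 };
const uint8_t rec_truncated[]  = { 0x03, 0x00, 0x11, 0x00 };   /* claims 3, carries 1 */

int main(void)
{
    uint16_t buf[SLOTS];
    printf("count 0, unchecked: %zu iterations\n", iterations_unchecked(0));
    printf("count 0, checked:   %d\n",
           parse_values_checked(rec_zero_count, sizeof rec_zero_count, buf));
    printf("count 3, checked:   %d values\n",
           parse_values_checked(rec_three, sizeof rec_three, buf));
    printf("truncated, checked: %d\n",
           parse_values_checked(rec_truncated, sizeof rec_truncated, buf));
    return 0;
}
```

The order of the checks is the point: the comparison must be made on the value as read from the file, and the buffer-capacity bound must be applied to the same quantity that later drives the loop.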
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. In order to exploit this vulnerability, an attacker must persuade a user to open a malicious file.
Workaround:
Renaming the shared library that contains the vulnerable code will prevent OpenOffice from opening QPRO files. On Fedora Core 7, the library can be found at:
/usr/lib/openoffice.org/program/libsc680li.so
Renaming this file to libsc680li.so.bak will prevent it from being loaded. In addition to preventing the use of QPRO files, this also prevents users from opening various other file formats.
Vendor response:
The OpenOffice.org team has addressed this vulnerability with the release of version 2.4. For more information, consult the OOo Security Bulletin at the following URL: http://www.openoffice.org/security/cves/CVE-2007-5745.html
CVE Information:
CVE-2007-5747
Multiple Vendor OpenOffice QPRO Multiple Heap Overflow Vulnerabilities
One of the file formats that OpenOffice supports is Quattro Pro (QPRO). This format is used by Corel's QuattroPro spreadsheet application.
Remote exploitation of multiple buffer overflow vulnerabilities in OpenOffice, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the logged in user.
The first vulnerability occurs when parsing "Attribute" records from the file. Due to a lack of bounds checking during a loop that reads these records, an attacker can trigger a heap overflow by inserting more than 256 records.
The second vulnerability is nearly identical to the first one, but involves the "Font Description" record instead of the "Attribute" record.
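Both of the loops described above (Attribute records and Font Description records) follow the same shape, so one added C example covers them. It is not OpenOffice's code: the record framing, the type tags REC_ATTR and REC_FONT, the 256-entry table and the function names are assumptions. The unchecked walk counts how many entries would be written beyond the heap table; the hardened walk stops as soon as one record too many appears, and also rejects records whose declared length runs past the stream.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

#define MAX_ENTRIES 256     /* table size the parser allocates up front */
#define REC_ATTR    0x01    /* hypothetical type tags for the two record kinds */
#define REC_FONT    0x02
#define REC_HDR     4       /* constructed framing: [u16 type][u16 length] per record */

struct entry { uint16_t value; };

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* The unchecked walk: every record of the wanted type is appended at
 * table[n++] with no test of n against MAX_ENTRIES. So that this demonstration
 * stays memory-safe the store is skipped once the table is full, but n keeps
 * counting; the return value is how many entries the real loop would have
 * written past the end of the heap allocation. */
size_t entries_past_end_unchecked(const uint8_t *s, size_t len, uint16_t want)
{
    struct entry *table = calloc(MAX_ENTRIES, sizeof *table);
    size_t n = 0, off = 0;
    if (!table)
        return 0;
    while (off + REC_HDR <= len) {
        uint16_t type = rd16le(s + off), rlen = rd16le(s + off + 2);
        if (rlen > len - off - REC_HDR)
            break;
        if (type == want && rlen >= 2) {
            if (n < MAX_ENTRIES)                /* the real code stores unconditionally */
                table[n].value = rd16le(s + off + REC_HDR);
            n++;
        }
        off += REC_HDR + rlen;
    }
    free(table);
    return n > MAX_ENTRIES ? n - MAX_ENTRIES : 0;
}

/* Hardened walk: fails with -1 as soon as one more record would exceed the
 * table, and rejects records whose declared length runs past the stream. The
 * same routine serves Attribute and Font Description records via 'want'. */
int parse_entries_checked(const uint8_t *s, size_t len, uint16_t want,
                          struct entry *table, size_t cap)
{
    size_t n = 0, off = 0;
    while (off + REC_HDR <= len) {
        uint16_t type = rd16le(s + off), rlen = rd16le(s + off + 2);
        if (rlen > len - off - REC_HDR)
            return -1;                          /* truncated record */
        if (type == want) {
            if (rlen < 2 || n >= cap)
                return -1;                      /* too short, or one record too many */
            table[n++].value = rd16le(s + off + REC_HDR);
        }
        off += REC_HDR + rlen;
    }
    return (int)n;
}

/* Build a constructed stream of k records of one type; not a real QPRO file. */
size_t build_stream(uint8_t *buf, size_t cap, uint16_t type, size_t k)
{
    size_t off = 0;
    for (size_t i = 0; i < k && off + 6 <= cap; i++) {
        buf[off++] = (uint8_t)type; buf[off++] = 0;                 /* type   */
        buf[off++] = 2;             buf[off++] = 0;                 /* length */
        buf[off++] = (uint8_t)i;    buf[off++] = (uint8_t)(i >> 8); /* value  */
    }
    return off;
}

int main(void)
{
    static uint8_t stream[257 * 6];
    struct entry table[MAX_ENTRIES];
    size_t n = build_stream(stream, sizeof stream, REC_ATTR, 257);
    printf("257 attribute records: %zu written past the table (unchecked), "
           "checked parse returns %d\n",
           entries_past_end_unchecked(stream, n, REC_ATTR),
           parse_entries_checked(stream, n, REC_ATTR, table, MAX_ENTRIES));
    return 0;
}
```

With 257 records the unchecked loop writes one entry beyond a 256-slot allocation, which is exactly the condition the advisory gives; the hardened loop refuses the stream at the 257th record instead.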
Analysis:
Exploitation of these vulnerabilities results in the execution of arbitrary code with the privileges of the user opening the file. In order to exploit these vulnerabilities, an attacker must persuade a user to open a malicious file.
Workaround:
Renaming the shared library that contains the vulnerable code will prevent OpenOffice from opening QPRO files. On Fedora Core 7, the library can be found at:
/usr/lib/openoffice.org/program/libsc680li.so
Renaming this file to libsc680li.so.bak will prevent it from being loaded. In addition to preventing the use of QPRO files, this also prevents users from opening various other file formats.
Vendor response:
The OpenOffice.org team has addressed these vulnerabilities with the release of version 2.4. For more information, consult the OOo Security Bulletin at the following URL: http://www.openoffice.org/security/cves/CVE-2007-5745.html
CVE Information:
CVE-2007-5745
Multiple Vendor OpenOffice EMF EMR_BITBLT Record Integer Overflow Vulnerability
One of the file formats that OpenOffice supports is Windows Enhanced Metafile (EMF). EMF files are used to render images.
Remote exploitation of an integer overflow vulnerability in OpenOffice, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the logged in user.
The vulnerability exists within the code responsible for parsing the EMR_STRETCHBLT record in an EMF file. This code reads in two 32-bit integers from the file, and then uses them in an arithmetic operation that calculates the number of bytes to allocate for a dynamic buffer. This calculation can overflow, resulting in an insufficiently sized buffer being allocated. Subsequently, this buffer is overflowed with data from the file.
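The size calculation described above, shown as an added C illustration that is not OpenOffice's code. The 16-byte record framing used here is a constructed simplification, not the real EMR_STRETCHBLT layout; only the field names cbBmiSrc and cbBitsSrc (the sizes of the bitmap header and pixel data) and the type code 0x4D are taken from the EMF specification, and the function names are assumptions. The first two routines show the gap between what the 32-bit sum allocates and what the copies that follow would move; the hardened loader uses an overflow-checked add and then bounds the sum by the bytes the record actually carries.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed record framing (not the real 108-byte EMR_STRETCHBLT layout):
 *   [u32 type][u32 nSize][u32 cbBmiSrc][u32 cbBitsSrc][nSize - 16 bytes payload] */
#define HDR 16

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The unchecked calculation: the two sizes are added in 32-bit arithmetic and
 * the sum is passed to the allocator. Returns that (possibly wrapped) size. */
uint32_t alloc_size_unchecked(uint32_t cb_bmi, uint32_t cb_bits)
{
    return cb_bmi + cb_bits;                /* wraps modulo 2^32 */
}

/* The copies that follow use the original field values, so this is what the
 * memcpy calls would actually move into the buffer sized above. */
uint64_t bytes_copied(uint32_t cb_bmi, uint32_t cb_bits)
{
    return (uint64_t)cb_bmi + cb_bits;
}

/* Hardened loader: overflow-checked sum (GCC/Clang builtin), then bounded by
 * the bytes the record carries. Returns a freshly allocated header+bits buffer
 * (caller frees) and its length, or NULL on any inconsistency. */
uint8_t *load_bitmap_checked(const uint8_t *rec, size_t len, size_t *out_len)
{
    if (len < HDR)
        return NULL;
    uint32_t n_size  = rd32le(rec + 4);
    uint32_t cb_bmi  = rd32le(rec + 8);
    uint32_t cb_bits = rd32le(rec + 12);
    uint32_t total;
    if (n_size < HDR || n_size > len)
        return NULL;                        /* record does not fit the file */
    if (__builtin_add_overflow(cb_bmi, cb_bits, &total))
        return NULL;                        /* the advisory's overflow */
    if (total > n_size - HDR)
        return NULL;                        /* claims more payload than present */
    uint8_t *buf = malloc(total ? total : 1);
    if (!buf)
        return NULL;
    memcpy(buf, rec + HDR, total);
    *out_len = total;
    return buf;
}

/* Build a constructed record with the given size fields and 'payload' bytes
 * of 0xAA; returns the record length, or 0 if it does not fit in buf. */
size_t build_record(uint8_t *buf, size_t cap, uint32_t cb_bmi, uint32_t cb_bits, size_t payload)
{
    if (cap < HDR + payload)
        return 0;
    wr32le(buf, 0x4D);                      /* EMR_STRETCHBLT type code */
    wr32le(buf + 4, (uint32_t)(HDR + payload));
    wr32le(buf + 8, cb_bmi);
    wr32le(buf + 12, cb_bits);
    memset(buf + HDR, 0xAA, payload);
    return HDR + payload;
}

int main(void)
{
    uint8_t rec[64];
    size_t n = build_record(rec, sizeof rec, 0xFFFFFFF0u, 0x20u, 0), out_len = 0;
    printf("cbBmiSrc=0xFFFFFFF0 cbBitsSrc=0x20: allocates %u bytes, copies %llu bytes\n",
           alloc_size_unchecked(0xFFFFFFF0u, 0x20u),
           (unsigned long long)bytes_copied(0xFFFFFFF0u, 0x20u));
    printf("checked loader on that record: %s\n",
           load_bitmap_checked(rec, n, &out_len) ? "accepted" : "rejected");
    return 0;
}
```

The second bound (sum against the record's remaining bytes) matters as much as the overflow check: without it a consistent pair of sizes that exceed the record would still over-read the file buffer.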
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. In order to exploit this vulnerability, an attacker must persuade a user to open a malicious file.
Vendor response:
The OpenOffice.org team has addressed this vulnerability with the release of version 2.4. For more information, consult the OOo Security Bulletin at the following URL: http://www.openoffice.org/security/cves/CVE-2007-5746.html
CVE Information:
CVE-2007-5746
Multiple Vendor OpenOffice OLE DocumentSummaryInformation Heap Overflow Vulnerability
Object Linking and Embedding (OLE) is a proprietary binary container file format developed by Microsoft. OLE is used for Office files such as PowerPoint (PPT), Excel (XLS), and Word (DOC).
Remote exploitation of a heap based buffer overflow vulnerability in OpenOffice.org, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the current user.
The vulnerability exists within the importer for files stored using the OLE format. When parsing the "DocumentSummaryInformation" stream, the vulnerable code does not correctly verify the size of a destination buffer before copying data from the file into it. This results in an exploitable heap overflow.
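The missing destination check described above, shown as an added C illustration that is not OpenOffice's code. The property value framing follows the OLE property set shape ([u32 type][u32 cb][cb bytes]) and VT_LPSTR is the real type code for a code-page string, but the fixed TITLE_MAX destination, the sample strings and the function names are assumptions. The unchecked routine reports how far a length-driven copy would run past the destination; the hardened routine checks the length against both what the stream holds and what the destination can take before copying.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VT_LPSTR  0x001E   /* OLE property set type code for an 8-bit string */
#define TITLE_MAX 64       /* hypothetical fixed-size destination buffer */

/* Constructed property framing: [u32 type][u32 cb][cb bytes, NUL-terminated] */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The unchecked pattern: cb from the stream drives the copy into a fixed-size
 * destination with no comparison against its capacity. Returns the number of
 * bytes that would land beyond dst (0 means the copy would have fit). No copy
 * is performed here, so the demonstration cannot corrupt the heap. */
size_t overflow_bytes_unchecked(const uint8_t *prop, size_t len)
{
    if (len < 8)
        return 0;
    uint32_t cb = rd32le(prop + 4);
    return cb > TITLE_MAX ? cb - TITLE_MAX : 0;
}

/* Hardened copy: the type is verified, cb is bounded by the bytes remaining
 * in the stream and by the destination (leaving room for a terminator that
 * is written here rather than trusted from the file). Returns the number of
 * bytes copied, or -1 if the property is rejected. */
int lpstr_copy_checked(const uint8_t *prop, size_t len, char dst[TITLE_MAX])
{
    if (len < 8 || rd32le(prop) != VT_LPSTR)
        return -1;
    uint32_t cb = rd32le(prop + 4);
    if (cb > len - 8)
        return -1;                 /* claims more bytes than the stream holds */
    if (cb >= TITLE_MAX)
        return -1;                 /* would not fit the destination */
    memcpy(dst, prop + 8, cb);
    dst[cb] = '\0';
    return (int)cb;
}

/* Build a constructed VT_LPSTR property from s (cb includes the NUL);
 * returns the property length, or 0 if it does not fit in buf. */
size_t build_lpstr(uint8_t *buf, size_t cap, const char *s)
{
    size_t cb = strlen(s) + 1;
    if (cap < 8 + cb)
        return 0;
    wr32le(buf, VT_LPSTR);
    wr32le(buf + 4, (uint32_t)cb);
    memcpy(buf + 8, s, cb);
    return 8 + cb;
}

/* Constructed property that claims 0x1000 bytes but carries two. */
const uint8_t prop_lies[] = { 0x1E, 0, 0, 0, 0x00, 0x10, 0x00, 0x00, 'x', 0 };

int main(void)
{
    uint8_t buf[8 + 256];
    char dst[TITLE_MAX], long_s[200];
    memset(long_s, 'A', sizeof long_s - 1);
    long_s[sizeof long_s - 1] = '\0';
    size_t n = build_lpstr(buf, sizeof buf, long_s);
    printf("200-byte title: %zu bytes past a %d-byte destination (unchecked), "
           "checked copy returns %d\n",
           overflow_bytes_unchecked(buf, n), TITLE_MAX,
           lpstr_copy_checked(buf, n, dst));
    printf("lying property: checked copy returns %d\n",
           lpstr_copy_checked(prop_lies, sizeof prop_lies, dst));
    return 0;
}
```

Two separate bounds are needed because they guard different buffers: the stream bound prevents an over-read of the file data, the destination bound prevents the heap overflow the advisory describes.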
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. To exploit this vulnerability, an attacker must persuade a user to open a malicious file.
Vendor response:
The OpenOffice.org team has addressed this vulnerability with the release of version 2.4. For more information, consult the OOo Security Bulletin at the following URL: http://www.openoffice.org/security/cves/CVE-2008-0320.html
CVE Information:
CVE-2008-0320