Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=714
Vulnerable Systems:
* OpenOffice version 2.4
Immune Systems:
* OpenOffice version 2.4.1
The vulnerability exists due to the rtl_allocateMemory() function rounding up allocation requests to be aligned on an 8 byte boundary without checking if this rounding results in an integer overflow condition. The vulnerable code is as follows, taken from sal/rtl/source/alloc_global.c:
191 void *
192 SAL_CALL rtl_allocateMemory (sal_Size n)
193 {
194     void * p = 0;
195     if (n > 0)
196     {
197         char * addr;
198         sal_Size size = RTL_MEMORY_ALIGN(n + RTL_MEMALIGN, RTL_MEMALIGN); /* n + RTL_MEMALIGN can wrap around */
199
200         int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
201         OSL_ASSERT(RTL_MEMALIGN >= sizeof(sal_Size));
202
203     try_alloc:
204         if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
205             addr = (char*)rtl_cache_alloc(g_alloc_table[index]);
206         else
207             addr = (char*)rtl_arena_alloc (gp_alloc_arena, &size);
208
The problem occurs at line 198. The n + RTL_MEMALIGN calculation can overflow if n > UINT_MAX - RTL_MEMALIGN. This results in an undersized buffer being allocated at try_alloc. This buffer is then passed back to the calling function, which assumes that the buffer is much larger than it actually is. This results in a heap overflow.
As this vulnerability occurs in the core memory allocator, there are numerous ways to trigger the vulnerable code using a wide variety of different file types.
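To make the arithmetic at line 198 concrete, the following is an added example, not code from the advisory or from OpenOffice.org. It models sal_Size as a 32-bit unsigned type (matching the UINT_MAX bound above), assumes RTL_MEMORY_ALIGN is the usual round-up-to-multiple idiom, and places the unchecked rounding beside the overflow check a fixed allocator needs before it rounds:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants: 8-byte alignment as the advisory describes. The real
 * RTL_MEMORY_ALIGN macro in OpenOffice may differ; this is the common idiom. */
#define MEMALIGN 8u
#define MEMORY_ALIGN(value, align) \
    ((sal_size_t)(((value) + ((align) - 1)) & ~((align) - 1)))

/* sal_Size modelled as 32-bit unsigned, so wrap-around happens at UINT32_MAX. */
typedef uint32_t sal_size_t;

/* Mirrors the vulnerable computation: n + MEMALIGN is rounded with no check,
 * so a huge n silently becomes a tiny allocation size. */
sal_size_t rounded_size_unchecked(sal_size_t n)
{
    return MEMORY_ALIGN(n + MEMALIGN, MEMALIGN);
}

/* Hardened version. Two additions can wrap: n + MEMALIGN, and the
 * (align - 1) added inside the rounding macro. Reject any n for which
 * n + MEMALIGN + (MEMALIGN - 1) would exceed the type; *out is untouched then. */
bool rounded_size_checked(sal_size_t n, sal_size_t *out)
{
    if (n > UINT32_MAX - MEMALIGN - (MEMALIGN - 1))
        return false;
    *out = MEMORY_ALIGN(n + MEMALIGN, MEMALIGN);
    return true;
}

int main(void)
{
    /* Constructed request sizes: one ordinary, two near the top of the range. */
    sal_size_t samples[] = { 13u, 0xFFFFFFF1u, 0xFFFFFFFCu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        sal_size_t out = 0;
        bool ok = rounded_size_checked(samples[i], &out);
        printf("n=0x%08x unchecked=0x%08x checked=%s\n",
               samples[i], rounded_size_unchecked(samples[i]),
               ok ? "accepted" : "rejected (would overflow)");
    }
    return 0;
}
```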
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. To exploit this vulnerability, an attacker needs to convince a user to open a malicious file. After opening the file, no further interaction is needed.
Vendor response:
OpenOffice.Org has addressed this vulnerability by releasing version 2.4.1 of their product. For more information, consult the OOo Security Bulletin at the following URL: http://www.openoffice.org/security/cves/CVE-2008-2152.html
CVE Information:
CVE-2008-2152