Credit:
The information has been provided by Dan Rosenberg.
The original article can be found at: http://seclists.org/fulldisclosure/2011/Jan/487
Vulnerable Systems:
* Oracle OpenOffice 3.2 and earlier
Immune Systems:
* Oracle OpenOffice 3.3
By convincing a victim to open a maliciously crafted RTF or Word document, arbitrary code may be executed on the victim's machine.
CVE-2010-3451:
OpenOffice.org uses its own internal memory management system for parsing tables in RTF documents. Information about each table row is inserted, element by element, into an SwTableBoxes object. These objects contain a fixed amount of data, and when they have reached capacity, a resize() method is called to double the space previously allocated for cell contents. When this method is called, the new space will be allocated on top of recently freed memory containing file data without clearing this memory. Because of a bug in the RTF parser, corrupt table data may cause the insertion of elements into an SwTableBoxes object to skip an index rather than remaining strictly sequential. When this occurs, the nA field, representing the number of data elements used in the object, will be out-of-sync with the index of the most recently inserted element, allowing exploitation of a use-after-free vulnerability.
To exploit this issue, corrupt RTF table data first causes the nA field to become out-of-sync with the index of the most recently inserted element in an SwTableBoxes object. Next, the resize() method is called when the object reaches capacity, resulting in its data being reallocated on top of attacker-controlled memory. Finally, during the parsing of an RTF_ROW token, the nA field is used to index into the SwTableBoxes cell data in an attempt to retrieve the most recently added object. Because this index is out-of-sync and the data was recently moved on top of previously used memory, this will result in retrieving an attacker-controlled object from the heap. Subsequent usage of this object may allow an attacker to control program flow and execute arbitrary code.
CVE-2010-3452:
Due to a signedness error in parsing the \pnseclvl RTF tag, which is used for multi-level lists, it is possible to trigger a use-after-free vulnerability. When this tag is followed by an unexpected character, its token value may be negative. The parser attempts to restrict this value to less than the MAXLEVEL constant, but since a signed comparison is used, a negative value will pass this check. This value is then used as an index to retrieve an SwNumFmt object from an array on the heap. By manipulating the heap, it is possible to cause the retrieval of an attacker-controlled object. Subsequent usage of this object may allow an attacker to control program flow and execute arbitrary code.
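The signedness check behind CVE-2010-3452, as an added C illustration that is not OpenOffice.org's code: the flawed "less than MAXLEVEL" comparison beside the hardened one, with a hypothetical MAXLEVEL value, a NumFmt type standing in for SwNumFmt, and a constructed parse_pnseclvl_arg() modelling how an unexpected character after the tag yields a negative token value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical value for illustration; the real constant lives in the parser. */
#define MAXLEVEL 10

/* Stand-in for SwNumFmt: one numbering format per list level. */
typedef struct { int level; const char *fmt; } NumFmt;

static const NumFmt kFmts[MAXLEVEL] = {
    {0, "1."}, {1, "a."}, {2, "i."}, {3, "1)"}, {4, "a)"},
    {5, "i)"}, {6, "(1)"}, {7, "(a)"}, {8, "(i)"}, {9, "1."},
};

/* Flawed pattern from the advisory: the token value is signed and the only
 * guard is a signed comparison, so any negative value passes the check. */
static bool level_check_signed(int level) {
    return level < MAXLEVEL;
}

/* Hardened pattern: reject negative values so only 0..MAXLEVEL-1 can reach
 * the array index (equivalently, compare as unsigned after the sign check). */
static bool level_check_fixed(int level) {
    return level >= 0 && level < MAXLEVEL;
}

/* Constructed model of the parser reading the character after \pnseclvl:
 * a digit gives that level, anything unexpected produces a negative token. */
static int parse_pnseclvl_arg(char c) {
    return (c >= '0' && c <= '9') ? c - '0' : -1;
}

/* Safe lookup: returns NULL instead of indexing outside the array. */
static const NumFmt *lookup_fmt(int level) {
    if (!level_check_fixed(level))
        return NULL;
    return &kFmts[level];
}

int main(void) {
    const char samples[] = { '3', 'x' };        /* constructed inputs */
    for (size_t i = 0; i < sizeof samples; i++) {
        int lvl = parse_pnseclvl_arg(samples[i]);
        const NumFmt *f = lookup_fmt(lvl);
        printf("'%c' -> level %d: signed check %s, fixed check %s, fmt %s\n",
               samples[i], lvl, level_check_signed(lvl) ? "passes" : "rejects",
               level_check_fixed(lvl) ? "passes" : "rejects", f ? f->fmt : "(none)");
    }
    return 0;
}
```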
CVE-2010-3453:
When processing "override level numbers" in parsing list data for Word documents, a user-controlled value is used to index into a vector for an assignment without checking that this index is less than the size of the vector. As a result, an attacker-controlled object may be written to a location on the heap past the bounds of the vector, potentially allowing arbitrary code execution.
CVE-2010-3454:
When parsing Word documents, two signed short values are read directly from the document file to determine where to place NULL terminators after copying additional data in. Because these indexes are not checked in any way, an attacker may use this to write NULL bytes to two arbitrary locations in memory, potentially allowing arbitrary code execution.
CVE Information:
CVE-2010-3451
CVE-2010-3452
CVE-2010-3453
CVE-2010-3454
Disclosure Timeline:
2010-08-20 Initial report for CVE-2010-3452
2010-08-23 Response from OpenOffice.org security team
2010-08-30 Initial report for CVE-2010-3453 and CVE-2010-3454
2010-09-01 Response from OpenOffice.org security team
2010-09-10 Initial report for CVE-2010-3451
2010-10-03 Status update requested
2010-10-03 Response from OpenOffice.org
2011-01-26 Coordinated disclosure