SEC Consult Vulnerability Lab Security Advisory < 20120518-0 >
=======================================================================
title: libwpd WPXContentListener::_closeTableRow() memory
overwrite
product: OpenOffice.org
vulnerable version: 3.3.0/3.4 Beta 1 and probably earlier versions
fixed version: 3.4
CVE: CVE-2012-2149
impact: high
homepage: http://www.openoffice.org/
found: 2011-09-01
by: K. Gudinavicius
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"OpenOffice.org 3 is the leading open-source office software suite for
word processing, spreadsheets, presentations, graphics, databases and
more. It is available in many languages and works on all common
computers."
Source: http://why.openoffice.org/
Vulnerability overview/description:
-----------------------------------
OpenOffice.org includes the customized libwpd version 0.8.8 library for
parsing WordPerfect documents. The used version of the libwpd library
suffers from a memory overwrite vulnerability when reading a specially
crafted WPD file. Successful exploitation of this vulnerability could
result in an arbitrary code execution within the OpenOffice.org
software suite.
Proof of concept:
-----------------
The vulnerability resides in the WPXContentListener::_closeTableRow()
function which is declared in the WPXContentListener.cpp file. The
function doesn't check if the variable's m_ps->m_currentTableCol value
is less than zero before entering the while loop which leads to an
integer overflow and decrementation of the memory location pointed by
m_ps->m_numRowsToSkip[m_ps->m_currentTableCol] address if the
conditions are met. Related code excerpt:
void WPXContentListener::_closeTableRow()
{
if (m_ps->m_isTableRowOpened)
{
while ((long)m_ps->m_currentTableCol <
(long)m_ps->m_numRowsToSkip.size()) {
if
(!m_ps->m_numRowsToSkip[m_ps->m_currentTableCol]) {
RGBSColor tmpCellBorderColor(0x00,
0x00, 0x00, 0x64); _openTableCell(1, 1, 0xFF, 0, 0,
&tmpCellBorderColor, TOP); _closeTableCell();
}
else
m_ps->m_numRowsToSkip[m_ps->m_currentTableCol++]--;
}
if (m_ps->m_isTableCellOpened)
_closeTableCell();
m_listenerImpl->closeTableRow();
}
m_ps->m_isTableRowOpened = false;
}
The variable's m_ps->m_currentTableCol value can be influenced by
calling WPXContentListener::_closeTable() function which sets its value
to -1 after the call to WPXContentListener::_openTableRow() function.
Calling the _openTableRow() function again results in
WPXContentListener::_closeTableRow() being called and the memory
location pointed by the m_ps->m_numRowsToSkip[-1] address is being
decremented.
It was possible to build a specially crafted WPD file containing byte
sequences that represent the above mentioned functions to decrement
valid C++ object's pointer as many times as it needed to achieve
arbitrary code execution when virtual functions of that object were
called. The exploit code will not be published.
Debugger output:
Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928
edi=0185c920 eip=0eb9167e esp=0185c860 ebp=0185c86c iopl=0 nv
up ei pl zr ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b
gs=0000 efl=00000256 wpftmi!component_getFactory+0x20355:
0eb9167e ff08 dec dword ptr [eax]
ds:0023:070fcbd4=0ebdb288 0:000> g
Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928
edi=0185c920 eip=0eb9167e esp=0185c860 ebp=0185c86c iopl=0 nv
up ei pl zr ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b
gs=0000 efl=00000256 wpftmi!component_getFactory+0x20355:
0eb9167e ff08 dec dword ptr [eax]
ds:0023:070fcbd4=0ebdb287 0:000> g
Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928
edi=0185c920 eip=0eb9167e esp=0185c860 ebp=0185c86c iopl=0 nv
up ei pl zr ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b
gs=0000 efl=00000256 wpftmi!component_getFactory+0x20355:
0eb9167e ff08 dec dword ptr [eax]
ds:0023:070fcbd4=0ebdb286 0:000> g
Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928
edi=0185c920 eip=0eb9167e esp=0185c850 ebp=0185c85c iopl=0 nv
up ei pl zr ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b
gs=0000 efl=00000256 wpftmi!component_getFactory+0x20355:
0eb9167e ff08 dec dword ptr [eax]
ds:0023:070fcbd4=0ebdb285 <...>
Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in versions 3.3.0 and
3.4 Beta 1 of OpenOffice.org, which were the most recent versions at
the time of discovery.
Vendor contact timeline:
------------------------
2011-09-19: Contacting vendor through securityteam@openoffice.org
2011-09-21: Vendor response, clarification request
2011-09-21: Sent answer
2011-10-05: Vendor response, clarification request
2011-10-05: Sent answer
2011-10-13: Contacted vendor asking for status
2011-11-23: Contacted vendor asking for status
2011-11-23: Vendor response, project moved to Apache
2011-11-24: Contacting vendor through ooo-security@incubator.apache.org
2011-12-05: Contacted vendor asking for status
2011-12-05: Vendor response
2012-01-09: Contacted vendor asking for status
2012-01-09: Vendor response, Apache OpenOffice 3.4 release is planned
in Q1 2012.
2012-03-22: Contacted vendor asking for status
2012-04-19: Contacted vendor asking for status
2012-04-23: Vendor response
2012-04-24: Contacted vendor asking for CVE#
2012-04-30: Vendor response including CVE#
2012-05-07: Contacted vendor asking for status
2012-05-07: Vendor response, date of the release announcement for
OpenOffice 3.4
2012-05-07: Vendor releases Apache OpenOffice 3.4
2012-05-16: Vendor releases security bulletin which addresses this
vulnerability
2012-05-18: SEC Consult releases detailed advisory
Solution:
---------
OpenOffice.org 3.3.0 and 3.4 beta users should upgrade to Apache
OpenOffice 3.4.
Workaround:
-----------
Untrusted WPD documents should be avoided.
Advisory URL:
-------------
https://www.sec-consult.com/en/advisories.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com
EOF K. Gudinavicius / @2012
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/