libwpd WPXContentListener::_closeTableRow() Memory Overwrite

2012.05.19
Risk: High
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

SEC Consult Vulnerability Lab Security Advisory < 20120518-0 > ======================================================================= title: libwpd WPXContentListener::_closeTableRow() memory overwrite product: OpenOffice.org vulnerable version: 3.3.0/3.4 Beta 1 and probably earlier versions fixed version: 3.4 CVE: CVE-2012-2149 impact: high homepage: http://www.openoffice.org/ found: 2011-09-01 by: K. Gudinavicius SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "OpenOffice.org 3 is the leading open-source office software suite for word processing, spreadsheets, presentations, graphics, databases and more. It is available in many languages and works on all common computers." Source: http://why.openoffice.org/ Vulnerability overview/description: ----------------------------------- OpenOffice.org includes the customized libwpd version 0.8.8 library for parsing WordPerfect documents. The used version of the libwpd library suffers from a memory overwrite vulnerability when reading a specially crafted WPD file. Successful exploitation of this vulnerability could result in an arbitrary code execution within the OpenOffice.org software suite. Proof of concept: ----------------- The vulnerability resides in the WPXContentListener::_closeTableRow() function which is declared in the WPXContentListener.cpp file. The function doesn't check if the variable's m_ps->m_currentTableCol value is less than zero before entering the while loop which leads to an integer overflow and decrementation of the memory location pointed by m_ps->m_numRowsToSkip[m_ps->m_currentTableCol] address if the conditions are met. Related code excerpt: void WPXContentListener::_closeTableRow() { if (m_ps->m_isTableRowOpened) { while ((long)m_ps->m_currentTableCol < (long)m_ps->m_numRowsToSkip.size()) { if (!m_ps->m_numRowsToSkip[m_ps->m_currentTableCol]) { RGBSColor tmpCellBorderColor(0x00, 0x00, 0x00, 0x64); _openTableCell(1, 1, 0xFF, 0, 0, &tmpCellBorderColor, TOP); _closeTableCell(); } else m_ps->m_numRowsToSkip[m_ps->m_currentTableCol++]--; } if (m_ps->m_isTableCellOpened) _closeTableCell(); m_listenerImpl->closeTableRow(); } m_ps->m_isTableRowOpened = false; } The variable's m_ps->m_currentTableCol value can be influenced by calling WPXContentListener::_closeTable() function which sets its value to -1 after the call to WPXContentListener::_openTableRow() function. Calling the _openTableRow() function again results in WPXContentListener::_closeTableRow() being called and the memory location pointed by the m_ps->m_numRowsToSkip[-1] address is being decremented. It was possible to build a specially crafted WPD file containing byte sequences that represent the above mentioned functions to decrement valid C++ object's pointer as many times as it needed to achieve arbitrary code execution when virtual functions of that object were called. The exploit code will not be published. Debugger output: Breakpoint 0 hit eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928 edi=0185c920 eip=0eb9167e esp=0185c860 ebp=0185c86c iopl=0 nv up ei pl zr ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000256 wpftmi!component_getFactory+0x20355: 0eb9167e ff08 dec dword ptr [eax] ds:0023:070fcbd4=0ebdb288 0:000> g Breakpoint 0 hit eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928 edi=0185c920 eip=0eb9167e esp=0185c860 ebp=0185c86c iopl=0 nv up ei pl zr ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000256 wpftmi!component_getFactory+0x20355: 0eb9167e ff08 dec dword ptr [eax] ds:0023:070fcbd4=0ebdb287 0:000> g Breakpoint 0 hit eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928 edi=0185c920 eip=0eb9167e esp=0185c860 ebp=0185c86c iopl=0 nv up ei pl zr ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000256 wpftmi!component_getFactory+0x20355: 0eb9167e ff08 dec dword ptr [eax] ds:0023:070fcbd4=0ebdb286 0:000> g Breakpoint 0 hit eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928 edi=0185c920 eip=0eb9167e esp=0185c850 ebp=0185c85c iopl=0 nv up ei pl zr ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000256 wpftmi!component_getFactory+0x20355: 0eb9167e ff08 dec dword ptr [eax] ds:0023:070fcbd4=0ebdb285 <...> Vulnerable / tested versions: ----------------------------- The vulnerability has been verified to exist in versions 3.3.0 and 3.4 Beta 1 of OpenOffice.org, which were the most recent versions at the time of discovery. Vendor contact timeline: ------------------------ 2011-09-19: Contacting vendor through securityteam@openoffice.org 2011-09-21: Vendor response, clarification request 2011-09-21: Sent answer 2011-10-05: Vendor response, clarification request 2011-10-05: Sent answer 2011-10-13: Contacted vendor asking for status 2011-11-23: Contacted vendor asking for status 2011-11-23: Vendor response, project moved to Apache 2011-11-24: Contacting vendor through ooo-security@incubator.apache.org 2011-12-05: Contacted vendor asking for status 2011-12-05: Vendor response 2012-01-09: Contacted vendor asking for status 2012-01-09: Vendor response, Apache OpenOffice 3.4 release is planned in Q1 2012. 2012-03-22: Contacted vendor asking for status 2012-04-19: Contacted vendor asking for status 2012-04-23: Vendor response 2012-04-24: Contacted vendor asking for CVE# 2012-04-30: Vendor response including CVE# 2012-05-07: Contacted vendor asking for status 2012-05-07: Vendor response, date of the release announcement for OpenOffice 3.4 2012-05-07: Vendor releases Apache OpenOffice 3.4 2012-05-16: Vendor releases security bulletin which addresses this vulnerability 2012-05-18: SEC Consult releases detailed advisory Solution: --------- OpenOffice.org 3.3.0 and 3.4 beta users should upgrade to Apache OpenOffice 3.4. Workaround: ----------- Untrusted WPD documents should be avoided. Advisory URL: ------------- https://www.sec-consult.com/en/advisories.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com https://www.sec-consult.com EOF K. Gudinavicius / @2012 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

References:

http://www.openoffice.org/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top