Skip to navigation Skip to main content Skip to footer

Technical Advisory – OpenOffice.org Multiple Memory Corruption Vulnerabilities

26 January 2011

By Christian Powills

 Virtual Security Research, LLC.
                  http://www.vsecurity.com/
                     Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 

Advisory Name: OpenOffice.org Multiple Memory Corruption Vulnerabilities
  Release Date: 2011-01-26
   Application: Oracle OpenOffice.org
      Versions: 3.2 and earlier
      Severity: High
        Author: Dan Rosenberg 
 Vendor Status: Patch Released
CVE Candidates: CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454
     Reference: http://www.vsecurity.com/resources/advisory/20110126-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
From [1]:

 "OpenOffice.org 3 is the leading open-source office software suite for word
  processing, spreadsheets, presentations, graphics, databases and more.  It is
  available in many languages and works on all common computers.  It stores all
  your data in an international open standard format and can also read and write
  files from other common office software packages.  It can be downloaded and
  used completely free of charge for any purpose."

Vulnerability Overview
----------------------
On August 20th, VSR identified multiple memory corruption vulnerabilities in
OpenOffice.org.  By convincing a victim to open a maliciously crafted RTF or
Word document, arbitrary code may be executed on the victim's machine.

Vulnerability Details
---------------------

CVE-2010-3451:

OpenOffice.org uses its own internal memory management system for parsing
tables in RTF documents.  Information about each table row is inserted, element
by element, into an SwTableBoxes object.  These objects contain a fixed amount
of data, and when they have reached capacity, a resize() method is called to
double the space previously allocated for cell contents.  When this method is
called, the new space will be allocated on top of recently freed memory
containing file data without clearing this memory.  Because of a bug in the RTF
parser, corrupt table data may cause the insertion of elements into an
SwTableBoxes object to skip an index rather than remaining strictly sequential.
When this occurs, the nA field, representing the number of data elements used
in the object, will be out-of-sync with the index of the most recently inserted
element, allowing exploitation of a use-after-free vulnerability.

To exploit this issue, corrupt RTF table data first causes the nA field to
become out-of-sync with the index of the most recently inserted element in an
SwTableBoxes object.  Next, the resize() method is called when the object
reaches capacity, resulting in its data being reallocated on top of
attacker-controlled memory.  Finally, during the parsing of an RTF_ROW token,
the nA field is used to index into the SwTableBoxes cell data in an attempt to
retrieve the most recently added object.  Because this index is out-of-sync and
the data was recently moved on top of previously used memory, this will result
in retrieving an attacker-controlled object from the heap.  Subsequent usage of
this object may allow an attacker to control program flow and execute arbitrary
code.

CVE-2010-3452:

Due to a signedness error in parsing the pnseclvl RTF tag, which is used for
multi-level lists, it is possible to trigger a use-after-free vulnerability.
When this tag is followed by an unexpected character, its token value may be
negative.  The parser attempts to restrict this value to less than the MAXLEVEL
constant, but since a signed comparison is used, a negative value will pass
this check.  This value is then used as an index to retrieve an SwNumFmt object
from an array on the heap.  By manipulating the heap, it is possible to cause
the retrieval of an attacker-controlled object.  Subsequent usage of this
object may allow an attacker to control program flow and execute arbitrary
code.

CVE-2010-3453:

When processing "override level numbers" in parsing list data for Word
documents, a user-controlled value is used to index into a vector for an
assignment without checking that this index is less than the size of the
vector.  As a result, an attacker-controlled object may be written to a
location on the heap past the bounds of the vector, potentially allowing
arbitrary code execution.

CVE-2010-3454:

When parsing Word documents, two signed short values are read directly from the
document file to determine where to place NULL terminators after copying
additional data in.  Because these indexes are not checked in any way, an
attacker may use this to write NULL bytes to two arbitrary locations in memory,
potentially allowing arbitrary code execution.

Versions Affected
-----------------
Versions prior to OpenOffice.org 3.3 are affected.

Vendor Response
---------------
The following timeline details OpenOffice.org's response to the reported issues:

2010-08-20    Initial report for CVE-2010-3452
2010-08-23    Response from OpenOffice.org security team
2010-08-30    Initial report for CVE-2010-3453 and CVE-2010-3454
2010-09-01    Response from OpenOffice.org security team
2010-09-10    Initial report for CVE-2010-3451
2010-10-03    Status update requested
2010-10-03    Response from OpenOffice.org
2011-01-26    Coordinated disclosure

Recommendation
--------------
Users should install updates provided by downstream distributions or upgrade to
version 3.3.

Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------

The Common Vulnerabilities and Exposures (CVE) project has assigned the numbers
CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, and CVE-2010-3454 to these
issues.  These are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

Acknowledgements
----------------
Thanks to the OpenOffice.org security team for their prompt response and fix.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. "Why OpenOffice.org"
 http://why.openoffice.org

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only with the sincere 
hope that it will help promote public safety.  This advisory comes with 
absolutely NO WARRANTY; not even the implied warranty of merchantability or 
fitness for a particular purpose.  Virtual Security Research, LLC nor the author 
accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible disclosure
practices:
  http://www.vsecurity.com/company/disclosure

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
     Copyright 2010 Virtual Security Research, LLC.  All rights reserved.

To view the advisory as a txt. click here.

Editor’s note: This work was originally published by VSR on their website at https://www.vsecurity.com/resources/advisories.html. VSR is now a part of NCC Group, so we have migrated this content to research.nccgroup.com. The advisory text as above has been copy-pasted to this blog for historical reference.