what you don't know can hurt you

libwpd WPXContentListener::_closeTableRow() Memory Overwrite

libwpd WPXContentListener::_closeTableRow() Memory Overwrite
Posted May 18, 2012
Authored by Kestutis Gudinavicius | Site sec-consult.com

OpenOffice.org includes the customized libwpd version 0.8.8 library for parsing WordPerfect documents. The used version of the libwpd library suffers from a memory overwrite vulnerability when reading a specially crafted WPD file. Successful exploitation of this vulnerability could result in an arbitrary code execution within the OpenOffice.org software suite.

tags | advisory, arbitrary, code execution
advisories | CVE-2012-2149
MD5 | 3ccebc2967c3d54458d31d8698a6518d

libwpd WPXContentListener::_closeTableRow() Memory Overwrite

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20120518-0 >
=======================================================================
title: libwpd WPXContentListener::_closeTableRow() memory
overwrite
product: OpenOffice.org
vulnerable version: 3.3.0/3.4 Beta 1 and probably earlier versions
fixed version: 3.4
CVE: CVE-2012-2149
impact: high
homepage: http://www.openoffice.org/
found: 2011-09-01
by: K. Gudinavicius
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"OpenOffice.org 3 is the leading open-source office software suite for
word processing, spreadsheets, presentations, graphics, databases and
more. It is available in many languages and works on all common
computers."

Source: http://why.openoffice.org/



Vulnerability overview/description:
-----------------------------------
OpenOffice.org includes the customized libwpd version 0.8.8 library for
parsing WordPerfect documents. The used version of the libwpd library
suffers from a memory overwrite vulnerability when reading a specially
crafted WPD file. Successful exploitation of this vulnerability could
result in an arbitrary code execution within the OpenOffice.org
software suite.



Proof of concept:
-----------------
The vulnerability resides in the WPXContentListener::_closeTableRow()
function which is declared in the WPXContentListener.cpp file. The
function doesn't check if the variable's m_ps->m_currentTableCol value
is less than zero before entering the while loop which leads to an
integer overflow and decrementation of the memory location pointed by
m_ps->m_numRowsToSkip[m_ps->m_currentTableCol] address if the
conditions are met. Related code excerpt:

void WPXContentListener::_closeTableRow()
{
if (m_ps->m_isTableRowOpened)
{
while ((long)m_ps->m_currentTableCol <
(long)m_ps->m_numRowsToSkip.size()) {
if
(!m_ps->m_numRowsToSkip[m_ps->m_currentTableCol]) {
RGBSColor tmpCellBorderColor(0x00,
0x00, 0x00, 0x64); _openTableCell(1, 1, 0xFF, 0, 0,
&tmpCellBorderColor, TOP); _closeTableCell();
}
else
m_ps->m_numRowsToSkip[m_ps->m_currentTableCol++]--;
}

if (m_ps->m_isTableCellOpened)
_closeTableCell();
m_listenerImpl->closeTableRow();
}
m_ps->m_isTableRowOpened = false;
}

The variable's m_ps->m_currentTableCol value can be influenced by
calling WPXContentListener::_closeTable() function which sets its value
to -1 after the call to WPXContentListener::_openTableRow() function.
Calling the _openTableRow() function again results in
WPXContentListener::_closeTableRow() being called and the memory
location pointed by the m_ps->m_numRowsToSkip[-1] address is being
decremented.

It was possible to build a specially crafted WPD file containing byte
sequences that represent the above mentioned functions to decrement
valid C++ object's pointer as many times as it needed to achieve
arbitrary code execution when virtual functions of that object were
called. The exploit code will not be published.

Debugger output:

Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928
edi=0185c920 eip=0eb9167e esp=0185c860 ebp=0185c86c iopl=0 nv
up ei pl zr ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b
gs=0000 efl=00000256 wpftmi!component_getFactory+0x20355:
0eb9167e ff08 dec dword ptr [eax]
ds:0023:070fcbd4=0ebdb288 0:000> g
Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928
edi=0185c920 eip=0eb9167e esp=0185c860 ebp=0185c86c iopl=0 nv
up ei pl zr ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b
gs=0000 efl=00000256 wpftmi!component_getFactory+0x20355:
0eb9167e ff08 dec dword ptr [eax]
ds:0023:070fcbd4=0ebdb287 0:000> g
Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928
edi=0185c920 eip=0eb9167e esp=0185c860 ebp=0185c86c iopl=0 nv
up ei pl zr ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b
gs=0000 efl=00000256 wpftmi!component_getFactory+0x20355:
0eb9167e ff08 dec dword ptr [eax]
ds:0023:070fcbd4=0ebdb286 0:000> g
Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928
edi=0185c920 eip=0eb9167e esp=0185c850 ebp=0185c85c iopl=0 nv
up ei pl zr ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b
gs=0000 efl=00000256 wpftmi!component_getFactory+0x20355:
0eb9167e ff08 dec dword ptr [eax]
ds:0023:070fcbd4=0ebdb285 <...>



Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in versions 3.3.0 and
3.4 Beta 1 of OpenOffice.org, which were the most recent versions at
the time of discovery.



Vendor contact timeline:
------------------------
2011-09-19: Contacting vendor through securityteam@openoffice.org
2011-09-21: Vendor response, clarification request
2011-09-21: Sent answer
2011-10-05: Vendor response, clarification request
2011-10-05: Sent answer
2011-10-13: Contacted vendor asking for status
2011-11-23: Contacted vendor asking for status
2011-11-23: Vendor response, project moved to Apache
2011-11-24: Contacting vendor through ooo-security@incubator.apache.org
2011-12-05: Contacted vendor asking for status
2011-12-05: Vendor response
2012-01-09: Contacted vendor asking for status
2012-01-09: Vendor response, Apache OpenOffice 3.4 release is planned
in Q1 2012.
2012-03-22: Contacted vendor asking for status
2012-04-19: Contacted vendor asking for status
2012-04-23: Vendor response
2012-04-24: Contacted vendor asking for CVE#
2012-04-30: Vendor response including CVE#
2012-05-07: Contacted vendor asking for status
2012-05-07: Vendor response, date of the release announcement for
OpenOffice 3.4
2012-05-07: Vendor releases Apache OpenOffice 3.4
2012-05-16: Vendor releases security bulletin which addresses this
vulnerability
2012-05-18: SEC Consult releases detailed advisory



Solution:
---------
OpenOffice.org 3.3.0 and 3.4 beta users should upgrade to Apache
OpenOffice 3.4.


Workaround:
-----------
Untrusted WPD documents should be avoided.



Advisory URL:
-------------
https://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF K. Gudinavicius / @2012

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    6 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close