OpenOffice.org Multiple Memory Corruption Vulnerabilities
Posted Jan 26, 2011
Authored by Dan Rosenberg

VSR identified multiple memory corruption vulnerabilities in OpenOffice.org. By convincing a victim to open a maliciously crafted RTF or Word document, arbitrary code may be executed on the victim's machine. Versions prior to 3.3 are affected.

tags | advisory, arbitrary, vulnerability
advisories | CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454
MD5 | 7e847576e7e75f0f8f71e6c73186aa5b


VSR Security Advisory

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Multiple Memory Corruption Vulnerabilities
Release Date: 2011-01-26
Application: Oracle OpenOffice.org
Versions: 3.2 and earlier
Severity: High
Author: Dan Rosenberg <drosenberg (at)>
Vendor Status: Patch Released
CVE Candidates: CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
- -------------------
- From [1]:

"OpenOffice.org 3 is the leading open-source office software suite for word
processing, spreadsheets, presentations, graphics, databases and more. It is
available in many languages and works on all common computers. It stores all
your data in an international open standard format and can also read and write
files from other common office software packages. It can be downloaded and
used completely free of charge for any purpose."

Vulnerability Overview
- ----------------------
On August 20th, VSR identified multiple memory corruption vulnerabilities in
OpenOffice.org. By convincing a victim to open a maliciously crafted RTF or
Word document, arbitrary code may be executed on the victim's machine.

Vulnerability Details
- ---------------------

CVE-2010-3451: OpenOffice.org uses its own internal memory management system for parsing
tables in RTF documents. Information about each table row is inserted, element
by element, into an SwTableBoxes object. These objects contain a fixed amount
of data, and when they have reached capacity, a resize() method is called to
double the space previously allocated for cell contents. When this method is
called, the new space will be allocated on top of recently freed memory
containing file data without clearing this memory. Because of a bug in the RTF
parser, corrupt table data may cause the insertion of elements into an
SwTableBoxes object to skip an index rather than remaining strictly sequential.
When this occurs, the nA field, representing the number of data elements used
in the object, will be out-of-sync with the index of the most recently inserted
element, allowing exploitation of a use-after-free vulnerability.

To exploit this issue, corrupt RTF table data first causes the nA field to
become out-of-sync with the index of the most recently inserted element in an
SwTableBoxes object. Next, the resize() method is called when the object
reaches capacity, resulting in its data being reallocated on top of
attacker-controlled memory. Finally, during the parsing of an RTF_ROW token,
the nA field is used to index into the SwTableBoxes cell data in an attempt to
retrieve the most recently added object. Because this index is out-of-sync and
the data was recently moved on top of previously used memory, this will result
in retrieving an attacker-controlled object from the heap. Subsequent usage of
this object may allow an attacker to control program flow and execute arbitrary
code.

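The two conditions the paragraph above combines, a count field (nA) that no longer matches the position of the last insertion, and storage that is doubled on top of previously used heap memory without being cleared, are easiest to see in a small fixed-capacity container that enforces the opposite. The following is an added illustration, not OpenOffice.org code; the struct, function names and capacities are hypothetical stand-ins for the parser state the advisory describes.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>

// Constructed illustration (not OpenOffice.org code): a minimal pointer array
// in the shape the advisory describes. `nA` counts the elements in use and
// storage doubles when it fills. Two defensive measures are made explicit:
// insert() enforces the strictly-sequential invariant (a new element must land
// exactly at index nA), and resize() zeroes the freshly allocated tail so no
// stale heap contents are reachable through unused slots.
struct Boxes {
    void**      data;
    std::size_t nA;        // number of elements in use
    std::size_t capacity;
};

void boxesInit(Boxes& b, std::size_t cap) {
    b.data = static_cast<void**>(std::calloc(cap, sizeof(void*)));  // zeroed
    b.nA = 0;
    b.capacity = cap;
}

// Grow to double capacity. realloc() leaves the new tail uninitialised, which
// is the condition the advisory's use-after-free relies on, so clear it.
bool boxesResize(Boxes& b) {
    std::size_t newCap = b.capacity * 2;
    void** grown = static_cast<void**>(std::realloc(b.data, newCap * sizeof(void*)));
    if (!grown) return false;
    std::memset(grown + b.capacity, 0, (newCap - b.capacity) * sizeof(void*));
    b.data = grown;
    b.capacity = newCap;
    return true;
}

// Insert at `idx`. Any index other than nA would desynchronise the count from
// the position of the most recently inserted element, so it is refused.
bool boxesInsert(Boxes& b, std::size_t idx, void* elem) {
    if (idx != b.nA) return false;                              // skipped index
    if (b.nA == b.capacity && !boxesResize(b)) return false;    // grow if full
    b.data[b.nA++] = elem;
    return true;
}

// "Most recently added" lookup guarded by the count instead of trusted blindly.
void* boxesLast(const Boxes& b) {
    return b.nA == 0 ? nullptr : b.data[b.nA - 1];
}

void boxesFree(Boxes& b) {
    std::free(b.data);
    b.data = nullptr;
    b.nA = b.capacity = 0;
}
```

With the index check in place, corrupt table data that tries to skip a row index is rejected at the insertion rather than surfacing later as a stale pointer read from the grown buffer.
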
CVE-2010-3452: Due to a signedness error in parsing the \pnseclvl RTF tag, which is used for
multi-level lists, it is possible to trigger a use-after-free vulnerability.
When this tag is followed by an unexpected character, its token value may be
negative. The parser attempts to restrict this value to less than the MAXLEVEL
constant, but since a signed comparison is used, a negative value will pass
this check. This value is then used as an index to retrieve an SwNumFmt object
from an array on the heap. By manipulating the heap, it is possible to cause
the retrieval of an attacker-controlled object. Subsequent usage of this
object may allow an attacker to control program flow and execute arbitrary
code.

CVE-2010-3453: When processing "override level numbers" in parsing list data for Word
documents, a user-controlled value is used to index into a vector for an
assignment without checking that this index is less than the size of the
vector. As a result, an attacker-controlled object may be written to a
location on the heap past the bounds of the vector, potentially allowing
arbitrary code execution.


CVE-2010-3454: When parsing Word documents, two signed short values are read directly from the
document file to determine where to place NULL terminators after copying
additional data in. Because these indexes are not checked in any way, an
attacker may use this to write NULL bytes to two arbitrary locations in memory,
potentially allowing arbitrary code execution.
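
The three index-validation defects above (a signed comparison that admits negative level values, an unchecked vector index on assignment, and two signed shorts used as terminator offsets) share one root cause: a file-supplied integer reaches a memory access without a full range check. The following added example, which is not OpenOffice.org code, shows each buggy check beside a hardened form; MAXLEVEL, the function names and the buffer sizes are hypothetical stand-ins for the parser values the advisory describes.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed example (not OpenOffice.org code). Hypothetical nesting limit
// standing in for the MAXLEVEL constant mentioned in the advisory.
constexpr int MAXLEVEL = 9;

// Signedness pattern: `value < MAXLEVEL` is true for every negative value,
// so -1 passes the upper-bound check and is then used as an array index.
bool buggyLevelCheck(int value) {
    return value < MAXLEVEL;                 // -1 < 9 is true: check passes
}

// Hardened form: reject negatives explicitly before the upper bound.
bool safeLevelCheck(int value) {
    return value >= 0 && value < MAXLEVEL;
}

// Equivalent single-comparison form: compared as unsigned, -1 becomes a huge
// value and fails the upper bound. Both forms reject every negative input.
bool safeLevelCheckUnsigned(int value) {
    return static_cast<unsigned>(value) < static_cast<unsigned>(MAXLEVEL);
}

// Unchecked-vector pattern: std::vector::operator[] performs no bounds check,
// so `levels[idx] = value` with idx >= size() writes past the allocation.
// Hardened form: validate against size() and report failure instead of storing.
bool assignOverride(std::vector<int>& levels, std::size_t idx, int value) {
    if (idx >= levels.size()) return false;  // out-of-range write refused
    levels[idx] = value;
    return true;
}

// Signed-offset pattern: two 16-bit offsets read straight from the file decide
// where NUL terminators go. Hardened form: each offset must be non-negative
// and inside the buffer, and nothing is written unless both are valid.
bool placeTerminators(std::vector<char>& buf, std::int16_t off1, std::int16_t off2) {
    auto inRange = [&](std::int16_t off) {
        return off >= 0 && static_cast<std::size_t>(off) < buf.size();
    };
    if (!inRange(off1) || !inRange(off2)) return false;
    buf[static_cast<std::size_t>(off1)] = '\0';
    buf[static_cast<std::size_t>(off2)] = '\0';
    return true;
}
```

Checking both offsets before writing either matters: validating them one at a time would still leave a partial, attacker-influenced write in the buffer when the second check fails.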

Versions Affected
- -----------------
Versions prior to 3.3 are affected.

Vendor Response
- ---------------
The following timeline details OpenOffice.org's response to the reported issues:

2010-08-20 Initial report for CVE-2010-3452
2010-08-23 Response from OpenOffice.org security team
2010-08-30 Initial report for CVE-2010-3453 and CVE-2010-3454
2010-09-01 Response from OpenOffice.org security team
2010-09-10 Initial report for CVE-2010-3451
2010-10-03 Status update requested
2010-10-03 Response from OpenOffice.org
2011-01-26 Coordinated disclosure

Recommendation
- --------------
Users should install updates provided by downstream distributions or upgrade to
version 3.3.

Common Vulnerabilities and Exposures (CVE) Information
- ------------------------------------------------------

The Common Vulnerabilities and Exposures (CVE) project has assigned the numbers
CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, and CVE-2010-3454 to these
issues. These are candidates for inclusion in the CVE list, which standardizes
names for security problems.

Acknowledgements
- ----------------
Thanks to the OpenOffice.org security team for their prompt response and fix.

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


1. "Why"

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Neither Virtual Security Research, LLC nor the author
accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible disclosure

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2010 Virtual Security Research, LLC. All rights reserved.