SEC Consult Vulnerability Lab Security Advisory < 20120518-0 >
=======================================================================
              title: libwpd WPXContentListener::_closeTableRow() memory
                     overwrite
 	    product: OpenOffice.org
 vulnerable version: 3.3.0/3.4 Beta 1 and probably earlier versions
      fixed version: 3.4
                CVE: CVE-2012-2149
             impact: high
           homepage: http://www.openoffice.org/
              found: 2011-09-01
                 by: K. Gudinavicius 
                     SEC Consult Vulnerability Lab 
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"OpenOffice.org 3 is the leading open-source office software suite for
word processing, spreadsheets, presentations, graphics, databases and
more. It is available in many languages and works on all common
computers."

Source: http://why.openoffice.org/



Vulnerability overview/description:
-----------------------------------
OpenOffice.org includes the customized libwpd version 0.8.8 library for
parsing WordPerfect documents. The used version of the libwpd library
suffers from a memory overwrite vulnerability when reading a specially
crafted WPD file. Successful exploitation of this vulnerability could
result in an arbitrary code execution within the OpenOffice.org
software suite.



Proof of concept:
-----------------
The vulnerability resides in the WPXContentListener::_closeTableRow()
function which is declared in the WPXContentListener.cpp file. The
function doesn't check if the variable's m_ps->m_currentTableCol value
is less than zero before entering the while loop which leads to an
integer overflow and decrementation of the memory location pointed by
m_ps->m_numRowsToSkip[m_ps->m_currentTableCol] address if the
conditions are met. Related code excerpt:

void WPXContentListener::_closeTableRow()
{
	if (m_ps->m_isTableRowOpened)
	{
		while ((long)m_ps->m_currentTableCol <
(long)m_ps->m_numRowsToSkip.size()) {
			if
(!m_ps->m_numRowsToSkip[m_ps->m_currentTableCol]) {
				RGBSColor tmpCellBorderColor(0x00,
0x00, 0x00, 0x64); _openTableCell(1, 1, 0xFF, 0, 0,
&tmpCellBorderColor, TOP); _closeTableCell();
			}
			else
				m_ps->m_numRowsToSkip[m_ps->m_currentTableCol++]--;
		}

		if (m_ps->m_isTableCellOpened)
			_closeTableCell();
		m_listenerImpl->closeTableRow();
	}
	m_ps->m_isTableRowOpened = false;
}

The variable's m_ps->m_currentTableCol value can be influenced by
calling WPXContentListener::_closeTable() function which sets its value
to -1 after the call to WPXContentListener::_openTableRow() function.
Calling the _openTableRow() function again results in
WPXContentListener::_closeTableRow() being called and the memory
location pointed by the m_ps->m_numRowsToSkip[-1] address is being
decremented.

It was possible to build a specially crafted WPD file containing byte
sequences that represent the above mentioned functions to decrement
valid C++ object's pointer as many times as it needed to achieve
arbitrary code execution when virtual functions of that object were
called. The exploit code will not be published.

Debugger output:

Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928
edi=0185c920 eip=0eb9167e esp=0185c860 ebp=0185c86c iopl=0         nv
up ei pl zr ac pe nc cs=001b  ss=0023  ds=0023  es=0023  fs=003b
gs=0000             efl=00000256 wpftmi!component_getFactory+0x20355:
0eb9167e ff08            dec     dword ptr [eax]
ds:0023:070fcbd4=0ebdb288 0:000> g
Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928
edi=0185c920 eip=0eb9167e esp=0185c860 ebp=0185c86c iopl=0         nv
up ei pl zr ac pe nc cs=001b  ss=0023  ds=0023  es=0023  fs=003b
gs=0000             efl=00000256 wpftmi!component_getFactory+0x20355:
0eb9167e ff08            dec     dword ptr [eax]
ds:0023:070fcbd4=0ebdb287 0:000> g
Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928
edi=0185c920 eip=0eb9167e esp=0185c860 ebp=0185c86c iopl=0         nv
up ei pl zr ac pe nc cs=001b  ss=0023  ds=0023  es=0023  fs=003b
gs=0000             efl=00000256 wpftmi!component_getFactory+0x20355:
0eb9167e ff08            dec     dword ptr [eax]
ds:0023:070fcbd4=0ebdb286 0:000> g
Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928
edi=0185c920 eip=0eb9167e esp=0185c850 ebp=0185c85c iopl=0         nv
up ei pl zr ac pe nc cs=001b  ss=0023  ds=0023  es=0023  fs=003b
gs=0000             efl=00000256 wpftmi!component_getFactory+0x20355:
0eb9167e ff08            dec     dword ptr [eax]
ds:0023:070fcbd4=0ebdb285 <...>



Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in versions 3.3.0 and 
3.4 Beta 1 of OpenOffice.org, which were the most recent versions at 
the time of discovery.



Vendor contact timeline:
------------------------
2011-09-19: Contacting vendor through securityteam@openoffice.org
2011-09-21: Vendor response, clarification request
2011-09-21: Sent answer
2011-10-05: Vendor response, clarification request
2011-10-05: Sent answer
2011-10-13: Contacted vendor asking for status
2011-11-23: Contacted vendor asking for status
2011-11-23: Vendor response, project moved to Apache
2011-11-24: Contacting vendor through ooo-security@incubator.apache.org
2011-12-05: Contacted vendor asking for status
2011-12-05: Vendor response
2012-01-09: Contacted vendor asking for status
2012-01-09: Vendor response, Apache OpenOffice 3.4 release is planned
            in Q1 2012.
2012-03-22: Contacted vendor asking for status
2012-04-19: Contacted vendor asking for status
2012-04-23: Vendor response
2012-04-24: Contacted vendor asking for CVE#
2012-04-30: Vendor response including CVE#
2012-05-07: Contacted vendor asking for status
2012-05-07: Vendor response, date of the release announcement for
            OpenOffice 3.4
2012-05-07: Vendor releases Apache OpenOffice 3.4
2012-05-16: Vendor releases security bulletin which addresses this
            vulnerability 
2012-05-18: SEC Consult releases detailed advisory



Solution:
---------
OpenOffice.org 3.3.0 and 3.4 beta users should upgrade to Apache
OpenOffice 3.4. 


Workaround:
-----------
Untrusted WPD documents should be avoided.



Advisory URL:
-------------
https://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF K. Gudinavicius / @2012

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/