SEC Consult Vulnerability Lab Security Advisory < 20120518-0 >
=======================================================================
title: libwpd WPXContentListener::_closeTableRow() memory overwrite
product: OpenOffice.org
vulnerable version: 3.3.0/3.4 Beta 1 and probably earlier versions
fixed version: 3.4
CVE: CVE-2012-2149
impact: high
homepage: www.openoffice.org
found: 2011-09-01
by: K. Gudinavicius
SEC Consult Vulnerability Lab
=======================================================================
Vendor description:
-------------------
"OpenOffice.org 3 is the leading open-source office software suite for word
processing, spreadsheets, presentations, graphics, databases and more. It
is available in many languages and works on all common computers."
Source: why.openoffice.org
Vulnerability overview/description:
-----------------------------------
OpenOffice.org includes the customized libwpd version 0.8.8 library for parsing
WordPerfect documents. The used version of the libwpd library suffers from a memory
overwrite vulnerability when reading a specially crafted WPD file. Successful
exploitation of this vulnerability could result in an arbitrary code execution
within the OpenOffice.org software suite.
Proof of concept:
-----------------
The vulnerability resides in the WPXContentListener::_closeTableRow() function which
is declared in the WPXContentListener.cpp file. The function doesn't check if the
variable's m_ps->m_currentTableCol value is less than zero before entering the while
loop which leads to an integer overflow and decrementation of the memory location
pointed by m_ps->m_numRowsToSkip[m_ps->m_currentTableCol] address if the conditions
are met. Related code excerpt:
void WPXContentListener::_closeTableRow()
{
if (m_ps->m_isTableRowOpened)
{
while ((long)m_ps->m_currentTableCol < (long)m_ps->m_numRowsToSkip.size())
{
if (!m_ps->m_numRowsToSkip[m_ps->m_currentTableCol])
{
RGBSColor tmpCellBorderColor(0x00, 0x00, 0x00, 0x64);
_openTableCell(1, 1, 0xFF, 0, 0, &tmpCellBorderColor, TOP);
_closeTableCell();
}
else
m_ps->m_numRowsToSkip[m_ps->m_currentTableCol++]--;
}
if (m_ps->m_isTableCellOpened)
_closeTableCell();
m_listenerImpl->closeTableRow();
}
m_ps->m_isTableRowOpened = false;
}
The variable's m_ps->m_currentTableCol value can be influenced by calling
WPXContentListener::_closeTable() function which sets its value to -1 after
the call to WPXContentListener::_openTableRow() function. Calling the
_openTableRow() function again results in WPXContentListener::_closeTableRow()
being called and the memory location pointed by the m_ps->m_numRowsToSkip[-1]
address is being decremented.
It was possible to build a specially crafted WPD file containing byte sequences that
represent the above mentioned functions to decrement valid C++ object's pointer as many
times as it needed to achieve arbitrary code execution when virtual functions of that
object were called. The exploit code will not be published.
Debugger output:
Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928 edi=0185c920
eip=0eb9167e esp=0185c860 ebp=0185c86c iopl=0 nv up ei pl zr ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000256
wpftmi!component_getFactory+0x20355:
0eb9167e ff08 dec dword ptr [eax] ds:0023:070fcbd4=0ebdb288
0:000> g
Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928 edi=0185c920
eip=0eb9167e esp=0185c860 ebp=0185c86c iopl=0 nv up ei pl zr ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000256
wpftmi!component_getFactory+0x20355:
0eb9167e ff08 dec dword ptr [eax] ds:0023:070fcbd4=0ebdb287
0:000> g
Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928 edi=0185c920
eip=0eb9167e esp=0185c860 ebp=0185c86c iopl=0 nv up ei pl zr ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000256
wpftmi!component_getFactory+0x20355:
0eb9167e ff08 dec dword ptr [eax] ds:0023:070fcbd4=0ebdb286
0:000> g
Breakpoint 0 hit
eax=070fcbd4 ebx=00000000 ecx=ffffffff edx=0ebd25f0 esi=0185c928 edi=0185c920
eip=0eb9167e esp=0185c850 ebp=0185c85c iopl=0 nv up ei pl zr ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000256
wpftmi!component_getFactory+0x20355:
0eb9167e ff08 dec dword ptr [eax] ds:0023:070fcbd4=0ebdb285
<...>
Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in versions 3.3.0 and
3.4 Beta 1 of OpenOffice.org, which were the most recent versions at
the time of discovery.
Vendor contact timeline:
------------------------
2011-09-19: Contacting vendor through securityteam@openoffice.org
2011-09-21: Vendor response, clarification request
2011-09-21: Sent answer
2011-10-05: Vendor response, clarification request
2011-10-05: Sent answer
2011-10-13: Contacted vendor asking for status
2011-11-23: Contacted vendor asking for status
2011-11-23: Vendor response, project moved to Apache
2011-11-24: Contacting vendor through ooo-security@incubator.apache.org
2011-12-05: Contacted vendor asking for status
2011-12-05: Vendor response
2012-01-09: Contacted vendor asking for status
2012-01-09: Vendor response, Apache OpenOffice 3.4 release is planned in Q1 2012.
2012-03-22: Contacted vendor asking for status
2012-04-19: Contacted vendor asking for status
2012-04-23: Vendor response
2012-04-24: Contacted vendor asking for CVE#
2012-04-30: Vendor response including CVE#
2012-05-07: Contacted vendor asking for status
2012-05-07: Vendor response, date of the release announcement for OpenOffice 3.4
2012-05-07: Vendor releases Apache OpenOffice 3.4
2012-05-16: Vendor releases security bulletin which addresses this vulnerability
2012-05-18: SEC Consult releases detailed advisory
Solution:
---------
OpenOffice.org 3.3.0 and 3.4 beta users should upgrade to Apache OpenOffice 3.4.
Workaround:
-----------
Untrusted WPD documents should be avoided.
Advisory URL:
-------------
www.sec-consult.com/en/advisories.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
EOF K. Gudinavicius / @2012