securityvulns SECURITYVULNS:DOC:28725
History: Nov 02, 2012 - 12:00 a.m.

Multiple Vulnerabilities in LibreOffice

2012-11-02 00:00:00
vulners.com

Advisory ID: HTB23106
Product: LibreOffice Suite
Vendor: LibreOffice
Vulnerable Version(s): 3.5.5.3 and probably prior
Tested Version: 3.5.5.3
Vendor Notification: July 26, 2012
Public Disclosure: October 31, 2012
Vulnerability Type: NULL Pointer Dereference [CWE-476]
CVE Reference: CVE-2012-4233
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Solution Status: Fixed by Vendor
Risk Level: Medium
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )


Advisory Details:

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in LibreOffice which could be exploited to perform denial of service (DoS) attacks.

1) Multiple vulnerabilities in LibreOffice: CVE-2012-4233

1.1 A NULL pointer dereference error was found in vcllo.dll while processing .odt files. A remote attacker can create a specially crafted .odt file, trick a user into opening it and terminate the application.

Technical details
The access violation occurs in the vcllo.dll module (vcllo!Region::operator=+0x12) when the instruction inc dword ptr [eax+4] tries to increment memory through an invalid pointer:
(744.3cc): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

eax=6cd6e982 ebx=050d1e20 ecx=00b4f404 edx=000000d6 esi=00b4f404 edi=00b4f2d8
eip=6b44f247 esp=00b4f3cc ebp=00b4f3d4 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010282
*** ERROR: Symbol file could not be found.
Defaulted to export symbols for C:\Program Files\LibreOffice 3.5\program\vcllo.dll -
vcllo!Region::operator=+0x12:
6b44f247 ff4004 inc dword ptr [eax+4] ds:0023:6cd6e986=db4a6001
2:002> cdb: Reading initial command 'r;!exploitable -v;q'
eax=6cd6e982 ebx=050d1e20 ecx=00b4f404 edx=000000d6 esi=00b4f404 edi=00b4f2d8
eip=6b44f247 esp=00b4f3cc ebp=00b4f3d4 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010282
vcllo!Region::operator=+0x12:
6b44f247 ff4004 inc dword ptr [eax+4] ds:0023:6cd6e986=db4a6001

Proof of Concept
Please see the attached file: HTB23106-LibreOffice-3.5.5.3.rar ( https://www.htbridge.com/advisory/HTB23106-LibreOffice-3.5.5.3.rar )
Password: high-tech-bridge

1.2 A NULL pointer dereference error was found in svxcorelo.dll while processing ODG (Drawing document) files. A remote attacker can create a specially crafted ODG file, trick a user into opening it and terminate the application.

Technical details

The access violation occurs in the svxcorelo!sdr::contact::ViewObjectContact::getPrimitive2DSequence+0x39 function when the application tries to call through the pointer stored at EDX+4. Since the EDX value is not properly set, this results in a bad-pointer dereference.

67302686 ff5204 call dword ptr [edx+4] ds:0023:00000004=??? Crash

Analysis of the crash shows that the problem arises after the application renders the page and enters the following function for the forty-third time.

svxcorelo!sdr::contact::ViewObjectContact::getPrimitive2DSequence:
6443264d 6a28 push 28h
6443264f b8c4bf5e64 mov eax,offset svxcorelo!EnhancedCustomShape::FunctionParser::parseFunction+0x487fc (645ebfc4)
64432654 e8d8851700 call svxcorelo!EnhancedCustomShape::FunctionParser::parseFunction+0x7469 (645aac31)
64432659 8bf9 mov edi,ecx
6443265b 8365ec00 and dword ptr [ebp-14h],0
6443265f 8d4df0 lea ecx,[ebp-10h]
64432662 e8e24af1ff call svxcorelo!E3dView::BreakSingle3DObj+0xe2 (64347149)
64432667 c745fc01000000 mov dword ptr [ebp-4],1
6443266e 8b4f08 mov ecx,dword ptr [edi+8]
64432671 e8e067ffff call svxcorelo!sdr::contact::ObjectContact::GetViewObjectContactRedirector (64428e56)
64432676 ff750c push dword ptr [ebp+0Ch]
64432679 8d4d0c lea ecx,[ebp+0Ch]
6443267c 85c0 test eax,eax
6443267e 740f je svxcorelo!sdr::contact::ViewObjectContact::getPrimitive2DSequence+0x42 (6443268f)
64432680 8b10 mov edx,dword ptr [eax]
64432682 57 push edi
64432683 51 push ecx
64432684 8bc8 mov ecx,eax
64432686 ff5204 call dword ptr [edx+4] Crash

The EDX register inherits its value from the preceding mov edx,dword ptr [eax] instruction. When a malformed ODG file is opened, EAX holds a wrong pointer, so EDX receives a bad value and the call dword ptr [edx+4] instruction dereferences an invalid pointer.

Proof of Concept

Please see the attached file: HTB23106-ODG.rar ( https://www.htbridge.com/advisory/HTB23106-ODG.rar )

Password: high-tech-bridge

1.3 A NULL pointer dereference error was found in tllo.dll when handling the PolyPolygon record within an embedded .wmf file in Microsoft PowerPoint 2003 (PPT) files. A remote attacker can create a specially crafted .ppt file, trick a user into opening it and terminate the application.

Technical details

The malformed PPT file causes a call to the tllo!Polygon::Polygon function, which in turn calls the MSVCR90!memcpy procedure. The procedure takes its source address from the ESI register, which references invalid or corrupted memory, and the entire application crashes.

Proof of Concept

Please see the attached file: HTB23106-PPT.rar ( https://www.htbridge.com/advisory/HTB23106-PPT.rar )

Password: high-tech-bridge

1.4 A NULL pointer dereference error was found in scfiltlo.dll while processing Microsoft Excel 2003 (XLS) files. A remote attacker can create a specially crafted XLS file, trick a user into opening it and terminate the application.

Technical details

The error is triggered when the application calls the scfiltlo!scfilt_component_getFactory function to process the malformed XLS file.

eax=00000001 ebx=00000000 ecx=00000000 edx=00000002 esi=00a4b9a8 edi=0000ffff
eip=67ad6a56 esp=00a4b950 ebp=00a4b984 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
scfiltlo!scfilt_component_getFactory+0x63eb3:
67ad6a56 6689412e mov word ptr [ecx+2Eh],ax ds:0023:0000002e=???

The crash occurs at address 0x5fa46a51 when the value of the ESI pointer is transferred into the ECX register. This value is always NULL, which leads to a crash of the entire application.

5fa46a41 8b450c mov eax,dword ptr [ebp+0Ch]
5fa46a44 8b4004 mov eax,dword ptr [eax+4]
5fa46a47 0fb780a4000000 movzx eax,word ptr [eax+0A4h]
5fa46a4e 8b7508 mov esi,dword ptr [ebp+8]
5fa46a51 8b0e mov ecx,dword ptr [esi]
5fa46a53 ff7510 push dword ptr [ebp+10h]
5fa46a56 6689412e mov word ptr [ecx+2Eh],ax ds:0023:0000002e=???

Proof of Concept

Please see the attached file: HTB23106-XLS.rar ( https://www.htbridge.com/advisory/HTB23106-XLS.rar )

Password: high-tech-bridge
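As an added example (not part of this advisory and not LibreOffice code), the following Python helper parses cdb/WinDbg register dumps and faulting-instruction lines of the kind quoted in sections 1.1, 1.2 and 1.4 and classifies each crash the way a defender doing bug triage would: whether the effective address lies in the NULL page (a CWE-476 NULL pointer dereference, which in practice means a reliable crash and denial of service), which base register was zero, and whether the faulting access is a read, a write or an indirect call. The three sample dumps are the advisory's own debugger output, re-typed here as constructed input. The names parse_cdb_crash, triage and CrashRecord are the example's own, and the 64 KiB NULL-page threshold is an assumption (the lowest 64 KiB of a 32-bit Windows process is never mapped). Note that for section 1.1 the faulting address 0x6cd6e986 is not in the NULL page, so the helper flags that crash for manual analysis rather than labelling it a NULL dereference.

```python
"""cdb/WinDbg access-violation triage helper (added example, not advisory code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumption: the lowest 64 KiB of a 32-bit Windows process is never mapped,
# so an effective address below this limit was derived from a NULL base pointer.
NULL_PAGE_LIMIT = 0x10000

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})\b")
EA_RE = re.compile(r"ds:[0-9a-fA-F]{4}:([0-9a-fA-F]{8})=(\?\?\?|[0-9a-fA-F]{8})")
DISASM_RE = re.compile(r"^([0-9a-fA-F]{8})\s+[0-9a-fA-F]+\s+([a-z]+)\s+(.*)$")
MEM_RE = re.compile(r"\[(e[abcd]x|e[sd]i|e[bs]p)(?:\+([0-9a-fA-F]+h?))?\]")

# Constructed inputs: the dumps quoted in the advisory (sections 1.1, 1.2, 1.4).
DUMP_ODT = """\
(744.3cc): Access violation - code c0000005 (first chance)
eax=6cd6e982 ebx=050d1e20 ecx=00b4f404 edx=000000d6 esi=00b4f404 edi=00b4f2d8
eip=6b44f247 esp=00b4f3cc ebp=00b4f3d4 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010282
vcllo!Region::operator=+0x12:
6b44f247 ff4004 inc dword ptr [eax+4] ds:0023:6cd6e986=db4a6001
"""
DUMP_ODG = "67302686 ff5204 call dword ptr [edx+4] ds:0023:00000004=??? Crash\n"
DUMP_XLS = """\
eax=00000001 ebx=00000000 ecx=00000000 edx=00000002 esi=00a4b9a8 edi=0000ffff
eip=67ad6a56 esp=00a4b950 ebp=00a4b984 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
scfiltlo!scfilt_component_getFactory+0x63eb3:
67ad6a56 6689412e mov word ptr [ecx+2Eh],ax ds:0023:0000002e=???
"""


@dataclass
class CrashRecord:
    eip: int | None = None
    mnemonic: str = ""
    operands: str = ""
    effective_address: int | None = None
    target_readable: bool | None = None   # False when cdb printed '???'
    registers: dict[str, int] = field(default_factory=dict)

    @property
    def access_kind(self) -> str:
        first = self.operands.split(",")[0]
        if self.mnemonic in ("call", "jmp"):
            return "indirect-control-flow"
        if self.mnemonic in ("inc", "dec", "add", "sub", "and", "or", "xor") and "[" in first:
            return "read-modify-write"
        if self.mnemonic in ("mov", "movzx", "push", "cmp", "test"):
            return "write" if self.mnemonic == "mov" and "[" in first else "read"
        return "unknown"

    @property
    def null_deref(self) -> bool:
        return self.effective_address is not None and self.effective_address < NULL_PAGE_LIMIT

    def null_base_register(self) -> str | None:
        """Name the base register that was zero: operand [reg+disp] with
        EA - disp == 0, cross-checked against the register dump when present."""
        m = MEM_RE.search(self.operands)
        if m is None or self.effective_address is None:
            return None
        disp_s = m.group(2) or "0"
        disp = int(disp_s[:-1], 16) if disp_s.endswith("h") else int(disp_s)
        reg = m.group(1)
        if self.effective_address - disp != 0 or self.registers.get(reg, 0) != 0:
            return None
        return reg

    @property
    def verdict(self) -> str:
        if self.null_deref:
            return "NULL pointer dereference (CWE-476): reliable crash, denial of service"
        if self.target_readable is False:
            return "unmapped non-NULL address: wild pointer, analyse further"
        return "mapped address: page protection or corrupted pointer, analyse further"


def parse_cdb_crash(text: str) -> CrashRecord:
    """Walk a cdb dump; the last disassembly line is taken as the faulting instruction."""
    rec = CrashRecord()
    for raw in text.splitlines():
        line = raw.strip()
        for reg, val in REG_RE.findall(line):
            rec.registers[reg] = int(val, 16)
        dm = DISASM_RE.match(line)
        if dm is None:
            continue
        rec.eip = int(dm.group(1), 16)
        rec.mnemonic = dm.group(2)
        rest = dm.group(3)
        ea = EA_RE.search(rest)
        if ea:
            rec.effective_address = int(ea.group(1), 16)
            rec.target_readable = ea.group(2) != "???"
            rest = rest[: ea.start()]
        rec.operands = rest.strip()
    return rec


def triage(dumps: dict[str, str]) -> dict[str, dict]:
    """Classify each named dump and return plain dicts suitable for a report."""
    report = {}
    for name, text in dumps.items():
        rec = parse_cdb_crash(text)
        report[name] = {
            "eip": rec.eip,
            "access": rec.access_kind,
            "effective_address": rec.effective_address,
            "null_deref": rec.null_deref,
            "null_register": rec.null_base_register(),
            "verdict": rec.verdict,
        }
    return report


SAMPLES = {"1.1 odt": DUMP_ODT, "1.2 odg": DUMP_ODG, "1.4 xls": DUMP_XLS}

if __name__ == "__main__":
    for name, r in triage(SAMPLES).items():
        print(f"{name}: eip={r['eip']:#010x} {r['access']} ea={r['effective_address']:#010x} "
              f"null_reg={r['null_register']} -> {r['verdict']}")
```

Running the script prints one verdict per dump; the ODG and XLS crashes are reported as NULL dereferences through EDX and ECX respectively, matching the advisory's analysis, while the ODT crash (a read-modify-write of a mapped address) is left for manual review.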

Attack vectors
These vulnerabilities require that a user open a specially crafted file with an affected version of the LibreOffice Suite. An attacker could use several ways to deliver the malicious file to the system.

In a web-based scenario, an attacker could host the file on a website or WebDAV share and trick a user into downloading and opening it.

In an email scenario, an attacker could exploit these vulnerabilities by sending an email with the malicious file attached.


Solution:

Upgrade to LibreOffice 3.5.7.2
http://www.libreoffice.org/download/


References:

[1] High-Tech Bridge Advisory HTB23106 - https://www.htbridge.com/advisory/HTB23106 - Denial of Service Vulnerability in LibreOffice
[2] LibreOffice - http://www.libreoffice.org - LibreOffice is the power-packed free and open source personal productivity suite for Windows, Macintosh and GNU/Linux.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.


Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.