Bug#304469: openoffice.org: Invalid range checking in DOC header parsing leading to possible heap overflow

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#304469: openoffice.org: Invalid range checking in DOC header parsing leading to possible heap overflow
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Wed, 13 Apr 2005 14:08:39 +0200
Message-id: <[🔎] E1DLgfg-0002cF-AI@localhost.localdomain>
Reply-to: Moritz Muehlenhoff <jmm@inutil.org>, 304469@bugs.debian.org

Package: openoffice.org
Version: 1.1.3-8
Severity: grave
Tags: security
Justification: user security hole

Lee Xioajun <airsupply@segfault.cn> reported an issue with invalid input
checks in DOC header parsing, which can possibly be exploited with remote
code execution. I'm including his advisory verbose, as I could not find a
WWW reference for it. The relevant issue #s seems to be 46276 and 46388.
It's supposed to be fixed upstream, but I couldn't find it in the plethora
of CVS modules and subprojects.

Cheers,
        Moritz

OpenOffice DOC document Heap Overflow
[Security Advisory]

Advisory:[AD_LAB-05001] OpenOffice DOC document Heap Overflow
Class: Design Error
DATE:30/3/2005
CVEID:CAN-2005-0941
Vulnerable:
    <=OpenOffice OpenOffice 1.1.4
    -OpenOffice OpenOffice 2.0dev
    
Unvulnerable:
	Unknow
Vendor:
 	www.openoffice.org

I.DESCRIPTION: 
-------------
 	OpenOffice.org is an office productivity suite, including word
processing, spreadsheets, presentations, drawings, data charting,
formula editing, and file conversion facilities.
The vulnerability is caused due to a  error within the .Doc document header 
processing.This can be exploited to cause a heap-based buffer overflow. 

II.DETAILS:
----------
	There is a vulnerability in  StgCompObjStream::Load() function,
When reading DOC document information of format,memory is allocated by DOC provide length. 
DOC provided a 32 bits integer,and will use the low 16 bits of this number to allocate memory,
but when reading doc information,still use the 32 bits number as length,this maybe cause heap
overflow, and when free happened ,will cause write pointer,maybe cause arbitrary code excute .

BOOL StgCompObjStream::Load()
{
	memset( &aClsId, 0, sizeof( ClsId ) );
	nCbFormat = 0;
	aUserName.Erase();
	if( GetError() != SVSTREAM_OK )
		return FALSE;
	Seek( 8L );		
	INT32 nMarker = 0;
	*this >> nMarker;
	if( nMarker == -1L )
	{
		*this >> aClsId;
		INT32 nLen1 = 0;
		*this >> nLen1; // we can control this 32 bits int
		sal_Char* p = new sal_Char[ (USHORT) nLen1 ]; //use low 16 bits value to allocate memory 
		if( Read( p, nLen1 ) == (ULONG) nLen1 )  //still use 32 bits int as length,if failed,
							// will goto free step,maybe cause write pointer.
		{
			aUserName = String( p, gsl_getSystemTextEncoding() );
			....
			nCbFormat = ReadClipboardFormat( *this );
		}
		else
			SetError( SVSTREAM_GENERALERROR );
        delete [] p; //free step,heap overflow cause write pointer.
	}
	return BOOL( GetError() == SVSTREAM_OK );
}
example:
	if we provide 0x10000018 to nLen1,will allocate 0x18 length memory,
 Read( p, nLen1 ) still use 0x10000018 as length,then, read will fail,
 but readed length is bigger than allocated memory,and overwrite the next chunk.
when goto delete [] p;,write pointer happened. we had triggered this problem successful.
	StartOffice maybe affected too. did not test.
	

III.CREDIT: 
----------
    AD-LAB discovery this vuln:)
Vulnerability analysis and advisory by A1rsupp1y.
Special thanks to xalan's  discussion.
Thank to Sam,icbm,liangbin and all Venustech AD-Lab guys:P.



V.DISCLAIMS:
-----------

The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages. 

Copyright 1996-2005 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab 
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)

Security
Trusted {Solution} Provider
Service

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Versions of packages openoffice.org depends on:
ii  dictionaries-common [openof 0.25.3       Common utilities for spelling dict
ii  openoffice.org-bin          1.1.2dfsg1-2 OpenOffice.org office suite binary
ii  openoffice.org-debian-files 1.1.2-5+1    Debian specific parts of OpenOffic
ii  openoffice.org-l10n-de [ope 1.1.2dfsg1-2 German language package for OpenOf
ii  openoffice.org-l10n-en [ope 1.1.2dfsg1-2 English (US) language package for 
ii  ttf-opensymbol              1.1.3-8      The OpenSymbol TrueType font

-- no debconf information

Reply to:

Follow-Ups:
- Bug#304469: marked as done (openoffice.org: Invalid range checking in DOC header parsing leading to possible heap overflow)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Processed: bug 304412 is forwarded to http://www.openoffice.org/issues/show_bug.cgi?id=46388
Next by Date: Processed: merging 304412 304469
Previous by thread: Processed: bug 304412 is forwarded to http://www.openoffice.org/issues/show_bug.cgi?id=46388
Next by thread: Bug#304469: marked as done (openoffice.org: Invalid range checking in DOC header parsing leading to possible heap overflow)
Index(es):
- Date
- Thread