Message-Id: <20121105143047.7FB3E2C40136@htbridge.ch>
Date: Mon,  5 Nov 2012 15:30:47 +0100 (CET)
From: advisory@...ridge.com
To: bugtraq@...urityfocus.com
Subject: Multiple Vulnerabilities in LibreOffice

Advisory ID: HTB23106
Product: LibreOffice Suite
Vendor: LibreOffice
Vulnerable Version(s): 3.5.5.3 and probably prior
Tested Version: 3.5.5.3
Vendor Notification: July 26, 2012 
Public Disclosure: October 31, 2012 
Vulnerability Type: NULL Pointer Dereference [CWE-476]
CVE Reference: CVE-2012-4233
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Solution Status: Fixed by Vendor
Risk Level: Low 
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in LibreOffice which could be exploited to perform denial of service (DoS) attacks.


1)	Multiple vulnerabilities in LibreOffice: CVE-2012-4233

1.1	A NULL pointer dereference error was found in vcllo.dll while processing .odt files. A remote attacker can create a specially crafted .odt file, trick a user into opening that file and terminate the application. 


Technical details 
The access violation occurs in the vcllo.dll module (vcllo!Region::operator=+0x12:) when the instruction inc dword ptr [eax+4] tries to increment through an invalid pointer:
(744.3cc): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.


eax=6cd6e982 ebx=050d1e20 ecx=00b4f404 edx=000000d6 esi=00b4f404 edi=00b4f2d8
eip=6b44f247 esp=00b4f3cc ebp=00b4f3d4 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010282
*** ERROR: Symbol file could not be found.
Defaulted to export symbols for C:\Program Files\LibreOffice 3.5\program\vcllo.dll -
vcllo!Region::operator=+0x12:
6b44f247 ff4004 inc dword ptr [eax+4] ds:0023:6cd6e986=db4a6001
2:002> cdb: Reading initial command 'r;!exploitable -v;q'
eax=6cd6e982 ebx=050d1e20 ecx=00b4f404 edx=000000d6 esi=00b4f404 edi=00b4f2d8
eip=6b44f247 esp=00b4f3cc ebp=00b4f3d4 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010282
vcllo!Region::operator=+0x12:
6b44f247 ff4004 inc dword ptr [eax+4] ds:0023:6cd6e986=db4a6001



Proof of Concept
Please see the attached file: HTB23106-LibreOffice-3.5.5.3.rar ( https://www.htbridge.com/advisory/HTB23106-LibreOffice-3.5.5.3.rar )
Password: high-tech-bridge


1.2	A NULL pointer dereference error was found in svxcorelo.dll while processing ODG (Drawing document) files. A remote attacker can create a specially crafted ODG file, trick a user into opening that file and terminate the application. 


Technical details

An access violation occurs at svxcorelo!sdr::contact::ViewObjectContact::getPrimitive2DSequence+0x39 when the application tries to call through the pointer stored at EDX+4. Since the EDX value is not properly set, this causes a bad-pointer dereference.

67302686 ff5204          call    dword ptr [edx+4]    ds:0023:00000004=????????  Crash

Analysis of the crash shows that the problem arises after the application renders the page and enters the following function for the forty-third time. 


svxcorelo!sdr::contact::ViewObjectContact::getPrimitive2DSequence:
6443264d 6a28            push    28h
6443264f b8c4bf5e64      mov     eax,offset svxcorelo!EnhancedCustomShape::FunctionParser::parseFunction+0x487fc (645ebfc4)
64432654 e8d8851700      call    svxcorelo!EnhancedCustomShape::FunctionParser::parseFunction+0x7469 (645aac31)
64432659 8bf9            mov     edi,ecx
6443265b 8365ec00        and     dword ptr [ebp-14h],0
6443265f 8d4df0          lea     ecx,[ebp-10h]
64432662 e8e24af1ff      call    svxcorelo!E3dView::BreakSingle3DObj+0xe2 (64347149)
64432667 c745fc01000000  mov     dword ptr [ebp-4],1
6443266e 8b4f08          mov     ecx,dword ptr [edi+8]
64432671 e8e067ffff      call    svxcorelo!sdr::contact::ObjectContact::GetViewObjectContactRedirector (64428e56)
64432676 ff750c          push    dword ptr [ebp+0Ch]
64432679 8d4d0c          lea     ecx,[ebp+0Ch]
6443267c 85c0            test    eax,eax
6443267e 740f            je      svxcorelo!sdr::contact::ViewObjectContact::getPrimitive2DSequence+0x42 (6443268f)
64432680 8b10            mov     edx,dword ptr [eax]
64432682 57              push    edi
64432683 51              push    ecx
64432684 8bc8            mov     ecx,eax
64432686 ff5204          call    dword ptr [edx+4] Crash


The EDX register inherits its value from the preceding mov     edx,dword ptr [eax] instruction. When a malformed ODG file is opened, the EAX register passes a wrong pointer to EDX, which leads to a bad-pointer dereference in the call    dword ptr [edx+4] instruction. 


Proof of Concept


Please see the attached file: HTB23106-ODG.rar ( https://www.htbridge.com/advisory/HTB23106-ODG.rar )

Password: high-tech-bridge


1.3	A NULL pointer dereference error was found in tllo.dll when handling the PolyPolygon record of a .wmf file embedded in Microsoft PowerPoint 2003 (PPT) files. A remote attacker can create a specially crafted .ppt file, trick a user into opening that file and terminate the application. 


Technical details

Processing the malformed PPT file leads to a call to the tllo!Polygon::Polygon function and a subsequent call to the MSVCR90!memcpy procedure. The procedure inherits its pointer from the ESI register, which references invalid or corrupted memory, leading to a crash of the entire application.


Proof of Concept

Please see the attached file: HTB23106-PPT.rar ( https://www.htbridge.com/advisory/HTB23106-PPT.rar )

Password: high-tech-bridge


1.4	A NULL pointer dereference error was found in scfiltlo.dll while processing Microsoft Excel 2003 (XLS) files. A remote attacker can create a specially crafted XLS file, trick a user into opening that file and terminate the application. 


Technical details

The error is triggered when the application calls the scfiltlo!scfilt_component_getFactory function to process the malformed XLS file.


eax=00000001 ebx=00000000 ecx=00000000 edx=00000002 esi=00a4b9a8 edi=0000ffff
eip=67ad6a56 esp=00a4b950 ebp=00a4b984 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
scfiltlo!scfilt_component_getFactory+0x63eb3:
67ad6a56 6689412e        mov     word ptr [ecx+2Eh],ax    ds:0023:0000002e=????


The crash occurs at address 0x5fa46a51, when the value referenced by the ESI pointer is transferred into the ECX register. This value is always NULL, which leads to a crash of the entire application.



5fa46a41 8b450c          mov     eax,dword ptr [ebp+0Ch]
5fa46a44 8b4004          mov     eax,dword ptr [eax+4]
5fa46a47 0fb780a4000000  movzx   eax,word ptr [eax+0A4h]
5fa46a4e 8b7508          mov     esi,dword ptr [ebp+8]
5fa46a51 8b0e            mov     ecx,dword ptr [esi]
5fa46a53 ff7510          push    dword ptr [ebp+10h]
5fa46a56 6689412e        mov     word ptr [ecx+2Eh],ax    ds:0023:0000002e=???



Proof of Concept

Please see the attached file: HTB23106-XLS.rar ( https://www.htbridge.com/advisory/HTB23106-XLS.rar )

Password: high-tech-bridge
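As an added example (not part of the advisory), a small Python triage helper that parses cdb faulting-instruction lines like the ones quoted in sections 1.1, 1.2 and 1.4 above, recovers the base register's value from the fault address and the operand displacement, and flags faults inside the never-mapped low 64 KiB as NULL-based (CWE-476) dereferences; NULL_PAGE_LIMIT and the verdict strings are my own heuristic choices, and the sample lines are copied from the dumps above.

```python
import re

# Constructed sample input: the faulting-instruction lines quoted in advisory
# HTB23106 (sections 1.1, 1.2, 1.4), cdb format "<eip> <bytes> <mnem> <ops> ds:<sel>:<addr>=<val>".
CDB_LINES = [
    "6b44f247 ff4004 inc dword ptr [eax+4] ds:0023:6cd6e986=db4a6001",
    "67302686 ff5204          call    dword ptr [edx+4]    ds:0023:00000004=???????? Crash",
    "67ad6a56 6689412e        mov     word ptr [ecx+2Eh],ax    ds:0023:0000002e=????",
]
# 32-bit Windows never maps the first 64 KiB of a process, so a fault there
# means the base register held NULL (or a small integer), i.e. CWE-476.
NULL_PAGE_LIMIT = 0x10000
FAULT_RE = re.compile(
    r"^(?P<eip>[0-9a-f]{8})\s+[0-9a-f]+\s+(?P<mnem>\w+)\s+(?P<ops>.*?)\s+"
    r"ds:[0-9a-f]{4}:(?P<addr>[0-9a-f]{8})=(?P<val>\S+)", re.I)
# MASM memory operand [reg+disp]: "2Eh" is hex, a bare "4" is decimal.
MEM_RE = re.compile(
    r"\[(?P<reg>e[a-z]{2})(?:\s*\+\s*(?P<disp>[0-9a-f]+)(?P<hex>h?))?\]", re.I)


def triage(line):
    """Classify one cdb faulting-instruction line; returns a dict of findings."""
    m = FAULT_RE.match(line.strip())
    if not m:
        raise ValueError("not a cdb faulting-instruction line: %r" % line)
    mnem, ops, addr = m["mnem"].lower(), m["ops"], int(m["addr"], 16)
    mem = MEM_RE.search(ops)
    if mem is None:
        raise ValueError("no [reg+disp] memory operand in: %r" % ops)
    disp = int(mem["disp"], 16 if mem["hex"] else 10) if mem["disp"] else 0
    # The CPU faulted on base + displacement, so the base register's value at
    # the crash can be recovered from the fault address alone.
    base_value = (addr - disp) & 0xFFFFFFFF
    if mnem == "call":
        access = "indirect call"  # vtable-style call through [reg+disp]
    else:  # a memory operand before the comma is the destination: a write
        access = "write" if "[" in ops.split(",")[0] else "read"
    unmapped = m["val"].startswith("?")  # cdb prints ?? for unreadable memory
    near_null = addr < NULL_PAGE_LIMIT
    if near_null:
        verdict = "NULL pointer dereference (CWE-476): crash / DoS"
    elif unmapped:
        verdict = "wild pointer to unmapped memory: crash, needs analysis"
    else:
        verdict = "wild pointer into mapped memory: needs manual analysis"
    return {"eip": m["eip"].lower(), "mnemonic": mnem, "fault_address": addr,
            "base_register": mem["reg"].lower(), "base_value": base_value,
            "access": access, "near_null": near_null, "unmapped": unmapped,
            "verdict": verdict}
```

Running triage() over CDB_LINES recovers eax=6cd6e982 for section 1.1 (matching the register dump there) and a NULL base register for sections 1.2 and 1.4, where the fault addresses 0x4 and 0x2e are exactly the operand displacements.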


Attack vectors
These vulnerabilities require that a user opens a specially crafted file with an affected version of the LibreOffice Suite. An attacker could use several ways to deliver a malicious file to the system. 

In a web-based scenario, an attacker could host a file on a website or WebDAV share and trick a user into downloading and opening this file.

In an email scenario, an attacker could exploit this vulnerability by sending an email with the malicious file attached.


-----------------------------------------------------------------------------------------------

Solution:

Upgrade to LibreOffice 3.5.7.2
http://www.libreoffice.org/download/

More Information:
http://www.libreoffice.org/advisories/cve-2012-4233/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23106 - https://www.htbridge.com/advisory/HTB23106 - Denial of Service Vulnerability in LibreOffice
[2] LibreOffice - http://www.libreoffice.org - LibreOffice is the power-packed free and open source personal productivity suite for Windows, Macintosh and GNU/Linux.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. 

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
