High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in LibreOffice which could be exploited to perform denial of service (DoS) attacks.
1) Multiple vulnerabilities in LibreOffice: CVE-2012-4233

1.1 NULL pointer dereference error was found in vcllo.dll while processing .odt files. A remote attacker can create a specially crafted .odt file, trick a user into opening that file and terminate the application.
Technical details
The access violation occurs in the vcllo.dll module (vcllo!Region::operator=+0x12) when the instruction inc dword ptr [eax+4] tries to increment the value at an invalid pointer:

(744.3cc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=6cd6e982 ebx=050d1e20 ecx=00b4f404 edx=000000d6 esi=00b4f404 edi=00b4f2d8
eip=6b44f247 esp=00b4f3cc ebp=00b4f3d4 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010282
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\LibreOffice 3.5\program\vcllo.dll -
vcllo!Region::operator=+0x12:
6b44f247 ff4004 inc dword ptr [eax+4] ds:0023:6cd6e986=db4a6001
2:002> cdb: Reading initial command 'r;!exploitable -v;q'
eax=6cd6e982 ebx=050d1e20 ecx=00b4f404 edx=000000d6 esi=00b4f404 edi=00b4f2d8
eip=6b44f247 esp=00b4f3cc ebp=00b4f3d4 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010282
vcllo!Region::operator=+0x12:
6b44f247 ff4004 inc dword ptr [eax+4] ds:0023:6cd6e986=db4a6001
Proof of Concept
Please see the attached file: HTB23106-LibreOffice-3.5.5.3.rar Password: high-tech-bridge
1.2 Null pointer dereference error was found in svxcorelo.dll while processing the ODG (Drawing document) files. A remote attacker can create a specially crafted ODG file, trick a user into opening that file and terminate the application.
Technical details
The access violation occurs in the svxcorelo!sdr::contact::ViewObjectContact::getPrimitive2DSequence+0x39 function when the application tries to call through the EDX+4 pointer. Since the EDX value is not properly set, this causes a bad-pointer dereference:

67302686 ff5204 call dword ptr [edx+4] ds:0023:00000004=????????   <- Crash

After studying the crash, the problem arises after the application renders the page and enters the following function for the forty-third time:

svxcorelo!sdr::contact::ViewObjectContact::getPrimitive2DSequence:
6443264d 6a28 push 28h
6443264f b8c4bf5e64 mov eax,offset svxcorelo!EnhancedCustomShape::FunctionParser::parseFunction+0x487fc (645ebfc4)
64432654 e8d8851700 call svxcorelo!EnhancedCustomShape::FunctionParser::parseFunction+0x7469 (645aac31)
64432659 8bf9 mov edi,ecx
6443265b 8365ec00 and dword ptr [ebp-14h],0
6443265f 8d4df0 lea ecx,[ebp-10h]
64432662 e8e24af1ff call svxcorelo!E3dView::BreakSingle3DObj+0xe2 (64347149)
64432667 c745fc01000000 mov dword ptr [ebp-4],1
6443266e 8b4f08 mov ecx,dword ptr [edi+8]
64432671 e8e067ffff call svxcorelo!sdr::contact::ObjectContact::GetViewObjectContactRedirector (64428e56)
64432676 ff750c push dword ptr [ebp+0Ch]
64432679 8d4d0c lea ecx,[ebp+0Ch]
6443267c 85c0 test eax,eax
6443267e 740f je svxcorelo!sdr::contact::ViewObjectContact::getPrimitive2DSequence+0x42 (6443268f)
64432680 8b10 mov edx,dword ptr [eax]
64432682 57 push edi
64432683 51 push ecx
64432684 8bc8 mov ecx,eax
64432686 ff5204 call dword ptr [edx+4]   <- Crash

The EDX register inherits its value from the preceding mov edx,dword ptr [eax] instruction. When a malformed ODG file is opened, the EAX register passes a wrong pointer to EDX, which leads to a bad-pointer dereference in the call dword ptr [edx+4] instruction.
Proof of Concept
Please see the attached file: HTB23106-ODG.rar Password: high-tech-bridge
1.3 Null pointer dereference error was found in tllo.dll when handling the PolyPolygon record within an embedded .wmf file in Microsoft PowerPoint 2003 (PPT) files. A remote attacker can create a specially crafted .ppt file, trick a user into opening that file and terminate the application.
Technical details
The malformed PPT file causes a call to the tllo!Polygon::Polygon function, which in turn calls the MSVCR90!memcpy procedure. The procedure inherits its source address from the ESI pointer, which references invalid or corrupted memory, and the entire application crashes.
Proof of Concept
Please see the attached file: HTB23106-PPT.rar Password: high-tech-bridge
1.4 Null pointer dereference error was found in scfiltlo.dll while processing Microsoft Excel 2003 (XLS) files. A remote attacker can create a specially crafted XLS file, trick a user into opening that file and terminate the application.
Technical details
The error is triggered when the application calls the scfiltlo!scfilt_component_getFactory function to process the malformed Microsoft XLS file:

eax=00000001 ebx=00000000 ecx=00000000 edx=00000002 esi=00a4b9a8 edi=0000ffff
eip=67ad6a56 esp=00a4b950 ebp=00a4b984 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
scfiltlo!scfilt_component_getFactory+0x63eb3:
67ad6a56 6689412e mov word ptr [ecx+2Eh],ax ds:0023:0000002e=????

The crash occurs at address 0x5fa46a51, when the value referenced by the ESI pointer is loaded into the ECX register. This value is always null, which leads to a crash of the entire application:

5fa46a41 8b450c mov eax,dword ptr [ebp+0Ch]
5fa46a44 8b4004 mov eax,dword ptr [eax+4]
5fa46a47 0fb780a4000000 movzx eax,word ptr [eax+0A4h]
5fa46a4e 8b7508 mov esi,dword ptr [ebp+8]
5fa46a51 8b0e mov ecx,dword ptr [esi]
5fa46a53 ff7510 push dword ptr [ebp+10h]
5fa46a56 6689412e mov word ptr [ecx+2Eh],ax ds:0023:0000002e=???
Proof of Concept
Please see the attached file: HTB23106-XLS.rar Password: high-tech-bridge
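The advisory labels all of the crashes above as null pointer dereferences, but the cdb faulting-instruction lines carry enough detail to check that for each case (1.1, 1.2 and 1.4): the faulting address, whether the debugger could read the target, and how the instruction touched it. The triage helper below is an added example, not part of the advisory; it parses those quoted lines and reports that the 1.2 and 1.4 faults land in the null page while the 1.1 fault is a write through a wild pointer into readable memory.

```python
import re
from dataclasses import dataclass

# Shape of the faulting-instruction line cdb/WinDbg prints, e.g.
#   67302686 ff5204 call dword ptr [edx+4] ds:0023:00000004=????????
FAULT_RE = re.compile(
    r"^(?P<eip>[0-9a-f]{8})\s+(?P<opcode>[0-9a-f]+)\s+(?P<mnem>\w+)\s+(?P<ops>.*?)"
    r"\s+ds:(?P<seg>[0-9a-f]{4}):(?P<addr>[0-9a-f]{8})=(?P<value>\S+)$"
)
# 32-bit Windows never maps the first 64 KiB of user address space, so a
# fault there is NULL plus a small field offset rather than a wild pointer.
NULL_PAGE_LIMIT = 0x10000

@dataclass
class Triage:
    eip: int
    mnemonic: str
    fault_addr: int
    access: str      # how the faulting instruction touched memory
    readable: bool   # cdb displayed the target bytes (no '????')
    verdict: str

def classify_access(mnem: str, ops: str) -> str:
    dest = ops.split(",")[0]          # first operand is the destination
    if mnem in ("call", "jmp"):
        return "indirect control transfer through memory"
    if "ptr [" in dest:
        rmw = ("inc", "dec", "add", "sub", "and", "or", "xor")
        return "read-modify-write" if mnem in rmw else "write"
    return "read"

def triage(line: str) -> Triage:
    m = FAULT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a cdb faulting-instruction line: {line!r}")
    addr = int(m["addr"], 16)
    access = classify_access(m["mnem"], m["ops"])
    readable = "?" not in m["value"]
    if addr < NULL_PAGE_LIMIT:
        verdict = f"NULL pointer dereference (NULL + 0x{addr:x})"
    elif readable and access != "read":
        verdict = "wild pointer: write fault on readable, non-writable memory"
    else:
        verdict = "wild pointer into unmapped memory"
    return Triage(int(m["eip"], 16), m["mnem"], addr, access, readable, verdict)

# The three faulting lines quoted in the advisory above (constructed input list).
ADVISORY_FAULTS = [
    "6b44f247 ff4004 inc dword ptr [eax+4] ds:0023:6cd6e986=db4a6001",
    "67302686 ff5204 call dword ptr [edx+4] ds:0023:00000004=????????",
    "67ad6a56 6689412e mov word ptr [ecx+2Eh],ax ds:0023:0000002e=????",
]

if __name__ == "__main__":
    for t in map(triage, ADVISORY_FAULTS):
        print(f"{t.eip:08x} {t.mnemonic:<4} fault@{t.fault_addr:08x} {t.access}: {t.verdict}")
```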
Attack vectors
These vulnerabilities require that a user opens a specially crafted file with an affected version of the LibreOffice suite. An attacker could use several ways to deliver a malicious file to the system. In a web-based scenario, an attacker could host a file on a website or WebDav share and trick a user into downloading and opening this file. In an email scenario, an attacker could exploit these vulnerabilities by sending an email with the malicious file attached.