Re: Flaw in OpenOffice.org 2.1: OpenOffice 2.1 is vulnerable to MS Word 0 day vulnerability!!!

To: gplit@xxxxxxxxxx
Subject: Re: Flaw in OpenOffice.org 2.1: OpenOffice 2.1 is vulnerable to MS Word 0 day vulnerability!!!
From: Josh Bressers <josh@xxxxxxxxx>
Date: Fri, 15 Dec 2006 16:11:47 -0500
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Comments: In-reply-to gplit@xxxxxxxxxx message dated "15 Dec 2006 09:49:54 +0000."
In-reply-to: <20061215094954.31555.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20061215094954.31555.qmail@xxxxxxxxxxxxxxxxx>
Sender: josh@xxxxxxxxx

> try yourself with OpenOffice.org 2.1:
> http://www.milw0rm.com/sploits/12122006-djtest.doc

This looks like it's an integer overflow that's then crashing on when
memset tries to write lots of zeros onto the heap.

Breakpoint 2, WW8PLCF::GeneratePLCF (this=0xb12a36e8, pSt=0xabae6cc8,
nPN=0, ncpN=587202560)
    at /usr/src/debug/OOD680_m5/sw/source/filter/ww8/ww8scan.cxx:2299
2299        nIMax = ncpN;
Current language:  auto; currently c++
(gdb) list
2294
2295    void WW8PLCF::GeneratePLCF( SvStream* pSt, long nPN, long ncpN )
2296    {
2297        ASSERT(!this, "Not a bug, but I (cmc) want to see this .doc as
an example");
2298        ASSERT( nIMax < (long)ncpN, "Pcl.Fkp: Warum ist PLCF zu gross
?" );

2299        nIMax = ncpN;
2300        long nSiz = 6 * nIMax + 4;
2301        pPLCF_PosArray = new INT32[ ( nSiz + 3 ) / 4 ]; // Pointer auf
Pos-Array
2302        memset( pPLCF_PosArray, 0, (size_t)nSiz );

(gdb) print ncpN
$1 = 587202560
(gdb) print nSiz
$2 = -771751932
(gdb) print *pPLCF_PosArray
$3 = 0


The memset at line 2302 tries to write 3523215364 zeros onto the heap at
the location of pPLCF_PosArray.

I don't see this exploitable beyond a DoS given the codepath here.  If
someone else could take a look and agree or disagree with me I would
appreciate it.

-- 
    JB

References:
- Flaw in OpenOffice.org 2.1: OpenOffice 2.1 is vulnerable to MS Word 0 day vulnerability!!!
  - From: gplit

Prev by Date: [ MDKSA-2006:206 ] - Updated Thunderbird packages fix multiple vulnerabilities
Next by Date: [OpenPKG-SA-2006.039] OpenPKG Security Advisory (proftpd)
Previous by thread: Re: Flaw in OpenOffice.org 2.1: OpenOffice 2.1 is vulnerable to MS Word 0 day vulnerability!!!
Next by thread: Re: Re: Flaw in OpenOffice.org 2.1: OpenOffice 2.1 is vulnerable to MS Word 0 day vulnerability!!!
Index(es):
- Date
- Thread