openoffice.org: Invalid range checking in DOC header parsing leading to possible heap overflow

Bug #15461 reported by Debian Bug Importer
Affects | Status | Importance | Assigned to | Milestone
openoffice.org (Debian) | Fix Released | Unknown | | 
openoffice.org (Ubuntu) | Invalid | High | Matthias Klose | 

Bug Description

Automatically imported from Debian bug report #304469 http://bugs.debian.org/304469

CVE References

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 13 Apr 2005 14:08:39 +0200
From: Moritz Muehlenhoff <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: openoffice.org: Invalid range checking in DOC header parsing leading to possible heap overflow

Package: openoffice.org
Version: 1.1.3-8
Severity: grave
Tags: security
Justification: user security hole

Lee Xioajun <email address hidden> reported an issue with invalid input
checks in DOC header parsing, which can possibly be exploited for remote
code execution. I'm including his advisory verbatim, as I could not find a
WWW reference for it. The relevant issue #s seem to be 46276 and 46388.
It's supposed to be fixed upstream, but I couldn't find it in the plethora
of CVS modules and subprojects.

Cheers,
        Moritz

OpenOffice DOC document Heap Overflow
[Security Advisory]

Advisory:[AD_LAB-05001] OpenOffice DOC document Heap Overflow
Class: Design Error
DATE:30/3/2005
CVEID:CAN-2005-0941
Vulnerable:
    <=OpenOffice OpenOffice 1.1.4
    -OpenOffice OpenOffice 2.0dev

Not vulnerable:
 Unknown
Vendor:
  www.openoffice.org

I.DESCRIPTION:
-------------
  OpenOffice.org is an office productivity suite, including word
processing, spreadsheets, presentations, drawings, data charting,
formula editing, and file conversion facilities.
The vulnerability is caused by an error within the .DOC document header
processing. This can be exploited to cause a heap-based buffer overflow.

II.DETAILS:
----------
 There is a vulnerability in the StgCompObjStream::Load() function.
When reading the DOC document's format information, memory is allocated using a length provided by the DOC file.
The DOC file provides a 32-bit integer, and only the low 16 bits of this number are used to allocate memory,
but when reading the document information the full 32-bit number is still used as the length. This may cause a heap
overflow, and when the free happens it will cause a pointer write, possibly leading to arbitrary code execution.

BOOL StgCompObjStream::Load()
{
 memset( &aClsId, 0, sizeof( ClsId ) );
 nCbFormat = 0;
 aUserName.Erase();
 if( GetError() != SVSTREAM_OK )
  return FALSE;
 Seek( 8L );
 INT32 nMarker = 0;
 *this >> nMarker;
 if( nMarker == -1L )
 {
  *this >> aClsId;
  INT32 nLen1 = 0;
  *this >> nLen1; // we can control this 32 bits int
  sal_Char* p = new sal_Char[ (USHORT) nLen1 ]; //use low 16 bits value to allocate memory
  if( Read( p, nLen1 ) == (ULONG) nLen1 ) //still use 32 bits int as length,if failed,
       // will goto free step,maybe cause write pointer.
  {
   aUserName = String( p, gsl_getSystemTextEncoding() );
   ....
   nCbFormat = ReadClipboardFormat( *this );
  }
  else
   SetError( SVSTREAM_GENERALERROR );
        delete [] p; //free step,heap overflow cause write pointer.
 }
 return BOOL( GetError() == SVSTREAM_OK );
}
example:
 if we provide 0x10000018 as nLen1, 0x18 bytes of memory will be allocated, but
 Read( p, nLen1 ) still uses 0x10000018 as the length; the read will then fail,
 but the number of bytes read is bigger than the allocated memory and overwrites the next chunk.
When delete [] p; is reached, the pointer write happens. We have triggered this problem successfully.
 StarOffice may be affected too; not tested.

III.CREDIT:
-------...


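The advisory's defect is that the allocation uses (USHORT) nLen1 while Read() uses the full 32-bit nLen1. The following is an added example, not OpenOffice.org code: a bounds-checked walk of the same header over an in-memory buffer, with a helper that flags exactly the lengths the legacy cast would truncate. The byte layout (8 skipped bytes, int32 marker of -1, 16-byte CLSID, int32 nLen1, then nLen1 bytes of user name) and the function names are assumptions made for the example.

```cpp
// Added example, not OpenOffice code: a bounds-checked walk of the CompObj
// header layout assumed here: 8 skipped bytes, int32 marker (-1), 16-byte
// CLSID, int32 nLen1, then nLen1 bytes of user name.
#include <cstdint>
#include <string>
#include <vector>

struct CompObjHeader { std::string userName; bool ok = false; };

// Little-endian int32 at off; false when the read would run off the buffer.
static bool readI32(const std::vector<uint8_t>& buf, size_t off, int32_t& out) {
    if (off + 4 > buf.size()) return false;
    uint32_t v = 0;
    for (int i = 3; i >= 0; --i) v = (v << 8) | buf[off + i];
    out = static_cast<int32_t>(v);
    return true;
}

// True when the legacy (USHORT) cast would allocate fewer bytes than Read()
// is asked for: the exact mismatch the advisory describes.
bool lengthTruncates(int32_t nLen1) {
    return nLen1 < 0 || static_cast<uint32_t>(nLen1) != static_cast<uint16_t>(nLen1);
}

CompObjHeader loadCompObj(const std::vector<uint8_t>& buf) {
    CompObjHeader h;
    int32_t marker = 0, nLen1 = 0;
    if (!readI32(buf, 8, marker) || marker != -1) return h;
    const size_t lenOff = 8 + 4 + 16;  // past marker and CLSID
    if (!readI32(buf, lenOff, nLen1)) return h;
    // Validate before allocating: one size is used for both the buffer and
    // the copy, and it must fit in what is actually left in the stream.
    if (lengthTruncates(nLen1)) return h;
    const size_t nameOff = lenOff + 4, len = static_cast<size_t>(nLen1);
    if (len > buf.size() - nameOff) return h;
    h.userName.assign(reinterpret_cast<const char*>(buf.data() + nameOff), len);
    h.ok = true;
    return h;
}

// Builds a constructed CompObj-like buffer for testing (sample data, not a real file).
std::vector<uint8_t> makeCompObj(int32_t nLen1, const std::string& name) {
    std::vector<uint8_t> b(8, 0);
    auto put = [&](uint32_t v) { for (int i = 0; i < 4; ++i) b.push_back((v >> (8 * i)) & 0xff); };
    put(0xffffffffu);                  // marker -1
    b.insert(b.end(), 16, uint8_t{0}); // CLSID placeholder
    put(static_cast<uint32_t>(nLen1));
    b.insert(b.end(), name.begin(), name.end());
    return b;
}
```

With the advisory's value 0x10000018 the loader rejects the stream before any allocation, while a consistent length of 0x18 followed by 0x18 bytes loads normally.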
Revision history for this message
Debian Bug Importer (debzilla) wrote :

Marking as duplicate based on debbugs merge (304412,304469)

This bug has been marked as a duplicate of bug 15434.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 13 Apr 2005 14:12:24 +0100
From: Chris Halls <email address hidden>
To: <email address hidden>
Subject: merging 304412 304469

forwarded 304469 http://www.openoffice.org/issues/show_bug.cgi?id=46388
merge 304412 304469
thanks

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <20050414111657.990AC6A1FA@localhost>
Date: Thu, 14 Apr 2005 13:16:57 +0200 (CEST)
From: <email address hidden> (Rene Engelhard)
To: <email address hidden>
Subject: tagging 304412

 # fixed for sid (1.1.3-9)
tags 304412 - sid

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <20050417175353.B96C36A292@localhost>
Date: Sun, 17 Apr 2005 19:53:53 +0200 (CEST)
From: <email address hidden> (Rene Engelhard)
To: <email address hidden>
Subject: tagging 304412

 # fixed for experimental (1.1.4-2)
tags 304412 - experimental

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <20050417175406.E34D56A292@localhost>
Date: Sun, 17 Apr 2005 19:54:06 +0200 (CEST)
From: <email address hidden> (Rene Engelhard)
To: <email address hidden>
Subject: tagging 304412

 # uploaded to sid/experimental, so not "pending upload" anymore
tags 304412 - pending

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 20 Apr 2005 02:00:19 -0700
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: CAN-2005-0941: "OpenOffice DOC document Heap Overflow"

Hi all,

OOo 1.1.3-9 has been built on all architectures now, and (barring any sudden
new uploads of the package between now and dinstall) will make its way into
testing tomorrow.

Cheers,
-- 
Steve Langasek
postmodern programmer


Changed in openoffice.org:
status: Unknown → Fix Released