A critical vulnerability was discovered in Apache OpenOffice

A few days ago a vulnerability in the Apache OpenOffice office suite was disclosed. The bug, tracked as CVE-2021-33035, allows code execution when a specially crafted file in DBF format is opened.

The problem arises because OpenOffice relies on the fieldLength and fieldType values in the DBF file header to allocate memory, without checking them against the data actually present in the fields.

About the vulnerability

To perform an attack, a file can declare the INTEGER type in fieldType while setting a fieldLength that does not correspond to the INTEGER data size and supplying more data than that size holds; the remainder of the field data is then written past the end of the allocated buffer.

As a result of this controlled buffer overflow, the researcher was able to overwrite the function's return address and, using Return Oriented Programming (ROP) techniques, achieve execution of his own code.

One piece of advice I received early in my vulnerability research journey was to focus on one file format rather than a specific piece of software. There are two main advantages to this approach. First, as a beginner, you lack the experience to quickly identify unique attack vectors in individual applications, while file format analysis tends to be a common entry point across many applications.

Additionally, common file formats are well documented in Requests for Comments (RFCs) or open source code, reducing the effort required to reverse engineer the format.

When using the ROP technique, the attacker does not try to place his own code in memory, but instead operates on fragments of machine instructions that are already present in the loaded libraries, each ending with a control-transfer instruction (as a rule, the return instruction at the end of a library function).

The work of the exploit comes down to building a chain of calls to such blocks ("gadgets") to obtain the required functionality.

As gadgets, the exploit for OpenOffice is reported to use code from the libxml2 library bundled with OpenOffice, which, unlike OpenOffice itself, turned out to have been built without the DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) protection mechanisms.

OpenOffice developers were notified of the problem on May 4, after which public disclosure of the vulnerability was scheduled for August 30.

Since the stable branch was not updated by the planned date, the researcher postponed the release of details until September 18, but the OpenOffice developers did not manage to build version 4.1.11 by then either. It should be noted that in the course of the same study, a similar vulnerability was found in the DBF support code of Microsoft Office Access (CVE-2021-38646), the details of which will be disclosed later. No problems were found in LibreOffice.

The file format documentation for dBase was relatively easy to find; Wikipedia has a simple description of version 5 of the format, and dBase LLC also provides an updated specification. The Library of Congress maintains an extensive catalog of file formats, including DBF. The many versions and extensions of the DBF format give programmers ample opportunity to introduce parsing vulnerabilities.

The DBF format consists of two main sections: the header and the body. The header begins with a prefix that describes the dBase version, the last-update timestamp, and other metadata. More importantly, it specifies the length of each record in the database, the length of the header structure, the number of records, and the data fields that make up a record.
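As an added example (not code from the article or from the OpenOffice project), the following Python parser reads the DBF header layout just described and applies the consistency check the article says OpenOffice lacked: it refuses to trust fieldLength when it contradicts the declared fieldType (for instance an INTEGER field that is not 4 bytes) or the record length stated in the prefix. The field sizes and byte offsets follow the public dBase specification; the sample headers are constructed inline and the helper build_dbf_header is my own, not part of any DBF library.

```python
import struct

# Fixed on-disk sizes (bytes) of the fixed-width dBase/FoxPro field types,
# taken from the public DBF specifications. 'I' is the 4-byte Integer type
# the vulnerability description refers to.
FIXED_FIELD_SIZES = {
    b"I": 4,  # Integer
    b"D": 8,  # Date, stored as YYYYMMDD text
    b"L": 1,  # Logical
    b"T": 8,  # DateTime
}

HEADER_PREFIX_LEN = 32      # fixed prefix before the field descriptors
FIELD_DESCRIPTOR_LEN = 32   # each field descriptor is 32 bytes
FIELD_TERMINATOR = b"\x0d"  # marks the end of the descriptor array


def parse_dbf_header(data):
    """Parse the prefix and the field descriptors; return (meta, fields).

    Only the header is read here; nothing is allocated from its values."""
    if len(data) < HEADER_PREFIX_LEN:
        raise ValueError("truncated header prefix")
    (version, _yy, _mm, _dd, num_records,
     header_len, record_len) = struct.unpack_from("<BBBBIHH", data, 0)
    fields = []
    offset = HEADER_PREFIX_LEN
    while True:
        if data[offset:offset + 1] == FIELD_TERMINATOR:
            offset += 1
            break
        if offset + FIELD_DESCRIPTOR_LEN > len(data):
            raise ValueError("truncated or unterminated field descriptors")
        desc = data[offset:offset + FIELD_DESCRIPTOR_LEN]
        fields.append({
            "name": desc[:11].split(b"\x00", 1)[0].decode("ascii", "replace"),
            "type": desc[11:12],   # fieldType
            "length": desc[16],    # fieldLength
            "decimals": desc[17],
        })
        offset += FIELD_DESCRIPTOR_LEN
    meta = {"version": version, "num_records": num_records,
            "header_len": header_len, "record_len": record_len,
            "parsed_header_len": offset}
    return meta, fields


def validate_dbf_header(data):
    """Return a list of inconsistencies; an empty list means the header is
    self-consistent and fieldLength may be used for buffer sizing."""
    meta, fields = parse_dbf_header(data)
    problems = []
    for f in fields:
        expected = FIXED_FIELD_SIZES.get(f["type"])
        if expected is not None and f["length"] != expected:
            problems.append("field %r: fieldType %r is %d bytes but fieldLength is %d"
                            % (f["name"], f["type"], expected, f["length"]))
    # Every record is a 1-byte deletion flag followed by the fields in order.
    computed_record_len = 1 + sum(f["length"] for f in fields)
    if computed_record_len != meta["record_len"]:
        problems.append("record length %d in prefix does not match %d computed from fields"
                        % (meta["record_len"], computed_record_len))
    if meta["header_len"] != meta["parsed_header_len"]:
        problems.append("header length %d in prefix does not match %d bytes actually parsed"
                        % (meta["header_len"], meta["parsed_header_len"]))
    return problems


def build_dbf_header(fields, record_len=None, header_len=None):
    """Helper of mine to build a minimal dBase III header from
    (name, type, length) triples; used only to construct sample inputs."""
    descs = b"".join(
        name.ljust(11, b"\x00") + ftype + b"\x00" * 4 + bytes([length, 0]) + b"\x00" * 14
        for name, ftype, length in fields)
    body = descs + FIELD_TERMINATOR
    if record_len is None:
        record_len = 1 + sum(length for _, _, length in fields)
    if header_len is None:
        header_len = HEADER_PREFIX_LEN + len(body)
    prefix = struct.pack("<BBBBIHH", 0x03, 21, 9, 18, 0, header_len, record_len)
    return prefix + b"\x00" * (HEADER_PREFIX_LEN - len(prefix)) + body


# Constructed sample headers (not files from the advisory).
GOOD_HEADER = build_dbf_header([(b"ID", b"I", 4), (b"NAME", b"C", 20)])
# An INTEGER field whose fieldLength is far larger than 4 bytes, the mismatch
# the article describes; record and header lengths are kept consistent so
# that only the type/length check catches it.
BAD_TYPE_HEADER = build_dbf_header([(b"ID", b"I", 200), (b"NAME", b"C", 20)])
# Prefix record length smaller than the fields it must hold.
BAD_RECLEN_HEADER = build_dbf_header([(b"ID", b"I", 4)], record_len=2)

if __name__ == "__main__":
    for label, hdr in [("good", GOOD_HEADER), ("bad type", BAD_TYPE_HEADER),
                       ("bad reclen", BAD_RECLEN_HEADER)]:
        print(label, validate_dbf_header(hdr) or "ok")
```

The point of the check is that a reader of untrusted DBF data has three independent statements about field width (fieldType, fieldLength, and the prefix record length) and must verify they agree before any of them drives an allocation or a copy; a header that fails validate_dbf_header should be rejected outright rather than "repaired".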

The researcher who identified the problem reports having built a working exploit for the Windows platform. The fix for the vulnerability is so far only available as a patch in the project repository, which is included in the OpenOffice 4.1.11 test builds.

Finally, if you are interested in learning more, you can consult the original note at the following link.



  1. Diego Vallejo said

    Is OpenOffice still used in 2021?
    Haven't you heard that there is LibreOffice.org with support?

  2. Paul Cormier CEO Red Hat, Inc. said

    Are there people today who use that zombie called OpenOffice?