Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

OpenOffice Vulnerability Exposes Users to Code Execution Attacks

A buffer overflow vulnerability in Apache OpenOffice could be exploited to execute arbitrary code on target machines using malicious documents.

A buffer overflow vulnerability in Apache OpenOffice could be exploited to execute arbitrary code on target machines using malicious documents.

Tracked as CVE-2021-33035 and discovered by security researcher Eugene Lim, the bug affects OpenOffice versions up to 4.1.10, with patches deployed in the 4.1.11 beta only, meaning that most installations out there are likely vulnerable.

The issue was identified while researching for potential security holes in software that parses the .dbf file format, explains Lim, a white hat hacker and researcher with the GovTech Singapore Cyber Security Group.

As part of his work, Lim came up with a dumb fuzzing template that would trigger the bug on a target machine and tested it on several DBF processors, which helped him discover two vulnerabilities, namely CVE-2021–35297 in Scalabium dBase Viewer and CVE-2021–33035 in Apache OpenOffice, an open source office suite with hundreds of millions of downloads.

The identified issue is a buffer overflow that basically exists because the buffer size of a DBF file is determined either by the fieldLength or the fieldType in the header. Thus, if one is trusted when allocating the buffer and the other one when copying into that buffer, an overflow could be triggered.

With that in mind, the researcher was able to use his dumb fuzzing template to trigger a crash but, because OpenOffice has protections such as address space layout randomization (ASLR) and Data Execution Prevention (DEP), a bypass of these was also needed for a return-oriented programming (ROP) chain.

Further analysis revealed that the libxml2 module in the office suite wasn’t compiled with DEP or ASLR protections, and the researcher was eventually able to exploit the vulnerability using a specially crafted .dbf file.

Although OpenOffice is an open-source application, meaning that it is likely scanned by numerous code analyzers, the issue was not identified because scanners such as LGTM were looking for Python and JavaScript code in the suite, but not for C++ code, where the bug resides.

Advertisement. Scroll to continue reading.

“This demonstrates the importance of sanity-checking automated static analysis tools; if your tools don’t know the code exists, it can’t find those vulnerabilities,” Lim points out.

The security researcher reported the vulnerability in May and Apache updated OpenOffice’s source code on GitHub, but has yet to make the patches available in a stable release. The researcher, who agreed to an August 30 public disclosure, published details on the bug on September 18, after presenting it at HackerOne’s Hacktivity online conference.

The bug in Scalabium dBase viewer was addressed in June, two days after it was reported.

Related: Potential RCE Flaw Patched in PyPI’s GitHub Repository

Related: Third-Party Patch Released for Code Execution Flaw in OpenOffice

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.