Vulnerability in OpenOffice allows code execution when opening a file

A vulnerability (CVE-2021-33035) has been found in the Apache OpenOffice office suite that allows code execution when a specially crafted file in DBF format is opened. The researcher who reported the problem has stated that a working exploit for the Windows platform has been created. A fix is currently available only as a patch in the project repository; it has been included in the test builds of OpenOffice 4.1.11, and no update for the stable branch has yet been produced.

The problem is caused by OpenOffice allocating memory based on the FieldLength and FieldType values in the DBF file header without checking the actual type of the data stored in the fields. For an attack, the FieldType can be declared as Integer while the field holds larger data and FieldLength is set to a value that does not match the size of an Integer, so the tail of the field data is written past the end of the allocated buffer. Using this controlled buffer overflow, the researcher was able to overwrite a function's return address and, with return-oriented programming (ROP) techniques, achieve execution of their own code.
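The defensive counterpart to the header-trust problem described above is to derive the allocation and copy size from the validated field type rather than from the header's FieldLength alone, and to reject a descriptor whose declared length contradicts its type. The following C program is an added example and is not OpenOffice's code or its actual fix; the 32-byte field-descriptor layout (11-byte name, type byte at offset 11, length at offset 16, decimal count at offset 17) follows the dBASE format, while the set of fixed-width types and the rejection policy in `expected_len` and `parse_field_desc` are assumptions made for the illustration. The descriptors it parses are constructed in memory, not read from a real file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DBF_DESC_SIZE 32   /* one field descriptor in the DBF header is 32 bytes */

typedef struct {
    char    name[12];  /* 11-byte field name plus terminator */
    char    type;      /* 'C', 'N', 'I', 'D', 'L', ... */
    uint8_t length;    /* FieldLength as declared in the header */
    uint8_t decimals;
} dbf_field;

/* Storage width that a fixed-width DBF type is allowed to declare (assumed
 * policy). Returns 0 for variable-width types such as 'C' or 'N'. */
static int expected_len(char type) {
    switch (type) {
    case 'I': return 4;  /* 32-bit little-endian integer */
    case 'L': return 1;  /* logical */
    case 'D': return 8;  /* date as YYYYMMDD text */
    case 'T': return 8;  /* datetime */
    case 'Y': return 8;  /* currency */
    default:  return 0;
    }
}

/* Parse one 32-byte descriptor. Returns 0 on success, -1 if the descriptor is
 * truncated or declares a FieldLength inconsistent with its FieldType. */
int parse_field_desc(const uint8_t *desc, size_t avail, dbf_field *out) {
    if (avail < DBF_DESC_SIZE) return -1;
    memcpy(out->name, desc, 11);
    out->name[11]  = '\0';
    out->type      = (char)desc[11];
    out->length    = desc[16];
    out->decimals  = desc[17];
    int want = expected_len(out->type);
    if (out->length == 0) return -1;
    if (want != 0 && out->length != want) return -1;  /* e.g. 'I' declared with length 64 */
    return 0;
}

/* Read an Integer field at `offset` within a record. The copy is bounded by the
 * validated type width and by the record length, never by the header alone.
 * Returns bytes consumed (4) or -1. */
int read_int_field(const dbf_field *f, const uint8_t *record, size_t record_len,
                   size_t offset, int32_t *out) {
    if (f->type != 'I' || f->length != 4) return -1;
    if (offset > record_len || record_len - offset < 4) return -1;
    uint32_t v = (uint32_t)record[offset]
               | ((uint32_t)record[offset + 1] << 8)
               | ((uint32_t)record[offset + 2] << 16)
               | ((uint32_t)record[offset + 3] << 24);
    *out = (int32_t)v;
    return 4;
}

/* Build a descriptor in memory (constructed test data, not read from a real file). */
void make_desc(uint8_t *desc, const char *name, char type, uint8_t length) {
    size_t n = strlen(name);
    if (n > 11) n = 11;
    memset(desc, 0, DBF_DESC_SIZE);
    memcpy(desc, name, n);
    desc[11] = (uint8_t)type;
    desc[16] = length;
}

/* Convenience: 1 if a descriptor with these values would be accepted, else 0. */
int accepts(const char *name, char type, uint8_t length) {
    uint8_t desc[DBF_DESC_SIZE];
    dbf_field f;
    make_desc(desc, name, type, length);
    return parse_field_desc(desc, sizeof desc, &f) == 0;
}

int main(void) {
    printf("I/4  -> %s\n", accepts("ID", 'I', 4)    ? "accepted" : "rejected");
    printf("I/64 -> %s\n", accepts("ID", 'I', 64)   ? "accepted" : "rejected");
    printf("C/20 -> %s\n", accepts("NAME", 'C', 20) ? "accepted" : "rejected");
    return 0;
}
```

The point of `read_int_field` is that the number of bytes copied comes from the type check (4 for Integer) and is additionally bounded by the record length, so a header that declares a larger FieldLength for an Integer field is rejected at parse time and can never steer the size of a later copy.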

With the ROP technique, the attacker does not try to place their own code in memory but instead reuses fragments of machine instructions already present in the loaded libraries that end with a control-transfer instruction (as a rule, the end of a library function). Exploitation comes down to building a chain of such blocks ("gadgets") to obtain the desired functionality. The gadgets in the OpenOffice exploit were taken from the libxml2 library bundled with OpenOffice, which, unlike OpenOffice itself, was built without Data Execution Prevention (DEP) and ASLR (Address Space Layout Randomization).

OpenOffice developers were notified of the issue on May 4, after which public disclosure was scheduled for August 30. Since no update for the stable branch had been produced by that date, the researcher moved the disclosure of details to September 18, but the OpenOffice developers did not manage to produce release 4.1.11 by that deadline either. Notably, the same study found a similar vulnerability in the DBF support code of Microsoft Office Access (CVE-2021-38646), the details of which will be disclosed later. No problems were found in LibreOffice.

/Media reports.