OpenOffice畸形Word文件整数溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1192444 漏洞类型 缓冲区溢出
发布时间 2006-12-18 更新时间 2006-12-19
CVE编号 CVE-2006-6628 CNNVD-ID CNNVD-200612-384
漏洞平台 N/A CVSS评分 4.3
|漏洞来源
https://cxsecurity.com/issue/WLB-2006120111
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-384
|漏洞详情
OpenOffice(OOo)是美国阿帕奇(Apache)软件基金会的一款开源的办公软件套件。该套件包含文本文档、电子表格、演示文稿、绘图、数据库等。OpenOffice.org(OOo)2.1版本中存在整数溢出漏洞。通过特制的DOC文件,用户协助的远程攻击者利用该漏洞导致拒绝服务(应用程序崩溃)。
|漏洞EXP
> try yourself with OpenOffice.org 2.1:
> http://www.milw0rm.com/sploits/12122006-djtest.doc

This looks like it's an integer overflow that's then crashing on when
memset tries to write lots of zeros onto the heap.

Breakpoint 2, WW8PLCF::GeneratePLCF (this=0xb12a36e8, pSt=0xabae6cc8,
nPN=0, ncpN=587202560)
    at /usr/src/debug/OOD680_m5/sw/source/filter/ww8/ww8scan.cxx:2299
2299        nIMax = ncpN;
Current language:  auto; currently c++
(gdb) list
2294
2295    void WW8PLCF::GeneratePLCF( SvStream* pSt, long nPN, long ncpN )
2296    {
2297        ASSERT(!this, "Not a bug, but I (cmc) want to see this .doc as
an example");
2298        ASSERT( nIMax < (long)ncpN, "Pcl.Fkp: Warum ist PLCF zu gross
?" );

2299        nIMax = ncpN;
2300        long nSiz = 6 * nIMax + 4;
2301        pPLCF_PosArray = new INT32[ ( nSiz + 3 ) / 4 ]; // Pointer auf
Pos-Array
2302        memset( pPLCF_PosArray, 0, (size_t)nSiz );

(gdb) print ncpN
$1 = 587202560
(gdb) print nSiz
$2 = -771751932
(gdb) print *pPLCF_PosArray
$3 = 0

The memset at line 2302 tries to write 3523215364 zeros onto the heap at
the location of pPLCF_PosArray.

I don't see this exploitable beyond a DoS given the codepath here.  If
someone else could take a look and agree or disagree with me I would
appreciate it.

-- 
    JB
|参考资料

来源:BID
名称:21618
链接:http://www.securityfocus.com/bid/21618
来源:BUGTRAQ
名称:20061215Re:FlawinOpenOffice.org2.1:OpenOffice2.1isvulnerabletoMSWord0dayvulnerability!!!
链接:http://www.securityfocus.com/archive/1/archive/1/454545/100/0/threaded
来源:BUGTRAQ
名称:20061215FlawinOpenOffice.org2.1:OpenOffice2.1isvulnerabletoMSWord0dayvulnerability!!!
链接:http://www.securityfocus.com/archive/1/archive/1/454514/100/0/threaded
来源:MISC
链接:http://www.milw0rm.com/sploits/12122006-djtest.doc
来源:MILW0RM
名称:2922
链接:http://www.milw0rm.com/exploits/2922
来源:BUGTRAQ
名称:20061218Re:FlawinOpenOffice.org2.1:OpenOffice2.1isvulnerabletoMSWord0dayvulnerability!!!
链接:http://www.securityfocus.com/archive/1/archive/1/454737/100/0/threaded
来源:BUGTRAQ
名称:20061217Re:FlawinOpenOffice.org2.1:OpenOffice2.1isvulnerabletoMSWord0dayvulnerability!!!
链接:http://www.securityfocus.com/archive/1/archive/1/454722/100/0/threaded
来源:VUPEN
名称:ADV-2006-5051
链接:http://www.frsirt.com/english/advisories/2006/5051
来源:SREASON
名称:2043
链接:http://securi