Talos Vulnerability Report

TALOS-2016-0051

OpenOffice Impress MetaActions Arbitrary Read Write Vulnerability

July 21, 2016
CVE Number

CVE-2016-1513

Description

An exploitable out-of-bounds vulnerability exists in OpenOffice when handling MetaActions. A specially crafted Open Office Impress file can cause an out-of-bounds read/write resulting in potential code execution. An attacker can provide the malicious file to trigger this vulnerability.

Tested Versions

Apache Open Office 4.1.1

Product URLs

http://openoffice.apache.org

Details

In the attached sample, an out-of-bounds access occurs when replacing a Polygon in the PolyPolygon object while performing a MetaPolyPolygonAction. In this case the position in the array is 512, while the array containing Polygons (mpPolyAry) has only 2 entries. This results in a delete of a pointer that is read out of bounds at line 228 of file main\tools\source\generic\poly2.cxx, followed at line 229 by an out-of-bounds write of a new pointer obtained by creating a new Polygon at that position. This gives an attacker multiple avenues to exploit the vulnerability: through a free of an invalid pointer, and, should that fail, the out-of-bounds write of a new pointer provides a second opportunity.

Below are lines 217-230 of main\tools\source\generic\poly2.cxx:

    void PolyPolygon::Replace( const Polygon& rPoly, sal_uInt16 nPos )
    {
        DBGCHKTHIS( PolyPolygon, NULL );
        // Debug-only check: compiled out in release builds
        DBG_ASSERT( nPos < Count(), "PolyPolygon::Replace(): nPos >= nSize" );
        if ( mpImplPolyPolygon->mnRefCount > 1 )
        {
            mpImplPolyPolygon->mnRefCount--;
            mpImplPolyPolygon = new ImplPolyPolygon( *mpImplPolyPolygon );
        }
        delete mpImplPolyPolygon->mpPolyAry[nPos];                  // line 228: out-of-bounds read of the pointer
        mpImplPolyPolygon->mpPolyAry[nPos] = new Polygon( rPoly );  // line 229: out-of-bounds write of a new pointer
    }

While there is a check at line 220 to ensure that nPos is smaller than the array size, it is simply an assert that is only enabled in debug builds.

The value is read from the sample file in the function MetaPolyPolygonAction::Read in the file main\vcl\source\gdi\metaact.cxx at line 1189:

    rIStm >> nNumberOfComplexPolygons;
    for ( i = 0; i < nNumberOfComplexPolygons; i++ )
    {
        rIStm >> nIndex;               // index taken directly from the file
        Polygon aPoly;
        aPoly.Read( rIStm );
        maPolyPoly.Replace( aPoly, nIndex );  // passed through without a bounds check
    }
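The two excerpts above (PolyPolygon::Replace with its debug-only assert, and the MetaPolyPolygonAction::Read loop that feeds it a file-controlled index) can be modelled in a few dozen lines. The following is an added example written for this advisory, not Apache OpenOffice code: SafePolyPolygon, ByteStream, readPolyPolygonAction and the sample byte arrays are hypothetical stand-ins for the real classes and for SvStream. It places the assert-only form of Replace beside a hardened form that enforces the bound at runtime and reports failure to the caller, and it parses a constructed action record in which nIndex is 512 against a 2-entry array, exactly the condition described in the Details section, to show the malformed record being rejected instead of reaching the delete/new pair.

```cpp
// Added example, not Apache OpenOffice code. Models the Replace/Read pattern
// from TALOS-2016-0051 with a runtime bound check in place of DBG_ASSERT.
#include <cassert>
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Stand-in for tools' Polygon: an id makes replacements observable.
struct Polygon {
    int id;
    explicit Polygon(int i) : id(i) {}
};

// Hypothetical stand-in for PolyPolygon; mpPolyAry keeps the original's name.
class SafePolyPolygon {
    std::vector<std::unique_ptr<Polygon>> mpPolyAry;
public:
    explicit SafePolyPolygon(uint16_t n) {
        for (uint16_t i = 0; i < n; ++i)
            mpPolyAry.push_back(std::unique_ptr<Polygon>(new Polygon(i)));
    }
    uint16_t Count() const { return static_cast<uint16_t>(mpPolyAry.size()); }

    // Vulnerable shape: the assert disappears under NDEBUG, leaving an
    // unchecked index into mpPolyAry. Never call with nPos >= Count().
    void ReplaceUnchecked(const Polygon& rPoly, uint16_t nPos) {
        assert(nPos < Count() && "PolyPolygon::Replace(): nPos >= nSize");
        mpPolyAry[nPos].reset(new Polygon(rPoly.id));
    }

    // Hardened form: the bound is checked on every build and the caller
    // learns whether the replacement was performed.
    bool Replace(const Polygon& rPoly, uint16_t nPos) {
        if (nPos >= Count())
            return false;  // out-of-range index from untrusted input
        mpPolyAry[nPos].reset(new Polygon(rPoly.id));
        return true;
    }
    int idAt(uint16_t nPos) const { return mpPolyAry.at(nPos)->id; }
};

// Minimal little-endian reader standing in for SvStream's operator>>.
class ByteStream {
    const uint8_t* p; size_t n; size_t pos = 0;
public:
    ByteStream(const uint8_t* data, size_t len) : p(data), n(len) {}
    bool readU16(uint16_t& out) {
        if (n - pos < 2) return false;  // truncated record
        out = static_cast<uint16_t>(p[pos] | (p[pos + 1] << 8));
        pos += 2;
        return true;
    }
};

// Models the loop at metaact.cxx:1189 with nIndex validated before use.
// Returns the number of polygons replaced, or -1 if the stream is truncated
// or any nIndex lies outside the PolyPolygon.
int readPolyPolygonAction(ByteStream& rIStm, SafePolyPolygon& maPolyPoly) {
    uint16_t nNumberOfComplexPolygons = 0;
    if (!rIStm.readU16(nNumberOfComplexPolygons)) return -1;
    int replaced = 0;
    for (uint16_t i = 0; i < nNumberOfComplexPolygons; ++i) {
        uint16_t nIndex = 0, polyId = 0;
        if (!rIStm.readU16(nIndex) || !rIStm.readU16(polyId)) return -1;
        Polygon aPoly(polyId);  // stands in for aPoly.Read(rIStm)
        if (!maPolyPoly.Replace(aPoly, nIndex)) return -1;  // rejected here
        ++replaced;
    }
    return replaced;
}

// Constructed sample records (not from the advisory's sample file):
// count=1, index=1, id=42     and     count=1, index=512 (0x0200), id=42.
static const uint8_t kGoodAction[]     = {0x01, 0x00, 0x01, 0x00, 0x2A, 0x00};
static const uint8_t kBadIndexAction[] = {0x01, 0x00, 0x00, 0x02, 0x2A, 0x00};

// Parses the well-formed record into a 2-entry array; returns 1 on success.
int runGood() {
    SafePolyPolygon pp(2);
    ByteStream s(kGoodAction, sizeof kGoodAction);
    int r = readPolyPolygonAction(s, pp);
    return (r == 1 && pp.idAt(1) == 42) ? 1 : 0;
}

// Parses the index-512 record into a 2-entry array; returns -1 (rejected).
int runBad() {
    SafePolyPolygon pp(2);
    ByteStream s(kBadIndexAction, sizeof kBadIndexAction);
    return readPolyPolygonAction(s, pp);
}

int main() {
    std::printf("good record: %d, bad record: %d\n", runGood(), runBad());
    return 0;
}
```

The hardened Replace returns a status rather than silently skipping the write, so the reader can abort the whole action on the first bad index; a parser that swallows the error and continues would still leave the document in a partially applied state. The same runtime check belongs on every other MetaAction that indexes into a fixed-size container with a value taken from the stream.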

Here is the call stack when the problem occurs:

00afe04c 68c2109f tl!Polygon::~Polygon+0x48 [d:\aoo\main\tools\source\generic\poly.cxx @ 667]
00afe058 68c2cb8b tl!Polygon::`scalar deleting destructor'+0xf
00afe0b0 67b3be7e tl!PolyPolygon::Replace+0x10b [d:\aoo\main\tools\source\generic\poly2.cxx @ 228]
00afe0f4 67b374ac vcl!MetaPolyPolygonAction::Read+0xce [d:\aoo\main\vcl\source\gdi\metaact.cxx @ 1193]
00afe3c0 67aee49d vcl!MetaAction::ReadMetaAction+0x144c [d:\aoo\main\vcl\source\gdi\metaact.cxx @ 247]
00afe43c 67b1944d vcl!operator>>+0x19d [d:\aoo\main\vcl\source\gdi\gdimtf.cxx @ 2918]
00afe804 67afc9fb vcl!operator>>+0x4ad [d:\aoo\main\vcl\source\gdi\impgraph.cxx @ 1826]
00afe814 66e97234 vcl!operator>>+0x1b [d:\aoo\main\vcl\source\gdi\graph.cxx @ 818]
00afebcc 665dde56 svt!GraphicFilter::ImportGraphic+0x9b4 [d:\aoo\main\svtools\source\filter\filter.cxx @ 1637]
00afecb4 665dd95f svxcore!SdrGrafObj::ImpSwapHdl+0x4e6 [d:\aoo\main\svx\source\svdraw\svdograf.cxx @ 1557]
00afecc0 68bceb64 svxcore!SdrGrafObj::LinkStubImpSwapHdl+0xf [d:\aoo\main\svx\source\svdraw\svdograf.cxx @ 1481]
00afecd8 66ef08f8 tl!Link::Call+0x24 [d:\aoo\main\solver\411\wntmsci12\inc\tools\link.hxx @ 135]
00afecec 66eef8aa svt!GraphicObject::GetSwapStream+0x28 [d:\aoo\main\svtools\source\graphic\grfmgr.cxx @ 480]
00afed44 66ef105f svt!GraphicObject::ImplAutoSwapIn+0xca [d:\aoo\main\svtools\source\graphic\grfmgr.cxx @ 264]
00afed50 665da3fa svt!GraphicObject::FireSwapInRequest+0xf [d:\aoo\main\svtools\source\graphic\grfmgr.cxx @ 598]
00afed80 664b6b70 svxcore!SdrGrafObj::ForceSwapIn+0x10a [d:\aoo\main\svx\source\svdraw\svdograf.cxx @ 706]
00afed94 664b67e2 svxcore!sdr::contact::ViewObjectContactOfGraphic::doAsynchGraphicLoading+0x50 [d:\aoo\main\svx\source\sdr\contact\viewobjectcontactofgraphic.cxx @ 218]
00afeda0 664c0449 svxcore!sdr::event::AsynchGraphicLoadingEvent::ExecuteEvent+0x12 [d:\aoo\main\svx\source\sdr\contact\viewobjectcontactofgraphic.cxx @ 72]
00afedbc 664c0688 svxcore!sdr::event::EventHandler::ExecuteEvents+0x29 [d:\aoo\main\svx\source\sdr\event\eventhandler.cxx @ 114]
00afedc8 679bc1f1 svxcore!sdr::event::TimerEventHandler::Timeout+0x18 [d:\aoo\main\svx\source\sdr\event\eventhandler.cxx @ 147]
00afedf4 6790c1a8 vcl!Timer::ImplTimerCallbackProc+0xd1 [d:\aoo\main\vcl\source\app\timer.cxx @ 142]
00afee00 6790c0a9 vcl!SalTimer::CallCallback+0x18 [d:\aoo\main\vcl\inc\saltimer.hxx @ 62]
00afee48 67905335 vcl!SalTimerProc+0xe9 [d:\aoo\main\vcl\win\source\app\saltimer.cxx @ 129]
00afee84 67905621 vcl!SalComWndProc+0x275 [d:\aoo\main\vcl\win\source\app\salinst.cxx @ 837]
00afeed4 75ddc4e7 vcl!SalComWndProcW+0x61 [d:\aoo\main\vcl\win\source\app\salinst.cxx @ 885]
00afef00 75ddc5e7 USER32!InternalCallWinProc+0x23
00afef78 75ddcc19 USER32!UserCallWinProcCheckWow+0x14b
00afefd8 75ddcc70 USER32!DispatchMessageWorker+0x35e
00afefe8 678ec7ed USER32!DispatchMessageW+0xf
00afeff4 67904f35 vcl!ImplDispatchMessage+0xd [d:\aoo\main\vcl\win\source\app\saldata.cxx @ 163]
00aff008 67904e4d vcl!ImplSalDispatchMessage+0x35 [d:\aoo\main\vcl\win\source\app\salinst.cxx @ 663]
00aff038 67905050 vcl!ImplSalYield+0x5d [d:\aoo\main\vcl\win\source\app\salinst.cxx @ 683]
00aff060 679ab4ce vcl!WinSalInstance::Yield+0xe0 [d:\aoo\main\vcl\win\source\app\salinst.cxx @ 745]
00aff078 679ab59f vcl!ImplYield+0x8e [d:\aoo\main\vcl\source\app\svapp.cxx @ 477]
00aff088 679ab3f1 vcl!Application::Yield+0xf [d:\aoo\main\vcl\source\app\svapp.cxx @ 510]
00aff098 69b9bade vcl!Application::Execute+0x31 [d:\aoo\main\vcl\source\app\svapp.cxx @ 453]
00aff734 679b9866 sofficeapp!desktop::Desktop::Main+0x2c8e [d:\aoo\main\desktop\source\app\app.cxx @ 2234]
00aff768 679b9a13 vcl!ImplSVMain+0xa6 [d:\aoo\main\vcl\source\app\svmain.cxx @ 197]
00aff774 69be162a vcl!SVMain+0x23 [d:\aoo\main\vcl\source\app\svmain.cxx @ 238]
00aff7dc 01361098 sofficeapp!sofficemain+0xea [d:\aoo\main\desktop\source\app\sofficemain.cxx @ 47]
00aff7e4 01361039 soffice!salmain+0x8 [d:\aoo\main\desktop\source\app\main.c @ 32]
00aff7f0 01361078 soffice!main+0x19 [d:\aoo\main\desktop\source\app\main.c @ 30]
00aff808 0136125c soffice!WinMain+0x28 [d:\aoo\main\desktop\source\app\main.c @ 30]
00aff898 7622ee1c soffice!tmainCRTStartup+0x140 [f:\dd\vctools\crtbld\selfx86\crt\src\crtexe.c @ 578]
00aff8a4 775437eb kernel32!BaseThreadInitThunk+0xe
00aff8e4 775437be ntdll!RtlUserThreadStart+0x70
00aff8fc 00000000 ntdll!_RtlUserThreadStart+0x1b

Timeline

2015-10-08 - Initial Vendor Contact
2016-10-30 - Second Vendor Contact
2016-01-13 - Vendor review and communication
2016-07-21 - Patch released

Credit

Discovered by Yves Younan and Richard Johnson of Cisco Talos.