This vulnerability was discovered by Richard Johnson and Yves Younan of Cisco Talos.

Talos is releasing an advisory for a vulnerability in OpenOffice Impress. (TALOS-2016-0051/CVE-2016-1513). Talos has discovered an exploitable out-of-bounds vulnerability which exists in OpenOffice when handling MetaActions. A specially crafted OpenDocument Presentation .ODP or Presentation Template .OTP file can cause an out-of-bounds read/write resulting in denial-of-service (memory corruption and application crash) and possible execution of arbitrary code.

Overview

OpenOffice is an open-source office software suite for word processing, spreadsheets, presentations, graphics, databases and other office functions. It works on various operating systems and is available in a host of languages. It uses an international open standard format for the common file types and can also read and write files from other common office software packages, such as Microsoft Office. It’s flexibility and open source nature has led to wide adoption.

OpenOffice currently reports a user base of over 84 million, over 125 million downloads, 87% of which runs Microsoft Windows. An attacker could trigger this vulnerability by enticing an end user to open a malicious file specially crafted to exploit this vulnerability. This could be accomplished by directing a user to open a file hosted on a web server, sent as an attachment in a phishing email, or any other means that could be used to convince a user to open the malicious file.

Details In the attached sample the out of bounds vulnerability occurs when replacing a Polygon in the PolyPolygon object when performing a MetaPolyPolygonAction. In this case, the position in the array is 512, while the array containing Polygons (mpPolyAry) is only 2 in size. This will result in the deletion of a pointer which is read out of bounds at line 228 of file main\tools\source\generic\poly2.cxx. This will be immediately followed by an out-of-bounds write, writing a new pointer which is obtained by creating a new Polygon at that location. This provides an attacker with multiple ways to exploit this vulnerability: through a free of an invalid pointer, but if that fails, the writing of a new pointer out of bounds could provide a second opportunity for exploitation. Below are line 217-230 of main\tools\source\generic\poly2.cxx:


While there is a check to ensure that npos is smaller than the array size, at line 220, it is simply an assert that is only enabled in debug mode.

The value is read from the sample file in the function MetaPolyPolygonAction::Read in the file main\vcl\source\gdi\metaact.cxx at line 1189:

Here is the call stack when the problem occurs:

Conclusion

Finding and responsibly disclosing zero-day vulnerabilities helps improve the overall security of the software people use on a day-to-day basis. Talos is committed to this effort by developing programmatic ways to identify vulnerabilities that could be otherwise exploited by malicious adversaries. This helps secure the platforms and software customers use and also helps provide insight into how Cisco can improve its own processes to develop better, more secure products.

In addition, Talos has released rules that detect attempts to exploit this vulnerability to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Snort Rules:35828-35829.

For further zero day or vulnerability reports and information visit:
http://www.talosintelligence.com/vulnerability-reports/