Discovered by Marcin ‘Icewall’ Noga of Cisco Talos

Overview

Today, Talos is releasing details of three new vulnerabilities discovered within the Apache OpenOffice application. The first vulnerability, TALOS-2017-0295, is in OpenOffice Writer; the second, TALOS-2017-0300, is in the Draw application; and the third, TALOS-2017-0301, was discovered in the Writer application. All three vulnerabilities allow arbitrary code execution.

TALOS-2017-0295 - Apache OpenOffice Remote Code Execution Vulnerability in Apache OpenOffice DOC WW8Fonts Constructor (CVE-2017-9806)

The vulnerability is in the WW8Fonts::WW8Fonts class of the OpenOffice word processor application. An attacker can build a malicious .doc (Microsoft Word Binary File Format) file with a specially crafted font. If this font is parsed by the WW8Fonts::WW8Fonts class constructor, it causes an out-of-bounds write, which leads to remote code execution.

More technical details can be found in the Talos Vulnerability Report and in the OpenOffice Advisory.

Known vulnerable versions

Apache OpenOffice 4.1.3

TALOS-2017-0300 - Apache OpenOffice PPT PPTStyleSheet Level Code Execution Vulnerability (CVE-2017-12607)

An exploitable out-of-bounds write vulnerability exists in the ‘PPTStyleSheet::PPTStyleSheet’ functionality of Apache OpenOffice. This component is part of the Draw application used to create slideshow presentations. An attacker can create a specially crafted PPT file that exploits this vulnerability, causing an out-of-bounds write and resulting in arbitrary code execution locally on the victim's machine in the context of the current user.

More technical details can be found in the Talos Vulnerability Report and in the OpenOffice Advisory.

Known vulnerable versions

Apache OpenOffice 4.1.3

TALOS-2017-0301 - Apache OpenOffice DOC ImportOldFormatStyles Code Execution Vulnerability (CVE-2017-12608)

An exploitable out-of-bounds write vulnerability exists in the ‘WW8RStyle::ImportOldFormatStyles’ functionality of Apache OpenOffice 4.1.3, specifically within the Writer application, used for document creation. A specially crafted .doc file will cause an out-of-bounds write and result in arbitrary code execution locally on the victim's machine in the context of the current user.

More technical details can be found in the Talos Vulnerability Report and in the OpenOffice Advisory.

Known vulnerable versions

Apache OpenOffice 4.1.3

Discussion

Apache OpenOffice is a popular, free and open source alternative to other office suite products. Vulnerabilities in office suite software such as word processors are very useful to attackers for client-side attacks. Attackers often send malicious documents attached to emails, exploiting such vulnerabilities to execute malicious commands when the victim is tricked into opening the file through some form of social engineering. OpenOffice is not alone with this kind of issue: similar vulnerabilities have been discovered by Talos before in other word processor applications and libraries, for example LibreOffice, or even in the font drivers in the Windows kernel.

We have monitored many campaigns using this attack vector for targeted attacks. The recently analysed attack against South Korean users is a good example. The adversaries used a vulnerability in the Hangul Word Processor (HWP) to infect their victims. This shows how important it is to keep all applications up to date, and not only the operating system. If you are an OpenOffice user, we strongly recommend that you install the necessary updates as soon as possible.

Coverage

The following Snort rules will detect exploitation attempts of these vulnerabilities. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort rules: 42008 - 42009, 42144 - 42145, 42076 - 42077.