Discovered by Marcin Noga of Cisco Talos

Overview

Cisco Talos has identified six vulnerabilities in the Antenna House Office Server Document Converter (OSDC). These vulnerabilities can be used to remotely execute code on a vulnerable system. Antenna House Office Server Document Converter is a product designed to convert Microsoft Office documents into PDF and SVG documents.

The vulnerabilities can be exploited to locally execute code, or even remotely if the product is used in batch mode by the owners. In this context, the maliciously crafted document could be automatically handled by the product, and a successful exploitation could result in full control of the vulnerable system.

The six vulnerabilities can be exploited by a specially crafted Microsoft Office document.

Details

TALOS-2018-0596 (CVE-2018-3929): Antenna House Office Server Document Converter OLEread Code Execution Vulnerability

This vulnerability is located in the conversion process of a PowerPoint (.ppt) to a PDF, JPEG, and other file formats. A specially crafted .ppt file can lead to heap corruption and remote code execution.

More details can be found in the vulnerability report:
TALOS-2018-0596

TALOS-2018-0597 (CVE-2018-3930): Antenna House Office Server Document Converter vbgetfp Code Execution vulnerability

This vulnerability is located in the conversion process of a Microsoft Word file (.doc) to a PDF, JPEG and other file formats. A specially crafted Microsoft Word file can lead to heap corruption and remote code execution.

More details can be found in the vulnerability report:
TALOS-2018-0597

TALOS-2018-0598 (CVE-2018-3931): Antenna House Office Server Document Converter putShapeProperty Code Execution Vulnerability

This vulnerability is located in the conversion process of a Microsoft Word file (.doc) to a PDF, JPEG and other file formats. A specially crafted Microsoft Word file can lead to a stack-based buffer overflow and remote code execution.

More details can be found in the vulnerability report:
TALOS-2018-0598

TALOS-2018-0599 (CVE-2018-3932): Antenna House Office Server Document Converter putlsttbl Code Execution Vulnerability

This vulnerability is located in the conversion process of a Microsoft Word file (.doc) to PDF, JPEG and other file formats. A specially crafted Microsoft Word file can lead to a stack-based buffer overflow and remote code execution.

More details can be found in the vulnerability report:
TALOS-2018-0599

TALOS-2018-0600 (CVE-2018-3933): Antenna House Office Server Document Converter vbputanld Code Execution Vulnerability

This vulnerability is located in the conversion process of a Microsoft Word file (.doc) to PDF, JPEG and other formats. A specially crafted Microsoft Word file can lead to a stack-based buffer overflow and remote code execution..

More details can be found in the vulnerability report:
TALOS-2018-0600

TALOS-2018-0603 (CVE-2018-3936): Antenna House Office Server Document Converter GetShapePropery 0x105 Code Execution Vulnerability

An exploitable out-of-bounds write exists in the Microsoft Word document conversion functionality of the Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312). A crafted Microsoft Word (DOC) document can lead to an out-of-bounds write, resulting in remote code execution. This vulnerability occurs in the `GetShapePropery` method.

More details can be found in the vulnerability report:
TALOS-2018-0603

Tested Versions:

Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312)

Coverage

The following Snort rules will detect exploitation attempts. Additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Console or Snort.org.

Snort Rules: 46843, 46844, 46845, 46946, 46768, 46769, 46761, 46762