Vigil@nce: OpenOffice, memory corruption on 64-bit
August 2008 by Vigil@nce
An attacker can create a malicious document leading to code
execution on a 64-bit platform.
– Gravity: 2/4
– Consequences: user access/rights
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: medium (2/3)
– Creation date: 28/08/2008
– Identifier: VIGILANCE-VUL-8068
IMPACTED PRODUCTS
– Microsoft Windows - platform
– Red Hat Enterprise Linux [confidential versions]
– Unix - platform
DESCRIPTION
The sal/rtl/source/alloc_global.c file of the OpenOffice suite
implements a memory allocation handler.
The rtl_allocateMemory() function uses an internal variable of
type "int" as an array index. However, on a 64-bit platform, if
the OpenOffice file contains a value greater than 2^32, such as
0x1F2345678, the variable is truncated and becomes negative
(0xF2345678). The array index is thus invalid, and using it
corrupts memory.
An attacker can therefore create a malicious OpenOffice document
leading to code execution on a 64-bit platform.
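The truncation described above, as an added example (not OpenOffice code and not taken from the advisory): a simplified C model showing the sample value becoming a negative index, passing an upper-bound-only check, and being rejected when the comparison is done at full width. TABLE_SLOTS, table, narrow_index, weak_check and safe_lookup are hypothetical names, and the upper-bound-only check is an assumed pattern used for illustration.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SLOTS 256            /* hypothetical table size */
static int table[TABLE_SLOTS];     /* stands in for the indexed array */

/* The narrowing the advisory describes: a value wider than 32 bits
 * stored in an "int". Mainstream compilers keep the low 32 bits. */
int narrow_index(uint64_t value)
{
    return (int)(uint32_t)value;
}

/* Assumed weak pattern: only an upper bound is tested on the signed
 * index. Returns 1 when the index would be accepted and used. */
int weak_check(uint64_t value)
{
    int index = narrow_index(value);
    return index < TABLE_SLOTS;
}

/* Hardened pattern: compare at full width, unsigned, before any
 * narrowing. Returns the slot, or NULL when out of range. */
int *safe_lookup(uint64_t value)
{
    if (value >= (uint64_t)TABLE_SLOTS)
        return NULL;
    return &table[(size_t)value];
}

int main(void)
{
    uint64_t v = UINT64_C(0x1F2345678);   /* sample value from the advisory */
    printf("narrowed index: %d (0x%08" PRIX32 ")\n",
           narrow_index(v), (uint32_t)narrow_index(v));
    printf("weak check accepts: %d\n", weak_check(v));
    printf("safe lookup: %s\n", safe_lookup(v) ? "slot" : "rejected");
    return 0;
}
```

Building with -Wconversion (GCC/Clang) flags implicit 64-to-32-bit narrowing of this kind at compile time.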
CHARACTERISTICS
– Identifiers: 458056, 92217, BID-30866, CVE-2008-3282,
RHSA-2008:0835-01, VIGILANCE-VUL-8068
– Url: https://vigilance.aql.fr/tree/1/8068