Apache OpenOffice (AOO) Bugzilla – Issue 72614
WW8: Word exploit PoC crashes Writer
Last modified: 2013-08-07 14:42:35 UTC
This Word exploit seems to work on oowriter (the DoS part at least): http://www.milw0rm.com/exploits/2922

This is what I get when I open the corrupted file:

---start copy and paste here---
(I) x.org loaded video driver of...
(II) Loading /usr/lib/xorg/modules/drivers/nvidia_drv.so
(III) Desktop is: GNOME
(IV) libgcj version is: libgcj-4.1.1-30-i386
(V) kernel is: Linux 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:45:28 EST 2006 i686 i686 i386
(VI) OpenOffice.org core rpm version is: openoffice.org-core-2.0.4-5.5.3-i386
(VII) depth of root window: 24 planes
(VIII) accessibility is: false
(VIV) fedora release is: Fedora Core release 6 (Zod)
...start sestatus details ...
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
...end sestatus details ...
...start stackreport details ...
0x414a2f28: /usr/lib/openoffice.org2.0/program/libuno_sal.so.3 + 0x22f28
0x414a3bbb: /usr/lib/openoffice.org2.0/program/libuno_sal.so.3 + 0x23bbb
0x74b420: + 0x420 (__kernel_sigreturn + 0x0)
0x414a8932: /usr/lib/openoffice.org2.0/program/libuno_sal.so.3 + 0x28932
0x435543db: /lib/libpthread.so.0 + 0x53db
0x434ae06e: /lib/libc.so.6 + 0xcd06e (clone + 0x5e)
...end stackreport details ...
...start sample ldd details ...
linux-gate.so.1 => (0x00c9d000)
libuno_sal.so.3 => /usr/lib/openoffice.org2.0/program/libuno_sal.so.3 (0x00110000)
libuno_salhelpergcc3.so.3 => /usr/lib/openoffice.org2.0/program/libuno_salhelpergcc3.so.3 (0x00b8e000)
libstore.so.3 => /usr/lib/openoffice.org2.0/program/libstore.so.3 (0x0090e000)
libdl.so.2 => /lib/libdl.so.2 (0x002d4000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0086f000)
libstlport_gcc.so => /usr/lib/openoffice.org2.0/program/libstlport_gcc.so (0x00477000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00e96000)
libm.so.6 => /lib/libm.so.6 (0x00396000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x002d8000)
libc.so.6 => /lib/libc.so.6 (0x00cf2000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x002e4000)
/lib/ld-linux.so.2 (0x42a12000)
...end sample ldd details ...
---end copy and paste here---
I confirm a crash on OOO 2.1 Windows XP.
Created attachment 41454 [details] http://www.milw0rm.com/sploits/12122006-djtest.doc
*** Issue 72641 has been marked as a duplicate of this issue. ***
I got this kind of error message when opening it: "Main memory shortage. Please quit another applications or close some windows before continuing." and then it crashed, tried to recover it, and asked to send a report to Sun. Here's the report I got when I tried to open it in Windows XP SP2 with OOo 2.1 (from my Issue 72641):
*** Issue 72615 has been marked as a duplicate of this issue. ***
Updating summary to reflect what PoC means to prevent duplicates. James McKenzie
Confirmed that this vulnerability exists on the Mac OS X version. James McKenzie
This thread might be useful: http://www.securityfocus.com/archive/1/454545/30/0/threaded
MRU->HBRINKM: this security issue in the WW8 filter should be fixed for OO 2.2 IMO. Confirmed this issue on the 680m197 build; opening the mentioned document ends up with OO consuming a high amount of memory.
adding Caolan to CC:.
Actually I've been looking at this and have a patch, so I'll take it if that's ok. Note, not a security threat in our opinion, just a crash.
done in cmcfixes30
Is there a chance to get the patch?
Created attachment 41555 [details] patch from cws cmcfixes30
cmc->mru: http://ooo.services.openoffice.org/pub/OpenOffice.org/cws/upload/cmcfixes30 Windows will follow at that location shortly.
Verified fix in CWS cmcfixes30.
seen in master