
SSD Advisory – Apache OpenOffice Virtual Table Corruption

Vulnerabilities Summary
The following advisory discusses a vulnerability found in Apache OpenOffice. The vulnerability lies in the component responsible for parsing documents, which contains an overflow that lets attackers take control of program execution.

Vendor Response
“We obtained a CVE number for the vulnerability you reported: CVE-2018-11790.
The release will need to undergo a community vote and it is thus not completely predictable. But, based on experience from recent releases, at the stage we are in it normally takes one month before the release is made public.”

CVE
CVE-2018-11790

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems
Apache OpenOffice for Windows before version 4.1.6

Vulnerability Details
The vulnerability is in the HTML file processing. When opening a document, OpenOffice does its best to perform format sniffing: it identifies the format from the document contents rather than from the filename extension. Knowing this, an attacker can send a victim a specially crafted HTML document with any extension, for example “odt”, “rtf” or “docx”.
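Because OpenOffice trusts content over extension, an extension allow-list on a mail gateway or upload handler gives no protection against this bug. The following check, added here as an illustration and not part of the advisory, flags files whose extension promises an ODF/OOXML ZIP container or RTF but whose leading bytes read as HTML; the extension-to-container mapping and the sample inputs are constructed assumptions of this example.

```python
import re

# Assumed mapping: what container each declared extension should carry.
# ODT and DOCX are ZIP archives, RTF is a text format with a fixed header.
DECLARED_KIND = {
    "odt": "zip",
    "docx": "zip",
    "rtf": "rtf",
    "html": "html",
    "htm": "html",
}

# HTML may start with a UTF-8 BOM and whitespace before the doctype or <html>.
_HTML_RE = re.compile(rb"^(?:\xef\xbb\xbf)?\s*(?:<!doctype\s+html|<html)", re.I)


def detect_kind(data):
    """Sniff the container type from the first bytes, the way a sniffer would."""
    head = data[:1024]
    if _HTML_RE.match(head):
        return "html"
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    if head.startswith(b"{\\rtf"):
        return "rtf"
    return "unknown"


def check_file(filename, data):
    """Return (declared_kind, detected_kind, mismatch).

    mismatch is True when the extension claims a known document container
    but the content sniffs as something else (e.g. HTML inside a .odt).
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = DECLARED_KIND.get(ext, "unknown")
    detected = detect_kind(data)
    mismatch = declared != "unknown" and detected != declared
    return declared, detected, mismatch


if __name__ == "__main__":
    # Constructed sample: HTML bytes carried under a document extension.
    sample = b"\xef\xbb\xbf\n<!DOCTYPE html><html><body>x</body></html>"
    print(check_file("invoice.odt", sample))  # ('zip', 'html', True)
```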

PoC

When the following document is opened by OpenOffice, an overflow occurs which lets us overwrite RIP and the Structured Exception Handler (SEH).

*** This is a Security Bloggers Network syndicated blog from SecuriTeam Blogs authored by SSD / Ori Nimron. Read the original post at: https://blogs.securiteam.com/index.php/archives/3758
