
Apache OpenOffice is currently vulnerable to a remote code execution flaw. The app’s source code has been patched but the fix is only available as beta software, awaiting the official release.

That means that people running the open-source office suite, which has been downloaded hundreds of millions of times and was last updated in May, are exposed.

On September 18th, a security researcher by the name of Eugene Lim detailed the vulnerability tracked as CVE-2021-33035. Lim did this at the HackerOne Hacktivity online conference after an August 30 public disclosure date came and went with no fix deployed.

Lim explains

Lim is known online as spaceraccoon and is a vulnerability researcher at GovTech Singapore Cyber Security Group. He explained that the flaw is a buffer overflow triggered by a crafted .dbf file that overwrites a return pointer; combined with a DEP (data execution prevention) and ASLR (address space layout randomization) bypass, it lets an attacker execute arbitrary commands.

A malicious file opened by the software is capable of deploying malware on the machine.

Lim discovered the flaw after examining the .dbf file format, which first appeared in the dBase II application in 1983, and setting up a template to inject data into the stack to cause a crash.

What Lim found

As it emerged, the .dbf file format carries two values in its header, fieldLength and fieldType, and either one can be used to determine the buffer size of a database record.

It is possible to allocate a buffer using one value and to use the other to set the size of a copy operation into the same buffer, causing a buffer overflow.
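As an added illustration of the mismatch Lim describes (this is not OpenOffice's code or Lim's proof of concept), here is a defensive .dbf field-descriptor check in C. The descriptor offsets and the type-to-width table are assumptions made for this example; the check derives a single size from the descriptor and rejects any field whose declared length disagrees with its type, so the allocation and the copy can never use different numbers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed 32-byte dBase field-descriptor layout (offsets are an assumption
 * made for this example, not taken from the OpenOffice source). */
#define DESC_SIZE     32
#define DESC_TYPE_OFF 11   /* one-byte field type, e.g. 'C', 'N', 'D', 'L', 'I' */
#define DESC_LEN_OFF  16   /* one-byte declared field length */

/* Fixed on-disk width for fixed-width types; 0 = variable width (declared
 * length is authoritative); SIZE_MAX = unknown type. Table is an assumption. */
static size_t fixed_width_for_type(uint8_t type) {
    switch (type) {
    case 'D': return 8;  /* date, YYYYMMDD */
    case 'L': return 1;  /* logical */
    case 'I': return 4;  /* 32-bit integer */
    case 'C': case 'N': case 'M': return 0;
    default:  return SIZE_MAX;
    }
}

/* The bug class: size the buffer from one header value and the copy from the
 * other. The fix: derive ONE size and reject descriptors where they disagree.
 * Returns the safe size, or 0 for an invalid descriptor. */
size_t validated_field_size(const uint8_t *desc, size_t desc_len) {
    if (desc == NULL || desc_len < DESC_SIZE) return 0;
    size_t declared = desc[DESC_LEN_OFF];
    size_t fixed = fixed_width_for_type(desc[DESC_TYPE_OFF]);
    if (fixed == SIZE_MAX || declared == 0) return 0;
    if (fixed != 0 && fixed != declared) return 0;   /* type/length mismatch */
    return declared;
}

/* Copy one field's bytes using only the validated size, bounded by both the
 * destination and the record, so allocation and copy cannot disagree. */
int copy_field(uint8_t *dst, size_t dst_size, const uint8_t *desc,
               size_t desc_len, const uint8_t *record, size_t record_len) {
    size_t n = validated_field_size(desc, desc_len);
    if (n == 0 || n > dst_size || n > record_len) return -1;
    memcpy(dst, record, n);
    return (int)n;       /* bytes copied, or -1 on rejection */
}

/* Constructed sample descriptors and record (not from any real file). */
const uint8_t kIntDescOk[DESC_SIZE]  = { [DESC_TYPE_OFF] = 'I', [DESC_LEN_OFF] = 4 };
const uint8_t kIntDescBad[DESC_SIZE] = { [DESC_TYPE_OFF] = 'I', [DESC_LEN_OFF] = 200 };
const uint8_t kCharDesc[DESC_SIZE]   = { [DESC_TYPE_OFF] = 'C', [DESC_LEN_OFF] = 8 };
const uint8_t kRecord[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
uint8_t gFieldBuf[8];   /* destination buffer sized for the sample fields */
```

The kIntDescBad descriptor is the shape of input this check exists for: a fixed-width type paired with a declared length far larger than the type allows, which the validator rejects before any copy happens.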

Lim continued his explanation of the flaw, wondering at one point how this had never been caught, and noted that GitHub’s LGTM automated security scan for open-source projects tagged Python and JavaScript for Apache OpenOffice, but not C++.