Vulnerability in OpenOffice that allows code to be executed when a file is opened

A vulnerability (CVE-2021-33035) has been identified in the Apache OpenOffice office suite that allows code execution when a specially crafted DBF file is opened. The researcher who found the problem reported having created a working exploit for the Windows platform. A fix is currently available only as a patch in the project repository, which has been included in the test builds of OpenOffice 4.1.11; there is no update for the stable branch yet.

The problem is caused by OpenOffice trusting the fieldLength and fieldType values in the header of a DBF file when allocating memory, without checking that the data actually stored in the fields matches the declared type. To carry out an attack, the fieldType value is set to INTEGER while the field holds data of a larger size, and the fieldLength value is set to something that does not correspond to the size of an INTEGER, so that the tail of the field data is written outside the allocated buffer. Using this controlled buffer overflow, the researcher was able to overwrite the function's return address and, with Return-Oriented Programming (ROP) techniques, achieve execution of his own code.
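The defensive check the text describes as missing, as an added example that is not part of the original article or of OpenOffice's own code: a small parser that walks the DBF field descriptors and rejects a header whose declared fieldLength disagrees with a fixed-size fieldType such as INTEGER. It assumes the standard dBASE/FoxPro header layout (32-byte header, 32-byte field descriptors terminated by 0x0D) and a table of fixed-width types taken from the FoxPro conventions; the sample files are constructed inline.

```python
import struct

# Fixed-width DBF field types (FoxPro conventions, assumed here): declared fieldLength must match.
FIXED_LENGTH_TYPES = {b"I": 4, b"D": 8, b"L": 1, b"T": 8}

def check_dbf_header(data: bytes) -> list:
    """Return a list of header problems; an empty list means the header is self-consistent."""
    problems = []
    if len(data) < 32:
        return ["file shorter than the 32-byte DBF header"]
    header_len, record_len = struct.unpack_from("<HH", data, 8)  # offsets 8 and 10
    if header_len > len(data):
        return [f"declared header length {header_len} exceeds file size {len(data)}"]
    # Field descriptors start at offset 32, 32 bytes each, and end at a 0x0D terminator.
    off, total = 32, 1  # every record starts with a 1-byte deletion flag
    while off + 32 <= header_len and data[off:off + 1] != b"\x0d":
        desc = data[off:off + 32]
        name = desc[:11].split(b"\x00", 1)[0].decode("ascii", "replace")
        ftype, flen = desc[11:12], desc[16]
        expected = FIXED_LENGTH_TYPES.get(ftype)
        if expected is not None and flen != expected:
            problems.append(f"field {name!r}: type {ftype.decode()} is {expected} bytes but fieldLength is {flen}")
        total += flen
        off += 32
    if total != record_len:
        problems.append(f"sum of field lengths {total} does not match record length {record_len}")
    return problems

def build_dbf(fields):
    """Construct a minimal DBF header (no records) from (name, type, length) tuples; sample data only."""
    descs = b"".join(name.ljust(11, b"\x00") + ftype + b"\x00" * 4 + bytes([flen]) + b"\x00" * 15
                     for name, ftype, flen in fields)
    record_len = 1 + sum(f[2] for f in fields)
    header_len = 32 + len(descs) + 1
    header = struct.pack("<BBBBIHH", 0x03, 21, 9, 18, 0, header_len, record_len) + b"\x00" * 20
    return header + descs + b"\x0d"

# Constructed samples: a consistent file and one whose INTEGER field claims 64 bytes.
GOOD_DBF = build_dbf([(b"ID", b"I", 4), (b"NAME", b"C", 20)])
BAD_DBF = build_dbf([(b"ID", b"I", 64), (b"NAME", b"C", 20)])

if __name__ == "__main__":
    for label, blob in (("good", GOOD_DBF), ("bad", BAD_DBF)):
        print(label, check_dbf_header(blob) or "header consistent")
```

Note that the malformed sample still passes the record-length check, because its header is internally consistent; only the type-versus-length rule catches it, which is why a reader must validate types, not just totals.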

With the ROP technique, the attacker does not try to place his own code in memory, but instead reuses fragments of machine code already present in the loaded libraries, each ending in a control-transfer instruction such as a return (typically the tails of library functions). The exploit then comes down to chaining calls to such fragments ("gadgets") to obtain the desired functionality. In the OpenOffice exploit, the gadgets were taken from the libxml2 library bundled with OpenOffice, which, unlike OpenOffice itself, was built without the DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) protection mechanisms.

OpenOffice developers were notified of the issue on May 4, and public disclosure of the vulnerability was scheduled for August 30. Since no stable-branch update had been released by the scheduled date, the researcher postponed the disclosure of details to September 18, but the OpenOffice developers did not manage to publish the 4.1.11 release by that date either. Notably, the same investigation identified a similar vulnerability in the DBF support code of Microsoft Office Access (CVE-2021-38646), details of which will be disclosed later. No issues were found in LibreOffice.

Source: opennet.ru
