Vulnerability in OpenOffice allowing code execution when a file is opened

A vulnerability (CVE-2021-33035) has been identified in the Apache OpenOffice office suite that allows code execution when a specially crafted file in DBF format is opened. The researcher who found the problem has warned that a working exploit for the Windows platform has been prepared. At present the fix is available only as a patch in the project repository, which is included in the OpenOffice 4.1.11 test builds. There is no update for the stable branch yet.

The problem is caused by OpenOffice trusting the values of the Length and Type fields in the DBF file header when allocating memory, without checking that the actual type of the data stored in the fields matches them. To attack, one can specify INTEGER in the Type field but store larger data, and set a Length value that does not correspond to the size of an INTEGER; the tail of the field data is then written beyond the allocated buffer. Using this controlled buffer overflow, the researcher was able to overwrite the function's return address and, with return-oriented programming (ROP), achieve execution of his own code.
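The header-trust bug described above, reduced to a constructed C model. This is an added example, not OpenOffice's code: the `dbf_field` struct keeps only the Type and Length bytes of a dBASE field descriptor, the 16-byte "frame" with a saved-return slot at offset 12 is an assumed stand-in for a real stack frame, and the crafted record is constructed here. The vulnerable reader sizes its destination from Type but copies Length bytes, as the article describes; the hardened reader refuses any descriptor whose Length disagrees with the fixed size implied by Type before copying anything.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a dBASE field descriptor: only the two header
 * bytes the article talks about are kept (Type at offset 11 and Length
 * at offset 16 of the real 32-byte descriptor). */
struct dbf_field {
    char    type;    /* 'I' = 32-bit integer, 'L' = logical, 'C' = character, ... */
    uint8_t length;  /* declared field length, as read from the header */
};

/* Storage size implied by the declared type; 0 means "sized by Length". */
size_t type_fixed_size(char type)
{
    switch (type) {
    case 'I': return 4;  /* 32-bit little-endian integer */
    case 'L': return 1;  /* single logical byte */
    default:  return 0;  /* 'C', 'N', etc. have no fixed size */
    }
}

/* Assumed frame layout for illustration: 4-byte integer cell at offset 0,
 * filler, then 4 bytes standing in for the saved return address. */
#define FRAME_SIZE 16
#define RET_OFFSET 12

/* Constructed crafted record: Type says INTEGER, but 16 bytes are supplied.
 * The last four (0x41414141) would land on the model's return slot. */
static const uint8_t CRAFTED_RECORD[FRAME_SIZE] = {
    0x01, 0x00, 0x00, 0x00,  /* the bytes a well-formed INTEGER would occupy */
    0x42, 0x42, 0x42, 0x42,  /* overflow filler */
    0x42, 0x42, 0x42, 0x42,
    0x41, 0x41, 0x41, 0x41   /* overwrites the saved return address */
};

/* VULNERABLE PATTERN: destination sized from Type (4 bytes), copy length
 * taken from the header's Length. The copy is clamped to the model frame so
 * the demo stays well-defined C; a real overflow has no such clamp. */
size_t vuln_read_int(uint8_t frame[FRAME_SIZE], const struct dbf_field *f,
                     const uint8_t *record)
{
    size_t n = f->length;
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(frame, record, n);  /* writes past the 4-byte cell when length > 4 */
    return n;
}

/* HARDENED: Length must equal the size implied by Type, checked before any
 * byte is copied. Returns 0 on success, -1 when the descriptor is rejected. */
int safe_read_int(uint8_t frame[FRAME_SIZE], const struct dbf_field *f,
                  const uint8_t *record)
{
    size_t want = type_fixed_size(f->type);
    if (want == 0 || f->length != want) return -1;
    memcpy(frame, record, want);
    return 0;
}

/* Did a copy reach the model's saved-return slot? */
int ret_slot_clobbered(const uint8_t frame[FRAME_SIZE])
{
    for (size_t i = RET_OFFSET; i < FRAME_SIZE; i++)
        if (frame[i] != 0) return 1;
    return 0;
}

/* 1 if the vulnerable reader lets the crafted record overwrite the return slot. */
int demo_vulnerable_clobbers_return(void)
{
    struct dbf_field f = { 'I', FRAME_SIZE };
    uint8_t frame[FRAME_SIZE] = {0};
    vuln_read_int(frame, &f, CRAFTED_RECORD);
    return ret_slot_clobbered(frame);
}

/* 1 if the hardened reader rejects the same record and leaves the frame untouched. */
int demo_hardened_rejects(void)
{
    struct dbf_field f = { 'I', FRAME_SIZE };
    uint8_t frame[FRAME_SIZE] = {0};
    int rc = safe_read_int(frame, &f, CRAFTED_RECORD);
    return rc == -1 && !ret_slot_clobbered(frame);
}

/* Decoded integer from a consistent descriptor (Length 4), or -1 if rejected. */
int32_t demo_hardened_accepts_wellformed(void)
{
    struct dbf_field f = { 'I', 4 };
    uint8_t frame[FRAME_SIZE] = {0};
    if (safe_read_int(frame, &f, CRAFTED_RECORD) != 0) return -1;
    return (int32_t)((uint32_t)frame[0] | (uint32_t)frame[1] << 8 |
                     (uint32_t)frame[2] << 16 | (uint32_t)frame[3] << 24);
}

int main(void)
{
    printf("vulnerable reader clobbers return slot: %d\n", demo_vulnerable_clobbers_return());
    printf("hardened reader rejects crafted record:  %d\n", demo_hardened_rejects());
    printf("hardened reader decodes well-formed:     %d\n", demo_hardened_accepts_wellformed());
    return 0;
}
```

The check in `safe_read_int` is the whole fix: for a fixed-size type the header's Length carries no information the parser should act on, so any disagreement is treated as a malformed file rather than reconciled. Variable-length types ('C', 'N') still need Length, but there the destination must be allocated from Length as well, never from an assumed size.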

With the ROP technique the attacker does not try to place his own code in memory, but instead reuses fragments of machine instructions already present in loaded libraries that end with a control-transfer return instruction (as a rule, the tails of library functions). The exploit's work comes down to building a chain of calls to such blocks ("gadgets") that yields the desired functionality. The gadgets used in the OpenOffice exploit come from the libxml2 library bundled with OpenOffice, which, unlike OpenOffice itself, was built without the DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) protection mechanisms.

The OpenOffice developers were notified of the problem on May 4, after which public disclosure of the vulnerability was scheduled for August 30. Since the update to the stable branch was not finished by the planned date, the researcher postponed disclosure of the details to September 18, but the OpenOffice developers still did not manage to produce release 4.1.11 by that date. Notably, the same research uncovered a similar vulnerability in the DBF format support code of Microsoft Office Access (CVE-2021-38646), details of which will be disclosed later. The problem is not present in LibreOffice.

source: budenet.ru