ProHoster > Блог > ozi ịntanetị > adịghị ike na OpenOffice nke na-enye ohere igbu koodu mgbe imepe faịlụ

adịghị ike na OpenOffice nke na-enye ohere igbu koodu mgbe imepe faịlụ

Achọpụtala adịghị ike (CVE-2021-33035) n'ime ụlọ ọrụ Apache OpenOffice nke na-enye ohere igbu koodu mgbe imepe faịlụ ahaziri ahazi na usoro DBF. Onye nyocha nke chọpụtara nsogbu ahụ dọrọ aka ná ntị banyere ịmepụta nrigbu na-arụ ọrụ maka ikpo okwu Windows. Ndozi adịghị ike dị ugbu a naanị n'ụdị patch na ebe nchekwa ọrụ, nke etinyere na nnwale nke OpenOffice 4.1.11. Enweghị mmelite maka alaka ụlọ ọrụ kwụsiri ike.

Ihe kpatara nsogbu a bụ OpenOffice na-adabere n'ọhịa Ogologo na ubi Ụdị ụkpụrụ dị na isi nke faịlụ DBF iji kesaa ebe nchekwa, na-enweghị ịlele na ụdị data dị na ubi dakọtara. Iji mee mwakpo, ị nwere ike ịkọwapụta ụdị INTEGER n'ọhịa Ụdị uru, ma tinye nnukwu data wee kọwaa ubi Ogologo uru nke na-adabaghị na nha data nwere ụdị INTEGER, nke ga-eduga na ọdụ data ahụ. site na ubi a na-ede n'ofe ihe nchekwa ekenyela. N'ihi oke njupụta nke nchekwa a na-achịkwa, onye nyocha ahụ nwere ike ịkọwapụta ihe nkwụghachi azụ site na ọrụ ahụ na, site na iji usoro mmemme nke nlọghachi (ROP - Return-oriented Programming), nweta mmezu nke koodu ya.

Mgbe ị na-eji usoro ROP, onye na-awakpo ahụ anaghị anwa itinye koodu ya na ebe nchekwa, kama ọ na-arụ ọrụ na mpempe akwụkwọ ntuziaka dị na ụlọ akwụkwọ ndị a na-ebu ibu, na-ejedebe na ntuziaka nlọghachi (dịka iwu, ndị a bụ njedebe nke ọrụ ụlọ akwụkwọ) . Ọrụ nke nrigbu na-agbadata iji wuo usoro oku na ngọngọ ndị yiri ya ("ngwa") iji nweta ọrụ achọrọ. Ngwa eji eme ihe na OpenOffice bụ koodu sitere na ọbaakwụkwọ libxml2 ejiri na OpenOffice, nke, n'adịghị ka OpenOffice n'onwe ya, achịkọtara na-enweghị usoro nchekwa DEP (Mgbochi Data Execution) na ASLR (Address Space Layout Randomization).

A mara ọkwa ndị mmepe OpenOffice maka okwu a na Mee 4, mgbe nke ahụ gasịrị, akwadoro mkpughe ọhaneze maka adịghị ike ahụ maka August 30. Ebe ọ bụ na emechabeghị mmelite ahụ na ngalaba kwụsiri ike site na ụbọchị a kara aka, onye nyocha ahụ yigharịrị mkpughe nke nkọwa ya na Septemba 18, mana ndị mmepe OpenOffice enwebeghị ike imepụta ntọhapụ 4.1.11 site na ụbọchị a. Ọ bụ ihe kwesịrị ịrịba ama na n'otu oge nyocha ahụ, a chọpụtara ihe ọghọm yiri nke ahụ na koodu nkwado DBF na Microsoft Office Access (CVE-2021-38646), nkọwa nke a ga-egosipụta ma emechaa. Enweghị nsogbu ahụrụ na LibreOffice.

isi: opennet.ru

Tinye a comment