Exploitable Buffer Overflow in OpenOffice.org
Memorize writes "It turns out that OpenOffice.org can't read MS Office documents safely, either. A buffer overflow in OpenOffice.org has been confirmed and would allow an attacker to write a specially-constructed .doc file that will take control over an OpenOffice.org user's machine. This vulnerability is exploitable and it exists on every computer with OpenOffice 1.14 or 2.0b installed. OpenOffice.org will have a fix ready within days, but how quickly will Linux users patch? This paves the way for Linux users to be vulnerable to a virus that spreads by sending itself as email attachments which unsuspecting users then open. Could the first real Linux virus be drawing near?" Not from the sound of it: the article says that users would still have to be convinced "to open a malicious document with an unpatched application."
Is OO running setuid root for some reason?
"The slave who knows his master's will and does not get ready...will be beaten with many blows." Luke 12:47-48
Regardless of whether or not users would have to open a malicious document with an unpatched application, I think the story poster is reasonable when positing the opinion that Linux viruses may be on their way. Daily, Microsoft users open malicious documents in their email with unpatched applications.
Certainly, not all Linux users are power users, and even then they may or may not be aware of whether or not their application needs to be patched, or could be duped into opening an email.
Could the first real Linux virus be drawing near?" Not from the sound of it: the article says that users would still have to be convinced "to open a malicious document with an unpatched application." Hmmm, so, Linux is secure because its users are more intelligent than Windows users? Or is it that Linux is such a pain in the ass to use as a desktop OS that you have no choice but to have a PhD in CS to use it and therefore would know not to open an unknown attachment. I just love the double standards. PS - I know quite a few people that use Linux as a desktop OS that would blindly open an attachment.
-- http://anonet.org -- The internet the way it was meant to be. Check it out, you may be surprised.
Why would you need to be root to execute code?
Ya, and if I can convince anyone to open a HTML file or look at a JPEG, the silly fool deserves what they get, right? It's a fucking DOC file. If you can get malicious code run from opening a non-executable file it is a big fucking problem.
It's not hard to convince someone to open the document... .doc files fly around in emails all the time, and often turn up in search results on Google. It would be no harder to get them to open a rogue .doc than it would be to get them to open a .pdf
The fact that Linux separates users from root won't prevent this hypothetical virus from acting just like a lot of Outlook viruses.
Also, getting someone to open a script is quite different from getting someone to open an OOo document. Most mail readers will present one or more dialog boxes asking "are you sure you want to do this" before they run a script or application, and they will probably have you choose an application to use to open it, whereas most are configured to open up .doc documents without asking anything. It all comes down to MIME types. There is a MIME type that lets KMail (etc.) easily open MS Word documents but there is no MIME type that associates a shell script with the application "/bin/sh", for example. I'm sure some thought was given to security when putting together the MIME types, and no one assumed that OOo would be exploitable like this.
As a side note, this really shows the value of XML-based document formats vs. weird proprietary binary formats (i.e., MS Word). You can't exploit software that's based on XML because all such software uses off-the-shelf, open source XML parsers which have been so thoroughly tested, debugged, scrutinized and hammered on that the chances of an overflow are very, very low. Also the format is saner and it's easier for a human to write code to parse it.
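The comment above argues that the real gate is the MIME handler table: which types a mail client hands straight to an application, and whether anything maps a script type to an interpreter. The following is an added example, not code from the discussion or from any mail client, that parses a mailcap file (the RFC 1524 format used by KMail, mutt and others) and reports the two things a reviewer would check: types whose handler launches with no `needsterminal` flag and no `test=` precondition, and types whose handler is itself a script interpreter. The sample mailcap text and the `INTERPRETERS` list are constructed for the example.

```python
import os
import re
import shlex

# Constructed sample mailcap file; not taken from the page or any real system.
SAMPLE_MAILCAP = r"""
# Blank lines and comments are ignored; a trailing backslash continues a line.
application/msword; ooffice %s; \
    description="MS Word document"
application/pdf; xpdf %s; test=test -n "$DISPLAY"
text/plain; less %s; needsterminal
image/jpeg; display %s
application/x-shellscript; sh %s
"""

# Programs that would execute an attachment's content rather than render it.
# The comment above says no sane MIME setup maps scripts to /bin/sh; this is
# the (assumed) set of names the audit checks handlers against.
INTERPRETERS = {"sh", "bash", "dash", "ksh", "python", "perl", "ruby"}


def parse_mailcap(text):
    """Parse mailcap text into a list of entries.

    Each entry is {"type", "command", "flags", "fields"} following the
    RFC 1524 layout: type/subtype; view-command; then optional flag or
    key=value fields separated by ';'.  Backslash-newline continues a line.
    """
    entries = []
    pending = []
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            pending.append(raw.rstrip()[:-1])
            continue
        pending.append(raw)
        line = "".join(pending).strip()
        pending = []
        if not line or line.startswith("#"):
            continue
        # Split on ';' that is not escaped by a backslash.
        fields = [f.strip() for f in re.split(r"(?<!\\);", line)]
        if len(fields) < 2 or not fields[1]:
            continue
        entry = {"type": fields[0].lower(), "command": fields[1],
                 "flags": set(), "fields": {}}
        for extra in fields[2:]:
            if "=" in extra:
                key, value = extra.split("=", 1)
                entry["fields"][key.strip()] = value.strip()
            elif extra:
                entry["flags"].add(extra)
        entries.append(entry)
    return entries


def program_name(command):
    """Base name of the program a mailcap command runs ('sh %s' -> 'sh')."""
    try:
        argv = shlex.split(command)
    except ValueError:
        argv = command.split()
    return os.path.basename(argv[0]) if argv else ""


def audit_mailcap(entries):
    """Report which types open with no gate and which go to an interpreter.

    auto_open: handler runs unconditionally (no 'needsterminal' flag and no
    'test=' precondition).  interpreter_handlers: the handler program is a
    script interpreter, i.e. the attachment body would be executed.
    """
    auto_open = sorted(
        e["type"] for e in entries
        if "needsterminal" not in e["flags"] and "test" not in e["fields"]
    )
    interpreter_handlers = sorted(
        e["type"] for e in entries if program_name(e["command"]) in INTERPRETERS
    )
    return {"auto_open": auto_open, "interpreter_handlers": interpreter_handlers}


if __name__ == "__main__":
    report = audit_mailcap(parse_mailcap(SAMPLE_MAILCAP))
    for key, types in report.items():
        print(f"{key}: {', '.join(types) or '(none)'}")
```

Run against a real `~/.mailcap` or `/etc/mailcap` by replacing `SAMPLE_MAILCAP` with the file's contents; an entry showing up under `interpreter_handlers` is exactly the script-to-`/bin/sh` association the comment says should never exist, and `auto_open` lists the document types that will be handed to a viewer with no prompt, which is where an unpatched viewer matters.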
I get really sick of this kind of thinking. Whether I run as root or not, an exploit in a desktop application can affect anything in my user's space - it can delete all my files (or worse, slightly modify them all so I won't notice for a while). It can read and sniff all my email. It can install and run sniffer applications, so long as they run in my context. Given that most people do 99% of their work in their user context, it has the capacity to affect 99% of their work.
Personally, between having my box turned into a zombie machine spamming the rest of the free world, and having someone intelligently attack my mailbox and web history and potentially discovering one or more of my accounts someplace, I'd take the zombie machine - that's a lot easier to fix than someone cracking open my bank account.
That's not to say that running as root is a good idea - it's horrible. You can screw around with someone a lot more with admin privileges on a box than you can without. All of the attacks capable of running as a lesser user are still available (and easier most of the time) running as root plus a couple thousand more, and it's much harder for normal users to determine that they have been penetrated when the attack is at an admin level. But an exploit at ANY level is dangerous, and pretending that's not the case is not helpful.