Bug 900214 (CVE-2014-3693)

Summary: VUL-0: CVE-2014-3693: LibreOffice Impress Remote Control Use-after-Free Vulnerability
Product: [Novell Products] SUSE Security Incidents
Reporter: Petr Mladek <pmladek>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: atimar, jsegitz, pmladek, security-team, tchvatal
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:released:sle11-sp3:59752
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Petr Mladek 2014-10-08 07:38:35 UTC
From: Noam Rathaus <noamr@beyondsecurity.com>
Date: Mon, 6 Oct 2014 18:40:20 +0300
To: Michael Meeks <michael.meeks@collabora.com>
Cc: officesecurity@lists.freedesktop.org

LibreOffice Impress Remote Control Use-after-Free Vulnerability
===============================================================

The Bug
-------
In LibreOffice 4.0.0 and later, a new feature was added for remote
control capabilities in Impress. Users can run a smart phone
application to communicate with Impress over a custom protocol to switch
slides and the like. By default whenever Impress is started, it
immediately begins listening on TCP port 1599 on all interfaces.

The protocol used by Impress is currently very simple and is described
here:
https://wiki.documentfoundation.org/Development/Impress_Remote_Protocol

A simple initial handshake message sent by clients looks like:
LO_SERVER_CLIENT_PAIR
client name
client PIN


The message is terminated with a blank line. Encoded, the above message
looks like:
"LO_SERVER_CLIENT_PAIR\nclient name\nclient PIN\n\n"


The source code responsible for handling these requests is in:
sd/source/ui/remotecontrol/Server.cxx
sd/source/ui/remotecontrol/BufferedStreamSocket.cxx

Please see attached the annotated versions of these files, respectively
named:
lo-4.2.6.2-Server_annotated.csv
lo-4.2.6.2-BufferedStreamSocket_annotated.csv


(If you open these in a spreadsheet, be sure to resize columns and rows
so you can actually read the text comments in the right column.)


The vulnerability lies in the line:
118: if ( ! pSocket->readLine( aLine ) ) delete pSocket;

If readLine returns 0, then the pSocket is freed, but execution does not
stop there. Most likely what was intended is:

if ( ! pSocket->readLine( aLine ) )
{
    delete pSocket;
    /* ... clean up other data structures, as needed, due to this error
       condition ... */
    continue;
}

However, pSocket continues to be used for the rest of this while loop
iteration. pSocket is used in a few places, but most interestingly,
during the inner do...while loop when the remaining portion of content
is read in. If the freed memory can be overwritten sometime before or
during these later readLine calls, then either the readLine vptr can be
hijacked, or the buffer counters stored within pSocket can be messed
with to generate a subsequent overflow or something similar.


We can easily supply data to this socket while still causing readLine to
return 0 on the vulnerable line of code. Looking at the readLine
implementation in BufferedStreamSocket.cxx, input is capped at 20000 bytes.
(MAX_LINE_LENGTH is the key check we're targeting.)

So for this first request, we want to send a very long PIN, since that is
what is being read in on the vulnerable line of code.

A one liner like this will cause a reliable crash of Impress and the
rest of LibreOffice:
python -c 'print("LO_SERVER_CLIENT_PAIR\nMYNAME\n"+("A"*30000)+"\n\n")' |
nc 127.0.0.1 1599



Exploitation
------------
I've never exploited a use-after-free bug before, but here's what I
think might be possible, based on my observations--

Step 1: overwrite pSocket
I have definitely seen cases where my socket-supplied strings are
written over the freed pSocket object. I'm just not sure how reliable I
can make that happen. There are two versions of the name string that
get converted to UTF-16 strings. Since the socket read functions care
only about the existence of '\n' bytes, it should be possible to feed
multi-byte UTF-8 strings in as the name line in order to create nearly
arbitrary UTF-16 strings, including ones in pointer ranges.

Note that when sending data to the 1599 port, one can trickle strings in
small chunks by writing to the socket and flushing it repeatedly. This
may give us options for creating smaller objects on the heap that are
more likely to land in the appropriate freed memory.


Step 2/Option A: vptr -> vtable control
If in Step 1 it is possible to control the vptr of pSocket, then we need
a way to heap spray to reliably point vptr to a crafted vtable. Using
the socket interface on port 1599, it is possible to spray maybe
20-40kbytes of data into the heap, but perhaps not much more. It may be
necessary to have the user load up a malicious presentation file first
that contains lots of data to fill in as the vtable. After gaining
control of EIP through the vtable, you'd need to use a ROP chain.

Step 2/Option B: pSocket overflow
If in Step 1 we can overwrite pSocket's data fields but not the vptr, we
could still try to alter the aRead and aBuffer properties to create
an overflow or other secondary memory corruption during the next
readLine call. However, in many tests I performed, I found that often
the pSocket vtable had been overwritten by another object's vtable by
the time it reached the do ... while loop. Not sure if that can be
avoided.

Work-Around: Disable Impress Remote
-----------------------------------
While the remote control service is enabled by default, it can be
disabled easily through the following menus:

1. Open LibreOffice, go to "Tools -> Options..."
2. Select "LibreOffice Impress -> General"
3. Uncheck "Presentation -> Enable remote control"



Affected Systems
----------------
This bug should affect any system running LibreOffice 4.0.0 and later,
which includes Ubuntu versions:
14.04.1 LTS (Trusty Tahr)
13.10 (Saucy Salamander)
13.04 (Raring Ringtail)

Not sure about 12.10 (Quantal Quetzal) as it is no longer supported
Does not affect 12.04.5 LTS (Precise Pangolin) since it runs 3.x

Obviously, any recent desktop Linux distro would be affected in addition
to Windows systems with LibreOffice (all 6 of them ;-).
Comment 1 Petr Mladek 2014-10-08 07:45:48 UTC
It affects LO-4.0 and higher. This means that SLE11, SLE12, openSUSE 13.1, 13.2, and Factory are affected.

The fix seems to be rather simple, see
http://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-4-3&id=3d0cffab8d06a0f8af6c0ed7a95728203080a7c5

We still have neither a CVE nor a disclosure date, so I suggest waiting a bit before preparing the packages.
Comment 2 Sebastian Krahmer 2014-10-08 07:59:54 UTC
Did anyone already request a CVE? If upstream is informed about it
(as it seems) it is their turn to do so.
Comment 3 Petr Mladek 2014-10-27 12:46:04 UTC
CVE-2014-3693 has been assigned.

The current proposal for the disclosure date is November 5, 2014.
Comment 7 Tomáš Chvátal 2014-10-29 11:57:08 UTC
Submitted to sle11.
For sle12 let's do a minor bump to 4.3.3, and the same will be done for openSUSE 13.2 and Factory.
12.3 and 13.1 are pending, to be done after the embargo is lifted.
Comment 10 Swamp Workflow Management 2014-11-04 10:16:41 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-11-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59557
Comment 12 Bernhard Wiedemann 2014-11-05 10:00:27 UTC
This is an autogenerated message for OBS integration:
This bug (900214) was mentioned in
https://build.opensuse.org/request/show/259755 13.1 / libreoffice
https://build.opensuse.org/request/show/259756 Factory / libreoffice
https://build.opensuse.org/request/show/259757 13.2 / libreoffice
Comment 14 Swamp Workflow Management 2014-11-13 10:04:49 UTC
openSUSE-SU-2014:1412-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 900214,900218
CVE References: CVE-2014-3693
Sources used:
openSUSE 13.1 (src):    libreoffice-4.1.6.2-29.1, libreoffice-branding-upstream-4.1.6.2-29.1, libreoffice-help-en-US-4.1.6.2-29.1, libreoffice-help-group1-4.1.6.2-29.1, libreoffice-help-group2-4.1.6.2-29.1, libreoffice-help-group3-4.1.6.2-29.1, libreoffice-help-group4-4.1.6.2-29.1, libreoffice-help-group5-4.1.6.2-29.1, libreoffice-icon-themes-4.1.6.2-29.1, libreoffice-l10n-4.1.6.2-29.3
Comment 15 Bernhard Wiedemann 2014-11-17 12:00:24 UTC
This is an autogenerated message for OBS integration:
This bug (900214) was mentioned in
https://build.opensuse.org/request/show/262029 13.2 / libreoffice
Comment 16 Swamp Workflow Management 2014-11-18 09:04:49 UTC
openSUSE-SU-2014:1443-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 900214,900218,900877
CVE References: CVE-2014-3693
Sources used:
openSUSE 13.2 (src):    libreoffice-4.3.3.2-4.1
Comment 20 Swamp Workflow Management 2014-11-25 13:04:54 UTC
SUSE-SU-2014:1494-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 900214,900218
CVE References: CVE-2014-3693
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    libreoffice-4.3.3.2-6.1
SUSE Linux Enterprise Desktop 12 (src):    libreoffice-4.3.3.2-6.1
SUSE Linux Enterprise Build System Kit 12 (src):    libreoffice-4.3.3.2-6.1
Comment 21 Swamp Workflow Management 2014-12-02 18:05:05 UTC
SUSE-SU-2014:1544-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 900214,900218
CVE References: CVE-2014-3693
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    libreoffice-4.0.3.3.26-0.10.2, libreoffice-branding-upstream-4.0.3.3.26-0.10.1, libreoffice-help-en-US-4.0.3.3.26-0.10.2, libreoffice-help-group1-4.0.3.3.26-0.10.2, libreoffice-help-group2-4.0.3.3.26-0.10.2, libreoffice-help-group3-4.0.3.3.26-0.10.2, libreoffice-help-group4-4.0.3.3.26-0.10.2, libreoffice-help-group5-4.0.3.3.26-0.10.2, libreoffice-icon-themes-4.0.3.3.26-0.10.1, libreoffice-l10n-4.0.3.3.26-0.10.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    libreoffice-4.0.3.3.26-0.10.2, libreoffice-help-en-US-4.0.3.3.26-0.10.2, libreoffice-help-group1-4.0.3.3.26-0.10.2, libreoffice-help-group2-4.0.3.3.26-0.10.2, libreoffice-help-group3-4.0.3.3.26-0.10.2, libreoffice-help-group4-4.0.3.3.26-0.10.2, libreoffice-help-group5-4.0.3.3.26-0.10.2, libreoffice-icon-themes-4.0.3.3.26-0.10.1, libreoffice-l10n-4.0.3.3.26-0.10.1
Comment 22 Marcus Meissner 2014-12-18 13:53:53 UTC
Was openSUSE redone? Then close.
Comment 23 Johannes Segitz 2015-03-25 13:43:14 UTC
(In reply to Marcus Meissner from comment #22)
openSUSE 13.1 and 13.2 are both fixed
Comment 24 Bernhard Wiedemann 2015-08-28 08:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (900214) was mentioned in
https://build.opensuse.org/request/show/327649 Factory / libreoffice
Comment 25 Swamp Workflow Management 2016-02-26 00:12:46 UTC
openSUSE-SU-2016:0588-1: An update that solves 9 vulnerabilities and has 15 fixes is now available.

Category: security (moderate)
Bug References: 679938,829430,889755,897903,900186,900214,900218,907636,910805,910806,915996,916181,926375,929793,934423,936188,936190,939996,940838,943075,945047,945692,951579,954345
CVE References: CVE-2014-3693,CVE-2014-8146,CVE-2014-8147,CVE-2014-9093,CVE-2015-4551,CVE-2015-45513,CVE-2015-5212,CVE-2015-5213,CVE-2015-5214
Sources used:
openSUSE 13.2 (src):    cmis-client-0.5.0-4.3.2, libetonyek-0.1.3-2.3.2, libmwaw-0.3.6-2.7.2, libodfgen-0.1.4-2.3.2, libpagemaker-0.0.2-2.2, libreoffice-5.0.4.2-28.1, libreoffice-share-linker-1-2.2, libwps-0.4.1-2.4.2, mdds-0.12.1-2.4.2