CVE-2008-0320
Published 2008-04-17
Priority P2 · 62 · critical · CVSS 2.0 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 57.02% (98.9th percentile)
Heap-based buffer overflow in the OLE importer in OpenOffice.org before 2.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an OLE file with a crafted DocumentSummaryInformation stream.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openoffice | openoffice.org | <= 2.3.1 | — |
| openoffice | openoffice.org | — | — |
| openoffice | openoffice.org | — | — |
| openoffice | openoffice.org | — | — |
| openoffice | openoffice.org | — | — |
| openoffice | openoffice.org | — | — |
Detection & IOCs (extracted from sources)
- bytes: RET gadget 0x609345fe (add esp, ebx # ... # ret from tl680mi)
- Look for OLE files (.doc) with a malformed or oversized DocumentSummaryInformation stream being opened by OpenOffice.org processes (soffice.exe, soffice.bin); the heap overflow occurs during OLE import.
- Payload space is constrained to 407 bytes; detect shellcode patterns within that size embedded at offset 115808 of a crafted OLE document template.
- The exploit sets EXITFUNC to 'process', meaning the shellcode terminates the OpenOffice process on exit; monitor for abnormal soffice.exe termination shortly after a .doc file is opened.
- The exploit only targets OpenOffice 2.3.0 and 2.3.1 on Windows XP SP3; the vulnerability itself affects all OpenOffice.org versions before 2.4, including the 1.1 branch on multiple platforms.
- The vulnerability also affects the OpenOffice.org 1.1 series, not just the 2.x branch, broadening the scope of affected deployments beyond what the Metasploit module targets.
- The ROP gadget addresses (0x609345fe, 0x60915cbd) and EBX value (0xffffefa8) are hardcoded for the specific tl680mi library version shipped with OpenOffice 2.3.x on XP SP3; these offsets will not be valid on other OS versions or OpenOffice builds.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 9.3 | CRITICAL | — |
| vendor_ubuntu | — | 9.3 | CRITICAL | — |
Ubuntu
OpenOffice.org vulnerabilities
vendor_ubuntu · 2008-05-06 · CVSS 9.3
CVE-2007-5745 [CRITICAL] OpenOffice.org vulnerabilities

It was discovered that arbitrary Java methods were not filtered out when opening databases in OpenOffice.org. If a user were tricked into running a specially crafted query, a remote attacker could execute arbitrary Java with user privileges. (CVE-2007-4575)

Multiple memory overflow flaws were discovered in OpenOffice.org's handling of Quattro Pro, EMF, and OLE files. If a user were tricked into opening a specially crafted document, a remote attacker might be able to execute arbitrary code with user privileges. (CVE-2007-5745, CVE-2007-5746, CVE-2007-5747, CVE-2008-0320)

Instructions: After a standard system upgrade you need to restart OpenOffice.org to effect the necessary changes.
Red Hat
openoffice.org: OLE files parsing heap overflows
vendor_redhat · 2008-04-17 · CVSS 9.3
CVE-2008-0320 [CRITICAL]

Heap-based buffer overflow in the OLE importer in OpenOffice.org before 2.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an OLE file with a crafted DocumentSummaryInformation stream.
GHSA
GHSA-56hf-q7h3-4m8c: Heap-based buffer overflow in the OLE importer in OpenOffice
ghsa_unreviewed · 2022-05-01
CVE-2008-0320 [HIGH] CWE-119

Heap-based buffer overflow in the OLE importer in OpenOffice.org before 2.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an OLE file with a crafted DocumentSummaryInformation stream.
No detection rules found.
Exploit-DB
OpenOffice - OLE Importer DocumentSummaryInformation Stream Handling Overflow (Metasploit)
exploitdb · 2012-05-25
CVE-2008-0320

---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow",
      'Description' => %q{
        This module exploits a vulnerability in OpenOffice 2.3.1 and 2.3.0 on
        Microsoft Windows XP SP3.
        By supplying an OLE file with a malformed DocumentSummaryInformation stream, an
        attacker can gain control of the execution flow, which results in arbitrary code
        execution under the context of the user.
      },
      'License'     => MSF_LICENSE,
      'Aut
```
Metasploit
OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow
metasploit

This module exploits a vulnerability in OpenOffice 2.3.1 and 2.3.0 on Microsoft Windows XP SP3. By supplying an OLE file with a malformed DocumentSummaryInformation stream, an attacker can gain control of the execution flow, which results in arbitrary code execution under the context of the user.
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=694
- http://secunia.com/advisories/29844
- http://secunia.com/advisories/29852
- http://secunia.com/advisories/29864
- http://secunia.com/advisories/29871
- http://secunia.com/advisories/29910
- http://secunia.com/advisories/29913
- http://secunia.com/advisories/29987
- http://secunia.com/advisories/30100
- http://secunia.com/advisories/30179
- http://security.gentoo.org/glsa/glsa-200805-16.xml
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-231642-1
- http://www.debian.org/security/2008/dsa-1547
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:090
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:095
- http://www.novell.com/linux/security/advisories/2008_23_openoffice.html
- http://www.openoffice.org/security/bulletin.html
- http://www.openoffice.org/security/cves/CVE-2007-4770.html
- http://www.openoffice.org/security/cves/CVE-2007-5745.html
- http://www.openoffice.org/security/cves/CVE-2008-0320.html
- http://www.redhat.com/support/errata/RHSA-2008-0175.html
- http://www.redhat.com/support/errata/RHSA-2008-0176.html
- http://www.securityfocus.com/bid/28819
- http://www.securitytracker.com/id?1019890
- http://www.ubuntu.com/usn/usn-609-1
- http://www.vupen.com/english/advisories/2008/1253/references
- http://www.vupen.com/english/advisories/2008/1375/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41860
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10318
- https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00448.html