High Risk Vulnerability in OpenOffice (RTF Document Handling)

John Heasman of NGSSoftware has discovered a high risk vulnerability
in the handling of RTF documents within OpenOffice.

The vulnerability affects all versions of OpenOffice prior to 2.2.1. If
an attacker can coax a user into opening a specially crafted RTF
document then the attacker can execute arbitrary code in the security
context of their victim.

Details
*******

When parsing the “prtdata” tag, the OpenOffice RTF parser allocates memory
based on the first proceeding token but copies the contents of the second,
thus by setting the first token to a value smaller than the length of the
second it is possible to overwrite heap data.  This can be exploited to
execute arbitrary code by overwriting vtable entries.

Solution
********

This issue has now been resolved; OpenOffice users are strongly recommended
to install OpenOffice 2.2.1, or obtain the latest OpenOffice packages
appropriate to their distribution.

Further details are available at http://www.openoffice.org

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070