CVE-2021-33035: Zero-day unpatched vulnerability in Apache OpenOffice allows taking control of network via RCE

Cybersecurity specialists have confirmed that Apache OpenOffice is affected by a remote code execution (RCE) flaw that has so far been fixed only in a beta build, so the released versions in everyday use remain affected. In other words, users of this open source suite, which has millions of downloads, are running vulnerable versions.

Researcher Eugene Lim published a report containing some details of the vulnerability, tracked as CVE-2021-33035. He describes the flaw as a buffer overflow triggered by a crafted .dbf file that overwrites a return pointer, which, combined with a DEP and ASLR bypass, would lead to the execution of arbitrary commands: “A malicious file opened with this software could lead to the total compromise of the affected system,” he says.

The vulnerability lies in the parsing of the .dbf file format, which first appeared as part of the dBase II application in 1983. The researcher reported that the .dbf format carries two values in its header, fieldLength and fieldType, either of which can be used to determine the buffer size of a database record. A parser can therefore allocate a buffer based on one value and use the other to set the size of a copy operation into that buffer, leading to a buffer overflow. The researcher's analysis of OpenOffice's .dbf parsing code reads as follows:

“Here, we can see a sal_Int32-sized (4 bytes) buffer nValue being instantiated for a field of type INTEGER. Subsequently, memcpy copies a buffer of nLen size, which is a value controlled by the attacker, into nValue without validating that nLen is less than or equal to 4,” says the researcher.
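To make the length/type mismatch concrete, the following C example is added here; it is not OpenOffice's code, and the type alias `sal_Int32`, the struct `DbfField` and the function names are hypothetical stand-ins for the `sal_Int32`, `nValue` and `nLen` the researcher mentions. It places the unchecked copy pattern beside a hardened reader that rejects any declared `fieldLength` inconsistent with a fixed-width `fieldType` before any bytes reach the 4-byte destination, and the validator covers the other fixed-width dBase types as well.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the OpenOffice type named in the article. */
typedef int32_t sal_Int32;

/* Constructed .dbf field descriptor holding the two header values the
 * article says a parser can confuse: the type and the declared length. */
struct DbfField {
    char    fieldType;    /* 'I' integer, 'L' logical, 'D' date, 'C' character, 'N' numeric */
    uint8_t fieldLength;  /* length declared in the file header (attacker-controlled) */
};

/* Returns 1 if the declared length is acceptable for the type, else 0.
 * Fixed widths follow the dBase format: I=4 bytes, L=1, D=8 (YYYYMMDD text). */
static int dbf_field_length_is_valid(char type, uint8_t len)
{
    switch (type) {
    case 'I': return len == 4;
    case 'L': return len == 1;
    case 'D': return len == 8;
    case 'C': return len >= 1;              /* variable width, bounded by the uint8_t */
    case 'N': return len >= 1 && len <= 20; /* numeric text, dBase caps it at 20 */
    default:  return 0;                     /* unknown type: refuse to parse */
    }
}

/* The unchecked pattern the article describes: nLen is taken from the file
 * while nValue is a fixed 4-byte stack buffer, and nothing stops nLen > 4.
 * Kept for contrast only; it is never called here with a mismatched length. */
static sal_Int32 read_integer_unchecked(const struct DbfField *f, const uint8_t *rec)
{
    sal_Int32 nValue = 0;
    size_t nLen = f->fieldLength;
    memcpy(&nValue, rec, nLen);   /* overflows nValue whenever nLen > sizeof(nValue) */
    return nValue;
}

/* Hardened reader: checks the declared length against the type and against
 * the bytes actually present before touching the fixed-size destination.
 * Returns 0 on success, a negative code on rejection. */
static int read_integer_checked(const struct DbfField *f, const uint8_t *rec,
                                size_t recLen, sal_Int32 *out)
{
    if (f->fieldType != 'I')
        return -1;                                   /* wrong type for this reader */
    if (!dbf_field_length_is_valid(f->fieldType, f->fieldLength))
        return -2;                                   /* length/type mismatch */
    if (recLen < f->fieldLength)
        return -3;                                   /* record shorter than declared */
    /* dBase stores 'I' fields as little-endian 32-bit; decode explicitly so the
     * result does not depend on host byte order. */
    uint32_t v = (uint32_t)rec[0] | ((uint32_t)rec[1] << 8) |
                 ((uint32_t)rec[2] << 16) | ((uint32_t)rec[3] << 24);
    *out = (sal_Int32)v;
    return 0;
}

int main(void)
{
    /* Constructed record bytes: one well-formed INTEGER field plus padding. */
    const uint8_t rec[8] = { 0x78, 0x56, 0x34, 0x12, 0, 0, 0, 0 };
    const struct DbfField good = { 'I', 4 };
    const struct DbfField bad  = { 'I', 8 };   /* header claims 8 bytes for a 4-byte type */
    sal_Int32 value = 0;

    int rc = read_integer_checked(&good, rec, sizeof rec, &value);
    printf("good descriptor: rc=%d value=0x%08x\n", rc, (unsigned)value);

    rc = read_integer_checked(&bad, rec, sizeof rec, &value);
    printf("bad descriptor:  rc=%d (rejected before any copy)\n", rc);

    printf("unchecked reader on the well-formed field: 0x%08x\n",
           (unsigned)read_integer_unchecked(&good, rec));
    return 0;
}
```

The design point is that the copy length is derived from the type's fixed width, never from the header's `fieldLength`, and the header value is only used as something to validate; a descriptor whose length disagrees with its type is rejected as malformed rather than trusted.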

By adapting his earlier payload generator to use the integer fieldType (I), the researcher was able to set fieldLength to a value larger than sal_Int32 and run a proof-of-concept (PoC) that consisted of opening the file in OpenOffice Calc and crashing the application.

The researcher adds that the same vulnerability is present in Scalabium dBase Viewer, which has already been patched, since that project is maintained by a single developer. As for Apache OpenOffice, although disclosure began in May, a complete fix for all users may not be ready until the end of this month. In the meantime, users are advised to watch for any updates from the developers.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.