SSD Advisory – LibreOffice Impress Remote Control Use-after-Free Vulnerability

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Introduction
LibreOffice is a powerful office suite; its clean interface and powerful tools let you unleash your creativity and grow your productivity. LibreOffice embeds several applications that make it the most powerful free and open-source office suite on the market.
Vulnerability Details
A vulnerability in LibreOffice’s Impress Remote Protocol allows a remote attacker to crash the product, and potentially execute arbitrary code, by sending a malformed request to TCP port 1599 (the port used by the protocol).

In LibreOffice 4.0.0 and later, a new feature was added for remote control of Impress. Users can run a smartphone application that communicates with Impress over a custom protocol to switch slides and the like. By default, whenever Impress is started it immediately begins listening on TCP port 1599 on all interfaces.
The protocol used by Impress is currently very simple and is described here:
Impress Remote Protocol
A simple initial handshake message sent by clients looks like:
LO_SERVER_CLIENT_PAIR
client name
client PIN

The message is terminated with a blank line. Encoded, the above message looks like:
“LO_SERVER_CLIENT_PAIR\nclient name\nclient PIN\n\n”
The source code responsible for handling these requests is in:
sd/source/ui/remotecontrol/Server.cxx
sd/source/ui/remotecontrol/BufferedStreamSocket.cxx
The vulnerability lies in the line:

118: if ( ! pSocket->readLine( aLine ) ) delete pSocket;

If readLine returns 0, then the pSocket is freed, but execution does not stop there. Most likely what was intended is:

if ( ! pSocket->readLine( aLine ) )
{
    delete pSocket;
    /* ... clean up other data structures, as needed, due to this error condition ... */
    continue;
}

However, pSocket continues to be used for the rest of this while loop iteration. pSocket is used in a few places, but most interestingly, during the inner do…while loop when the remaining portion of content is read in. If the freed memory can be overwritten sometime before or during these later readLine calls, then either the readLine vptr can be hijacked, or the buffer counters stored within pSocket can be messed with to generate a subsequent overflow or something similar.
We can easily supply data to this socket while still causing readLine to return 0 on the vulnerable line of code. Looking at the readLine implementation in BufferedStreamSocket.cxx, input is capped at 20000 bytes (MAX_LINE_LENGTH is the key check we’re targeting).
So for this first request, we want to send a very long PIN, since that is what is being read in on the vulnerable line of code.
A one-liner like this will cause a reliable crash of Impress and the rest of LibreOffice:
python -c 'print("LO_SERVER_CLIENT_PAIR\nMYNAME\n"+("A"*20000)+"\n\n")' | nc 127.0.0.1 1599
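As an added illustration (not LibreOffice’s own code), the following C++ models the pairing handshake with the control flow the fix above calls for: a failed readLine leaves the handler immediately and the socket is owned by a unique_ptr, so no path can free it and keep reading. FakeSocket, the in-memory buffer, the wrapper helpers and the exact cap semantics (a line whose length including the newline exceeds MAX_LINE_LENGTH is refused) are assumptions of this example.

```cpp
#include <memory>
#include <string>

// Constructed stand-in for BufferedStreamSocket: it reads from an in-memory byte
// string instead of TCP port 1599 and applies the 20000-byte line cap the advisory
// describes (a line whose length including '\n' exceeds the cap is refused).
static const size_t MAX_LINE_LENGTH = 20000;

class FakeSocket {
public:
    explicit FakeSocket(const std::string& data) : mData(data), mPos(0) {}
    // Returns false when the input is exhausted or the next line exceeds the cap;
    // this is the condition on which the original Server.cxx loop deleted pSocket.
    bool readLine(std::string& aLine) {
        size_t nl = mData.find('\n', mPos);
        if (nl == std::string::npos || nl - mPos + 1 > MAX_LINE_LENGTH) return false;
        aLine = mData.substr(mPos, nl - mPos);
        mPos = nl + 1;
        return true;
    }
private:
    std::string mData;
    size_t mPos;
};

struct Handshake { std::string name, pin; };

// Hardened handshake handler. The socket is owned by a unique_ptr and every failed
// readLine leaves the function, so there is no path that frees the socket and then
// keeps reading from it, which is the use-after-free pattern in the original loop.
bool handlePairing(std::unique_ptr<FakeSocket> pSocket, Handshake& out) {
    std::string aLine;
    if (!pSocket->readLine(aLine) || aLine != "LO_SERVER_CLIENT_PAIR") return false;
    if (!pSocket->readLine(out.name) || out.name.empty()) return false;
    if (!pSocket->readLine(out.pin) || out.pin.empty()) return false;
    // The message is terminated by a blank line.
    return pSocket->readLine(aLine) && aLine.empty();
}   // pSocket is destroyed exactly once here, whichever branch returned

// Helpers driving the handler over constructed messages (no network involved).
std::string validMessage() { return "LO_SERVER_CLIENT_PAIR\nMYNAME\n1234\n\n"; }
std::string oversizedPinMessage() {
    return "LO_SERVER_CLIENT_PAIR\nMYNAME\n" + std::string(20000, 'A') + "\n\n";
}
// Returns "name:pin" for an accepted handshake, or "" when it is rejected.
std::string pairedIdentity(const std::string& wire) {
    Handshake hs;
    bool ok = handlePairing(std::unique_ptr<FakeSocket>(new FakeSocket(wire)), hs);
    return ok ? hs.name + ":" + hs.pin : "";
}
```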
Workaround: Disable Impress Remote
While the remote control service is enabled by default, it can be disabled easily through the following menus:

  1. Open LibreOffice, go to "Tools -> Options..."
  2. Select "LibreOffice Impress -> General"
  3. Uncheck "Presentation -> Enable remote control"

Affected Systems
This bug should affect any system running LibreOffice 4.0.0 and later, which includes Ubuntu versions:
14.04.1 LTS (Trusty Tahr)
13.10 (Saucy Salamander)
13.04 (Raring Ringtail)
Vulnerable Version
LibreOffice version 4.2.5.2
Vendor Response
The vendor has issued a patch for this vulnerability; further details can be found at: https://www.libreoffice.org/about-us/security/advisories/CVE-2014-3693/
CVE
A single CVE entry has been assigned to this vulnerability: CVE-2014-3693