This Week In Security: OpenOffice Vulnerable, IOS Vulnerable, Outlook… You Get The Idea

We start this week with a good write-up by [Eugene Lim] on getting started on vulnerability hunting, and news of a problem in OpenOffice’s handling of DBase files. [Lim] decided to concentrate on a file format, and picked the venerable dbase format, .dbf. This database format was eventually used all over the place, and is still supported in Microsoft Office, Libreoffice, and OpenOffice. He put together a fuzzing approach using Peach Fuzzer, and found a handful of possible vulnerabilities in the file format, by testing a very simple file viewer that supported the format. He managed to achieve code execution in dbfview, but that wasn’t enough.

Armed with a vulnerability in one application, [Lim] turned his attention to OpenOffice. He knew exactly what he was looking for, and found vulnerable code right away. A buffer is allocated based on the specified data type, but data is copied into this buffer with a different length, also specified in the dbase file. Simple buffer overflow. Turning this into an actual RCE exploit took a bit of doing, but is possible. The disclosure didn’t include a full PoC, but will likely be reverse engineered shortly.

Normally we’d wrap by telling you to go get the update, but OpenOffice doesn’t have a stable release with this fix in it. There is a release candidate that does contain the fix, but every stable install of OpenOffice in the world is currently vulnerable to this RCE. The vulnerability report was sent way back on May 4th, over 90 days before full disclosure. And what about LibreOffice, the fork of OpenOffice? Surely it is also vulnerable? Nope. LibreOffice fixed this in routine code maintenance back in 2014. The truth of the matter is that when the two projects forked, the programmers who really understood the codebase went to LibreOffice, and OpenOffice has had a severe programmer shortage ever since. I’ve said it before: Use LibreOffice, OpenOffice is known to be unsafe. Continue reading “This Week In Security: OpenOffice Vulnerable, IOS Vulnerable, Outlook… You Get The Idea”

OpenOffice Or LibreOffice? A Star Is Torn

When it comes to open source office suites, most people choose OpenOffice or LibreOffice, and they both look suspiciously similar. That isn’t surprising since they both started with exactly the same code base. However, the LibreOffice team recently penned an open letter to the Apache project — the current keepers of OpenOffice — asking them to redirect new users to the LibreOffice project. Their logic is that OpenOffice has huge name recognition, but hasn’t had a new major release in several years. LibreOffice, on the other hand, is a very active project. We could argue that case either way, but we won’t. But it did get us thinking about how things got here.

It all started when German Marco Börries wrote StarWriter in 1985 for the Zilog Z80. By 1986, he created a company, Star Division, porting the word processor to platforms like CP/M and MSDOS. Eventually, the company added other office suite programs and with support for DOS, OS/2, and Windows, the suite became known as StarOffice.

The program was far less expensive than most competitors, costing about $70, yet in 1999 that price point prompted Sun Microsystems to buy StarOffice. We don’t mean they bought a copy or a license, they bought the entire thing for just under $74 million. The story was that it was still cheaper than buying a license for each Sun employee, particularly since most had both a Windows machine and a Unix machine which still required some capability.

Sun in Charge

Sun provided StarOffice 5.2 in 2000 as a free download for personal use, which gave the software a lot of attention. It eventually released much of the code under an open source license producing OpenOffice. Sun contributed to the project and would periodically snapshot the code to market future versions of StarOffice.

This was the state of affairs for a while. StarOffice 6.0 corresponded to OpenOffice 1.0. In 2003, release 1.1 turned into StarOffice 7. A couple of years later, StarOffice 8/OpenOffice 2.0 appeared and by 2008, we had StarOffice 9 with OpenOffice 3.0 just before Oracle entered the picture.

Continue reading “OpenOffice Or LibreOffice? A Star Is Torn”

Barcode Challenge – Part 2

HaD_barcode

Yesterday we issued a barcode challenge in honor of the Barcode’s birthday. Congratulations to [The Moogle] for winning this challenge. His submission offers a very detailed explanation of how he solved the puzzle using Photoshop, OpenOffice Calc, and some web resources. We’ve got a detailed writeup on it after the break.

Honorable mentions go to [nex] for putting up a Java solution and to [jwmaag] for showing a Python solution. Finally, kudos to all who used a CueCat in one way or another to decode the string. Just having one of those still around is pretty hack-it-y.

Because of the ubiquity of Barcode scanners and online image translation programs the challenge might have been a bit too easy. Do you think you’re up for a greater challenge? Download the new barcode and get to work. This one should be quite a bit harder to decipher. Once again, leave a comment that includes the message stored in the Barcode. Please remember, only entries that solve the puzzle and include a full description of the process will be considered. Good luck, and let the games begin.

Update: It only took [JP] 19 minutes to post a correct solution to the new Barcode.  Great work!

Continue reading “Barcode Challenge – Part 2”