Information Assurance

Mitchell Beard



Bugtraq Analysis

OpenOffice StarCalc Buffer Overflow


The Problem
StarOffice is an office suite with a number of programs and proprietary file formats, including a spreadsheet tool called StarCalc. Another office suite, OpenOffice, is known for being able to handle a large number of file types, including StarCalc documents. However, the OpenOffice StarCalc file converter code contains a security vulnerability known as a buffer overflow. Due to inadequate bounds checking, a carefully crafted StarCalc document can overflow a character buffer in OpenOffice and potentially execute any malicious code that the attacker wants. The code can be found below:

sc\source\filter\starcalc\scflt.cxx

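    USHORT NoteLen;
    rStream >> NoteLen;                 // 16-bit length taken directly from the file
    if (NoteLen != 0)
    {
        sal_Char Note[4096];            // fixed-size buffer on the stack
        rStream.Read(Note, NoteLen);    // NoteLen is never compared with sizeof(Note)

        Note[NoteLen] = 0;              // also written without a bounds check
        String aText( SC10TOSTRING(Note));
        ScPostIt aNote(aText, pDoc);
        pDoc->SetNote(Col, static_cast<SCROW>(Row), Tab, aNote );
    }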

Vulnerability Spread
OpenOffice is not often used on Windows machines due to the prevalence of Microsoft Office; however, it is considered a standard package on many Linux distributions. The following is a list of some of the operating systems at risk from the vulnerability.

Ubuntu Linux 6.10, 6.4, 5.10
S.u.S.E. openSUSE 10.2
S.u.S.E. Linux 10.1, 10.0, 9.3
RedHat Enterprise Linux
RedHat Desktop 4.0, 3.0
Debian Linux 4.0, 3.1

Prevention
The solution to the problem is rather simple; all that the program needs to do is check NoteLen before the stream read that copies data into Note, to ensure that it is not more than 4096 characters. This would prevent an overflow and the overwriting of other data on the stack.
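
One way to write the bounds check described above, as an added example that is not OpenOffice's actual fix. The record layout (a 2-byte little-endian length followed by the text), the in-memory buffer standing in for rStream, and the names read_note and try_record are assumptions made for illustration; the length has to be strictly less than 4096 so that the terminating zero written after the text also fits.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

const std::size_t NOTE_BUF_SIZE = 4096;   // same size as Note[] in scflt.cxx

// Hypothetical bounded reader: parses one note record from 'data' into 'note'.
// Returns the note length on success, -1 if the record must be rejected.
int read_note(const std::uint8_t *data, std::size_t avail,
              char *note, std::size_t note_size)
{
    if (avail < 2)
        return -1;                                 // length field is missing
    std::size_t note_len = data[0] | (data[1] << 8);  // file-controlled, 0..65535
    if (note_len >= note_size)
        return -1;                                 // text plus terminator would not fit
    if (note_len > avail - 2)
        return -1;                                 // file is shorter than it claims
    std::memcpy(note, data + 2, note_len);
    note[note_len] = 0;                            // in bounds: note_len <= note_size - 1
    return static_cast<int>(note_len);
}

// Builds a constructed record (claimed length + payload_bytes of 'A') and parses it.
int try_record(std::uint16_t claimed_len, std::size_t payload_bytes)
{
    static std::uint8_t record[2 + 65535];
    char note[NOTE_BUF_SIZE];
    record[0] = claimed_len & 0xFF;
    record[1] = claimed_len >> 8;
    std::memset(record + 2, 'A', payload_bytes);
    return read_note(record, 2 + payload_bytes, note, sizeof note);
}

int main()
{
    std::printf("5-byte note:            %d\n", try_record(5, 5));
    std::printf("4095-byte note:         %d\n", try_record(4095, 4095));
    std::printf("4096-byte note:         %d\n", try_record(4096, 4096));
    std::printf("65535-byte note:        %d\n", try_record(0xFFFF, 0xFFFF));
    std::printf("claims 100, has 10:     %d\n", try_record(100, 10));
    return 0;
}
```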

Work-Arounds & Future Protection
The vulnerable code is present in version 2.1 and earlier of OpenOffice. OpenOffice patch 1.1.5 has been released to resolve the vulnerability, and OpenOffice versions 2.2 and up have also resolved the issue. Updating the software is the easiest way to protect your system. You may also protect your system by not opening StarCalc files from untrusted sources until you know that your system has been patched. This problem could also have been easily prevented through better bounds checking in general, either directly through better coding or indirectly through a compiler that adds bounds checking to user code at compile time.