CVE-2009-0200 in OpenOffice

Summary

by MITRE

Integer underflow in OpenOffice.org (OOo) before 3.1.1 and StarOffice/StarSuite 7, 8, and 9 might allow remote attackers to execute arbitrary code via crafted records in the document table of a Word document, leading to a heap-based buffer overflow.


Analysis

by VulDB Data Team • 08/20/2021

CVE-2009-0200 is a critical integer underflow in OpenOffice.org before 3.1.1 and in StarOffice/StarSuite 7, 8, and 9. The flaw is in the code that parses Microsoft Word documents, specifically the handling of table records that form part of the document structure. It is triggered when the application reads a malformed Word document whose crafted table records cause incorrect arithmetic during memory allocation calculations.

The integer underflow occurs while the application processes table data structures in a Word document. When parsing table records, it calculates the buffer sizes needed for memory allocation. The underflow causes these calculations to produce unexpectedly small values, and the application then writes data past the end of the allocated memory, producing a heap-based buffer overflow. The weakness is classified as CWE-191 Integer Underflow (Wrap or Wraparound) and is a classic example of improper input validation leading to memory corruption.
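The C sketch below is an added example, not OpenOffice.org code and not part of the original entry. It shows the general CWE-191 pattern in a length-prefixed record parser, with the unchecked subtraction beside a checked form. The record layout, function names and sample bytes are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record layout, constructed for this example:
 * [type:1][len:2, little-endian][payload], where len includes the header. */
#define HDR_LEN 3u

/* Unchecked 16-bit arithmetic: a declared length below HDR_LEN wraps. */
uint16_t payload_len_unchecked(uint16_t declared)
{
    return (uint16_t)(declared - HDR_LEN);      /* declared = 1 gives 65534 */
}

/* Checked form: validate before subtracting, and bound by the bytes present. */
bool record_payload_len(const uint8_t *buf, size_t len, size_t off, uint16_t *out)
{
    if (off > len || len - off < HDR_LEN) return false;   /* truncated header */
    uint16_t declared = (uint16_t)(buf[off + 1] | (buf[off + 2] << 8));
    if (declared < HDR_LEN) return false;                 /* would underflow */
    if (declared > len - off) return false;               /* runs past input */
    *out = (uint16_t)(declared - HDR_LEN);
    return true;
}

/* Walk every record; return the record count, or -1 on the first bad one. */
int count_records(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        uint16_t payload;
        if (!record_payload_len(buf, len, off, &payload)) return -1;
        off += HDR_LEN + payload;
        n++;
    }
    return n;
}

/* Constructed sample inputs: the second record of bad_doc declares len = 1. */
static const uint8_t good_doc[] = {0x01, 0x05, 0x00, 'a', 'b', 0x02, 0x03, 0x00};
static const uint8_t bad_doc[]  = {0x01, 0x05, 0x00, 'a', 'b', 0x02, 0x01, 0x00};

int main(void)
{
    printf("unchecked(1)=%u good=%d bad=%d\n", (unsigned)payload_len_unchecked(1),
           count_records(good_doc, sizeof good_doc), count_records(bad_doc, sizeof bad_doc));
    return 0;
}
```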

The operational impact is severe: an attacker who can craft a malicious Word document can achieve remote code execution. The heap-based buffer overflow lets an adversary manipulate memory contents in ways that can lead to arbitrary code execution and potentially full system compromise. The attack only requires that a user open a specially crafted Word document, which makes the vulnerability particularly dangerous where users frequently open documents from untrusted sources. It aligns with ATT&CK techniques T1203 Exploitation for Client Execution and T1059 Command and Scripting Interpreter, as it leverages document parsing to execute malicious code.

Exploitation involves creating Word documents with malformed table records that trigger the integer underflow when processed by vulnerable versions of OpenOffice.org or StarOffice. The resulting buffer overflow can be used to overwrite memory structures, potentially allowing attackers to inject and execute code with the privileges of the user running the vulnerable application. The risk is significant in corporate environments where document sharing is common and users may inadvertently open malicious documents. Organizations should immediately update OpenOffice.org to version 3.1.1 or later and StarOffice/StarSuite to the corresponding fixed versions, and should also deploy network-based intrusion detection systems to monitor for potential exploitation attempts.

Reservation: 01/20/2009
Disclosure: 09/02/2009
Moderation: accepted
Entry: VDB-49786
CPE: ready
EPSS: 0.10842
KEV: no
Activities: very low
