Vulnerabilities > CVE-2016-10327 - Out-of-bounds Write vulnerability in Libreoffice

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(97496);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id("CVE-2016-10327", "CVE-2017-3157", "CVE-2017-7870");
  script_bugtraq_id(96402, 97668, 97671);

  script_name(english:"LibreOffice < 5.1.6 / 5.2.5 / 5.3.0 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of LibreOffice.");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote host is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of LibreOffice installed on the remote Windows host is
prior to 5.1, 5.1.x prior to 5.1.6, or 5.2.x prior to 5.2.5. It is,
therefore, affected by multiple vulnerabilities :

  - An overflow condition exists when processing EMF files,
    specifically in the EnhWMFReader::ReadEnhWMF() function
    within file vcl/source/filter/wmf/enhwmf.cxx, due to
    improper validation of a certain offset value in the
    header that precedes bitmap data. An unauthenticated,
    remote attacker can exploit this, via a specially
    crafted enhanced metafile file (EMF), to cause a denial
    of service condition or the execution of arbitrary code.
    Note that this vulnerability does not affect version
    5.1.x. (CVE-2016-10327)

  - A file disclosure vulnerability exists due to a flaw in
    the content preview feature when handling embedded
    objects. An unauthenticated, remote attacker can exploit
    this, via a specially crafted file, to disclose details
    of a file on the hosting system. (CVE-2017-3157)

  - An overflow condition exists in the Polygon::Insert()
    function within file tools/source/generic/poly.cxx
    when processing polygons in Windows metafiles (WMF) that
    under certain circumstances result in polygons with more
    points than can represented in LibreOffice's internal
    polygon class. An unauthenticated, remote attacker can
    exploit this, via a specially crafted WMF file, to cause
    a denial of service condition or the execution of
    arbitrary code. Note that this vulnerability does not
    affect version 5.1.x. (CVE-2017-7870)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.libreoffice.org/about-us/security/advisories/cve-2016-10327/");
  script_set_attribute(attribute:"see_also", value:"https://www.libreoffice.org/about-us/security/advisories/cve-2017-3157/");
  script_set_attribute(attribute:"see_also", value:"https://www.libreoffice.org/about-us/security/advisories/cve-2017-7870/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to LibreOffice version 5.1.6 / 5.2.5 / 5.3.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-7870");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/02/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:libreoffice:libreoffice");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("libreoffice_installed.nasl");
  script_require_keys("installed_sw/LibreOffice", "SMB/Registry/Enumerated");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

app_name = "LibreOffice";

get_kb_item_or_exit("SMB/Registry/Enumerated");

install    = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
version    = install['version'];
version_ui = install['display_version'];
path       = install['path'];

if (
  # < 5.x
  version =~ "^[0-4]($|[^0-9])" ||
  # 5.0 < 5.1
  version =~ "^5\.0($|[^0-9])" ||
  # 5.1 < 5.1.6
  version =~ "^5\.1($|\.[0-5])($|[^0-9])" ||
  # 5.2 < 5.2.5
  version =~ "^5\.2($|\.[0-4])($|[^0-9])"
)
{
  port = get_kb_item("SMB/transport");
  if (!port) port = 445;

  report =
    '\n  Path              : ' + path +
    '\n  Installed version : ' + version_ui +
    '\n  Fixed version     : 5.1.6 / 5.2.5 / 5.3.0' +
    '\n';
  security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
  exit(0);
}
else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version_ui, path);

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3273-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99965);
  script_version("3.7");
  script_cvs_date("Date: 2019/09/18 12:31:47");

  script_cve_id("CVE-2016-10327", "CVE-2017-7870");
  script_xref(name:"USN", value:"3273-1");

  script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : libreoffice vulnerabilities (USN-3273-1)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"It was discovered that LibreOffice incorrectly handled EMF image
files. If a user were tricked into opening a specially crafted EMF
image file, a remote attacker could cause LibreOffice to crash, and
possibly execute arbitrary code.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/3273-1/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected libreoffice-core package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libreoffice-core");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.10");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/05/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/03");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04|16\.04|16\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 16.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"libreoffice-core", pkgver:"1:4.2.8-0ubuntu5.1")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"libreoffice-core", pkgver:"1:5.1.6~rc2-0ubuntu1~xenial2")) flag++;
if (ubuntu_check(osver:"16.10", pkgname:"libreoffice-core", pkgver:"1:5.2.2-0ubuntu2.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libreoffice-core");
}