Vulnerabilities > CVE-2016-6803 - Untrusted Search Path vulnerability in Apache Openoffice

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

apache

CWE-426

nessus

NVD

Published: 2017-11-13

Updated: 2017-11-29

Summary

An installer defect known as an "unquoted Windows search path vulnerability" affected the Apache OpenOffice before 4.1.3 installers for Windows. The PC must have previously been infected by a Trojan Horse application (or user) running with administrative privilege. Any installer with the unquoted search path vulnerability becomes a delayed trigger for the exploit.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Openoffice - Apache Openoffice 1.0.2 Apache Openoffice 1.0.3 Apache Openoffice 1.1.0 Apache Openoffice 1.1.4 Apache Openoffice 1.1.5 Apache Openoffice 2.0.0 Apache Openoffice 2.0.1 Apache Openoffice 2.0.2 Apache Openoffice 2.0.3 Apache Openoffice 2.0.4 Apache Openoffice 2.1.0 Apache Openoffice 2.2.0 Apache Openoffice 2.2.1 Apache Openoffice 2.3.0 Apache Openoffice 2.3.1 Apache Openoffice 2.4.0 Apache Openoffice 2.4.1 Apache Openoffice 2.4.2 Apache Openoffice 2.4.3 Apache Openoffice 3.0.0 Apache Openoffice 3.0.1 Apache Openoffice 3.1.0 Apache Openoffice 3.1.1 Apache Openoffice 3.2.0 Apache Openoffice 3.2.1 Apache Openoffice 3.3.0 Apache Openoffice 3.4.0 Apache Openoffice 3.4.1 Apache Openoffice 4.0.0 Apache Openoffice 4.0.1 Apache Openoffice 4.1.0 Apache Openoffice 4.1.1 Apache Openoffice 4.1.2	38
OS	Microsoft Microsoft Windows -	1

Common Weakness Enumeration (CWE)

CWE-426 - Untrusted Search Path

Common Attack Pattern Enumeration and Classification (CAPEC)

Leveraging/Manipulating Configuration File Search Paths
This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.

Nessus

NASL family	Windows
NASL id	OPENOFFICE_413.NASL
description	The version of Apache OpenOffice installed on the remote host is a version prior to 4.1.3. It is, therefore, affected by the following vulnerabilities : - A memory corruption issue exists in the Impress tool due to improper validation of user-supplied input when handling elements in invalid presentations. An unauthenticated, remote attacker can exploit this, via specially crafted MetaActions in an ODP or OTP file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-1513) - A privilege escalation vulnerability exists due to the use of an unquoted Windows search path. A local attacker can exploit this to execute arbitrary code with elevated privileges. (CVE-2016-6803) - A privilege escalation vulnerability exists due to the use of a fixed path to load system binaries. A local attacker can exploit this, via a specially crafted DLL file in the library path, to inject and execute arbitrary code with elevated privileges. (CVE-2016-6804)
last seen	2020-06-01
modified	2020-06-02
plugin id	94199
published	2016-10-21
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/94199
title	Apache OpenOffice < 4.1.3 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(94199); script_version("1.7"); script_cvs_date("Date: 2019/11/14"); script_cve_id("CVE-2016-1513", "CVE-2016-6803", "CVE-2016-6804"); script_bugtraq_id(92079, 93774); script_name(english:"Apache OpenOffice < 4.1.3 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Apache OpenOffice."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host has an application installed that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Apache OpenOffice installed on the remote host is a version prior to 4.1.3. It is, therefore, affected by the following vulnerabilities : - A memory corruption issue exists in the Impress tool due to improper validation of user-supplied input when handling elements in invalid presentations. An unauthenticated, remote attacker can exploit this, via specially crafted MetaActions in an ODP or OTP file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-1513) - A privilege escalation vulnerability exists due to the use of an unquoted Windows search path. A local attacker can exploit this to execute arbitrary code with elevated privileges. (CVE-2016-6803) - A privilege escalation vulnerability exists due to the use of a fixed path to load system binaries. A local attacker can exploit this, via a specially crafted DLL file in the library path, to inject and execute arbitrary code with elevated privileges. (CVE-2016-6804)"); script_set_attribute(attribute:"see_also", value:"https://www.openoffice.org/security/cves/CVE-2016-1513.html"); script_set_attribute(attribute:"see_also", value:"https://www.openoffice.org/security/cves/CVE-2016-6803.html"); script_set_attribute(attribute:"see_also", value:"https://www.openoffice.org/security/cves/CVE-2016-6804.html"); script_set_attribute(attribute:"see_also", value:"https://archive.apache.org/dist/openoffice/4.1.2-patch1/hotfix.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Apache OpenOffice version 4.1.3 or later. Alternatively, the vendor has released a hotfix for 4.1.2 that resolves CVE-2016-1513. Note that the hotfix only resolves this one vulnerability."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6804"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/21"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/21"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:openoffice"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("openoffice_installed.nasl"); script_require_keys("installed_sw/OpenOffice", "SMB/Registry/Enumerated"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); include("smb_func.inc"); include("smb_hotfixes_fcheck.inc"); app_name = "OpenOffice"; get_kb_item_or_exit("SMB/Registry/Enumerated"); install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE); build = install['version']; path = install['path']; version_ui = install['display_version']; matches = eregmatch(string:build, pattern:"([0-9]+[a-z][0-9]+)\(Build:([0-9]+)\)"); if (isnull(matches)) audit(AUDIT_VER_FAIL, app_name); buildid = int(matches[2]); flag = FALSE; caveat = ''; # Version 4.1.2 is build 9782 if (buildid == 9782) { # A hotfix was made available for version 4.1.2 called "Patch 1" that # updates tl.dll. The version of tl.dll does not change, so we check # the timestamp. fixed_ts = 1467765120; file_path = hotfix_append_path(path:path, value:"\program\tl.dll"); file_ts = hotfix_get_timestamp(path:file_path); # If we were able to get a timestamp, determine vulnerability if (file_ts['error'] == HCF_OK) { file_ts = file_ts['value']; if (file_ts < fixed_ts) flag = TRUE; else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version_ui + " (Patch 1)", path); } # If we weren't able to get a timestamp but report paranoia is Paranoid, # report the vuln with a caveat; otherwise, audit out. else if (report_paranoia > 1) { flag = TRUE; caveat = ' \nNote that Nessus was unable to determine if a hotfix has been applied.\n'; } else audit(AUDIT_PARANOID); } # Version 4.1.3 is build 9783 else if (buildid < 9783) flag = TRUE; if (!flag) audit(AUDIT_INST_PATH_NOT_VULN, app_name, version_ui, path); port = get_kb_item("SMB/transport"); if (!port) port = 445; report = '\n Path : ' + path + '\n Installed version : ' + version_ui + '\n Fixed version : 4.1.3 (413m1 / build 9783)' + '\n' + caveat; security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References