Partially controlled memory write vulnerability exists in Mac Word file format parsing code of Oracle Outside In Technology Content Access SDK. An unchecked pointer arithmetic leads to an out of bounds memory overwrite resulting in code execution.
When parsing a Mac Word document a single-byte value from a file is used as a starting value for a counter which is used in arithmetic operations for memory access. No size checks are performed after the arithmetic operations resulting in an out of bounds 4 byte memory write.
Although the file is identified by OIT CA SDK as FIMACWORD5, leading to it being
parsed by libvsword library, the vulnerability can be triggered by the example
parsepst application supplied with the SDK.
Technical information below:
Vulnerability is present in function at address 0xB74A83AC in libvs_word.so library (with image base at 0xB74A2000), specifically starting in the following basic block:
.text:B74A937C loc_B74A937C: ; CODE XREF: sub_B74A83AC+FC1j .text:B74A937C movzx edx, di  .text:B74A937F movzx eax, si .text:B74A9382 movzx ecx, word ptr [ebp+eax*2+0A30h] .text:B74A938A mov [ebp+edx*2+0A30h], cx .text:B74A9392 shl edx, 4  .text:B74A9395 add edx, ebp  .text:B74A9397 add edx, 800h  .text:B74A939D shl eax, 4 .text:B74A93A0 add eax, ebp .text:B74A93A2 add eax, 800h .text:B74A93A7 mov ecx, [eax+0Eh] .text:B74A93AA mov [edx+0Eh], ecx  .text:B74A93AD mov ecx, [eax+12h] .text:B74A93B0 mov [edx+12h], ecx  .text:B74A93B3 mov ecx, [eax+16h] .text:B74A93B6 mov [edx+16h], ecx  .text:B74A93B9 mov eax, [eax+1Ah] .text:B74A93BC mov [edx+1Ah], eax  .text:B74A93BF add edi, 1 .text:B74A93C2 add esi, 1 .text:B74A93C5 sub word ptr [esp+12Ch+var_9C+2], 1 .text:B74A93CE jnz short loc_B74A936F
Initial value of
di register comes from a byte at offset 0x29d in the
supplied testcase and is used as a starting value for a counter. Value
is zero extended into edx at  and is then used in arithmetic operations at
,  and . Final value is used as a pointer to a structure and values of
eax registers get written to appropriate structure fields at , , 
and . Upper limit for the counter value is 0x100. No bounds checking is
being made after pointer arithmetic resulting in a possible out of bounds
While parsing the first supplied testcase, out of bounds write results in a pointer previously initialized to NULL to become non-NULL leading to an invalid free() during the cleanup after the file has been parsed. In the case of the second supplied testcase, the same vulnerability results in a function pointer overwrite leading to an even simpler exploitable condition.
2015–10-19 - Discovery
2016-04-20 - Initial Vendor Notification
2016-07-19 - Public Disclosure
Discovered by Aleksandar Nikolic of Cisco Talos.