ID CVE-2006-2199
Summary Unspecified vulnerability in Java Applets in OpenOffice.org 1.1.x (aka StarOffice) up to 1.1.5 and 2.0.x before 2.0.3 allows user-assisted attackers to escape the Java sandbox and conduct unauthorized activities via certain applets in OpenOffice documents.
References
Vulnerable Configurations
  • cpe:2.3:a:openoffice:openoffice:1.1.0
  • cpe:2.3:a:openoffice:openoffice:1.1.1
  • cpe:2.3:a:openoffice:openoffice:1.1.2
  • cpe:2.3:a:openoffice:openoffice:1.1.3
  • cpe:2.3:a:openoffice:openoffice:1.1.4
  • cpe:2.3:a:openoffice:openoffice:1.1.5
  • cpe:2.3:a:openoffice:openoffice:2.0.0
  • cpe:2.3:a:openoffice:openoffice:2.0.1
  • cpe:2.3:a:openoffice:openoffice:2.0.2
  • Sun StarOffice 6.0
    cpe:2.3:a:sun:staroffice:6.0
  • Sun StarOffice 7.0
    cpe:2.3:a:sun:staroffice:7.0
  • Sun StarOffice 8.0
    cpe:2.3:a:sun:staroffice:8.0
CVSS
Base: 7.6 (as of 03-07-2006 - 09:42)
Impact:
Exploitability:
Access
  • Vector: NETWORK
  • Complexity: HIGH
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-005.NASL
    description Rectifies an error patch condition whereby corrupt wmf/emf files with out of bounds values in the emf/wmf file could enable an attacker by constructing a malicious file to execute arbitrary code if opened in OpenOffice by a victim. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 24184
    published 2007-01-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24184
    title Fedora Core 5 : openoffice.org-2.0.2-5.20.2 / Fedora Core 6 : openoffice.org-2.0.4-5.5.10 (2007-005)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-118.NASL
    description OpenOffice.org 1.1.x up to 1.1.5 and 2.0.x before 2.0.3 allows user-complicit attackers to conduct unauthorized activities via an OpenOffice document with a malicious BASIC macro, which is executed without prompting the user. (CVE-2006-2198) An unspecified vulnerability in Java Applets in OpenOffice.org 1.1.x up to 1.1.5 and 2.0.x before 2.0.3 allows user-complicit attackers to escape the Java sandbox and conduct unauthorized activities via certain applets in OpenOffice documents. (CVE-2006-2199) Heap-based buffer overflow in OpenOffice.org 1.1.x up to 1.1.5 and 2.0.x before 2.0.3 allows user-complicit attackers to execute arbitrary code via a crafted OpenOffice XML document that is not properly handled by (1) Calc, (2) Draw, (3) Impress, (4) Math, or (5) Writer, aka 'File Format / Buffer Overflow Vulnerability.' (CVE-2006-3117) Updated packages are patched to address this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 22014
    published 2006-07-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22014
    title Mandrake Linux Security Advisory : OpenOffice.org (MDKSA-2006:118)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1104.NASL
    description Loading malformed XML documents can cause buffer overflows in OpenOffice.org, a free office suite, and cause a denial of service or execute arbitrary code. It turned out that the correction in DSA 1104-1 was not sufficient, hence, another update. For completeness please find the original advisory text below : Several vulnerabilities have been discovered in OpenOffice.org, a free office suite. The Common Vulnerabilities and Exposures Project identifies the following problems : - CVE-2006-2198 It turned out to be possible to embed arbitrary BASIC macros in documents in a way that OpenOffice.org does not see them but executes them anyway without any user interaction. - CVE-2006-2199 It is possible to evade the Java sandbox with specially crafted Java applets. - CVE-2006-3117 Loading malformed XML documents can cause buffer overflows and cause a denial of service or execute arbitrary code. This update has the Mozilla component disabled, so that the Mozilla/LDAP addressbook feature won't work anymore. It didn't work on anything else than i386 on sarge either.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22646
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22646
    title Debian DSA-1104-2 : openoffice.org - several vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0573.NASL
    description Updated openoffice.org packages are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. A Sun security specialist reported an issue with the application framework. An attacker could put macros into document locations that could cause OpenOffice.org to execute them when the file was opened by a victim. (CVE-2006-2198) A bug was found in the OpenOffice.org Java virtual machine implementation. An attacker could write a carefully crafted Java applet that can break through the 'sandbox' and have full access to system resources with the current user privileges. (CVE-2006-2199) A buffer overflow bug was found in the OpenOffice.org file processor. An attacker could create a carefully crafted XML file that could cause OpenOffice.org to write data to an arbitrary location in memory when the file was opened by a victim. (CVE-2006-3117) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported fixes for these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21906
    published 2006-07-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21906
    title CentOS 3 / 4 : openoffice.org (CESA-2006:0573)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0573.NASL
    description Updated openoffice.org packages are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. A Sun security specialist reported an issue with the application framework. An attacker could put macros into document locations that could cause OpenOffice.org to execute them when the file was opened by a victim. (CVE-2006-2198) A bug was found in the OpenOffice.org Java virtual machine implementation. An attacker could write a carefully crafted Java applet that can break through the 'sandbox' and have full access to system resources with the current user privileges. (CVE-2006-2199) A buffer overflow bug was found in the OpenOffice.org file processor. An attacker could create a carefully crafted XML file that could cause OpenOffice.org to write data to an arbitrary location in memory when the file was opened by a victim. (CVE-2006-3117) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported fixes for these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 21916
    published 2006-07-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21916
    title RHEL 3 / 4 : openoffice.org (RHSA-2006:0573)
  • NASL family Windows
    NASL id OPENOFFICE_ORG_203.NASL
    description The remote host is running a version of OpenOffice.org which is older than version 2.0.3. An attacker may use this to execute arbitrary code on this host. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have him open it. The file could be crafted in such a way that it could exploit a buffer overflow in OpenOffice.org's XML parser, or by containing rogue macros.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 21784
    published 2006-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21784
    title OpenOffice < 2.0.3 Multiple Vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-313-1.NASL
    description It was possible to embed Basic macros in documents in a way that OpenOffice.org would not ask for confirmation about executing them. By tricking a user into opening a malicious document, this could be exploited to run arbitrary Basic code (including local file access and modification) with the user's privileges. (CVE-2006-2198) A flaw was discovered in the Java sandbox which allowed Java applets to break out of the sandbox and execute code without restrictions. By tricking a user into opening a malicious document, this could be exploited to run arbitrary code with the user's privileges. This update disables Java applets for OpenOffice.org, since it is not generally possible to guarantee the sandbox restrictions. (CVE-2006-2199) A buffer overflow has been found in the XML parser. By tricking a user into opening a specially crafted XML file with OpenOffice.org, this could be exploited to execute arbitrary code with the user's privileges. (CVE-2006-3117). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27888
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27888
    title Ubuntu 5.04 / 6.06 LTS : openoffice.org-amd64, openoffice.org vulnerabilities (USN-313-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-313-2.NASL
    description USN-313-1 fixed several vulnerabilities in OpenOffice for Ubuntu 5.04 and Ubuntu 6.06 LTS. This followup advisory provides the corresponding update for Ubuntu 5.10. For reference, these are the details of the original USN : It was possible to embed Basic macros in documents in a way that OpenOffice.org would not ask for confirmation about executing them. By tricking a user into opening a malicious document, this could be exploited to run arbitrary Basic code (including local file access and modification) with the user's privileges. (CVE-2006-2198) A flaw was discovered in the Java sandbox which allowed Java applets to break out of the sandbox and execute code without restrictions. By tricking a user into opening a malicious document, this could be exploited to run arbitrary code with the user's privileges. This update disables Java applets for OpenOffice.org, since it is not generally possible to guarantee the sandbox restrictions. (CVE-2006-2199) A buffer overflow has been found in the XML parser. By tricking a user into opening a specially crafted XML file with OpenOffice.org, this could be exploited to execute arbitrary code with the user's privileges. (CVE-2006-3117). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-05-27
    plugin id 27889
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27889
    title Ubuntu 5.10 : openoffice.org2-amd64, openoffice.org2 vulnerabilities (USN-313-2)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_OPENOFFICE_ORG-1698.NASL
    description Following security problems were found in OpenOffice_org : - CVE-2006-2198: A security vulnerability in OpenOffice.org may make it possible to inject basic code into documents which is executed upon loading of the document. The user will not be asked or notified and the macro will have full access to system resources with current user's privileges. As a result, the macro may delete/replace system files, read/send private data and/or cause additional security issues. Note that this attack works even with Macro execution disabled. This attack allows remote attackers to modify files / execute code as the user opening the document. - CVE-2006-2199: A security vulnerability related to OpenOffice.org documents may allow certain Java applets to break through the 'sandbox' and therefore have full access to system resources with current user privileges. The offending Applets may be constructed to destroy/replace system files, read or send private data, and/or cause additional security issues. Since Java applet support is only there for historical reasons, as StarOffice was providing browser support, the support has now been disabled by default. - CVE-2006-3117: A buffer overflow in the XML utf8 converter allows for a value to be written to an arbitrary location in memory. This may lead to command execution in the context of the current user.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27134
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27134
    title openSUSE 10 Security Update : OpenOffice_org (OpenOffice_org-1698)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200607-12.NASL
    description The remote host is affected by the vulnerability described in GLSA-200607-12 (OpenOffice.org: Multiple vulnerabilities) Internal security audits by OpenOffice.org have discovered three security vulnerabilities related to Java applets, macros and the XML file format parser. Specially crafted Java applets can break through the 'sandbox'. Specially crafted macros make it possible to inject BASIC code into documents which is executed when the document is loaded. Loading a malformed XML file can cause a buffer overflow. Impact : An attacker might exploit these vulnerabilities to escape the Java sandbox, execute arbitrary code or BASIC code with the permissions of the user running OpenOffice.org. Workaround : Disabling Java applets will protect against the vulnerability in the handling of Java applets. There are no workarounds for the macro and file format vulnerabilities.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 22120
    published 2006-07-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22120
    title GLSA-200607-12 : OpenOffice.org: Multiple vulnerabilities
oval via4
accepted 2013-04-29T04:13:21.438-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Unspecified vulnerability in Java Applets in OpenOffice.org 1.1.x (aka StarOffice) up to 1.1.5 and 2.0.x before 2.0.3 allows user-assisted attackers to escape the Java sandbox and conduct unauthorized activities via certain applets in OpenOffice documents.
family unix
id oval:org.mitre.oval:def:11338
status accepted
submitted 2010-07-09T03:56:16-04:00
title Unspecified vulnerability in Java Applets in OpenOffice.org 1.1.x (aka StarOffice) up to 1.1.5 and 2.0.x before 2.0.3 allows user-assisted attackers to escape the Java sandbox and conduct unauthorized activities via certain applets in OpenOffice documents.
version 24
redhat via4
advisories
rhsa
id RHSA-2006:0573
refmap via4
bid 18737
bugtraq 20060926 rPSA-2006-0173-1 openoffice.org
cert-vn VU#243681
confirm
debian DSA-1104
fedora FEDORA-2007-005
gentoo GLSA-200607-12
mandriva MDKSA-2006:118
sectrack 1016414
secunia
  • 20867
  • 20893
  • 20910
  • 20911
  • 20913
  • 20975
  • 20995
  • 21278
  • 23620
sunalert 102475
suse SUSE-SA:2006:040
ubuntu
  • USN-313-1
  • USN-313-2
vupen
  • ADV-2006-2607
  • ADV-2006-2621
xf openoffice-applet-sandbox-bypass(27569)
Last major update 06-05-2011 - 00:00
Published 30-06-2006 - 14:05
Last modified 18-10-2018 - 12:38