A buffer overflow vulnerability which affects both the KOffice and Calligra office suites has been disclosed by Charlie Miller of Accuvant Labs. The vulnerability, which allows an attacker to execute arbitrary code by exploiting an error in the read() function of the ODF renderer, was revealed as part of Miller’s presentation on NFC hacking at the recent Black Hat conference.
The vulnerability is exploited by tricking a user into opening a malicious ODF file that then causes a heap-based buffer overflow and leads to the attacker’s code being executed. Since KOffice runs on the Nokia N9 smartphone, Miller demonstrated how a maliciously crafted ODF file sent over NFC can be used to execute arbitrary code on the target phone.
More information on the vulnerability is available in Miller’s paper which he presented at the Black Hat conference. The vulnerability is rated “Highly Critical” by Secunia and, to date, has not been fixed in either KOffice or Calligra.