Multiple Antenna House Vulnerabilities

Researchers have identified six vulnerabilities in the Antenna House Office Server Document Converter (OSDC).[1]  OSDC is a product designed to convert Microsoft Office documents into PDF and SVG documents.  The vulnerabilities can be used to remotely execute code on a vulnerable system.  They can be exploited to execute code locally, or even remotely if the product is used in batch mode by the user.  In that case, the maliciously crafted document could be handled automatically by the product, and successful exploitation could result in full control of the vulnerable system.  All six identified vulnerabilities can be exploited by a specially crafted Microsoft Office document.

CVE and Talos Explanations

  1. CVE-2018-3929 and TALOS-2018-0596 explain the Antenna House OSDC OLEread Code Execution Vulnerability. This vulnerability is located in the conversion process of a PowerPoint (.ppt) file to PDF, JPEG, and other file formats.  A specially crafted .ppt file can lead to heap corruption and remote code execution.
  2. CVE-2018-3930, TALOS-2018-0596 and TALOS-2018-0597 describe the Antenna House OSDC vbgetfp Code Execution Vulnerability. This vulnerability is located in the conversion process of a Microsoft Word file (.doc) to PDF, JPEG and other file formats. A specially crafted Microsoft Word file can lead to heap corruption and remote code execution.
  3. CVE-2018-3931, TALOS-2018-0597 and TALOS-2018-0598 explain the Antenna House OSDC putShapeProperty Code Execution Vulnerability. This vulnerability is located in the conversion process of a Microsoft Word file (.doc) to a PDF, JPEG and other file formats. A specially crafted Microsoft Word file can lead to a stack-based buffer overflow and remote code execution.
  4. CVE-2018-3932, TALOS-2018-0598 and TALOS-2018-0599 show the Antenna House OSDC putlsttbl Code Execution Vulnerability. This vulnerability is located in the conversion process of a Microsoft Word file (.doc) to PDF, JPEG and other file formats. A specially crafted Microsoft Word file can lead to a stack-based buffer overflow and remote code execution.
  5. CVE-2018-3933, TALOS-2018-0599 and TALOS-2018-0600 explain the Antenna House OSDC vbputanld Code Execution Vulnerability. This vulnerability is located in the conversion process of a Microsoft Word file (.doc) to PDF, JPEG and other formats. A specially crafted Microsoft Word file can lead to a stack-based buffer overflow and remote code execution.
  6. CVE-2018-3936, TALOS-2018-0600 and TALOS-2018-0603 show the Antenna House OSDC GetShapePropery 0x105 Code Execution Vulnerability. An exploitable out-of-bounds write exists in the Microsoft Word document conversion functionality of the Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312). A crafted Microsoft Word (DOC) document can lead to an out-of-bounds write, resulting in remote code execution. This vulnerability occurs in the `GetShapePropery` method.

Tested Versions (TALOS-2018-0603): Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312)

Mitigation

The Snort rules listed below will detect these exploitation attempts.  Additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information.  For the most current rule information, please refer to your Firepower Management Console or Snort.org.

Snort Rules: 46843, 46844, 46845, 46946, 46768, 46769, 46761, 46762

If any Small Business Alliance members are using the OSDC application, we strongly suggest you utilize the Snort rules for exploit detection and follow current and future CVEs for any future patch applications.
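
One way to confirm that the rule SIDs listed above are present and enabled in a local Snort rules file, as an added example that is not part of the original report. The function names are hypothetical and the sample rule lines are constructed placeholders, not the published rule text.

```python
import re

# Snort rule SIDs listed in this report.
ADVISORY_SIDS = [46843, 46844, 46845, 46946, 46768, 46769, 46761, 46762]

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTIONS = ("alert", "drop", "block", "reject", "sdrop", "log", "pass")


def rule_states(rules_text):
    """Map each SID in a rules file to 'enabled' or 'disabled'.

    A rule that is commented out ('# alert ...') counts as disabled;
    ordinary comment lines are ignored.
    """
    states = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        disabled = line.startswith("#")
        body = line.lstrip("#").strip()
        if not body.startswith(ACTIONS):
            continue
        match = SID_RE.search(body)
        if not match:
            continue
        sid = int(match.group(1))
        # An enabled copy of a rule wins over a commented-out copy.
        if not disabled or sid not in states:
            states[sid] = "disabled" if disabled else "enabled"
    return states


def coverage(rules_text, wanted=ADVISORY_SIDS):
    """Return {sid: 'enabled' | 'disabled' | 'missing'} for the wanted SIDs."""
    states = rule_states(rules_text)
    return {sid: states.get(sid, "missing") for sid in wanted}


# Constructed sample: rule bodies are placeholders, not the published rules.
SAMPLE_RULES = """\
# file-office rules (constructed excerpt)
alert tcp any any -> any any (msg:"placeholder A"; sid:46843; rev:1;)
# alert tcp any any -> any any (msg:"placeholder B"; sid:46844; rev:1;)
alert tcp any any -> any any (msg:"placeholder C"; sid : 46768 ; rev:2;)
alert tcp any any -> any any (msg:"unrelated"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    for sid, state in coverage(SAMPLE_RULES).items():
        print(f"{sid}: {state}")
```

Any SID reported as `disabled` or `missing` means the sensor will not alert on the corresponding rule until the rule set is updated or the rule is enabled.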

 

For questions, comments or amplifying information regarding this report, please contact our Lab directly at 603-606-1246, or feedback@wapacklabs.com

 

[1] https://blog.talosintelligence.com/2018/07/vuln-spotlight-antenna.html
