Security researcher Alex Inführ has discovered a severe remote code execution (RCE) vulnerability in these two open source office suites that could be triggered just by opening a maliciously-crafted ODT (OpenDocument Text) file.
The attack relies on exploiting a directory traversal flaw, identified as CVE-2018-16858, to automatically execute a specific python library bundled within the software using a hidden onmouseover event.
To exploit this vulnerability, Inführ created an ODT file with a white-colored hyperlink (so it can’t be seen) that has an “onmouseover” event to trick victims into executing a locally available python file on their system when placing their mouse anywhere on the invisible hyperlink.
According to the researcher, the python file, named “pydoc.py,” that comes included with the LibreOffice’s own Python interpreter accepts arbitrary commands in one of its parameters and execute them through the system’s command line or console.
PoC Exploit and Video Demo Released
Inführ provided a proof-of-concept (PoC) video demonstration showing how he was able to trick the event into calling a specific function within a Python file, which eventually executed the researcher’s payload through Windows command line (cmd) without showing any warning dialog to the user.
The researcher also released the PoC exploit code for the vulnerability and stressed that though he tested his exploit on Microsoft’s Windows operating system, it should work on Linux, as well.
Inführ reported the vulnerability to LibreOffice and Apache OpenOffice on October 18 last year. While LibreOffice fixed the issue by the end of that month with the release of LibreOffice 6.0.7/6.1.3, OpenOffice still appears to be vulnerable.
In mid-November, RedHat assigned the path traversal vulnerability a CVE ID and told the researcher not to disclose the details or PoC of the bug until January 31, 2019.
Inführ made the details and PoC exploit code of the vulnerability public on February 1, even when Apache OpenOffice 4.1.6 (latest version at the time of writing) remains unpatched. However, he says his exploit code does not work on OpenOffice.
“Openoffice does not allow to pass parameters; therefore, my PoC does not work but the path traversal can [still] be abused to execute a python script from another location on the local file system,” Inführ explains.
As a workaround until OpenOffice releases a security fix, users can remove or rename the pythonscript.py file in the installation folder to disable the support for python.
So, merely ditching Microsoft Office for open-source office suites would not help much to protect yourself from such attacks, unless you adopt basic security practices.