Pierluigi Paganini February 05, 2019

A security expert discovered a severe Remote Code Execution vulnerability in the popular LibreOffice and Apache OpenOffice.

The security researcher Alex Inführ discovered a severe remote code execution vulnerability in LibreOffice and Apache OpenOffice that could be exploited by tricking victims into opening an ODT (OpenDocument Text) file embedding an event embedded. The flaw could have a huge impact because the popular free, open source office suite is used by millions of Windows, MacOS and Linux users.

The expert discovered that it is possible to abuse the OpenDocument scripting framework by adding an onmouseoverevent to a link included in the ODT file.

The expert devised an attack that relies on exploiting a directory traversal vulnerability tracked as CVE-2018-16858. By exploiting the vulnerability it is possible to trigger the automatic execution of a specific python library included in the suite using a hidden onmouseover event.

Inführ used a specially ODT file containing a white-colored hyperlink (he has used the white color to make it invisible in the document) that has an “onmouseover” event to execute a local python file.

The expert pointed out that the python file, named “pydoc.py,” is already included in the LibreOffice software. The suite has its own python interpreter and the file accepts arbitrary commands in one of its parameters and executes them through the system’s command line or console.

“The idea was to abuse the path traversal to traverse down into the users Download directory and load the ODT file as a python script (ergo creating a polyglot file, which is a python file + a working ODT file).” wrote the expert.

“For the solution I looked into the python parsing code a little more in depth and discovered that it is not only possible to specify the function you want to call inside a python script, but it is possible to pass parameters as well (this feature seems to be introduced in the 6.1.x branch) “

Inführ also published a video PoC of the attack that shows how to use the event to trigger the execution of a specific function within a Python file.

The expert also published the PoC exploit code for the flaw that works on Windows OS.

Inführ reported the vulnerability to LibreOffice and Apache OpenOffice on October 18. While LibreOffice addressed the flaw by the end of the October, OpenOffice is still affected by the flaw.

Inführ reported the vulnerability to LibreOffice and Apache OpenOffice on October 18 last year. While LibreOffice fixed the issue by the end of that month with the release of LibreOffice 6.0.7/6.1.3, OpenOffice still appears to be vulnerable.

RedHat assigned the flaw the CVE ID and requested the researcher to wait until January 31, 2019 for its public disclosure.

Waiting for a fix it is possible to remove or rename the pythonscript.py file in the installation folder to disable the support for python.

Pierluigi Paganini

(Security Affairs – Libre Office, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]