A flaw in LibreOffice could allow the hack of your PC

Pierluigi Paganini July 26, 2019

LibreOffice users have to know that their unpatched computers could be hacked by simply opening a specially crafted document.

Bad news for LibreOffice users, the popular free and open-source office suite is affected by an unpatched remote code execution vulnerability

Recently, LibreOffice released the latest version 6.2.5 that addresses two severe flaws tracked as CVE-2019-9848 and CVE-2019-9849.

The fix CVE-2019-9849 did not completely address the security researcher Alex Inführ explained hot to bypass it.

Below the description for the vulnerability CVE-2019-9848 published by the NIS National Vulnerability Database.

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning.” reads the security advisory.

Alex Inführ did not disclose technical details about the technique he devised to bypass the fix but confirmed via Twitter that he was able to successfully exploit it in the latest LibreOffice version 6.2.5

The flaw resides in LibreLogo, a programmable turtle vector graphics script that ships by default with LibreOffice. LibreLogo allows users to specify pre-installed scripts in a document that can be executed when some events occur.

The vulnerability can be exploited by attackers using specially crafted malicious LibreOffice document files that can result in the silent execution of arbitrary python commands without displaying any warning to the victim.

The vulnerability was first discovered by security expert Nils Emmerich that described the issue with the following statement:

LibreOffice is shipped by default with LibreLogo, a macro to programmable move a turtle vector graphic. To move the turtle, LibreLogo executes custom script code that is internally translated to python code and executed.” wrote the expert. “The big problem here is that the code in not translated well and just supplying python code as the script code often results in the same code after translation.”

The expert explained that using forms and OnFocus event, it is even possible to execute arbitrary code when the document is opened, without the need for a mouse-over event. The expert also published a proof-of-concept for this attack.


Waiting for final fix users are recommended to uninstall the LibreLogo component.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – LibreOffice, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment