Pierluigi Paganini
February 14, 2019
ACROS Security’s 0patch released an unofficial patch for a path traversal flaw recently disclosed in the Apache OpenOffice suite.
The security researcher Alex Inführ discovered a severe remote code execution vulnerability in LibreOffice and Apache OpenOffice that could be exploited by tricking victims into opening an ODT (OpenDocument Text) file embedding an event embedded.
“I started to have a look at
The flaw could have a huge impact because the popular free, open source office suite is used by millions of Windows, MacOS and Linux users.
The expert discovered that it is possible to abuse the OpenDocument scripting framework by adding an
Inführ devised an attack that relies on exploiting a directory traversal vulnerability tracked as CVE-2018-16858. By exploiting the vulnerability it is possible to trigger the automatic execution of a specific python library included in the suite using a hidden
Even if OpenOffice developers still haven’t released a fix for the issue, 0patch experts have released an unofficial patch to address this flaw. The
OpenOffice users, this one is for you! We've issued a free micropatch that fixes a remote code execution 0day found by @insertScript (https://t.co/jOn5Rfl205). To get the micropatch applied, just install and register 0patch Agent from https://t.co/UMXoQqpLQh. pic.twitter.com/jxjFhzUtaQ
— 0patch (@0patch) February 13, 2019
Researchers also released patches for LibreOffice as well.
0patch also published a video PoC that shows the exploitation of the vulnerability.
This is the second time in a few days that 0patch released an unofficial patch, this week 0patch experts released a micropatch to address an Adobe Reader zero-day that allows maliciously PDF docs to call home and send over the victim’s NTLM hash.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(
[adrotate banner=”5″] [adrotate banner=”13″]
