LibreOffice and Apache OpenOffice, the two most popular free, open source office suites, have been found to contain a severe remote code execution (RCE) vulnerability that can be triggered by just opening a malicious OpenDocument Text (ODT) file.
Both suites are used by millions of Windows, macOS and Linux users, and the vulnerability was disclosed by security researcher Alex Infuhr. The attack relies on exploiting a directory traversal flaw, tracked as CVE-2018-16858, to automatically execute a specific Python library bundled with the software via a hidden “onmouseover” event.
To exploit this vulnerability, the researcher first created an ODT file containing a white-colored hyperlink, so that it cannot be seen, and attached an “onmouseover” event to it. This tricks victims into executing a Python file already present on their system as soon as they move the mouse anywhere over the invisible hyperlink.
According to him, the Python file, named “pydoc.py”, which ships with LibreOffice's own Python interpreter, accepts arbitrary commands in one of its parameters and executes them through the system's command line or console.
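The mechanism described above leaves a recognisable trace inside the document: an ODT is a zip archive whose content.xml can bind a script URL to a hyperlink event such as a mouseover, and a directory traversal appears as ".." segments in that script location. The following triage scanner is an added example, not code from the article or from the LibreOffice or OpenOffice projects; it assumes the ODF 1.2 element names and namespaces used below (office:event-listeners, script:event-listener, the vnd.sun.star.script: scheme) and builds its own constructed sample documents with a placeholder path rather than any real payload. It also percent-decodes the location first, so an encoded ".." does not slip past the check.

```python
"""Triage scanner for ODF text documents: flags script event listeners
bound to hyperlinks, and rates those whose script location walks up the
directory tree as high severity. Added defensive example; assumptions
about ODF markup are noted in comments."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# ODF 1.2 namespaces for the elements inspected here (assumed standard values).
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
SCRIPT_SCHEME = "vnd.sun.star.script:"   # LibreOffice/OpenOffice script URL scheme


def _has_traversal(location):
    """True if any path segment of `location` is '..' after percent-decoding."""
    decoded = unquote(location).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def scan_content_xml(xml_bytes):
    """Return one finding per script: URL bound to an event listener.

    Severity is 'high' when the script location contains a '..' segment,
    otherwise 'medium' (any script bound to a hover/click event is worth a look).
    """
    root = ET.fromstring(xml_bytes)
    findings = []
    for listener in root.iter("{%s}event-listener" % NS["script"]):
        event = listener.get("{%s}event-name" % NS["script"], "")
        href = listener.get("{%s}href" % NS["xlink"], "")
        if not href.startswith(SCRIPT_SCHEME):
            continue                      # only script: targets can run code
        # Script location = the part before the '$' function name or '?' query.
        location = href[len(SCRIPT_SCHEME):].split("$", 1)[0].split("?", 1)[0]
        severity = "high" if _has_traversal(location) else "medium"
        findings.append({"event": event, "href": href, "severity": severity})
    return findings


def scan_odt(data):
    """Scan an ODT given as bytes; returns [] when content.xml is absent."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "content.xml" not in zf.namelist():
            return []
        return scan_content_xml(zf.read("content.xml"))


def build_sample_odt(listener_href):
    """Constructed minimal ODT: one hyperlink carrying a dom:mouseover
    listener bound to `listener_href` (test fixture, not a working exploit)."""
    content = f"""<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="{NS['office']}" xmlns:text="{NS['text']}"
    xmlns:script="{NS['script']}" xmlns:xlink="{NS['xlink']}">
 <office:body><office:text>
  <text:p><text:a xlink:type="simple" xlink:href="http://example.invalid/">
   <office:event-listeners>
    <script:event-listener script:language="ooo:script"
        script:event-name="dom:mouseover" xlink:type="simple"
        xlink:href="{listener_href}"/>
   </office:event-listeners>hover target</text:a></text:p>
 </office:text></office:body>
</office:document-content>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a document-local Basic macro versus a location that
    # walks out of the script directory (SOME_DIR is a placeholder, not a real path).
    for href in ("vnd.sun.star.script:Standard.Module1.Main?language=Basic",
                 "vnd.sun.star.script:../../SOME_DIR/pydoc.py?language=Python"):
        for finding in scan_odt(build_sample_odt(href)):
            print(finding["severity"], finding["event"], finding["href"])
```

In a mail gateway or endpoint scan, a reasonable policy is to quarantine anything rated high and to log every medium finding, since legitimate documents rarely need a script bound to a hover event at all. The check covers only content.xml; styles.xml can carry the same listeners and is worth scanning the same way.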
Proof of Concept and Video Demo
Infuhr provided a proof-of-concept video demonstrating how he managed to trick the event into calling a specific function within a Python file, which then executed the researcher's payload through the Windows command line (cmd) without showing any warning dialog to the user.
He also released PoC exploit code for the vulnerability and noted that, although he had only tested the exploit on Windows, it works on Linux as well.
The researcher reported the vulnerability to LibreOffice and Apache OpenOffice in October last year. By the end of that month LibreOffice had fixed the issue with the release of LibreOffice 6.0.7/6.1.3, whereas OpenOffice remains vulnerable.
In November, Red Hat assigned the path traversal vulnerability a CVE ID and asked the researcher not to disclose the details or PoC of the bug until January 31, 2019.
On 1 February Infuhr made the details and PoC exploit code of the vulnerability public, as Apache OpenOffice 4.1.6 still remained unpatched. He stated that the exploit code does not work on OpenOffice.
Until OpenOffice releases a security patch, users can remove or rename the pythonscript.py file in the installation folder to disable Python script execution.
Switching from Microsoft Office to an open-source office suite does not by itself protect you from such attacks; basic security practices still have to be adopted.