Security researchers discovered a security flaw in LibreOffice and Apache OpenOffice, the free, open-source office suites used on Windows, macOS, and Linux.
Alex Inführ, a security researcher, unearthed a severe remote code execution flaw in both applications. The flaw, known as CVE-2018-16858, can be triggered simply by opening a maliciously-crafted ODT (OpenDocument Text) file.
Technical Overview of CVE-2018-16858
According to Red Hat researchers:
It was found that libreoffice was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location.
Inführ's findings indicate that the Python file pydoc.py, which ships with LibreOffice's own Python interpreter, accepts arbitrary commands in one of its parameters and executes them through the system's command line or console.
The researcher also released a proof-of-concept video in which he shows the attack calling a specific function within a Python file.
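A defender-side check for the pattern described above, as an added example that is not from the original article, the researcher, or LibreOffice: it scans the XML members of an ODT archive for script URIs whose script path contains a ".." segment. The vnd.sun.star.script: prefix is LibreOffice's scripting-framework URI scheme; the function names, the in-memory sample archive, and the placeholder paths are constructed for illustration.

```python
import html
import io
import re
import zipfile
from urllib.parse import unquote

# LibreOffice script-framework URIs: vnd.sun.star.script:<script path>$<function>?language=...&location=...
SCRIPT_URI = re.compile(r"vnd\.sun\.star\.script:([^\"'<>\s?]*)")


def traversing_script_uris(odt_bytes):
    """Return (zip member, raw script path) for every script URI with a '..' path segment."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as odt:
        for name in odt.namelist():
            if not name.endswith(".xml"):
                continue
            text = odt.read(name).decode("utf-8", errors="replace")
            for match in SCRIPT_URI.finditer(text):
                raw = match.group(1)
                # Undo XML entities and percent-encoding before inspecting the path
                # (conservative assumption: treat encoded dots and slashes as real ones).
                path = unquote(html.unescape(raw)).split("$", 1)[0]
                if ".." in re.split(r"[/\\]", path):
                    hits.append((name, raw))
    return hits


def build_sample_odt(script_uri):
    """Constructed in-memory archive with one script reference; not a real document."""
    body = '<doc xmlns:xlink="http://www.w3.org/1999/xlink"><ref xlink:href="%s"/></doc>' % script_uri
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", body)
    return buf.getvalue()


# Constructed sample values; the .py paths are placeholders that do not exist anywhere.
BENIGN = "vnd.sun.star.script:placeholder.py$noop?language=Python&amp;location=document"
TRAVERSAL = "vnd.sun.star.script:../../placeholder_dir/placeholder.py$noop?language=Python&amp;location=share"
ENCODED = "vnd.sun.star.script:%2e%2e/placeholder.py$noop?language=Python&amp;location=share"

if __name__ == "__main__":
    for label, uri in (("benign", BENIGN), ("traversal", TRAVERSAL), ("encoded", ENCODED)):
        print(label, traversing_script_uris(build_sample_odt(uri)))
```

A hit only shows that a document references a script outside the expected script directories; it is a triage signal for mail or file gateways, not proof that anything executed.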
Apparently, the exploit should work on Linux as well, even though the initial test was done on a Windows machine. The CVE-2018-16858 vulnerability was reported to LibreOffice and Apache OpenOffice on October 18, 2019. The flaw was fixed in LibreOffice with the release of LibreOffice 6.0.7/6.1.3. However, OpenOffice is still not patched.
It should be noted that Red Hat assigned the vulnerability a CVE ID in November and asked the researcher not to disclose the details of the proof-of-concept until January 31, 2019. The researcher revealed the exploit code on February 1, with Apache OpenOffice 4.1.6 still unpatched. Nonetheless, the researcher says the exploit code doesn't affect OpenOffice.
“Openoffice does not allow to pass parameters; therefore, my PoC does not work but the path traversal can [still] be abused to execute a python script from another location on the local file system,” Inführ said.