Bug could allow for remote code execution

A flaw in LibreOffice and Apache OpenOffice which could allow for remote code execution (RCE) has been patched in only one of the programs.

The vulnerability (CVE-2018-16858) in the open source office suites, which share the same code, was discovered by researcher Alex Inführ, who reported it back in October.

He discovered that he could achieve RCE by using a mouseover event in a link within an OpenDocument Text (ODT) file.

This event triggers when the victim’s mouse hovers over the link, executing a local Python file.

Inführ found a way to abuse the event to call a function within a Python file included in LibreOffice’s Python interpreter, which ships as standard.

This exploit was also able to pass parameters.

He wrote in a blog post: “The user controlled cmd parameter is passed to the os.system call, which just passes the string to a subshell (cmd.exe on Windows) and therefore allowing to execute a local file with parameters.”

Inführ reported the bug on October 18. By October 30, it was patched by LibreOffice.

Apache OpenOffice still hasn’t fixed the flaw, despite being vulnerable to the remote code execution exploit.

Inführ wrote: “I reconfirmed via email that I am allowed to publish the details of the vulnerability although openoffice is still unpatched.

“Openoffice does not allow to pass parameters therefore my PoC does not work but the path traversal can be abused to execute a python script from another location on the local file system.”
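As an added illustration (not code from this article, from Inführ's post or from either project), a defender can triage ODT files by listing the script event listeners they contain and flagging any script URI whose path has a `..` segment. It assumes the ODF `script:event-listener` element and the `vnd.sun.star.script:` URI form; the sample archive and its `PLACEHOLDER` path are constructed and inert.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SCRIPT = "{urn:oasis:names:tc:opendocument:xmlns:script:1.0}"
XLINK = "{http://www.w3.org/1999/xlink}"
TRAVERSAL = re.compile(r"(^|[:/\\])\.\.([/\\]|$)")  # a ".." path segment

def scan_odt(odt_bytes):
    """Return one finding per script event listener in content.xml / styles.xml."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for part in [p for p in ("content.xml", "styles.xml") if p in zf.namelist()]:
            data = zf.read(part)
            if b"<!DOCTYPE" in data:  # ODF parts carry no DTD; refuse entity tricks
                raise ValueError(part + ": unexpected DOCTYPE")
            for el in ET.fromstring(data).iter(SCRIPT + "event-listener"):
                href = el.get(XLINK + "href", "")
                decoded = unquote(href)  # normalise percent-encoding before matching
                findings.append({
                    "event": el.get(SCRIPT + "event-name", ""),
                    "href": href,
                    "python": "language=python" in decoded.lower(),
                    "traversal": bool(TRAVERSAL.search(decoded.split("?")[0])),
                })
    return findings

def build_sample():
    """Constructed, inert ODT-like archive with two mouseover listeners."""
    hrefs = ["vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document",
             "vnd.sun.star.script:../../PLACEHOLDER/mod.py$noop?language=Python&amp;location=share"]
    links = "".join(
        '<text:a xlink:href="http://example.com/"><office:event-listeners>'
        '<script:event-listener script:event-name="dom:mouseover" xlink:href="%s"/>'
        '</office:event-listeners>link</text:a>' % h for h in hrefs)
    xml = ('<office:document-content xmlns:xlink="%s" xmlns:script="%s" '
           'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
           'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0">'
           '<office:body><office:text><text:p>%s</text:p></office:text></office:body>'
           '</office:document-content>' % (XLINK[1:-1], SCRIPT[1:-1], links))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    print(*scan_odt(build_sample()), sep="\n")
```

A listener that is flagged for both `python` and `traversal` matches the behaviour described above; ordinary document macros show up in the list without the traversal flag.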

The open source office suites famously fractured into two separate projects and are maintained by separate teams.

The Daily Swig has reached out to the Apache OpenOffice team for comment.